vault.ad.SecretBackend
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const config = new vault.ad.SecretBackend("config", {
backend: "ad",
binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
bindpass: "SuperSecretPassw0rd",
url: "ldaps://ad",
insecureTls: true,
userdn: "CN=Users,DC=corp,DC=example,DC=net",
});
import pulumi
import pulumi_vault as vault
config = vault.ad.SecretBackend("config",
backend="ad",
binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
bindpass="SuperSecretPassw0rd",
url="ldaps://ad",
insecure_tls=True,
userdn="CN=Users,DC=corp,DC=example,DC=net")
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/ad"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ad.NewSecretBackend(ctx, "config", &ad.SecretBackendArgs{
Backend: pulumi.String("ad"),
Binddn: pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
Bindpass: pulumi.String("SuperSecretPassw0rd"),
Url: pulumi.String("ldaps://ad"),
InsecureTls: pulumi.Bool(true),
Userdn: pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var config = new Vault.AD.SecretBackend("config", new()
{
Backend = "ad",
Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
Bindpass = "SuperSecretPassw0rd",
Url = "ldaps://ad",
InsecureTls = true,
Userdn = "CN=Users,DC=corp,DC=example,DC=net",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.ad.SecretBackend;
import com.pulumi.vault.ad.SecretBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var config = new SecretBackend("config", SecretBackendArgs.builder()
.backend("ad")
.binddn("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net")
.bindpass("SuperSecretPassw0rd")
.url("ldaps://ad")
.insecureTls("true")
.userdn("CN=Users,DC=corp,DC=example,DC=net")
.build());
}
}
resources:
config:
type: vault:ad:SecretBackend
properties:
backend: ad
binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
bindpass: SuperSecretPassw0rd
url: ldaps://ad
insecureTls: 'true'
userdn: CN=Users,DC=corp,DC=example,DC=net
Create SecretBackend Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);
@overload
def SecretBackend(resource_name: str,
args: SecretBackendArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SecretBackend(resource_name: str,
opts: Optional[ResourceOptions] = None,
binddn: Optional[str] = None,
bindpass: Optional[str] = None,
insecure_tls: Optional[bool] = None,
use_token_groups: Optional[bool] = None,
case_sensitive_names: Optional[bool] = None,
certificate: Optional[str] = None,
client_tls_cert: Optional[str] = None,
client_tls_key: Optional[str] = None,
local: Optional[bool] = None,
deny_null_bind: Optional[bool] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
discoverdn: Optional[bool] = None,
groupattr: Optional[str] = None,
groupdn: Optional[str] = None,
groupfilter: Optional[str] = None,
userdn: Optional[str] = None,
backend: Optional[str] = None,
default_lease_ttl_seconds: Optional[int] = None,
max_lease_ttl_seconds: Optional[int] = None,
max_ttl: Optional[int] = None,
namespace: Optional[str] = None,
password_policy: Optional[str] = None,
request_timeout: Optional[int] = None,
starttls: Optional[bool] = None,
tls_max_version: Optional[str] = None,
tls_min_version: Optional[str] = None,
ttl: Optional[int] = None,
upndomain: Optional[str] = None,
url: Optional[str] = None,
use_pre111_group_cn_behavior: Optional[bool] = None,
last_rotation_tolerance: Optional[int] = None,
userattr: Optional[str] = None,
anonymous_group_search: Optional[bool] = None)
func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
public SecretBackend(String name, SecretBackendArgs args)
public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)
type: vault:ad:SecretBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var secretBackendResource = new Vault.AD.SecretBackend("secretBackendResource", new()
{
Binddn = "string",
Bindpass = "string",
InsecureTls = false,
UseTokenGroups = false,
CaseSensitiveNames = false,
Certificate = "string",
ClientTlsCert = "string",
ClientTlsKey = "string",
Local = false,
DenyNullBind = false,
Description = "string",
DisableRemount = false,
Discoverdn = false,
Groupattr = "string",
Groupdn = "string",
Groupfilter = "string",
Userdn = "string",
Backend = "string",
DefaultLeaseTtlSeconds = 0,
MaxLeaseTtlSeconds = 0,
MaxTtl = 0,
Namespace = "string",
PasswordPolicy = "string",
RequestTimeout = 0,
Starttls = false,
TlsMaxVersion = "string",
TlsMinVersion = "string",
Ttl = 0,
Upndomain = "string",
Url = "string",
UsePre111GroupCnBehavior = false,
LastRotationTolerance = 0,
Userattr = "string",
AnonymousGroupSearch = false,
});
example, err := ad.NewSecretBackend(ctx, "secretBackendResource", &ad.SecretBackendArgs{
Binddn: pulumi.String("string"),
Bindpass: pulumi.String("string"),
InsecureTls: pulumi.Bool(false),
UseTokenGroups: pulumi.Bool(false),
CaseSensitiveNames: pulumi.Bool(false),
Certificate: pulumi.String("string"),
ClientTlsCert: pulumi.String("string"),
ClientTlsKey: pulumi.String("string"),
Local: pulumi.Bool(false),
DenyNullBind: pulumi.Bool(false),
Description: pulumi.String("string"),
DisableRemount: pulumi.Bool(false),
Discoverdn: pulumi.Bool(false),
Groupattr: pulumi.String("string"),
Groupdn: pulumi.String("string"),
Groupfilter: pulumi.String("string"),
Userdn: pulumi.String("string"),
Backend: pulumi.String("string"),
DefaultLeaseTtlSeconds: pulumi.Int(0),
MaxLeaseTtlSeconds: pulumi.Int(0),
MaxTtl: pulumi.Int(0),
Namespace: pulumi.String("string"),
PasswordPolicy: pulumi.String("string"),
RequestTimeout: pulumi.Int(0),
Starttls: pulumi.Bool(false),
TlsMaxVersion: pulumi.String("string"),
TlsMinVersion: pulumi.String("string"),
Ttl: pulumi.Int(0),
Upndomain: pulumi.String("string"),
Url: pulumi.String("string"),
UsePre111GroupCnBehavior: pulumi.Bool(false),
LastRotationTolerance: pulumi.Int(0),
Userattr: pulumi.String("string"),
AnonymousGroupSearch: pulumi.Bool(false),
})
var secretBackendResource = new SecretBackend("secretBackendResource", SecretBackendArgs.builder()
.binddn("string")
.bindpass("string")
.insecureTls(false)
.useTokenGroups(false)
.caseSensitiveNames(false)
.certificate("string")
.clientTlsCert("string")
.clientTlsKey("string")
.local(false)
.denyNullBind(false)
.description("string")
.disableRemount(false)
.discoverdn(false)
.groupattr("string")
.groupdn("string")
.groupfilter("string")
.userdn("string")
.backend("string")
.defaultLeaseTtlSeconds(0)
.maxLeaseTtlSeconds(0)
.maxTtl(0)
.namespace("string")
.passwordPolicy("string")
.requestTimeout(0)
.starttls(false)
.tlsMaxVersion("string")
.tlsMinVersion("string")
.ttl(0)
.upndomain("string")
.url("string")
.usePre111GroupCnBehavior(false)
.lastRotationTolerance(0)
.userattr("string")
.anonymousGroupSearch(false)
.build());
secret_backend_resource = vault.ad.SecretBackend("secretBackendResource",
binddn="string",
bindpass="string",
insecure_tls=False,
use_token_groups=False,
case_sensitive_names=False,
certificate="string",
client_tls_cert="string",
client_tls_key="string",
local=False,
deny_null_bind=False,
description="string",
disable_remount=False,
discoverdn=False,
groupattr="string",
groupdn="string",
groupfilter="string",
userdn="string",
backend="string",
default_lease_ttl_seconds=0,
max_lease_ttl_seconds=0,
max_ttl=0,
namespace="string",
password_policy="string",
request_timeout=0,
starttls=False,
tls_max_version="string",
tls_min_version="string",
ttl=0,
upndomain="string",
url="string",
use_pre111_group_cn_behavior=False,
last_rotation_tolerance=0,
userattr="string",
anonymous_group_search=False)
const secretBackendResource = new vault.ad.SecretBackend("secretBackendResource", {
binddn: "string",
bindpass: "string",
insecureTls: false,
useTokenGroups: false,
caseSensitiveNames: false,
certificate: "string",
clientTlsCert: "string",
clientTlsKey: "string",
local: false,
denyNullBind: false,
description: "string",
disableRemount: false,
discoverdn: false,
groupattr: "string",
groupdn: "string",
groupfilter: "string",
userdn: "string",
backend: "string",
defaultLeaseTtlSeconds: 0,
maxLeaseTtlSeconds: 0,
maxTtl: 0,
namespace: "string",
passwordPolicy: "string",
requestTimeout: 0,
starttls: false,
tlsMaxVersion: "string",
tlsMinVersion: "string",
ttl: 0,
upndomain: "string",
url: "string",
usePre111GroupCnBehavior: false,
lastRotationTolerance: 0,
userattr: "string",
anonymousGroupSearch: false,
});
type: vault:ad:SecretBackend
properties:
anonymousGroupSearch: false
backend: string
binddn: string
bindpass: string
caseSensitiveNames: false
certificate: string
clientTlsCert: string
clientTlsKey: string
defaultLeaseTtlSeconds: 0
denyNullBind: false
description: string
disableRemount: false
discoverdn: false
groupattr: string
groupdn: string
groupfilter: string
insecureTls: false
lastRotationTolerance: 0
local: false
maxLeaseTtlSeconds: 0
maxTtl: 0
namespace: string
passwordPolicy: string
requestTimeout: 0
starttls: false
tlsMaxVersion: string
tlsMinVersion: string
ttl: 0
upndomain: string
url: string
usePre111GroupCnBehavior: false
useTokenGroups: false
userattr: string
userdn: string
SecretBackend Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SecretBackend resource accepts the following input properties:
- Binddn string
- Distinguished name of object to bind when performing user and group search.
- Bindpass string
- Password to use along with binddn when performing user search.
- Anonymous
Group boolSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- Backend string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - Case
Sensitive boolNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- Certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Default
Lease intTtl Seconds - Default lease duration for secrets in seconds.
- Deny
Null boolBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- Description string
- Human-friendly description of the mount for the Active Directory backend.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Discoverdn bool
- Use anonymous bind to discover the bind Distinguished Name of a user.
- Groupattr string
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - Groupdn string
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- Groupfilter string
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- Insecure
Tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - Last
Rotation intTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- Local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds - Maximum possible lease duration for secrets in seconds.
- Max
Ttl int - In seconds, the maximum password time-to-live.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Password
Policy string - Name of the password policy to use to generate passwords.
- Request
Timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- Tls
Max stringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - Tls
Min stringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - Ttl int
- In seconds, the default password time-to-live.
- Upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - Use
Pre111Group boolCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- Use
Token boolGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- Userattr string
- Attribute used when searching users. Defaults to
cn
. - Userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- Binddn string
- Distinguished name of object to bind when performing user and group search.
- Bindpass string
- Password to use along with binddn when performing user search.
- Anonymous
Group boolSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- Backend string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - Case
Sensitive boolNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- Certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Default
Lease intTtl Seconds - Default lease duration for secrets in seconds.
- Deny
Null boolBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- Description string
- Human-friendly description of the mount for the Active Directory backend.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Discoverdn bool
- Use anonymous bind to discover the bind Distinguished Name of a user.
- Groupattr string
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - Groupdn string
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- Groupfilter string
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- Insecure
Tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - Last
Rotation intTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- Local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds - Maximum possible lease duration for secrets in seconds.
- Max
Ttl int - In seconds, the maximum password time-to-live.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Password
Policy string - Name of the password policy to use to generate passwords.
- Request
Timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- Tls
Max stringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - Tls
Min stringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - Ttl int
- In seconds, the default password time-to-live.
- Upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - Use
Pre111Group boolCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- Use
Token boolGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- Userattr string
- Attribute used when searching users. Defaults to
cn
. - Userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn String
- Distinguished name of object to bind when performing user and group search.
- bindpass String
- Password to use along with binddn when performing user search.
- anonymous
Group BooleanSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend String
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - case
Sensitive BooleanNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate String
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease IntegerTtl Seconds - Default lease duration for secrets in seconds.
- deny
Null BooleanBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description String
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- discoverdn Boolean
- Use anonymous bind to discover the bind Distinguished Name of a user.
- groupattr String
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - groupdn String
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter String
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls Boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - last
Rotation IntegerTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- local Boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease IntegerTtl Seconds - Maximum possible lease duration for secrets in seconds.
- max
Ttl Integer - In seconds, the maximum password time-to-live.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password
Policy String - Name of the password policy to use to generate passwords.
- request
Timeout Integer - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls Boolean
- Issue a StartTLS command after establishing unencrypted connection.
- tls
Max StringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - tls
Min StringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - ttl Integer
- In seconds, the default password time-to-live.
- upndomain String
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - use
Pre111Group BooleanCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token BooleanGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr String
- Attribute used when searching users. Defaults to
cn
. - userdn String
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn string
- Distinguished name of object to bind when performing user and group search.
- bindpass string
- Password to use along with binddn when performing user search.
- anonymous
Group booleanSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - case
Sensitive booleanNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease numberTtl Seconds - Default lease duration for secrets in seconds.
- deny
Null booleanBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description string
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- discoverdn boolean
- Use anonymous bind to discover the bind Distinguished Name of a user.
- groupattr string
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - groupdn string
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter string
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - last
Rotation numberTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- local boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease numberTtl Seconds - Maximum possible lease duration for secrets in seconds.
- max
Ttl number - In seconds, the maximum password time-to-live.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password
Policy string - Name of the password policy to use to generate passwords.
- request
Timeout number - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls boolean
- Issue a StartTLS command after establishing unencrypted connection.
- tls
Max stringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - tls
Min stringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - ttl number
- In seconds, the default password time-to-live.
- upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - use
Pre111Group booleanCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token booleanGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr string
- Attribute used when searching users. Defaults to
cn
. - userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn str
- Distinguished name of object to bind when performing user and group search.
- bindpass str
- Password to use along with binddn when performing user search.
- anonymous_
group_ boolsearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend str
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - case_
sensitive_ boolnames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate str
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client_
tls_ strcert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client_
tls_ strkey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default_
lease_ intttl_ seconds - Default lease duration for secrets in seconds.
- deny_
null_ boolbind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description str
- Human-friendly description of the mount for the Active Directory backend.
- disable_
remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- discoverdn bool
- Use anonymous bind to discover the bind Distinguished Name of a user.
- groupattr str
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - groupdn str
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter str
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure_
tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - last_
rotation_ inttolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max_
lease_ intttl_ seconds - Maximum possible lease duration for secrets in seconds.
- max_
ttl int - In seconds, the maximum password time-to-live.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password_
policy str - Name of the password policy to use to generate passwords.
- request_
timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- tls_
max_ strversion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - tls_
min_ strversion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - ttl int
- In seconds, the default password time-to-live.
- upndomain str
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url str
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - use_
pre111_ boolgroup_ cn_ behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use_
token_ boolgroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr str
- Attribute used when searching users. Defaults to
cn
. - userdn str
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn String
- Distinguished name of object to bind when performing user and group search.
- bindpass String
- Password to use along with binddn when performing user search.
- anonymous
Group BooleanSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend String
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - case
Sensitive BooleanNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate String
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease NumberTtl Seconds - Default lease duration for secrets in seconds.
- deny
Null BooleanBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description String
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- discoverdn Boolean
- Use anonymous bind to discover the bind Distinguished Name of a user.
- groupattr String
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - groupdn String
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter String
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls Boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - last
Rotation NumberTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- local Boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease NumberTtl Seconds - Maximum possible lease duration for secrets in seconds.
- max
Ttl Number - In seconds, the maximum password time-to-live.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password
Policy String - Name of the password policy to use to generate passwords.
- request
Timeout Number - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls Boolean
- Issue a StartTLS command after establishing unencrypted connection.
- tls
Max StringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - tls
Min StringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - ttl Number
- In seconds, the default password time-to-live.
- upndomain String
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - use
Pre111Group BooleanCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token BooleanGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr String
- Attribute used when searching users. Defaults to
cn
. - userdn String
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing SecretBackend Resource
Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
anonymous_group_search: Optional[bool] = None,
backend: Optional[str] = None,
binddn: Optional[str] = None,
bindpass: Optional[str] = None,
case_sensitive_names: Optional[bool] = None,
certificate: Optional[str] = None,
client_tls_cert: Optional[str] = None,
client_tls_key: Optional[str] = None,
default_lease_ttl_seconds: Optional[int] = None,
deny_null_bind: Optional[bool] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
discoverdn: Optional[bool] = None,
groupattr: Optional[str] = None,
groupdn: Optional[str] = None,
groupfilter: Optional[str] = None,
insecure_tls: Optional[bool] = None,
last_rotation_tolerance: Optional[int] = None,
local: Optional[bool] = None,
max_lease_ttl_seconds: Optional[int] = None,
max_ttl: Optional[int] = None,
namespace: Optional[str] = None,
password_policy: Optional[str] = None,
request_timeout: Optional[int] = None,
starttls: Optional[bool] = None,
tls_max_version: Optional[str] = None,
tls_min_version: Optional[str] = None,
ttl: Optional[int] = None,
upndomain: Optional[str] = None,
url: Optional[str] = None,
use_pre111_group_cn_behavior: Optional[bool] = None,
use_token_groups: Optional[bool] = None,
userattr: Optional[str] = None,
userdn: Optional[str] = None) -> SecretBackend
func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Anonymous
Group boolSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- Backend string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - Binddn string
- Distinguished name of object to bind when performing user and group search.
- Bindpass string
- Password to use along with binddn when performing user search.
- Case
Sensitive boolNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- Certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Default
Lease intTtl Seconds - Default lease duration for secrets in seconds.
- Deny
Null boolBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- Description string
- Human-friendly description of the mount for the Active Directory backend.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Discoverdn bool
- Use anonymous bind to discover the bind Distinguished Name of a user.
- Groupattr string
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - Groupdn string
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- Groupfilter string
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- Insecure
Tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - Last
Rotation intTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- Local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds - Maximum possible lease duration for secrets in seconds.
- Max
Ttl int - In seconds, the maximum password time-to-live.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Password
Policy string - Name of the password policy to use to generate passwords.
- Request
Timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- Tls
Max stringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - Tls
Min stringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - Ttl int
- In seconds, the default password time-to-live.
- Upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - Use
Pre111Group boolCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- Use
Token boolGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- Userattr string
- Attribute used when searching users. Defaults to
cn
. - Userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- Anonymous
Group boolSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- Backend string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - Binddn string
- Distinguished name of object to bind when performing user and group search.
- Bindpass string
- Password to use along with binddn when performing user search.
- Case
Sensitive boolNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- Certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Default
Lease intTtl Seconds - Default lease duration for secrets in seconds.
- Deny
Null boolBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- Description string
- Human-friendly description of the mount for the Active Directory backend.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Discoverdn bool
- Use anonymous bind to discover the bind Distinguished Name of a user.
- Groupattr string
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - Groupdn string
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- Groupfilter string
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- Insecure
Tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - Last
Rotation intTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- Local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds - Maximum possible lease duration for secrets in seconds.
- Max
Ttl int - In seconds, the maximum password time-to-live.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Password
Policy string - Name of the password policy to use to generate passwords.
- Request
Timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- Tls
Max stringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - Tls
Min stringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - Ttl int
- In seconds, the default password time-to-live.
- Upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - Use
Pre111Group boolCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- Use
Token boolGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- Userattr string
- Attribute used when searching users. Defaults to
cn
. - Userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- anonymous
Group BooleanSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend String
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - binddn String
- Distinguished name of object to bind when performing user and group search.
- bindpass String
- Password to use along with binddn when performing user search.
- case
Sensitive BooleanNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate String
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease IntegerTtl Seconds - Default lease duration for secrets in seconds.
- deny
Null BooleanBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description String
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- discoverdn Boolean
- Use anonymous bind to discover the bind Distinguished Name of a user.
- groupattr String
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - groupdn String
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter String
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls Boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - last
Rotation IntegerTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- local Boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease IntegerTtl Seconds - Maximum possible lease duration for secrets in seconds.
- max
Ttl Integer - In seconds, the maximum password time-to-live.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password
Policy String - Name of the password policy to use to generate passwords.
- request
Timeout Integer - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls Boolean
- Issue a StartTLS command after establishing unencrypted connection.
- tls
Max StringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - tls
Min StringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - ttl Integer
- In seconds, the default password time-to-live.
- upndomain String
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - use
Pre111Group BooleanCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token BooleanGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr String
- Attribute used when searching users. Defaults to
cn
. - userdn String
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- anonymous
Group booleanSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - binddn string
- Distinguished name of object to bind when performing user and group search.
- bindpass string
- Password to use along with binddn when performing user search.
- case
Sensitive booleanNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease numberTtl Seconds - Default lease duration for secrets in seconds.
- deny
Null booleanBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description string
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- discoverdn boolean
- Use anonymous bind to discover the bind Distinguished Name of a user.
- groupattr string
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - groupdn string
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter string
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - last
Rotation numberTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- local boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease numberTtl Seconds - Maximum possible lease duration for secrets in seconds.
- max
Ttl number - In seconds, the maximum password time-to-live.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password
Policy string - Name of the password policy to use to generate passwords.
- request
Timeout number - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls boolean
- Issue a StartTLS command after establishing unencrypted connection.
- tls
Max stringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - tls
Min stringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - ttl number
- In seconds, the default password time-to-live.
- upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - use
Pre111Group booleanCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token booleanGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr string
- Attribute used when searching users. Defaults to
cn
. - userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- anonymous_
group_ boolsearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend str
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - binddn str
- Distinguished name of object to bind when performing user and group search.
- bindpass str
- Password to use along with binddn when performing user search.
- case_
sensitive_ boolnames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate str
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client_
tls_ strcert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client_
tls_ strkey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default_
lease_ intttl_ seconds - Default lease duration for secrets in seconds.
- deny_
null_ boolbind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description str
- Human-friendly description of the mount for the Active Directory backend.
- disable_
remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- discoverdn bool
- Use anonymous bind to discover the bind Distinguished Name of a user.
- groupattr str
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - groupdn str
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter str
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure_
tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - last_
rotation_ inttolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max_
lease_ intttl_ seconds - Maximum possible lease duration for secrets in seconds.
- max_
ttl int - In seconds, the maximum password time-to-live.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password_
policy str - Name of the password policy to use to generate passwords.
- request_
timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- tls_
max_ strversion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - tls_
min_ strversion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - ttl int
- In seconds, the default password time-to-live.
- upndomain str
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url str
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - use_
pre111_ boolgroup_ cn_ behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use_
token_ boolgroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr str
- Attribute used when searching users. Defaults to
cn
. - userdn str
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- anonymous
Group BooleanSearch - Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
- backend String
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toad
. - binddn String
- Distinguished name of object to bind when performing user and group search.
- bindpass String
- Password to use along with binddn when performing user search.
- case
Sensitive BooleanNames - If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
- certificate String
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- default
Lease NumberTtl Seconds - Default lease duration for secrets in seconds.
- deny
Null BooleanBind - Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
- description String
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- discoverdn Boolean
- Use anonymous bind to discover the bind Distinguished Name of a user.
- groupattr String
- LDAP attribute to follow on objects returned by in order to enumerate
user group membership. Examples:
cn
ormemberOf
, etc. Defaults tocn
. - groupdn String
- LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
- groupfilter String
- Go template for querying group membership of user (optional) The template can access
the following context variables: UserDN, Username. Defaults to
(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
- insecure
Tls Boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - last
Rotation NumberTolerance - The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
- local Boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease NumberTtl Seconds - Maximum possible lease duration for secrets in seconds.
- max
Ttl Number - In seconds, the maximum password time-to-live.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - password
Policy String - Name of the password policy to use to generate passwords.
- request
Timeout Number - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- starttls Boolean
- Issue a StartTLS command after establishing unencrypted connection.
- tls
Max StringVersion - Maximum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - tls
Min StringVersion - Minimum TLS version to use. Accepted values are
tls10
,tls11
,tls12
ortls13
. Defaults totls12
. - ttl Number
- In seconds, the default password time-to-live.
- upndomain String
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - use
Pre111Group BooleanCn Behavior - In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
- use
Token BooleanGroups - If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
- userattr String
- Attribute used when searching users. Defaults to
cn
. - userdn String
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
Import
AD secret backend can be imported using the backend
, e.g.
$ pulumi import vault:ad/secretBackend:SecretBackend ad ad
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vault
Terraform Provider.