1. Packages
  2. Pulumi Vault Provider
  3. API Docs
  4. ldap
  5. SecretBackend
HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi

vault.ldap.SecretBackend

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const config = new vault.ldap.SecretBackend("config", {
        path: "my-custom-ldap",
        binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
        bindpass: "SuperSecretPassw0rd",
        url: "ldaps://localhost",
        insecureTls: true,
        userdn: "CN=Users,DC=corp,DC=example,DC=net",
    });
    
    import pulumi
    import pulumi_vault as vault
    
    config = vault.ldap.SecretBackend("config",
        path="my-custom-ldap",
        binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
        bindpass="SuperSecretPassw0rd",
        url="ldaps://localhost",
        insecure_tls=True,
        userdn="CN=Users,DC=corp,DC=example,DC=net")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/ldap"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := ldap.NewSecretBackend(ctx, "config", &ldap.SecretBackendArgs{
    			Path:        pulumi.String("my-custom-ldap"),
    			Binddn:      pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
    			Bindpass:    pulumi.String("SuperSecretPassw0rd"),
    			Url:         pulumi.String("ldaps://localhost"),
    			InsecureTls: pulumi.Bool(true),
    			Userdn:      pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var config = new Vault.Ldap.SecretBackend("config", new()
        {
            Path = "my-custom-ldap",
            Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
            Bindpass = "SuperSecretPassw0rd",
            Url = "ldaps://localhost",
            InsecureTls = true,
            Userdn = "CN=Users,DC=corp,DC=example,DC=net",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.ldap.SecretBackend;
    import com.pulumi.vault.ldap.SecretBackendArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var config = new SecretBackend("config", SecretBackendArgs.builder()
                .path("my-custom-ldap")
                .binddn("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net")
                .bindpass("SuperSecretPassw0rd")
                .url("ldaps://localhost")
                .insecureTls("true")
                .userdn("CN=Users,DC=corp,DC=example,DC=net")
                .build());
    
        }
    }
    
    resources:
      config:
        type: vault:ldap:SecretBackend
        properties:
          path: my-custom-ldap
          binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
          bindpass: SuperSecretPassw0rd
          url: ldaps://localhost
          insecureTls: 'true'
          userdn: CN=Users,DC=corp,DC=example,DC=net
    

    Create SecretBackend Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackend(resource_name: str,
                      args: SecretBackendArgs,
                      opts: Optional[ResourceOptions] = None)
    
    @overload
    def SecretBackend(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      binddn: Optional[str] = None,
                      bindpass: Optional[str] = None,
                      insecure_tls: Optional[bool] = None,
                      connection_timeout: Optional[int] = None,
                      audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
                      local: Optional[bool] = None,
                      certificate: Optional[str] = None,
                      client_tls_cert: Optional[str] = None,
                      client_tls_key: Optional[str] = None,
                      max_lease_ttl_seconds: Optional[int] = None,
                      default_lease_ttl_seconds: Optional[int] = None,
                      delegated_auth_accessors: Optional[Sequence[str]] = None,
                      description: Optional[str] = None,
                      disable_remount: Optional[bool] = None,
                      external_entropy_access: Optional[bool] = None,
                      namespace: Optional[str] = None,
                      allowed_managed_keys: Optional[Sequence[str]] = None,
                      listing_visibility: Optional[str] = None,
                      allowed_response_headers: Optional[Sequence[str]] = None,
                      audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
                      identity_token_key: Optional[str] = None,
                      options: Optional[Mapping[str, str]] = None,
                      passthrough_request_headers: Optional[Sequence[str]] = None,
                      password_policy: Optional[str] = None,
                      path: Optional[str] = None,
                      plugin_version: Optional[str] = None,
                      request_timeout: Optional[int] = None,
                      schema: Optional[str] = None,
                      seal_wrap: Optional[bool] = None,
                      skip_static_role_import_rotation: Optional[bool] = None,
                      starttls: Optional[bool] = None,
                      upndomain: Optional[str] = None,
                      url: Optional[str] = None,
                      userattr: Optional[str] = None,
                      userdn: Optional[str] = None)
    func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
    public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
    public SecretBackend(String name, SecretBackendArgs args)
    public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)
    
    type: vault:ldap:SecretBackend
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var examplesecretBackendResourceResourceFromLdapsecretBackend = new Vault.Ldap.SecretBackend("examplesecretBackendResourceResourceFromLdapsecretBackend", new()
    {
        Binddn = "string",
        Bindpass = "string",
        InsecureTls = false,
        ConnectionTimeout = 0,
        AuditNonHmacRequestKeys = new[]
        {
            "string",
        },
        Local = false,
        Certificate = "string",
        ClientTlsCert = "string",
        ClientTlsKey = "string",
        MaxLeaseTtlSeconds = 0,
        DefaultLeaseTtlSeconds = 0,
        DelegatedAuthAccessors = new[]
        {
            "string",
        },
        Description = "string",
        DisableRemount = false,
        ExternalEntropyAccess = false,
        Namespace = "string",
        AllowedManagedKeys = new[]
        {
            "string",
        },
        ListingVisibility = "string",
        AllowedResponseHeaders = new[]
        {
            "string",
        },
        AuditNonHmacResponseKeys = new[]
        {
            "string",
        },
        IdentityTokenKey = "string",
        Options = 
        {
            { "string", "string" },
        },
        PassthroughRequestHeaders = new[]
        {
            "string",
        },
        PasswordPolicy = "string",
        Path = "string",
        PluginVersion = "string",
        RequestTimeout = 0,
        Schema = "string",
        SealWrap = false,
        SkipStaticRoleImportRotation = false,
        Starttls = false,
        Upndomain = "string",
        Url = "string",
        Userattr = "string",
        Userdn = "string",
    });
    
    example, err := ldap.NewSecretBackend(ctx, "examplesecretBackendResourceResourceFromLdapsecretBackend", &ldap.SecretBackendArgs{
    	Binddn:            pulumi.String("string"),
    	Bindpass:          pulumi.String("string"),
    	InsecureTls:       pulumi.Bool(false),
    	ConnectionTimeout: pulumi.Int(0),
    	AuditNonHmacRequestKeys: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Local:                  pulumi.Bool(false),
    	Certificate:            pulumi.String("string"),
    	ClientTlsCert:          pulumi.String("string"),
    	ClientTlsKey:           pulumi.String("string"),
    	MaxLeaseTtlSeconds:     pulumi.Int(0),
    	DefaultLeaseTtlSeconds: pulumi.Int(0),
    	DelegatedAuthAccessors: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Description:           pulumi.String("string"),
    	DisableRemount:        pulumi.Bool(false),
    	ExternalEntropyAccess: pulumi.Bool(false),
    	Namespace:             pulumi.String("string"),
    	AllowedManagedKeys: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	ListingVisibility: pulumi.String("string"),
    	AllowedResponseHeaders: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AuditNonHmacResponseKeys: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	IdentityTokenKey: pulumi.String("string"),
    	Options: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	PassthroughRequestHeaders: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	PasswordPolicy:               pulumi.String("string"),
    	Path:                         pulumi.String("string"),
    	PluginVersion:                pulumi.String("string"),
    	RequestTimeout:               pulumi.Int(0),
    	Schema:                       pulumi.String("string"),
    	SealWrap:                     pulumi.Bool(false),
    	SkipStaticRoleImportRotation: pulumi.Bool(false),
    	Starttls:                     pulumi.Bool(false),
    	Upndomain:                    pulumi.String("string"),
    	Url:                          pulumi.String("string"),
    	Userattr:                     pulumi.String("string"),
    	Userdn:                       pulumi.String("string"),
    })
    
    var examplesecretBackendResourceResourceFromLdapsecretBackend = new SecretBackend("examplesecretBackendResourceResourceFromLdapsecretBackend", SecretBackendArgs.builder()
        .binddn("string")
        .bindpass("string")
        .insecureTls(false)
        .connectionTimeout(0)
        .auditNonHmacRequestKeys("string")
        .local(false)
        .certificate("string")
        .clientTlsCert("string")
        .clientTlsKey("string")
        .maxLeaseTtlSeconds(0)
        .defaultLeaseTtlSeconds(0)
        .delegatedAuthAccessors("string")
        .description("string")
        .disableRemount(false)
        .externalEntropyAccess(false)
        .namespace("string")
        .allowedManagedKeys("string")
        .listingVisibility("string")
        .allowedResponseHeaders("string")
        .auditNonHmacResponseKeys("string")
        .identityTokenKey("string")
        .options(Map.of("string", "string"))
        .passthroughRequestHeaders("string")
        .passwordPolicy("string")
        .path("string")
        .pluginVersion("string")
        .requestTimeout(0)
        .schema("string")
        .sealWrap(false)
        .skipStaticRoleImportRotation(false)
        .starttls(false)
        .upndomain("string")
        .url("string")
        .userattr("string")
        .userdn("string")
        .build());
    
    examplesecret_backend_resource_resource_from_ldapsecret_backend = vault.ldap.SecretBackend("examplesecretBackendResourceResourceFromLdapsecretBackend",
        binddn="string",
        bindpass="string",
        insecure_tls=False,
        connection_timeout=0,
        audit_non_hmac_request_keys=["string"],
        local=False,
        certificate="string",
        client_tls_cert="string",
        client_tls_key="string",
        max_lease_ttl_seconds=0,
        default_lease_ttl_seconds=0,
        delegated_auth_accessors=["string"],
        description="string",
        disable_remount=False,
        external_entropy_access=False,
        namespace="string",
        allowed_managed_keys=["string"],
        listing_visibility="string",
        allowed_response_headers=["string"],
        audit_non_hmac_response_keys=["string"],
        identity_token_key="string",
        options={
            "string": "string",
        },
        passthrough_request_headers=["string"],
        password_policy="string",
        path="string",
        plugin_version="string",
        request_timeout=0,
        schema="string",
        seal_wrap=False,
        skip_static_role_import_rotation=False,
        starttls=False,
        upndomain="string",
        url="string",
        userattr="string",
        userdn="string")
    
    const examplesecretBackendResourceResourceFromLdapsecretBackend = new vault.ldap.SecretBackend("examplesecretBackendResourceResourceFromLdapsecretBackend", {
        binddn: "string",
        bindpass: "string",
        insecureTls: false,
        connectionTimeout: 0,
        auditNonHmacRequestKeys: ["string"],
        local: false,
        certificate: "string",
        clientTlsCert: "string",
        clientTlsKey: "string",
        maxLeaseTtlSeconds: 0,
        defaultLeaseTtlSeconds: 0,
        delegatedAuthAccessors: ["string"],
        description: "string",
        disableRemount: false,
        externalEntropyAccess: false,
        namespace: "string",
        allowedManagedKeys: ["string"],
        listingVisibility: "string",
        allowedResponseHeaders: ["string"],
        auditNonHmacResponseKeys: ["string"],
        identityTokenKey: "string",
        options: {
            string: "string",
        },
        passthroughRequestHeaders: ["string"],
        passwordPolicy: "string",
        path: "string",
        pluginVersion: "string",
        requestTimeout: 0,
        schema: "string",
        sealWrap: false,
        skipStaticRoleImportRotation: false,
        starttls: false,
        upndomain: "string",
        url: "string",
        userattr: "string",
        userdn: "string",
    });
    
    type: vault:ldap:SecretBackend
    properties:
        allowedManagedKeys:
            - string
        allowedResponseHeaders:
            - string
        auditNonHmacRequestKeys:
            - string
        auditNonHmacResponseKeys:
            - string
        binddn: string
        bindpass: string
        certificate: string
        clientTlsCert: string
        clientTlsKey: string
        connectionTimeout: 0
        defaultLeaseTtlSeconds: 0
        delegatedAuthAccessors:
            - string
        description: string
        disableRemount: false
        externalEntropyAccess: false
        identityTokenKey: string
        insecureTls: false
        listingVisibility: string
        local: false
        maxLeaseTtlSeconds: 0
        namespace: string
        options:
            string: string
        passthroughRequestHeaders:
            - string
        passwordPolicy: string
        path: string
        pluginVersion: string
        requestTimeout: 0
        schema: string
        sealWrap: false
        skipStaticRoleImportRotation: false
        starttls: false
        upndomain: string
        url: string
        userattr: string
        userdn: string
    

    SecretBackend Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The SecretBackend resource accepts the following input properties:

    Binddn string
    Distinguished name of object to bind when performing user and group search.
    Bindpass string
    Password to use along with binddn when performing user search.
    AllowedManagedKeys List<string>
    List of managed key registry entry names that the mount in question is allowed to access
    AllowedResponseHeaders List<string>
    List of headers to allow and pass from the request to the plugin
    AuditNonHmacRequestKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    Certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    ClientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    ClientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    ConnectionTimeout int
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    DefaultLeaseTtlSeconds int
    Default lease duration for secrets in seconds.
    DelegatedAuthAccessors List<string>
    List of headers to allow and pass from the request to the plugin
    Description string
    Human-friendly description of the mount for the Active Directory backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates.
    ExternalEntropyAccess bool
    Enable the secrets engine to access Vault's external entropy source
    IdentityTokenKey string
    The key to use for signing plugin workload identity tokens
    InsecureTls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    Local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for secrets in seconds.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options Dictionary<string, string>
    Specifies mount type specific options that are passed to the backend
    PassthroughRequestHeaders List<string>
    List of headers to allow and pass from the request to the plugin
    PasswordPolicy string
    Name of the password policy to use to generate passwords.
    Path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    PluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    RequestTimeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    Schema string
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    SealWrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    SkipStaticRoleImportRotation bool
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    Starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    Upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    Url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    Userattr string
    Attribute used when searching users. Defaults to cn.
    Userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    Binddn string
    Distinguished name of object to bind when performing user and group search.
    Bindpass string
    Password to use along with binddn when performing user search.
    AllowedManagedKeys []string
    List of managed key registry entry names that the mount in question is allowed to access
    AllowedResponseHeaders []string
    List of headers to allow and pass from the request to the plugin
    AuditNonHmacRequestKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    Certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    ClientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    ClientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    ConnectionTimeout int
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    DefaultLeaseTtlSeconds int
    Default lease duration for secrets in seconds.
    DelegatedAuthAccessors []string
    List of headers to allow and pass from the request to the plugin
    Description string
    Human-friendly description of the mount for the Active Directory backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates.
    ExternalEntropyAccess bool
    Enable the secrets engine to access Vault's external entropy source
    IdentityTokenKey string
    The key to use for signing plugin workload identity tokens
    InsecureTls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    Local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for secrets in seconds.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options map[string]string
    Specifies mount type specific options that are passed to the backend
    PassthroughRequestHeaders []string
    List of headers to allow and pass from the request to the plugin
    PasswordPolicy string
    Name of the password policy to use to generate passwords.
    Path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    PluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    RequestTimeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    Schema string
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    SealWrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    SkipStaticRoleImportRotation bool
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    Starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    Upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    Url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    Userattr string
    Attribute used when searching users. Defaults to cn.
    Userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    binddn String
    Distinguished name of object to bind when performing user and group search.
    bindpass String
    Password to use along with binddn when performing user search.
    allowedManagedKeys List<String>
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    certificate String
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert String
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey String
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    connectionTimeout Integer
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    defaultLeaseTtlSeconds Integer
    Default lease duration for secrets in seconds.
    delegatedAuthAccessors List<String>
    List of headers to allow and pass from the request to the plugin
    description String
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates.
    externalEntropyAccess Boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey String
    The key to use for signing plugin workload identity tokens
    insecureTls Boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint
    local Boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds Integer
    Maximum possible lease duration for secrets in seconds.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String,String>
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    passwordPolicy String
    Name of the password policy to use to generate passwords.
    path String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    pluginVersion String
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    requestTimeout Integer
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    schema String
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    sealWrap Boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    skipStaticRoleImportRotation Boolean
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    starttls Boolean
    Issue a StartTLS command after establishing unencrypted connection.
    upndomain String
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url String
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    userattr String
    Attribute used when searching users. Defaults to cn.
    userdn String
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    binddn string
    Distinguished name of object to bind when performing user and group search.
    bindpass string
    Password to use along with binddn when performing user search.
    allowedManagedKeys string[]
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders string[]
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    connectionTimeout number
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    defaultLeaseTtlSeconds number
    Default lease duration for secrets in seconds.
    delegatedAuthAccessors string[]
    List of headers to allow and pass from the request to the plugin
    description string
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount boolean
    If set, opts out of mount migration on path updates.
    externalEntropyAccess boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey string
    The key to use for signing plugin workload identity tokens
    insecureTls boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    listingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    local boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds number
    Maximum possible lease duration for secrets in seconds.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options {[key: string]: string}
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders string[]
    List of headers to allow and pass from the request to the plugin
    passwordPolicy string
    Name of the password policy to use to generate passwords.
    path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    pluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    requestTimeout number
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    schema string
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    sealWrap boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    skipStaticRoleImportRotation boolean
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    starttls boolean
    Issue a StartTLS command after establishing unencrypted connection.
    upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    userattr string
    Attribute used when searching users. Defaults to cn.
    userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    binddn str
    Distinguished name of object to bind when performing user and group search.
    bindpass str
    Password to use along with binddn when performing user search.
    allowed_managed_keys Sequence[str]
    List of managed key registry entry names that the mount in question is allowed to access
    allowed_response_headers Sequence[str]
    List of headers to allow and pass from the request to the plugin
    audit_non_hmac_request_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    audit_non_hmac_response_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    certificate str
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    client_tls_cert str
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    client_tls_key str
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    connection_timeout int
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    default_lease_ttl_seconds int
    Default lease duration for secrets in seconds.
    delegated_auth_accessors Sequence[str]
    List of headers to allow and pass from the request to the plugin
    description str
    Human-friendly description of the mount for the Active Directory backend.
    disable_remount bool
    If set, opts out of mount migration on path updates.
    external_entropy_access bool
    Enable the secrets engine to access Vault's external entropy source
    identity_token_key str
    The key to use for signing plugin workload identity tokens
    insecure_tls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    listing_visibility str
    Specifies whether to show this mount in the UI-specific listing endpoint
    local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    max_lease_ttl_seconds int
    Maximum possible lease duration for secrets in seconds.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Mapping[str, str]
    Specifies mount type specific options that are passed to the backend
    passthrough_request_headers Sequence[str]
    List of headers to allow and pass from the request to the plugin
    password_policy str
    Name of the password policy to use to generate passwords.
    path str
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    plugin_version str
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    request_timeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    schema str
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    seal_wrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    skip_static_role_import_rotation bool
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    upndomain str
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url str
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    userattr str
    Attribute used when searching users. Defaults to cn.
    userdn str
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    binddn String
    Distinguished name of object to bind when performing user and group search.
    bindpass String
    Password to use along with binddn when performing user search.
    allowedManagedKeys List<String>
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    certificate String
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert String
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey String
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    connectionTimeout Number
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    defaultLeaseTtlSeconds Number
    Default lease duration for secrets in seconds.
    delegatedAuthAccessors List<String>
    List of headers to allow and pass from the request to the plugin
    description String
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates.
    externalEntropyAccess Boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey String
    The key to use for signing plugin workload identity tokens
    insecureTls Boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint
    local Boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds Number
    Maximum possible lease duration for secrets in seconds.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String>
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    passwordPolicy String
    Name of the password policy to use to generate passwords.
    path String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    pluginVersion String
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    requestTimeout Number
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    schema String
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    sealWrap Boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    skipStaticRoleImportRotation Boolean
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    starttls Boolean
    Issue a StartTLS command after establishing unencrypted connection.
    upndomain String
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url String
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    userattr String
    Attribute used when searching users. Defaults to cn.
    userdn String
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:

    Accessor string
    Accessor of the mount
    Id string
    The provider-assigned unique ID for this managed resource.
    Accessor string
    Accessor of the mount
    Id string
    The provider-assigned unique ID for this managed resource.
    accessor String
    Accessor of the mount
    id String
    The provider-assigned unique ID for this managed resource.
    accessor string
    Accessor of the mount
    id string
    The provider-assigned unique ID for this managed resource.
    accessor str
    Accessor of the mount
    id str
    The provider-assigned unique ID for this managed resource.
    accessor String
    Accessor of the mount
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SecretBackend Resource

    Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            accessor: Optional[str] = None,
            allowed_managed_keys: Optional[Sequence[str]] = None,
            allowed_response_headers: Optional[Sequence[str]] = None,
            audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
            audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
            binddn: Optional[str] = None,
            bindpass: Optional[str] = None,
            certificate: Optional[str] = None,
            client_tls_cert: Optional[str] = None,
            client_tls_key: Optional[str] = None,
            connection_timeout: Optional[int] = None,
            default_lease_ttl_seconds: Optional[int] = None,
            delegated_auth_accessors: Optional[Sequence[str]] = None,
            description: Optional[str] = None,
            disable_remount: Optional[bool] = None,
            external_entropy_access: Optional[bool] = None,
            identity_token_key: Optional[str] = None,
            insecure_tls: Optional[bool] = None,
            listing_visibility: Optional[str] = None,
            local: Optional[bool] = None,
            max_lease_ttl_seconds: Optional[int] = None,
            namespace: Optional[str] = None,
            options: Optional[Mapping[str, str]] = None,
            passthrough_request_headers: Optional[Sequence[str]] = None,
            password_policy: Optional[str] = None,
            path: Optional[str] = None,
            plugin_version: Optional[str] = None,
            request_timeout: Optional[int] = None,
            schema: Optional[str] = None,
            seal_wrap: Optional[bool] = None,
            skip_static_role_import_rotation: Optional[bool] = None,
            starttls: Optional[bool] = None,
            upndomain: Optional[str] = None,
            url: Optional[str] = None,
            userattr: Optional[str] = None,
            userdn: Optional[str] = None) -> SecretBackend
    func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
    public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
    public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Accessor string
    Accessor of the mount
    AllowedManagedKeys List<string>
    List of managed key registry entry names that the mount in question is allowed to access
    AllowedResponseHeaders List<string>
    List of headers to allow and pass from the request to the plugin
    AuditNonHmacRequestKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    Binddn string
    Distinguished name of object to bind when performing user and group search.
    Bindpass string
    Password to use along with binddn when performing user search.
    Certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    ClientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    ClientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    ConnectionTimeout int
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    DefaultLeaseTtlSeconds int
    Default lease duration for secrets in seconds.
    DelegatedAuthAccessors List<string>
    List of headers to allow and pass from the request to the plugin
    Description string
    Human-friendly description of the mount for the Active Directory backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates.
    ExternalEntropyAccess bool
    Enable the secrets engine to access Vault's external entropy source
    IdentityTokenKey string
    The key to use for signing plugin workload identity tokens
    InsecureTls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    Local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for secrets in seconds.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options Dictionary<string, string>
    Specifies mount type specific options that are passed to the backend
    PassthroughRequestHeaders List<string>
    List of headers to allow and pass from the request to the plugin
    PasswordPolicy string
    Name of the password policy to use to generate passwords.
    Path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    PluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    RequestTimeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    Schema string
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    SealWrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    SkipStaticRoleImportRotation bool
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    Starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    Upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    Url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    Userattr string
    Attribute used when searching users. Defaults to cn.
    Userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    Accessor string
    Accessor of the mount
    AllowedManagedKeys []string
    List of managed key registry entry names that the mount in question is allowed to access
    AllowedResponseHeaders []string
    List of headers to allow and pass from the request to the plugin
    AuditNonHmacRequestKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    Binddn string
    Distinguished name of object to bind when performing user and group search.
    Bindpass string
    Password to use along with binddn when performing user search.
    Certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    ClientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    ClientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    ConnectionTimeout int
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    DefaultLeaseTtlSeconds int
    Default lease duration for secrets in seconds.
    DelegatedAuthAccessors []string
    List of headers to allow and pass from the request to the plugin
    Description string
    Human-friendly description of the mount for the Active Directory backend.
    DisableRemount bool
    If set, opts out of mount migration on path updates.
    ExternalEntropyAccess bool
    Enable the secrets engine to access Vault's external entropy source
    IdentityTokenKey string
    The key to use for signing plugin workload identity tokens
    InsecureTls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    Local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    MaxLeaseTtlSeconds int
    Maximum possible lease duration for secrets in seconds.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Options map[string]string
    Specifies mount type specific options that are passed to the backend
    PassthroughRequestHeaders []string
    List of headers to allow and pass from the request to the plugin
    PasswordPolicy string
    Name of the password policy to use to generate passwords.
    Path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    PluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    RequestTimeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    Schema string
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    SealWrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    SkipStaticRoleImportRotation bool
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    Starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    Upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    Url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    Userattr string
    Attribute used when searching users. Defaults to cn.
    Userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    accessor String
    Accessor of the mount
    allowedManagedKeys List<String>
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    binddn String
    Distinguished name of object to bind when performing user and group search.
    bindpass String
    Password to use along with binddn when performing user search.
    certificate String
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert String
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey String
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    connectionTimeout Integer
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    defaultLeaseTtlSeconds Integer
    Default lease duration for secrets in seconds.
    delegatedAuthAccessors List<String>
    List of headers to allow and pass from the request to the plugin
    description String
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates.
    externalEntropyAccess Boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey String
    The key to use for signing plugin workload identity tokens
    insecureTls Boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint
    local Boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds Integer
    Maximum possible lease duration for secrets in seconds.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String,String>
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    passwordPolicy String
    Name of the password policy to use to generate passwords.
    path String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    pluginVersion String
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    requestTimeout Integer
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    schema String
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    sealWrap Boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    skipStaticRoleImportRotation Boolean
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    starttls Boolean
    Issue a StartTLS command after establishing unencrypted connection.
    upndomain String
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url String
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    userattr String
    Attribute used when searching users. Defaults to cn.
    userdn String
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    accessor string
    Accessor of the mount
    allowedManagedKeys string[]
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders string[]
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    binddn string
    Distinguished name of object to bind when performing user and group search.
    bindpass string
    Password to use along with binddn when performing user search.
    certificate string
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert string
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey string
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    connectionTimeout number
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    defaultLeaseTtlSeconds number
    Default lease duration for secrets in seconds.
    delegatedAuthAccessors string[]
    List of headers to allow and pass from the request to the plugin
    description string
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount boolean
    If set, opts out of mount migration on path updates.
    externalEntropyAccess boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey string
    The key to use for signing plugin workload identity tokens
    insecureTls boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    listingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint
    local boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds number
    Maximum possible lease duration for secrets in seconds.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options {[key: string]: string}
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders string[]
    List of headers to allow and pass from the request to the plugin
    passwordPolicy string
    Name of the password policy to use to generate passwords.
    path string
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    pluginVersion string
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    requestTimeout number
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    schema string
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    sealWrap boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    skipStaticRoleImportRotation boolean
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    starttls boolean
    Issue a StartTLS command after establishing unencrypted connection.
    upndomain string
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url string
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    userattr string
    Attribute used when searching users. Defaults to cn.
    userdn string
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    accessor str
    Accessor of the mount
    allowed_managed_keys Sequence[str]
    List of managed key registry entry names that the mount in question is allowed to access
    allowed_response_headers Sequence[str]
    List of headers to allow and pass from the request to the plugin
    audit_non_hmac_request_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    audit_non_hmac_response_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    binddn str
    Distinguished name of object to bind when performing user and group search.
    bindpass str
    Password to use along with binddn when performing user search.
    certificate str
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    client_tls_cert str
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    client_tls_key str
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    connection_timeout int
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    default_lease_ttl_seconds int
    Default lease duration for secrets in seconds.
    delegated_auth_accessors Sequence[str]
    List of headers to allow and pass from the request to the plugin
    description str
    Human-friendly description of the mount for the Active Directory backend.
    disable_remount bool
    If set, opts out of mount migration on path updates.
    external_entropy_access bool
    Enable the secrets engine to access Vault's external entropy source
    identity_token_key str
    The key to use for signing plugin workload identity tokens
    insecure_tls bool
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    listing_visibility str
    Specifies whether to show this mount in the UI-specific listing endpoint
    local bool
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    max_lease_ttl_seconds int
    Maximum possible lease duration for secrets in seconds.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Mapping[str, str]
    Specifies mount type specific options that are passed to the backend
    passthrough_request_headers Sequence[str]
    List of headers to allow and pass from the request to the plugin
    password_policy str
    Name of the password policy to use to generate passwords.
    path str
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    plugin_version str
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    request_timeout int
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    schema str
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    seal_wrap bool
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    skip_static_role_import_rotation bool
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    starttls bool
    Issue a StartTLS command after establishing unencrypted connection.
    upndomain str
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url str
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    userattr str
    Attribute used when searching users. Defaults to cn.
    userdn str
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
    accessor String
    Accessor of the mount
    allowedManagedKeys List<String>
    List of managed key registry entry names that the mount in question is allowed to access
    allowedResponseHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    binddn String
    Distinguished name of object to bind when performing user and group search.
    bindpass String
    Password to use along with binddn when performing user search.
    certificate String
    CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
    clientTlsCert String
    Client certificate to provide to the LDAP server, must be x509 PEM encoded.
    clientTlsKey String
    Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
    connectionTimeout Number
    Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
    defaultLeaseTtlSeconds Number
    Default lease duration for secrets in seconds.
    delegatedAuthAccessors List<String>
    List of headers to allow and pass from the request to the plugin
    description String
    Human-friendly description of the mount for the Active Directory backend.
    disableRemount Boolean
    If set, opts out of mount migration on path updates.
    externalEntropyAccess Boolean
    Enable the secrets engine to access Vault's external entropy source
    identityTokenKey String
    The key to use for signing plugin workload identity tokens
    insecureTls Boolean
    Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint
    local Boolean
    Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
    maxLeaseTtlSeconds Number
    Maximum possible lease duration for secrets in seconds.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    options Map<String>
    Specifies mount type specific options that are passed to the backend
    passthroughRequestHeaders List<String>
    List of headers to allow and pass from the request to the plugin
    passwordPolicy String
    Name of the password policy to use to generate passwords.
    path String
    The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
    pluginVersion String
    Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
    requestTimeout Number
    Timeout, in seconds, for the connection when making requests against the server before returning back an error.
    schema String
    The LDAP schema to use when storing entry passwords. Valid schemas include openldap, ad, and racf. Default is openldap.
    sealWrap Boolean
    Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
    skipStaticRoleImportRotation Boolean
    If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
    starttls Boolean
    Issue a StartTLS command after establishing unencrypted connection.
    upndomain String
    Enables userPrincipalDomain login with [username]@UPNDomain.
    url String
    LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
    userattr String
    Attribute used when searching users. Defaults to cn.
    userdn String
    LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

    Import

    LDAP secret backend can be imported using the ${mount}/config, e.g.

    $ pulumi import vault:ldap/secretBackend:SecretBackend config ldap/config
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi