vault.ldap.SecretBackend
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const config = new vault.ldap.SecretBackend("config", {
path: "my-custom-ldap",
binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
bindpass: "SuperSecretPassw0rd",
url: "ldaps://localhost",
insecureTls: true,
userdn: "CN=Users,DC=corp,DC=example,DC=net",
});
import pulumi
import pulumi_vault as vault
config = vault.ldap.SecretBackend("config",
path="my-custom-ldap",
binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
bindpass="SuperSecretPassw0rd",
url="ldaps://localhost",
insecure_tls=True,
userdn="CN=Users,DC=corp,DC=example,DC=net")
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/ldap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ldap.NewSecretBackend(ctx, "config", &ldap.SecretBackendArgs{
Path: pulumi.String("my-custom-ldap"),
Binddn: pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
Bindpass: pulumi.String("SuperSecretPassw0rd"),
Url: pulumi.String("ldaps://localhost"),
InsecureTls: pulumi.Bool(true),
Userdn: pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var config = new Vault.Ldap.SecretBackend("config", new()
{
Path = "my-custom-ldap",
Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
Bindpass = "SuperSecretPassw0rd",
Url = "ldaps://localhost",
InsecureTls = true,
Userdn = "CN=Users,DC=corp,DC=example,DC=net",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.ldap.SecretBackend;
import com.pulumi.vault.ldap.SecretBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var config = new SecretBackend("config", SecretBackendArgs.builder()
.path("my-custom-ldap")
.binddn("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net")
.bindpass("SuperSecretPassw0rd")
.url("ldaps://localhost")
.insecureTls("true")
.userdn("CN=Users,DC=corp,DC=example,DC=net")
.build());
}
}
resources:
config:
type: vault:ldap:SecretBackend
properties:
path: my-custom-ldap
binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
bindpass: SuperSecretPassw0rd
url: ldaps://localhost
insecureTls: 'true'
userdn: CN=Users,DC=corp,DC=example,DC=net
Create SecretBackend Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);
@overload
def SecretBackend(resource_name: str,
args: SecretBackendArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SecretBackend(resource_name: str,
opts: Optional[ResourceOptions] = None,
binddn: Optional[str] = None,
bindpass: Optional[str] = None,
insecure_tls: Optional[bool] = None,
connection_timeout: Optional[int] = None,
audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
local: Optional[bool] = None,
certificate: Optional[str] = None,
client_tls_cert: Optional[str] = None,
client_tls_key: Optional[str] = None,
max_lease_ttl_seconds: Optional[int] = None,
default_lease_ttl_seconds: Optional[int] = None,
delegated_auth_accessors: Optional[Sequence[str]] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
external_entropy_access: Optional[bool] = None,
namespace: Optional[str] = None,
allowed_managed_keys: Optional[Sequence[str]] = None,
listing_visibility: Optional[str] = None,
allowed_response_headers: Optional[Sequence[str]] = None,
audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
identity_token_key: Optional[str] = None,
options: Optional[Mapping[str, str]] = None,
passthrough_request_headers: Optional[Sequence[str]] = None,
password_policy: Optional[str] = None,
path: Optional[str] = None,
plugin_version: Optional[str] = None,
request_timeout: Optional[int] = None,
schema: Optional[str] = None,
seal_wrap: Optional[bool] = None,
skip_static_role_import_rotation: Optional[bool] = None,
starttls: Optional[bool] = None,
upndomain: Optional[str] = None,
url: Optional[str] = None,
userattr: Optional[str] = None,
userdn: Optional[str] = None)
func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
public SecretBackend(String name, SecretBackendArgs args)
public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)
type: vault:ldap:SecretBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var examplesecretBackendResourceResourceFromLdapsecretBackend = new Vault.Ldap.SecretBackend("examplesecretBackendResourceResourceFromLdapsecretBackend", new()
{
Binddn = "string",
Bindpass = "string",
InsecureTls = false,
ConnectionTimeout = 0,
AuditNonHmacRequestKeys = new[]
{
"string",
},
Local = false,
Certificate = "string",
ClientTlsCert = "string",
ClientTlsKey = "string",
MaxLeaseTtlSeconds = 0,
DefaultLeaseTtlSeconds = 0,
DelegatedAuthAccessors = new[]
{
"string",
},
Description = "string",
DisableRemount = false,
ExternalEntropyAccess = false,
Namespace = "string",
AllowedManagedKeys = new[]
{
"string",
},
ListingVisibility = "string",
AllowedResponseHeaders = new[]
{
"string",
},
AuditNonHmacResponseKeys = new[]
{
"string",
},
IdentityTokenKey = "string",
Options =
{
{ "string", "string" },
},
PassthroughRequestHeaders = new[]
{
"string",
},
PasswordPolicy = "string",
Path = "string",
PluginVersion = "string",
RequestTimeout = 0,
Schema = "string",
SealWrap = false,
SkipStaticRoleImportRotation = false,
Starttls = false,
Upndomain = "string",
Url = "string",
Userattr = "string",
Userdn = "string",
});
example, err := ldap.NewSecretBackend(ctx, "examplesecretBackendResourceResourceFromLdapsecretBackend", &ldap.SecretBackendArgs{
Binddn: pulumi.String("string"),
Bindpass: pulumi.String("string"),
InsecureTls: pulumi.Bool(false),
ConnectionTimeout: pulumi.Int(0),
AuditNonHmacRequestKeys: pulumi.StringArray{
pulumi.String("string"),
},
Local: pulumi.Bool(false),
Certificate: pulumi.String("string"),
ClientTlsCert: pulumi.String("string"),
ClientTlsKey: pulumi.String("string"),
MaxLeaseTtlSeconds: pulumi.Int(0),
DefaultLeaseTtlSeconds: pulumi.Int(0),
DelegatedAuthAccessors: pulumi.StringArray{
pulumi.String("string"),
},
Description: pulumi.String("string"),
DisableRemount: pulumi.Bool(false),
ExternalEntropyAccess: pulumi.Bool(false),
Namespace: pulumi.String("string"),
AllowedManagedKeys: pulumi.StringArray{
pulumi.String("string"),
},
ListingVisibility: pulumi.String("string"),
AllowedResponseHeaders: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacResponseKeys: pulumi.StringArray{
pulumi.String("string"),
},
IdentityTokenKey: pulumi.String("string"),
Options: pulumi.StringMap{
"string": pulumi.String("string"),
},
PassthroughRequestHeaders: pulumi.StringArray{
pulumi.String("string"),
},
PasswordPolicy: pulumi.String("string"),
Path: pulumi.String("string"),
PluginVersion: pulumi.String("string"),
RequestTimeout: pulumi.Int(0),
Schema: pulumi.String("string"),
SealWrap: pulumi.Bool(false),
SkipStaticRoleImportRotation: pulumi.Bool(false),
Starttls: pulumi.Bool(false),
Upndomain: pulumi.String("string"),
Url: pulumi.String("string"),
Userattr: pulumi.String("string"),
Userdn: pulumi.String("string"),
})
var examplesecretBackendResourceResourceFromLdapsecretBackend = new SecretBackend("examplesecretBackendResourceResourceFromLdapsecretBackend", SecretBackendArgs.builder()
.binddn("string")
.bindpass("string")
.insecureTls(false)
.connectionTimeout(0)
.auditNonHmacRequestKeys("string")
.local(false)
.certificate("string")
.clientTlsCert("string")
.clientTlsKey("string")
.maxLeaseTtlSeconds(0)
.defaultLeaseTtlSeconds(0)
.delegatedAuthAccessors("string")
.description("string")
.disableRemount(false)
.externalEntropyAccess(false)
.namespace("string")
.allowedManagedKeys("string")
.listingVisibility("string")
.allowedResponseHeaders("string")
.auditNonHmacResponseKeys("string")
.identityTokenKey("string")
.options(Map.of("string", "string"))
.passthroughRequestHeaders("string")
.passwordPolicy("string")
.path("string")
.pluginVersion("string")
.requestTimeout(0)
.schema("string")
.sealWrap(false)
.skipStaticRoleImportRotation(false)
.starttls(false)
.upndomain("string")
.url("string")
.userattr("string")
.userdn("string")
.build());
examplesecret_backend_resource_resource_from_ldapsecret_backend = vault.ldap.SecretBackend("examplesecretBackendResourceResourceFromLdapsecretBackend",
binddn="string",
bindpass="string",
insecure_tls=False,
connection_timeout=0,
audit_non_hmac_request_keys=["string"],
local=False,
certificate="string",
client_tls_cert="string",
client_tls_key="string",
max_lease_ttl_seconds=0,
default_lease_ttl_seconds=0,
delegated_auth_accessors=["string"],
description="string",
disable_remount=False,
external_entropy_access=False,
namespace="string",
allowed_managed_keys=["string"],
listing_visibility="string",
allowed_response_headers=["string"],
audit_non_hmac_response_keys=["string"],
identity_token_key="string",
options={
"string": "string",
},
passthrough_request_headers=["string"],
password_policy="string",
path="string",
plugin_version="string",
request_timeout=0,
schema="string",
seal_wrap=False,
skip_static_role_import_rotation=False,
starttls=False,
upndomain="string",
url="string",
userattr="string",
userdn="string")
const examplesecretBackendResourceResourceFromLdapsecretBackend = new vault.ldap.SecretBackend("examplesecretBackendResourceResourceFromLdapsecretBackend", {
binddn: "string",
bindpass: "string",
insecureTls: false,
connectionTimeout: 0,
auditNonHmacRequestKeys: ["string"],
local: false,
certificate: "string",
clientTlsCert: "string",
clientTlsKey: "string",
maxLeaseTtlSeconds: 0,
defaultLeaseTtlSeconds: 0,
delegatedAuthAccessors: ["string"],
description: "string",
disableRemount: false,
externalEntropyAccess: false,
namespace: "string",
allowedManagedKeys: ["string"],
listingVisibility: "string",
allowedResponseHeaders: ["string"],
auditNonHmacResponseKeys: ["string"],
identityTokenKey: "string",
options: {
string: "string",
},
passthroughRequestHeaders: ["string"],
passwordPolicy: "string",
path: "string",
pluginVersion: "string",
requestTimeout: 0,
schema: "string",
sealWrap: false,
skipStaticRoleImportRotation: false,
starttls: false,
upndomain: "string",
url: "string",
userattr: "string",
userdn: "string",
});
type: vault:ldap:SecretBackend
properties:
allowedManagedKeys:
- string
allowedResponseHeaders:
- string
auditNonHmacRequestKeys:
- string
auditNonHmacResponseKeys:
- string
binddn: string
bindpass: string
certificate: string
clientTlsCert: string
clientTlsKey: string
connectionTimeout: 0
defaultLeaseTtlSeconds: 0
delegatedAuthAccessors:
- string
description: string
disableRemount: false
externalEntropyAccess: false
identityTokenKey: string
insecureTls: false
listingVisibility: string
local: false
maxLeaseTtlSeconds: 0
namespace: string
options:
string: string
passthroughRequestHeaders:
- string
passwordPolicy: string
path: string
pluginVersion: string
requestTimeout: 0
schema: string
sealWrap: false
skipStaticRoleImportRotation: false
starttls: false
upndomain: string
url: string
userattr: string
userdn: string
SecretBackend Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SecretBackend resource accepts the following input properties:
- Binddn string
- Distinguished name of object to bind when performing user and group search.
- Bindpass string
- Password to use along with binddn when performing user search.
- Allowed
Managed List<string>Keys - List of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response List<string>Headers - List of headers to allow and pass from the request to the plugin
- Audit
Non List<string>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non List<string>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Connection
Timeout int - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- Default
Lease intTtl Seconds - Default lease duration for secrets in seconds.
- Delegated
Auth List<string>Accessors - List of headers to allow and pass from the request to the plugin
- Description string
- Human-friendly description of the mount for the Active Directory backend.
- Disable
Remount bool - If set, opts out of mount migration on path updates.
- External
Entropy boolAccess - Enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens
- Insecure
Tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- Local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds - Maximum possible lease duration for secrets in seconds.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options Dictionary<string, string>
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request List<string>Headers - List of headers to allow and pass from the request to the plugin
- Password
Policy string - Name of the password policy to use to generate passwords.
- Path string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- Request
Timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Schema string
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - Seal
Wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Skip
Static boolRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- Starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- Upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - Userattr string
- Attribute used when searching users. Defaults to
cn
. - Userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- Binddn string
- Distinguished name of object to bind when performing user and group search.
- Bindpass string
- Password to use along with binddn when performing user search.
- Allowed
Managed []stringKeys - List of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response []stringHeaders - List of headers to allow and pass from the request to the plugin
- Audit
Non []stringHmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Connection
Timeout int - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- Default
Lease intTtl Seconds - Default lease duration for secrets in seconds.
- Delegated
Auth []stringAccessors - List of headers to allow and pass from the request to the plugin
- Description string
- Human-friendly description of the mount for the Active Directory backend.
- Disable
Remount bool - If set, opts out of mount migration on path updates.
- External
Entropy boolAccess - Enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens
- Insecure
Tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- Local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds - Maximum possible lease duration for secrets in seconds.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options map[string]string
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request []stringHeaders - List of headers to allow and pass from the request to the plugin
- Password
Policy string - Name of the password policy to use to generate passwords.
- Path string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- Request
Timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Schema string
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - Seal
Wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Skip
Static boolRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- Starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- Upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - Userattr string
- Attribute used when searching users. Defaults to
cn
. - Userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn String
- Distinguished name of object to bind when performing user and group search.
- bindpass String
- Password to use along with binddn when performing user search.
- allowed
Managed List<String>Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow and pass from the request to the plugin
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- certificate String
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- connection
Timeout Integer - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- default
Lease IntegerTtl Seconds - Default lease duration for secrets in seconds.
- delegated
Auth List<String>Accessors - List of headers to allow and pass from the request to the plugin
- description String
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount Boolean - If set, opts out of mount migration on path updates.
- external
Entropy BooleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens
- insecure
Tls Boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint
- local Boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease IntegerTtl Seconds - Maximum possible lease duration for secrets in seconds.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String,String>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin
- password
Policy String - Name of the password policy to use to generate passwords.
- path String
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - plugin
Version String - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- request
Timeout Integer - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- schema String
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - seal
Wrap Boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- skip
Static BooleanRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- starttls Boolean
- Issue a StartTLS command after establishing unencrypted connection.
- upndomain String
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - userattr String
- Attribute used when searching users. Defaults to
cn
. - userdn String
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn string
- Distinguished name of object to bind when performing user and group search.
- bindpass string
- Password to use along with binddn when performing user search.
- allowed
Managed string[]Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response string[]Headers - List of headers to allow and pass from the request to the plugin
- audit
Non string[]Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- connection
Timeout number - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- default
Lease numberTtl Seconds - Default lease duration for secrets in seconds.
- delegated
Auth string[]Accessors - List of headers to allow and pass from the request to the plugin
- description string
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount boolean - If set, opts out of mount migration on path updates.
- external
Entropy booleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token stringKey - The key to use for signing plugin workload identity tokens
- insecure
Tls boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- local boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease numberTtl Seconds - Maximum possible lease duration for secrets in seconds.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - options {[key: string]: string}
- Specifies mount type specific options that are passed to the backend
- passthrough
Request string[]Headers - List of headers to allow and pass from the request to the plugin
- password
Policy string - Name of the password policy to use to generate passwords.
- path string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- request
Timeout number - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- schema string
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - seal
Wrap boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- skip
Static booleanRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- starttls boolean
- Issue a StartTLS command after establishing unencrypted connection.
- upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - userattr string
- Attribute used when searching users. Defaults to
cn
. - userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn str
- Distinguished name of object to bind when performing user and group search.
- bindpass str
- Password to use along with binddn when performing user search.
- allowed_
managed_ Sequence[str]keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed_
response_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin
- audit_
non_ Sequence[str]hmac_ request_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- certificate str
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client_
tls_ strcert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client_
tls_ strkey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- connection_
timeout int - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- default_
lease_ intttl_ seconds - Default lease duration for secrets in seconds.
- delegated_
auth_ Sequence[str]accessors - List of headers to allow and pass from the request to the plugin
- description str
- Human-friendly description of the mount for the Active Directory backend.
- disable_
remount bool - If set, opts out of mount migration on path updates.
- external_
entropy_ boolaccess - Enable the secrets engine to access Vault's external entropy source
- identity_
token_ strkey - The key to use for signing plugin workload identity tokens
- insecure_
tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - listing_
visibility str - Specifies whether to show this mount in the UI-specific listing endpoint
- local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max_
lease_ intttl_ seconds - Maximum possible lease duration for secrets in seconds.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Mapping[str, str]
- Specifies mount type specific options that are passed to the backend
- passthrough_
request_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin
- password_
policy str - Name of the password policy to use to generate passwords.
- path str
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - plugin_
version str - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- request_
timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- schema str
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - seal_
wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- skip_
static_ boolrole_ import_ rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- upndomain str
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url str
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - userattr str
- Attribute used when searching users. Defaults to
cn
. - userdn str
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- binddn String
- Distinguished name of object to bind when performing user and group search.
- bindpass String
- Password to use along with binddn when performing user search.
- allowed
Managed List<String>Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow and pass from the request to the plugin
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- certificate String
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- connection
Timeout Number - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- default
Lease NumberTtl Seconds - Default lease duration for secrets in seconds.
- delegated
Auth List<String>Accessors - List of headers to allow and pass from the request to the plugin
- description String
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount Boolean - If set, opts out of mount migration on path updates.
- external
Entropy BooleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens
- insecure
Tls Boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint
- local Boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease NumberTtl Seconds - Maximum possible lease duration for secrets in seconds.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin
- password
Policy String - Name of the password policy to use to generate passwords.
- path String
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - plugin
Version String - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- request
Timeout Number - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- schema String
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - seal
Wrap Boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- skip
Static BooleanRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- starttls Boolean
- Issue a StartTLS command after establishing unencrypted connection.
- upndomain String
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - userattr String
- Attribute used when searching users. Defaults to
cn
. - userdn String
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:
Look up Existing SecretBackend Resource
Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accessor: Optional[str] = None,
allowed_managed_keys: Optional[Sequence[str]] = None,
allowed_response_headers: Optional[Sequence[str]] = None,
audit_non_hmac_request_keys: Optional[Sequence[str]] = None,
audit_non_hmac_response_keys: Optional[Sequence[str]] = None,
binddn: Optional[str] = None,
bindpass: Optional[str] = None,
certificate: Optional[str] = None,
client_tls_cert: Optional[str] = None,
client_tls_key: Optional[str] = None,
connection_timeout: Optional[int] = None,
default_lease_ttl_seconds: Optional[int] = None,
delegated_auth_accessors: Optional[Sequence[str]] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
external_entropy_access: Optional[bool] = None,
identity_token_key: Optional[str] = None,
insecure_tls: Optional[bool] = None,
listing_visibility: Optional[str] = None,
local: Optional[bool] = None,
max_lease_ttl_seconds: Optional[int] = None,
namespace: Optional[str] = None,
options: Optional[Mapping[str, str]] = None,
passthrough_request_headers: Optional[Sequence[str]] = None,
password_policy: Optional[str] = None,
path: Optional[str] = None,
plugin_version: Optional[str] = None,
request_timeout: Optional[int] = None,
schema: Optional[str] = None,
seal_wrap: Optional[bool] = None,
skip_static_role_import_rotation: Optional[bool] = None,
starttls: Optional[bool] = None,
upndomain: Optional[str] = None,
url: Optional[str] = None,
userattr: Optional[str] = None,
userdn: Optional[str] = None) -> SecretBackend
func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accessor string
- Accessor of the mount
- Allowed
Managed List<string>Keys - List of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response List<string>Headers - List of headers to allow and pass from the request to the plugin
- Audit
Non List<string>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non List<string>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Binddn string
- Distinguished name of object to bind when performing user and group search.
- Bindpass string
- Password to use along with binddn when performing user search.
- Certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Connection
Timeout int - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- Default
Lease intTtl Seconds - Default lease duration for secrets in seconds.
- Delegated
Auth List<string>Accessors - List of headers to allow and pass from the request to the plugin
- Description string
- Human-friendly description of the mount for the Active Directory backend.
- Disable
Remount bool - If set, opts out of mount migration on path updates.
- External
Entropy boolAccess - Enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens
- Insecure
Tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- Local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds - Maximum possible lease duration for secrets in seconds.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options Dictionary<string, string>
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request List<string>Headers - List of headers to allow and pass from the request to the plugin
- Password
Policy string - Name of the password policy to use to generate passwords.
- Path string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- Request
Timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Schema string
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - Seal
Wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Skip
Static boolRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- Starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- Upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - Userattr string
- Attribute used when searching users. Defaults to
cn
. - Userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- Accessor string
- Accessor of the mount
- Allowed
Managed []stringKeys - List of managed key registry entry names that the mount in question is allowed to access
- Allowed
Response []stringHeaders - List of headers to allow and pass from the request to the plugin
- Audit
Non []stringHmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Binddn string
- Distinguished name of object to bind when performing user and group search.
- Bindpass string
- Password to use along with binddn when performing user search.
- Certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- Client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- Client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- Connection
Timeout int - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- Default
Lease intTtl Seconds - Default lease duration for secrets in seconds.
- Delegated
Auth []stringAccessors - List of headers to allow and pass from the request to the plugin
- Description string
- Human-friendly description of the mount for the Active Directory backend.
- Disable
Remount bool - If set, opts out of mount migration on path updates.
- External
Entropy boolAccess - Enable the secrets engine to access Vault's external entropy source
- Identity
Token stringKey - The key to use for signing plugin workload identity tokens
- Insecure
Tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- Local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- Max
Lease intTtl Seconds - Maximum possible lease duration for secrets in seconds.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Options map[string]string
- Specifies mount type specific options that are passed to the backend
- Passthrough
Request []stringHeaders - List of headers to allow and pass from the request to the plugin
- Password
Policy string - Name of the password policy to use to generate passwords.
- Path string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - Plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- Request
Timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- Schema string
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - Seal
Wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- Skip
Static boolRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- Starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- Upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- Url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - Userattr string
- Attribute used when searching users. Defaults to
cn
. - Userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- accessor String
- Accessor of the mount
- allowed
Managed List<String>Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow and pass from the request to the plugin
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- binddn String
- Distinguished name of object to bind when performing user and group search.
- bindpass String
- Password to use along with binddn when performing user search.
- certificate String
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- connection
Timeout Integer - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- default
Lease IntegerTtl Seconds - Default lease duration for secrets in seconds.
- delegated
Auth List<String>Accessors - List of headers to allow and pass from the request to the plugin
- description String
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount Boolean - If set, opts out of mount migration on path updates.
- external
Entropy BooleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens
- insecure
Tls Boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint
- local Boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease IntegerTtl Seconds - Maximum possible lease duration for secrets in seconds.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String,String>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin
- password
Policy String - Name of the password policy to use to generate passwords.
- path String
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - plugin
Version String - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- request
Timeout Integer - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- schema String
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - seal
Wrap Boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- skip
Static BooleanRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- starttls Boolean
- Issue a StartTLS command after establishing unencrypted connection.
- upndomain String
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - userattr String
- Attribute used when searching users. Defaults to
cn
. - userdn String
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- accessor string
- Accessor of the mount
- allowed
Managed string[]Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response string[]Headers - List of headers to allow and pass from the request to the plugin
- audit
Non string[]Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- binddn string
- Distinguished name of object to bind when performing user and group search.
- bindpass string
- Password to use along with binddn when performing user search.
- certificate string
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls stringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls stringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- connection
Timeout number - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- default
Lease numberTtl Seconds - Default lease duration for secrets in seconds.
- delegated
Auth string[]Accessors - List of headers to allow and pass from the request to the plugin
- description string
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount boolean - If set, opts out of mount migration on path updates.
- external
Entropy booleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token stringKey - The key to use for signing plugin workload identity tokens
- insecure
Tls boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint
- local boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease numberTtl Seconds - Maximum possible lease duration for secrets in seconds.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - options {[key: string]: string}
- Specifies mount type specific options that are passed to the backend
- passthrough
Request string[]Headers - List of headers to allow and pass from the request to the plugin
- password
Policy string - Name of the password policy to use to generate passwords.
- path string
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - plugin
Version string - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- request
Timeout number - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- schema string
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - seal
Wrap boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- skip
Static booleanRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- starttls boolean
- Issue a StartTLS command after establishing unencrypted connection.
- upndomain string
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url string
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - userattr string
- Attribute used when searching users. Defaults to
cn
. - userdn string
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- accessor str
- Accessor of the mount
- allowed_
managed_ Sequence[str]keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed_
response_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin
- audit_
non_ Sequence[str]hmac_ request_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- binddn str
- Distinguished name of object to bind when performing user and group search.
- bindpass str
- Password to use along with binddn when performing user search.
- certificate str
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client_
tls_ strcert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client_
tls_ strkey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- connection_
timeout int - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- default_
lease_ intttl_ seconds - Default lease duration for secrets in seconds.
- delegated_
auth_ Sequence[str]accessors - List of headers to allow and pass from the request to the plugin
- description str
- Human-friendly description of the mount for the Active Directory backend.
- disable_
remount bool - If set, opts out of mount migration on path updates.
- external_
entropy_ boolaccess - Enable the secrets engine to access Vault's external entropy source
- identity_
token_ strkey - The key to use for signing plugin workload identity tokens
- insecure_
tls bool - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - listing_
visibility str - Specifies whether to show this mount in the UI-specific listing endpoint
- local bool
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max_
lease_ intttl_ seconds - Maximum possible lease duration for secrets in seconds.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Mapping[str, str]
- Specifies mount type specific options that are passed to the backend
- passthrough_
request_ Sequence[str]headers - List of headers to allow and pass from the request to the plugin
- password_
policy str - Name of the password policy to use to generate passwords.
- path str
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - plugin_
version str - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- request_
timeout int - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- schema str
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - seal_
wrap bool - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- skip_
static_ boolrole_ import_ rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- starttls bool
- Issue a StartTLS command after establishing unencrypted connection.
- upndomain str
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url str
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - userattr str
- Attribute used when searching users. Defaults to
cn
. - userdn str
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
- accessor String
- Accessor of the mount
- allowed
Managed List<String>Keys - List of managed key registry entry names that the mount in question is allowed to access
- allowed
Response List<String>Headers - List of headers to allow and pass from the request to the plugin
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- binddn String
- Distinguished name of object to bind when performing user and group search.
- bindpass String
- Password to use along with binddn when performing user search.
- certificate String
- CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
- client
Tls StringCert - Client certificate to provide to the LDAP server, must be x509 PEM encoded.
- client
Tls StringKey - Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
- connection
Timeout Number - Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
- default
Lease NumberTtl Seconds - Default lease duration for secrets in seconds.
- delegated
Auth List<String>Accessors - List of headers to allow and pass from the request to the plugin
- description String
- Human-friendly description of the mount for the Active Directory backend.
- disable
Remount Boolean - If set, opts out of mount migration on path updates.
- external
Entropy BooleanAccess - Enable the secrets engine to access Vault's external entropy source
- identity
Token StringKey - The key to use for signing plugin workload identity tokens
- insecure
Tls Boolean - Skip LDAP server SSL Certificate verification. This is not recommended for production.
Defaults to
false
. - listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint
- local Boolean
- Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
- max
Lease NumberTtl Seconds - Maximum possible lease duration for secrets in seconds.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - options Map<String>
- Specifies mount type specific options that are passed to the backend
- passthrough
Request List<String>Headers - List of headers to allow and pass from the request to the plugin
- password
Policy String - Name of the password policy to use to generate passwords.
- path String
- The unique path this backend should be mounted at. Must
not begin or end with a
/
. Defaults toldap
. - plugin
Version String - Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
- request
Timeout Number - Timeout, in seconds, for the connection when making requests against the server before returning back an error.
- schema String
- The LDAP schema to use when storing entry passwords. Valid schemas include
openldap
,ad
, andracf
. Default isopenldap
. - seal
Wrap Boolean - Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
- skip
Static BooleanRole Import Rotation - If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.
- starttls Boolean
- Issue a StartTLS command after establishing unencrypted connection.
- upndomain String
- Enables userPrincipalDomain login with [username]@UPNDomain.
- url String
- LDAP URL to connect to. Multiple URLs can be specified by concatenating
them with commas; they will be tried in-order. Defaults to
ldap://127.0.0.1
. - userattr String
- Attribute used when searching users. Defaults to
cn
. - userdn String
- LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
Import
LDAP secret backend can be imported using the ${mount}/config
, e.g.
$ pulumi import vault:ldap/secretBackend:SecretBackend config ldap/config
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vault
Terraform Provider.