1. Packages
  2. Pulumi Vault Provider
  3. API Docs
  4. managed
  5. Keys
HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi

vault.managed.Keys

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi

    A resource that manages the lifecycle of all Managed Keys in Vault.

    Note this feature is available only with Vault Enterprise.

    Create Keys Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Keys(name: string, args?: KeysArgs, opts?: CustomResourceOptions);
    @overload
    def Keys(resource_name: str,
             args: Optional[KeysArgs] = None,
             opts: Optional[ResourceOptions] = None)
    
    @overload
    def Keys(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             aws: Optional[Sequence[KeysAwArgs]] = None,
             azures: Optional[Sequence[KeysAzureArgs]] = None,
             namespace: Optional[str] = None,
             pkcs: Optional[Sequence[KeysPkcArgs]] = None)
    func NewKeys(ctx *Context, name string, args *KeysArgs, opts ...ResourceOption) (*Keys, error)
    public Keys(string name, KeysArgs? args = null, CustomResourceOptions? opts = null)
    public Keys(String name, KeysArgs args)
    public Keys(String name, KeysArgs args, CustomResourceOptions options)
    
    type: vault:managed:Keys
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KeysArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var keysResource = new Vault.Managed.Keys("keysResource", new()
    {
        Aws = new[]
        {
            new Vault.Managed.Inputs.KeysAwArgs
            {
                KeyBits = "string",
                SecretKey = "string",
                Name = "string",
                AccessKey = "string",
                KmsKey = "string",
                KeyType = "string",
                AllowStoreKey = false,
                Endpoint = "string",
                Curve = "string",
                AnyMount = false,
                AllowReplaceKey = false,
                Region = "string",
                AllowGenerateKey = false,
                Uuid = "string",
            },
        },
        Azures = new[]
        {
            new Vault.Managed.Inputs.KeysAzureArgs
            {
                KeyName = "string",
                VaultName = "string",
                TenantId = "string",
                Name = "string",
                ClientId = "string",
                ClientSecret = "string",
                KeyType = "string",
                AnyMount = false,
                KeyBits = "string",
                Environment = "string",
                AllowGenerateKey = false,
                Resource = "string",
                AllowStoreKey = false,
                Uuid = "string",
                AllowReplaceKey = false,
            },
        },
        Namespace = "string",
        Pkcs = new[]
        {
            new Vault.Managed.Inputs.KeysPkcArgs
            {
                Pin = "string",
                Mechanism = "string",
                Name = "string",
                KeyId = "string",
                KeyLabel = "string",
                Library = "string",
                AllowReplaceKey = false,
                KeyBits = "string",
                Curve = "string",
                ForceRwSession = "string",
                AnyMount = false,
                AllowStoreKey = false,
                AllowGenerateKey = false,
                Slot = "string",
                TokenLabel = "string",
                Uuid = "string",
            },
        },
    });
    
    example, err := managed.NewKeys(ctx, "keysResource", &managed.KeysArgs{
    	Aws: managed.KeysAwArray{
    		&managed.KeysAwArgs{
    			KeyBits:          pulumi.String("string"),
    			SecretKey:        pulumi.String("string"),
    			Name:             pulumi.String("string"),
    			AccessKey:        pulumi.String("string"),
    			KmsKey:           pulumi.String("string"),
    			KeyType:          pulumi.String("string"),
    			AllowStoreKey:    pulumi.Bool(false),
    			Endpoint:         pulumi.String("string"),
    			Curve:            pulumi.String("string"),
    			AnyMount:         pulumi.Bool(false),
    			AllowReplaceKey:  pulumi.Bool(false),
    			Region:           pulumi.String("string"),
    			AllowGenerateKey: pulumi.Bool(false),
    			Uuid:             pulumi.String("string"),
    		},
    	},
    	Azures: managed.KeysAzureArray{
    		&managed.KeysAzureArgs{
    			KeyName:          pulumi.String("string"),
    			VaultName:        pulumi.String("string"),
    			TenantId:         pulumi.String("string"),
    			Name:             pulumi.String("string"),
    			ClientId:         pulumi.String("string"),
    			ClientSecret:     pulumi.String("string"),
    			KeyType:          pulumi.String("string"),
    			AnyMount:         pulumi.Bool(false),
    			KeyBits:          pulumi.String("string"),
    			Environment:      pulumi.String("string"),
    			AllowGenerateKey: pulumi.Bool(false),
    			Resource:         pulumi.String("string"),
    			AllowStoreKey:    pulumi.Bool(false),
    			Uuid:             pulumi.String("string"),
    			AllowReplaceKey:  pulumi.Bool(false),
    		},
    	},
    	Namespace: pulumi.String("string"),
    	Pkcs: managed.KeysPkcArray{
    		&managed.KeysPkcArgs{
    			Pin:              pulumi.String("string"),
    			Mechanism:        pulumi.String("string"),
    			Name:             pulumi.String("string"),
    			KeyId:            pulumi.String("string"),
    			KeyLabel:         pulumi.String("string"),
    			Library:          pulumi.String("string"),
    			AllowReplaceKey:  pulumi.Bool(false),
    			KeyBits:          pulumi.String("string"),
    			Curve:            pulumi.String("string"),
    			ForceRwSession:   pulumi.String("string"),
    			AnyMount:         pulumi.Bool(false),
    			AllowStoreKey:    pulumi.Bool(false),
    			AllowGenerateKey: pulumi.Bool(false),
    			Slot:             pulumi.String("string"),
    			TokenLabel:       pulumi.String("string"),
    			Uuid:             pulumi.String("string"),
    		},
    	},
    })
    
    var keysResource = new Keys("keysResource", KeysArgs.builder()
        .aws(KeysAwArgs.builder()
            .keyBits("string")
            .secretKey("string")
            .name("string")
            .accessKey("string")
            .kmsKey("string")
            .keyType("string")
            .allowStoreKey(false)
            .endpoint("string")
            .curve("string")
            .anyMount(false)
            .allowReplaceKey(false)
            .region("string")
            .allowGenerateKey(false)
            .uuid("string")
            .build())
        .azures(KeysAzureArgs.builder()
            .keyName("string")
            .vaultName("string")
            .tenantId("string")
            .name("string")
            .clientId("string")
            .clientSecret("string")
            .keyType("string")
            .anyMount(false)
            .keyBits("string")
            .environment("string")
            .allowGenerateKey(false)
            .resource("string")
            .allowStoreKey(false)
            .uuid("string")
            .allowReplaceKey(false)
            .build())
        .namespace("string")
        .pkcs(KeysPkcArgs.builder()
            .pin("string")
            .mechanism("string")
            .name("string")
            .keyId("string")
            .keyLabel("string")
            .library("string")
            .allowReplaceKey(false)
            .keyBits("string")
            .curve("string")
            .forceRwSession("string")
            .anyMount(false)
            .allowStoreKey(false)
            .allowGenerateKey(false)
            .slot("string")
            .tokenLabel("string")
            .uuid("string")
            .build())
        .build());
    
    keys_resource = vault.managed.Keys("keysResource",
        aws=[{
            "key_bits": "string",
            "secret_key": "string",
            "name": "string",
            "access_key": "string",
            "kms_key": "string",
            "key_type": "string",
            "allow_store_key": False,
            "endpoint": "string",
            "curve": "string",
            "any_mount": False,
            "allow_replace_key": False,
            "region": "string",
            "allow_generate_key": False,
            "uuid": "string",
        }],
        azures=[{
            "key_name": "string",
            "vault_name": "string",
            "tenant_id": "string",
            "name": "string",
            "client_id": "string",
            "client_secret": "string",
            "key_type": "string",
            "any_mount": False,
            "key_bits": "string",
            "environment": "string",
            "allow_generate_key": False,
            "resource": "string",
            "allow_store_key": False,
            "uuid": "string",
            "allow_replace_key": False,
        }],
        namespace="string",
        pkcs=[{
            "pin": "string",
            "mechanism": "string",
            "name": "string",
            "key_id": "string",
            "key_label": "string",
            "library": "string",
            "allow_replace_key": False,
            "key_bits": "string",
            "curve": "string",
            "force_rw_session": "string",
            "any_mount": False,
            "allow_store_key": False,
            "allow_generate_key": False,
            "slot": "string",
            "token_label": "string",
            "uuid": "string",
        }])
    
    const keysResource = new vault.managed.Keys("keysResource", {
        aws: [{
            keyBits: "string",
            secretKey: "string",
            name: "string",
            accessKey: "string",
            kmsKey: "string",
            keyType: "string",
            allowStoreKey: false,
            endpoint: "string",
            curve: "string",
            anyMount: false,
            allowReplaceKey: false,
            region: "string",
            allowGenerateKey: false,
            uuid: "string",
        }],
        azures: [{
            keyName: "string",
            vaultName: "string",
            tenantId: "string",
            name: "string",
            clientId: "string",
            clientSecret: "string",
            keyType: "string",
            anyMount: false,
            keyBits: "string",
            environment: "string",
            allowGenerateKey: false,
            resource: "string",
            allowStoreKey: false,
            uuid: "string",
            allowReplaceKey: false,
        }],
        namespace: "string",
        pkcs: [{
            pin: "string",
            mechanism: "string",
            name: "string",
            keyId: "string",
            keyLabel: "string",
            library: "string",
            allowReplaceKey: false,
            keyBits: "string",
            curve: "string",
            forceRwSession: "string",
            anyMount: false,
            allowStoreKey: false,
            allowGenerateKey: false,
            slot: "string",
            tokenLabel: "string",
            uuid: "string",
        }],
    });
    
    type: vault:managed:Keys
    properties:
        aws:
            - accessKey: string
              allowGenerateKey: false
              allowReplaceKey: false
              allowStoreKey: false
              anyMount: false
              curve: string
              endpoint: string
              keyBits: string
              keyType: string
              kmsKey: string
              name: string
              region: string
              secretKey: string
              uuid: string
        azures:
            - allowGenerateKey: false
              allowReplaceKey: false
              allowStoreKey: false
              anyMount: false
              clientId: string
              clientSecret: string
              environment: string
              keyBits: string
              keyName: string
              keyType: string
              name: string
              resource: string
              tenantId: string
              uuid: string
              vaultName: string
        namespace: string
        pkcs:
            - allowGenerateKey: false
              allowReplaceKey: false
              allowStoreKey: false
              anyMount: false
              curve: string
              forceRwSession: string
              keyBits: string
              keyId: string
              keyLabel: string
              library: string
              mechanism: string
              name: string
              pin: string
              slot: string
              tokenLabel: string
              uuid: string
    

    Keys Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Keys resource accepts the following input properties:

    Aws List<KeysAw>
    Configuration block for AWS Managed Keys
    Azures List<KeysAzure>
    Configuration block for Azure Managed Keys
    Namespace string
    Target namespace. (requires Enterprise)
    Pkcs List<KeysPkc>
    Configuration block for PKCS Managed Keys
    Aws []KeysAwArgs
    Configuration block for AWS Managed Keys
    Azures []KeysAzureArgs
    Configuration block for Azure Managed Keys
    Namespace string
    Target namespace. (requires Enterprise)
    Pkcs []KeysPkcArgs
    Configuration block for PKCS Managed Keys
    aws List<KeysAw>
    Configuration block for AWS Managed Keys
    azures List<KeysAzure>
    Configuration block for Azure Managed Keys
    namespace String
    Target namespace. (requires Enterprise)
    pkcs List<KeysPkc>
    Configuration block for PKCS Managed Keys
    aws KeysAw[]
    Configuration block for AWS Managed Keys
    azures KeysAzure[]
    Configuration block for Azure Managed Keys
    namespace string
    Target namespace. (requires Enterprise)
    pkcs KeysPkc[]
    Configuration block for PKCS Managed Keys
    aws Sequence[KeysAwArgs]
    Configuration block for AWS Managed Keys
    azures Sequence[KeysAzureArgs]
    Configuration block for Azure Managed Keys
    namespace str
    Target namespace. (requires Enterprise)
    pkcs Sequence[KeysPkcArgs]
    Configuration block for PKCS Managed Keys
    aws List<Property Map>
    Configuration block for AWS Managed Keys
    azures List<Property Map>
    Configuration block for Azure Managed Keys
    namespace String
    Target namespace. (requires Enterprise)
    pkcs List<Property Map>
    Configuration block for PKCS Managed Keys

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Keys resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Keys Resource

    Get an existing Keys resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KeysState, opts?: CustomResourceOptions): Keys
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            aws: Optional[Sequence[KeysAwArgs]] = None,
            azures: Optional[Sequence[KeysAzureArgs]] = None,
            namespace: Optional[str] = None,
            pkcs: Optional[Sequence[KeysPkcArgs]] = None) -> Keys
    func GetKeys(ctx *Context, name string, id IDInput, state *KeysState, opts ...ResourceOption) (*Keys, error)
    public static Keys Get(string name, Input<string> id, KeysState? state, CustomResourceOptions? opts = null)
    public static Keys get(String name, Output<String> id, KeysState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Aws List<KeysAw>
    Configuration block for AWS Managed Keys
    Azures List<KeysAzure>
    Configuration block for Azure Managed Keys
    Namespace string
    Target namespace. (requires Enterprise)
    Pkcs List<KeysPkc>
    Configuration block for PKCS Managed Keys
    Aws []KeysAwArgs
    Configuration block for AWS Managed Keys
    Azures []KeysAzureArgs
    Configuration block for Azure Managed Keys
    Namespace string
    Target namespace. (requires Enterprise)
    Pkcs []KeysPkcArgs
    Configuration block for PKCS Managed Keys
    aws List<KeysAw>
    Configuration block for AWS Managed Keys
    azures List<KeysAzure>
    Configuration block for Azure Managed Keys
    namespace String
    Target namespace. (requires Enterprise)
    pkcs List<KeysPkc>
    Configuration block for PKCS Managed Keys
    aws KeysAw[]
    Configuration block for AWS Managed Keys
    azures KeysAzure[]
    Configuration block for Azure Managed Keys
    namespace string
    Target namespace. (requires Enterprise)
    pkcs KeysPkc[]
    Configuration block for PKCS Managed Keys
    aws Sequence[KeysAwArgs]
    Configuration block for AWS Managed Keys
    azures Sequence[KeysAzureArgs]
    Configuration block for Azure Managed Keys
    namespace str
    Target namespace. (requires Enterprise)
    pkcs Sequence[KeysPkcArgs]
    Configuration block for PKCS Managed Keys
    aws List<Property Map>
    Configuration block for AWS Managed Keys
    azures List<Property Map>
    Configuration block for Azure Managed Keys
    namespace String
    Target namespace. (requires Enterprise)
    pkcs List<Property Map>
    Configuration block for PKCS Managed Keys

    Supporting Types

    KeysAw, KeysAwArgs

    AccessKey string
    The AWS access key to use
    KeyBits string
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
    KeyType string
    The type of key to use
    KmsKey string
    An identifier for the key
    Name string
    A unique lowercase name that serves as identifying the key
    SecretKey string
    The AWS secret key to use
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    AnyMount bool
    Allow usage from any mount point within the namespace if 'true'
    Curve string
    The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
    Endpoint string
    Used to specify a custom AWS endpoint
    Region string
    The AWS region where the keys are stored (or will be stored)
    Uuid string
    ID of the managed key read from Vault
    AccessKey string
    The AWS access key to use
    KeyBits string
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
    KeyType string
    The type of key to use
    KmsKey string
    An identifier for the key
    Name string
    A unique lowercase name that serves as identifying the key
    SecretKey string
    The AWS secret key to use
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    AnyMount bool
    Allow usage from any mount point within the namespace if 'true'
    Curve string
    The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
    Endpoint string
    Used to specify a custom AWS endpoint
    Region string
    The AWS region where the keys are stored (or will be stored)
    Uuid string
    ID of the managed key read from Vault
    accessKey String
    The AWS access key to use
    keyBits String
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
    keyType String
    The type of key to use
    kmsKey String
    An identifier for the key
    name String
    A unique lowercase name that serves as identifying the key
    secretKey String
    The AWS secret key to use
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    anyMount Boolean
    Allow usage from any mount point within the namespace if 'true'
    curve String
    The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
    endpoint String
    Used to specify a custom AWS endpoint
    region String
    The AWS region where the keys are stored (or will be stored)
    uuid String
    ID of the managed key read from Vault
    accessKey string
    The AWS access key to use
    keyBits string
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
    keyType string
    The type of key to use
    kmsKey string
    An identifier for the key
    name string
    A unique lowercase name that serves as identifying the key
    secretKey string
    The AWS secret key to use
    allowGenerateKey boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allowReplaceKey boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey boolean
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    anyMount boolean
    Allow usage from any mount point within the namespace if 'true'
    curve string
    The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
    endpoint string
    Used to specify a custom AWS endpoint
    region string
    The AWS region where the keys are stored (or will be stored)
    uuid string
    ID of the managed key read from Vault
    access_key str
    The AWS access key to use
    key_bits str
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
    key_type str
    The type of key to use
    kms_key str
    An identifier for the key
    name str
    A unique lowercase name that serves as identifying the key
    secret_key str
    The AWS secret key to use
    allow_generate_key bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allow_replace_key bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allow_store_key bool
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    any_mount bool
    Allow usage from any mount point within the namespace if 'true'
    curve str
    The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
    endpoint str
    Used to specify a custom AWS endpoint
    region str
    The AWS region where the keys are stored (or will be stored)
    uuid str
    ID of the managed key read from Vault
    accessKey String
    The AWS access key to use
    keyBits String
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'
    keyType String
    The type of key to use
    kmsKey String
    An identifier for the key
    name String
    A unique lowercase name that serves as identifying the key
    secretKey String
    The AWS secret key to use
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    anyMount Boolean
    Allow usage from any mount point within the namespace if 'true'
    curve String
    The curve to use for an ECDSA key. Used when key_type is 'ECDSA'. Required if 'allow_generate_key' is true
    endpoint String
    Used to specify a custom AWS endpoint
    region String
    The AWS region where the keys are stored (or will be stored)
    uuid String
    ID of the managed key read from Vault

    KeysAzure, KeysAzureArgs

    ClientId string
    The client id for credentials to query the Azure APIs
    ClientSecret string
    The client secret for credentials to query the Azure APIs
    KeyName string
    The Key Vault key to use for encryption and decryption
    KeyType string
    The type of key to use
    Name string
    A unique lowercase name that serves as identifying the key
    TenantId string
    The tenant id for the Azure Active Directory organization
    VaultName string
    The Key Vault vault to use the encryption keys for encryption and decryption
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    AnyMount bool
    Allow usage from any mount point within the namespace if 'true'
    Environment string
    The Azure Cloud environment API endpoints to use
    KeyBits string
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
    Resource string
    The Azure Key Vault resource's DNS Suffix to connect to
    Uuid string
    ID of the managed key read from Vault
    ClientId string
    The client id for credentials to query the Azure APIs
    ClientSecret string
    The client secret for credentials to query the Azure APIs
    KeyName string
    The Key Vault key to use for encryption and decryption
    KeyType string
    The type of key to use
    Name string
    A unique lowercase name that serves as identifying the key
    TenantId string
    The tenant id for the Azure Active Directory organization
    VaultName string
    The Key Vault vault to use the encryption keys for encryption and decryption
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    AnyMount bool
    Allow usage from any mount point within the namespace if 'true'
    Environment string
    The Azure Cloud environment API endpoints to use
    KeyBits string
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
    Resource string
    The Azure Key Vault resource's DNS Suffix to connect to
    Uuid string
    ID of the managed key read from Vault
    clientId String
    The client id for credentials to query the Azure APIs
    clientSecret String
    The client secret for credentials to query the Azure APIs
    keyName String
    The Key Vault key to use for encryption and decryption
    keyType String
    The type of key to use
    name String
    A unique lowercase name that serves as identifying the key
    tenantId String
    The tenant id for the Azure Active Directory organization
    vaultName String
    The Key Vault vault to use the encryption keys for encryption and decryption
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    anyMount Boolean
    Allow usage from any mount point within the namespace if 'true'
    environment String
    The Azure Cloud environment API endpoints to use
    keyBits String
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
    resource String
    The Azure Key Vault resource's DNS Suffix to connect to
    uuid String
    ID of the managed key read from Vault
    clientId string
    The client id for credentials to query the Azure APIs
    clientSecret string
    The client secret for credentials to query the Azure APIs
    keyName string
    The Key Vault key to use for encryption and decryption
    keyType string
    The type of key to use
    name string
    A unique lowercase name that serves as identifying the key
    tenantId string
    The tenant id for the Azure Active Directory organization
    vaultName string
    The Key Vault vault to use the encryption keys for encryption and decryption
    allowGenerateKey boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allowReplaceKey boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey boolean
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    anyMount boolean
    Allow usage from any mount point within the namespace if 'true'
    environment string
    The Azure Cloud environment API endpoints to use
    keyBits string
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
    resource string
    The Azure Key Vault resource's DNS Suffix to connect to
    uuid string
    ID of the managed key read from Vault
    client_id str
    The client id for credentials to query the Azure APIs
    client_secret str
    The client secret for credentials to query the Azure APIs
    key_name str
    The Key Vault key to use for encryption and decryption
    key_type str
    The type of key to use
    name str
    A unique lowercase name that serves as identifying the key
    tenant_id str
    The tenant id for the Azure Active Directory organization
    vault_name str
    The Key Vault vault to use the encryption keys for encryption and decryption
    allow_generate_key bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allow_replace_key bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allow_store_key bool
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    any_mount bool
    Allow usage from any mount point within the namespace if 'true'
    environment str
    The Azure Cloud environment API endpoints to use
    key_bits str
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
    resource str
    The Azure Key Vault resource's DNS Suffix to connect to
    uuid str
    ID of the managed key read from Vault
    clientId String
    The client id for credentials to query the Azure APIs
    clientSecret String
    The client secret for credentials to query the Azure APIs
    keyName String
    The Key Vault key to use for encryption and decryption
    keyType String
    The type of key to use
    name String
    A unique lowercase name that serves as identifying the key
    tenantId String
    The tenant id for the Azure Active Directory organization
    vaultName String
    The Key Vault vault to use the encryption keys for encryption and decryption
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    anyMount Boolean
    Allow usage from any mount point within the namespace if 'true'
    environment String
    The Azure Cloud environment API endpoints to use
    keyBits String
    The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true
    resource String
    The Azure Key Vault resource's DNS Suffix to connect to
    uuid String
    ID of the managed key read from Vault

    KeysPkc, KeysPkcArgs

    KeyId string
    The id of a PKCS#11 key to use
    KeyLabel string
    The label of the key to use
    Library string
    The name of the kms_library stanza to use from Vault's config to lookup the local library path
    Mechanism string
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    Name string
    A unique lowercase name that serves as identifying the key
    Pin string
    The PIN for login
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    AnyMount bool
    Allow usage from any mount point within the namespace if 'true'
    Curve string
    Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
    ForceRwSession string
    Force all operations to open up a read-write session to the HSM
    KeyBits string
    Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
    Slot string
    The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
    TokenLabel string
    The slot token label to use
    Uuid string
    ID of the managed key read from Vault
    KeyId string
    The id of a PKCS#11 key to use
    KeyLabel string
    The label of the key to use
    Library string
    The name of the kms_library stanza to use from Vault's config to lookup the local library path
    Mechanism string
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    Name string
    A unique lowercase name that serves as identifying the key
    Pin string
    The PIN for login
    AllowGenerateKey bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    AllowReplaceKey bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    AllowStoreKey bool
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    AnyMount bool
    Allow usage from any mount point within the namespace if 'true'
    Curve string
    Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
    ForceRwSession string
    Force all operations to open up a read-write session to the HSM
    KeyBits string
    Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
    Slot string
    The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
    TokenLabel string
    The slot token label to use
    Uuid string
    ID of the managed key read from Vault
    keyId String
    The id of a PKCS#11 key to use
    keyLabel String
    The label of the key to use
    library String
    The name of the kms_library stanza to use from Vault's config to lookup the local library path
    mechanism String
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    name String
    A unique lowercase name that serves as identifying the key
    pin String
    The PIN for login
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    anyMount Boolean
    Allow usage from any mount point within the namespace if 'true'
    curve String
    Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
    forceRwSession String
    Force all operations to open up a read-write session to the HSM
    keyBits String
    Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
    slot String
    The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
    tokenLabel String
    The slot token label to use
    uuid String
    ID of the managed key read from Vault
    keyId string
    The id of a PKCS#11 key to use
    keyLabel string
    The label of the key to use
    library string
    The name of the kms_library stanza to use from Vault's config to lookup the local library path
    mechanism string
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    name string
    A unique lowercase name that serves as identifying the key
    pin string
    The PIN for login
    allowGenerateKey boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allowReplaceKey boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey boolean
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    anyMount boolean
    Allow usage from any mount point within the namespace if 'true'
    curve string
    Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
    forceRwSession string
    Force all operations to open up a read-write session to the HSM
    keyBits string
    Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
    slot string
    The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
    tokenLabel string
    The slot token label to use
    uuid string
    ID of the managed key read from Vault
    key_id str
    The id of a PKCS#11 key to use
    key_label str
    The label of the key to use
    library str
    The name of the kms_library stanza to use from Vault's config to lookup the local library path
    mechanism str
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    name str
    A unique lowercase name that serves as identifying the key
    pin str
    The PIN for login
    allow_generate_key bool
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allow_replace_key bool
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allow_store_key bool
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    any_mount bool
    Allow usage from any mount point within the namespace if 'true'
    curve str
    Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
    force_rw_session str
    Force all operations to open up a read-write session to the HSM
    key_bits str
    Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
    slot str
    The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
    token_label str
    The slot token label to use
    uuid str
    ID of the managed key read from Vault
    keyId String
    The id of a PKCS#11 key to use
    keyLabel String
    The label of the key to use
    library String
    The name of the kms_library stanza to use from Vault's config to lookup the local library path
    mechanism String
    The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.
    name String
    A unique lowercase name that serves as identifying the key
    pin String
    The PIN for login
    allowGenerateKey Boolean
    If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend
    allowReplaceKey Boolean
    Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.
    allowStoreKey Boolean
    Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden
    anyMount Boolean
    Allow usage from any mount point within the namespace if 'true'
    curve String
    Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true
    forceRwSession String
    Force all operations to open up a read-write session to the HSM
    keyBits String
    Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true
    slot String
    The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')
    tokenLabel String
    The slot token label to use
    uuid String
    ID of the managed key read from Vault

    Import

    Mounts can be imported using the id of default, e.g.

    $ pulumi import vault:managed/keys:Keys keys default
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.4.0 published on Wednesday, Nov 20, 2024 by Pulumi