vault.transit.SecretBackendKey
Explore with Pulumi AI
Creates an Encryption Keyring on a Transit Secret Backend for Vault.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const transit = new vault.Mount("transit", {
path: "transit",
type: "transit",
description: "Example description",
defaultLeaseTtlSeconds: 3600,
maxLeaseTtlSeconds: 86400,
});
const key = new vault.transit.SecretBackendKey("key", {
backend: transit.path,
name: "my_key",
});
import pulumi
import pulumi_vault as vault
transit = vault.Mount("transit",
path="transit",
type="transit",
description="Example description",
default_lease_ttl_seconds=3600,
max_lease_ttl_seconds=86400)
key = vault.transit.SecretBackendKey("key",
backend=transit.path,
name="my_key")
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/transit"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
transit, err := vault.NewMount(ctx, "transit", &vault.MountArgs{
Path: pulumi.String("transit"),
Type: pulumi.String("transit"),
Description: pulumi.String("Example description"),
DefaultLeaseTtlSeconds: pulumi.Int(3600),
MaxLeaseTtlSeconds: pulumi.Int(86400),
})
if err != nil {
return err
}
_, err = transit.NewSecretBackendKey(ctx, "key", &transit.SecretBackendKeyArgs{
Backend: transit.Path,
Name: pulumi.String("my_key"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var transit = new Vault.Mount("transit", new()
{
Path = "transit",
Type = "transit",
Description = "Example description",
DefaultLeaseTtlSeconds = 3600,
MaxLeaseTtlSeconds = 86400,
});
var key = new Vault.Transit.SecretBackendKey("key", new()
{
Backend = transit.Path,
Name = "my_key",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.transit.SecretBackendKey;
import com.pulumi.vault.transit.SecretBackendKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var transit = new Mount("transit", MountArgs.builder()
.path("transit")
.type("transit")
.description("Example description")
.defaultLeaseTtlSeconds(3600)
.maxLeaseTtlSeconds(86400)
.build());
var key = new SecretBackendKey("key", SecretBackendKeyArgs.builder()
.backend(transit.path())
.name("my_key")
.build());
}
}
resources:
transit:
type: vault:Mount
properties:
path: transit
type: transit
description: Example description
defaultLeaseTtlSeconds: 3600
maxLeaseTtlSeconds: 86400
key:
type: vault:transit:SecretBackendKey
properties:
backend: ${transit.path}
name: my_key
Create SecretBackendKey Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new SecretBackendKey(name: string, args: SecretBackendKeyArgs, opts?: CustomResourceOptions);
@overload
def SecretBackendKey(resource_name: str,
args: SecretBackendKeyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def SecretBackendKey(resource_name: str,
opts: Optional[ResourceOptions] = None,
backend: Optional[str] = None,
exportable: Optional[bool] = None,
auto_rotate_period: Optional[int] = None,
convergent_encryption: Optional[bool] = None,
deletion_allowed: Optional[bool] = None,
derived: Optional[bool] = None,
allow_plaintext_backup: Optional[bool] = None,
key_size: Optional[int] = None,
min_decryption_version: Optional[int] = None,
min_encryption_version: Optional[int] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
type: Optional[str] = None)
func NewSecretBackendKey(ctx *Context, name string, args SecretBackendKeyArgs, opts ...ResourceOption) (*SecretBackendKey, error)
public SecretBackendKey(string name, SecretBackendKeyArgs args, CustomResourceOptions? opts = null)
public SecretBackendKey(String name, SecretBackendKeyArgs args)
public SecretBackendKey(String name, SecretBackendKeyArgs args, CustomResourceOptions options)
type: vault:transit:SecretBackendKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args SecretBackendKeyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var vaultSecretBackendKeyResource = new Vault.Transit.SecretBackendKey("vaultSecretBackendKeyResource", new()
{
Backend = "string",
Exportable = false,
AutoRotatePeriod = 0,
ConvergentEncryption = false,
DeletionAllowed = false,
Derived = false,
AllowPlaintextBackup = false,
KeySize = 0,
MinDecryptionVersion = 0,
MinEncryptionVersion = 0,
Name = "string",
Namespace = "string",
Type = "string",
});
example, err := transit.NewSecretBackendKey(ctx, "vaultSecretBackendKeyResource", &transit.SecretBackendKeyArgs{
Backend: pulumi.String("string"),
Exportable: pulumi.Bool(false),
AutoRotatePeriod: pulumi.Int(0),
ConvergentEncryption: pulumi.Bool(false),
DeletionAllowed: pulumi.Bool(false),
Derived: pulumi.Bool(false),
AllowPlaintextBackup: pulumi.Bool(false),
KeySize: pulumi.Int(0),
MinDecryptionVersion: pulumi.Int(0),
MinEncryptionVersion: pulumi.Int(0),
Name: pulumi.String("string"),
Namespace: pulumi.String("string"),
Type: pulumi.String("string"),
})
var vaultSecretBackendKeyResource = new SecretBackendKey("vaultSecretBackendKeyResource", SecretBackendKeyArgs.builder()
.backend("string")
.exportable(false)
.autoRotatePeriod(0)
.convergentEncryption(false)
.deletionAllowed(false)
.derived(false)
.allowPlaintextBackup(false)
.keySize(0)
.minDecryptionVersion(0)
.minEncryptionVersion(0)
.name("string")
.namespace("string")
.type("string")
.build());
vault_secret_backend_key_resource = vault.transit.SecretBackendKey("vaultSecretBackendKeyResource",
backend="string",
exportable=False,
auto_rotate_period=0,
convergent_encryption=False,
deletion_allowed=False,
derived=False,
allow_plaintext_backup=False,
key_size=0,
min_decryption_version=0,
min_encryption_version=0,
name="string",
namespace="string",
type="string")
const vaultSecretBackendKeyResource = new vault.transit.SecretBackendKey("vaultSecretBackendKeyResource", {
backend: "string",
exportable: false,
autoRotatePeriod: 0,
convergentEncryption: false,
deletionAllowed: false,
derived: false,
allowPlaintextBackup: false,
keySize: 0,
minDecryptionVersion: 0,
minEncryptionVersion: 0,
name: "string",
namespace: "string",
type: "string",
});
type: vault:transit:SecretBackendKey
properties:
allowPlaintextBackup: false
autoRotatePeriod: 0
backend: string
convergentEncryption: false
deletionAllowed: false
derived: false
exportable: false
keySize: 0
minDecryptionVersion: 0
minEncryptionVersion: 0
name: string
namespace: string
type: string
SecretBackendKey Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The SecretBackendKey resource accepts the following input properties:
- Backend string
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - Allow
Plaintext boolBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- Auto
Rotate intPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- Convergent
Encryption bool - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - Deletion
Allowed bool - Specifies if the key is allowed to be deleted.
- Derived bool
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- Exportable bool
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- Key
Size int - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- Min
Decryption intVersion - Minimum key version to use for decryption.
- Min
Encryption intVersion - Minimum key version to use for encryption
- Name string
- The name to identify this key within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Type string
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- Backend string
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - Allow
Plaintext boolBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- Auto
Rotate intPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- Convergent
Encryption bool - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - Deletion
Allowed bool - Specifies if the key is allowed to be deleted.
- Derived bool
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- Exportable bool
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- Key
Size int - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- Min
Decryption intVersion - Minimum key version to use for decryption.
- Min
Encryption intVersion - Minimum key version to use for encryption
- Name string
- The name to identify this key within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Type string
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- backend String
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - allow
Plaintext BooleanBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- auto
Rotate IntegerPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- convergent
Encryption Boolean - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - deletion
Allowed Boolean - Specifies if the key is allowed to be deleted.
- derived Boolean
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable Boolean
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- key
Size Integer - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- min
Decryption IntegerVersion - Minimum key version to use for decryption.
- min
Encryption IntegerVersion - Minimum key version to use for encryption
- name String
- The name to identify this key within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - type String
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- backend string
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - allow
Plaintext booleanBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- auto
Rotate numberPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- convergent
Encryption boolean - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - deletion
Allowed boolean - Specifies if the key is allowed to be deleted.
- derived boolean
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable boolean
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- key
Size number - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- min
Decryption numberVersion - Minimum key version to use for decryption.
- min
Encryption numberVersion - Minimum key version to use for encryption
- name string
- The name to identify this key within the backend. Must be unique within the backend.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - type string
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- backend str
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - allow_
plaintext_ boolbackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- auto_
rotate_ intperiod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- convergent_
encryption bool - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - deletion_
allowed bool - Specifies if the key is allowed to be deleted.
- derived bool
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable bool
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- key_
size int - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- min_
decryption_ intversion - Minimum key version to use for decryption.
- min_
encryption_ intversion - Minimum key version to use for encryption
- name str
- The name to identify this key within the backend. Must be unique within the backend.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - type str
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- backend String
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - allow
Plaintext BooleanBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- auto
Rotate NumberPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- convergent
Encryption Boolean - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - deletion
Allowed Boolean - Specifies if the key is allowed to be deleted.
- derived Boolean
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable Boolean
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- key
Size Number - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- min
Decryption NumberVersion - Minimum key version to use for decryption.
- min
Encryption NumberVersion - Minimum key version to use for encryption
- name String
- The name to identify this key within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - type String
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
Outputs
All input properties are implicitly available as output properties. Additionally, the SecretBackendKey resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Keys
List<Immutable
Dictionary<string, string>> - List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- Latest
Version int - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- int
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - Supports
Decryption bool - Whether or not the key supports decryption, based on key type.
- Supports
Derivation bool - Whether or not the key supports derivation, based on key type.
- Supports
Encryption bool - Whether or not the key supports encryption, based on key type.
- Supports
Signing bool - Whether or not the key supports signing, based on key type.
- Id string
- The provider-assigned unique ID for this managed resource.
- Keys []map[string]string
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- Latest
Version int - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- int
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - Supports
Decryption bool - Whether or not the key supports decryption, based on key type.
- Supports
Derivation bool - Whether or not the key supports derivation, based on key type.
- Supports
Encryption bool - Whether or not the key supports encryption, based on key type.
- Supports
Signing bool - Whether or not the key supports signing, based on key type.
- id String
- The provider-assigned unique ID for this managed resource.
- keys List<Map<String,String>>
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- latest
Version Integer - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- Integer
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - supports
Decryption Boolean - Whether or not the key supports decryption, based on key type.
- supports
Derivation Boolean - Whether or not the key supports derivation, based on key type.
- supports
Encryption Boolean - Whether or not the key supports encryption, based on key type.
- supports
Signing Boolean - Whether or not the key supports signing, based on key type.
- id string
- The provider-assigned unique ID for this managed resource.
- keys {[key: string]: string}[]
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- latest
Version number - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- number
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - supports
Decryption boolean - Whether or not the key supports decryption, based on key type.
- supports
Derivation boolean - Whether or not the key supports derivation, based on key type.
- supports
Encryption boolean - Whether or not the key supports encryption, based on key type.
- supports
Signing boolean - Whether or not the key supports signing, based on key type.
- id str
- The provider-assigned unique ID for this managed resource.
- keys Sequence[Mapping[str, str]]
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- latest_
version int - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- min_
available_ intversion - Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - supports_
decryption bool - Whether or not the key supports decryption, based on key type.
- supports_
derivation bool - Whether or not the key supports derivation, based on key type.
- supports_
encryption bool - Whether or not the key supports encryption, based on key type.
- supports_
signing bool - Whether or not the key supports signing, based on key type.
- id String
- The provider-assigned unique ID for this managed resource.
- keys List<Map<String>>
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- latest
Version Number - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- Number
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - supports
Decryption Boolean - Whether or not the key supports decryption, based on key type.
- supports
Derivation Boolean - Whether or not the key supports derivation, based on key type.
- supports
Encryption Boolean - Whether or not the key supports encryption, based on key type.
- supports
Signing Boolean - Whether or not the key supports signing, based on key type.
Look up Existing SecretBackendKey Resource
Get an existing SecretBackendKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: SecretBackendKeyState, opts?: CustomResourceOptions): SecretBackendKey
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allow_plaintext_backup: Optional[bool] = None,
auto_rotate_period: Optional[int] = None,
backend: Optional[str] = None,
convergent_encryption: Optional[bool] = None,
deletion_allowed: Optional[bool] = None,
derived: Optional[bool] = None,
exportable: Optional[bool] = None,
key_size: Optional[int] = None,
keys: Optional[Sequence[Mapping[str, str]]] = None,
latest_version: Optional[int] = None,
min_available_version: Optional[int] = None,
min_decryption_version: Optional[int] = None,
min_encryption_version: Optional[int] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
supports_decryption: Optional[bool] = None,
supports_derivation: Optional[bool] = None,
supports_encryption: Optional[bool] = None,
supports_signing: Optional[bool] = None,
type: Optional[str] = None) -> SecretBackendKey
func GetSecretBackendKey(ctx *Context, name string, id IDInput, state *SecretBackendKeyState, opts ...ResourceOption) (*SecretBackendKey, error)
public static SecretBackendKey Get(string name, Input<string> id, SecretBackendKeyState? state, CustomResourceOptions? opts = null)
public static SecretBackendKey get(String name, Output<String> id, SecretBackendKeyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allow
Plaintext boolBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- Auto
Rotate intPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- Backend string
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - Convergent
Encryption bool - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - Deletion
Allowed bool - Specifies if the key is allowed to be deleted.
- Derived bool
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- Exportable bool
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- Key
Size int - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- Keys
List<Immutable
Dictionary<string, string>> - List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- Latest
Version int - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- int
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - Min
Decryption intVersion - Minimum key version to use for decryption.
- Min
Encryption intVersion - Minimum key version to use for encryption
- Name string
- The name to identify this key within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Supports
Decryption bool - Whether or not the key supports decryption, based on key type.
- Supports
Derivation bool - Whether or not the key supports derivation, based on key type.
- Supports
Encryption bool - Whether or not the key supports encryption, based on key type.
- Supports
Signing bool - Whether or not the key supports signing, based on key type.
- Type string
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- Allow
Plaintext boolBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- Auto
Rotate intPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- Backend string
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - Convergent
Encryption bool - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - Deletion
Allowed bool - Specifies if the key is allowed to be deleted.
- Derived bool
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- Exportable bool
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- Key
Size int - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- Keys []map[string]string
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- Latest
Version int - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- int
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - Min
Decryption intVersion - Minimum key version to use for decryption.
- Min
Encryption intVersion - Minimum key version to use for encryption
- Name string
- The name to identify this key within the backend. Must be unique within the backend.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Supports
Decryption bool - Whether or not the key supports decryption, based on key type.
- Supports
Derivation bool - Whether or not the key supports derivation, based on key type.
- Supports
Encryption bool - Whether or not the key supports encryption, based on key type.
- Supports
Signing bool - Whether or not the key supports signing, based on key type.
- Type string
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- allow
Plaintext BooleanBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- auto
Rotate IntegerPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- backend String
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - convergent
Encryption Boolean - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - deletion
Allowed Boolean - Specifies if the key is allowed to be deleted.
- derived Boolean
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable Boolean
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- key
Size Integer - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- keys List<Map<String,String>>
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- latest
Version Integer - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- Integer
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - min
Decryption IntegerVersion - Minimum key version to use for decryption.
- min
Encryption IntegerVersion - Minimum key version to use for encryption
- name String
- The name to identify this key within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - supports
Decryption Boolean - Whether or not the key supports decryption, based on key type.
- supports
Derivation Boolean - Whether or not the key supports derivation, based on key type.
- supports
Encryption Boolean - Whether or not the key supports encryption, based on key type.
- supports
Signing Boolean - Whether or not the key supports signing, based on key type.
- type String
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- allow
Plaintext booleanBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- auto
Rotate numberPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- backend string
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - convergent
Encryption boolean - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - deletion
Allowed boolean - Specifies if the key is allowed to be deleted.
- derived boolean
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable boolean
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- key
Size number - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- keys {[key: string]: string}[]
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- latest
Version number - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- number
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - min
Decryption numberVersion - Minimum key version to use for decryption.
- min
Encryption numberVersion - Minimum key version to use for encryption
- name string
- The name to identify this key within the backend. Must be unique within the backend.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - supports
Decryption boolean - Whether or not the key supports decryption, based on key type.
- supports
Derivation boolean - Whether or not the key supports derivation, based on key type.
- supports
Encryption boolean - Whether or not the key supports encryption, based on key type.
- supports
Signing boolean - Whether or not the key supports signing, based on key type.
- type string
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- allow_
plaintext_ boolbackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- auto_
rotate_ intperiod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- backend str
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - convergent_
encryption bool - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - deletion_
allowed bool - Specifies if the key is allowed to be deleted.
- derived bool
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable bool
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- key_
size int - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- keys Sequence[Mapping[str, str]]
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- latest_
version int - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- min_
available_ intversion - Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - min_
decryption_ intversion - Minimum key version to use for decryption.
- min_
encryption_ intversion - Minimum key version to use for encryption
- name str
- The name to identify this key within the backend. Must be unique within the backend.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - supports_
decryption bool - Whether or not the key supports decryption, based on key type.
- supports_
derivation bool - Whether or not the key supports derivation, based on key type.
- supports_
encryption bool - Whether or not the key supports encryption, based on key type.
- supports_
signing bool - Whether or not the key supports signing, based on key type.
- type str
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
- allow
Plaintext BooleanBackup - Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.
- Refer to Vault API documentation on key backups for more information: Backup Key
- auto
Rotate NumberPeriod - Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
- backend String
- The path the transit secret backend is mounted at, with no leading or trailing
/
s. - convergent
Encryption Boolean - Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires
derived
to be set totrue
. - deletion
Allowed Boolean - Specifies if the key is allowed to be deleted.
- derived Boolean
- Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
- exportable Boolean
- Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
- key
Size Number - The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
- keys List<Map<String>>
- List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the
type
of the encryption key.- for key types
aes128-gcm96
,aes256-gcm96
andchacha20-poly1305
, each key version will be a map of a single valueid
which is just a hash of the key's metadata. - for key types
ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,rsa-2048
,rsa-3072
andrsa-4096
, each key version will be a map of the following:
- for key types
- latest
Version Number - Latest key version available. This value is 1-indexed, so if
latest_version
is1
, then the key's information can be referenced fromkeys
by selecting element0
- Number
- Minimum key version available for use. If keys have been archived by increasing
min_decryption_version
, this attribute will reflect that change. - min
Decryption NumberVersion - Minimum key version to use for decryption.
- min
Encryption NumberVersion - Minimum key version to use for encryption
- name String
- The name to identify this key within the backend. Must be unique within the backend.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - supports
Decryption Boolean - Whether or not the key supports decryption, based on key type.
- supports
Derivation Boolean - Whether or not the key supports derivation, based on key type.
- supports
Encryption Boolean - Whether or not the key supports encryption, based on key type.
- supports
Signing Boolean - Whether or not the key supports signing, based on key type.
- type String
- Specifies the type of key to create. The currently-supported types are:
aes128-gcm96
,aes256-gcm96
(default),chacha20-poly1305
,ed25519
,ecdsa-p256
,ecdsa-p384
,ecdsa-p521
,hmac
,rsa-2048
,rsa-3072
andrsa-4096
.- Refer to the Vault documentation on transit key types for more information: Key Types
Import
Transit secret backend keys can be imported using the path
, e.g.
$ pulumi import vault:transit/secretBackendKey:SecretBackendKey key transit/keys/my_key
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vault
Terraform Provider.