1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. transit
  5. SecretBackendKey
HashiCorp Vault v6.3.0 published on Thursday, Aug 8, 2024 by Pulumi

vault.transit.SecretBackendKey

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.3.0 published on Thursday, Aug 8, 2024 by Pulumi

    Creates an Encryption Keyring on a Transit Secret Backend for Vault.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const transit = new vault.Mount("transit", {
        path: "transit",
        type: "transit",
        description: "Example description",
        defaultLeaseTtlSeconds: 3600,
        maxLeaseTtlSeconds: 86400,
    });
    const key = new vault.transit.SecretBackendKey("key", {
        backend: transit.path,
        name: "my_key",
    });
    
    import pulumi
    import pulumi_vault as vault
    
    transit = vault.Mount("transit",
        path="transit",
        type="transit",
        description="Example description",
        default_lease_ttl_seconds=3600,
        max_lease_ttl_seconds=86400)
    key = vault.transit.SecretBackendKey("key",
        backend=transit.path,
        name="my_key")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/transit"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		transit, err := vault.NewMount(ctx, "transit", &vault.MountArgs{
    			Path:                   pulumi.String("transit"),
    			Type:                   pulumi.String("transit"),
    			Description:            pulumi.String("Example description"),
    			DefaultLeaseTtlSeconds: pulumi.Int(3600),
    			MaxLeaseTtlSeconds:     pulumi.Int(86400),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = transit.NewSecretBackendKey(ctx, "key", &transit.SecretBackendKeyArgs{
    			Backend: transit.Path,
    			Name:    pulumi.String("my_key"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var transit = new Vault.Mount("transit", new()
        {
            Path = "transit",
            Type = "transit",
            Description = "Example description",
            DefaultLeaseTtlSeconds = 3600,
            MaxLeaseTtlSeconds = 86400,
        });
    
        var key = new Vault.Transit.SecretBackendKey("key", new()
        {
            Backend = transit.Path,
            Name = "my_key",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.Mount;
    import com.pulumi.vault.MountArgs;
    import com.pulumi.vault.transit.SecretBackendKey;
    import com.pulumi.vault.transit.SecretBackendKeyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var transit = new Mount("transit", MountArgs.builder()
                .path("transit")
                .type("transit")
                .description("Example description")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());
    
            var key = new SecretBackendKey("key", SecretBackendKeyArgs.builder()
                .backend(transit.path())
                .name("my_key")
                .build());
    
        }
    }
    
    resources:
      transit:
        type: vault:Mount
        properties:
          path: transit
          type: transit
          description: Example description
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      key:
        type: vault:transit:SecretBackendKey
        properties:
          backend: ${transit.path}
          name: my_key
    

    Create SecretBackendKey Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SecretBackendKey(name: string, args: SecretBackendKeyArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackendKey(resource_name: str,
                         args: SecretBackendKeyArgs,
                         opts: Optional[ResourceOptions] = None)
    
    @overload
    def SecretBackendKey(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         backend: Optional[str] = None,
                         exportable: Optional[bool] = None,
                         auto_rotate_period: Optional[int] = None,
                         convergent_encryption: Optional[bool] = None,
                         deletion_allowed: Optional[bool] = None,
                         derived: Optional[bool] = None,
                         allow_plaintext_backup: Optional[bool] = None,
                         key_size: Optional[int] = None,
                         min_decryption_version: Optional[int] = None,
                         min_encryption_version: Optional[int] = None,
                         name: Optional[str] = None,
                         namespace: Optional[str] = None,
                         type: Optional[str] = None)
    func NewSecretBackendKey(ctx *Context, name string, args SecretBackendKeyArgs, opts ...ResourceOption) (*SecretBackendKey, error)
    public SecretBackendKey(string name, SecretBackendKeyArgs args, CustomResourceOptions? opts = null)
    public SecretBackendKey(String name, SecretBackendKeyArgs args)
    public SecretBackendKey(String name, SecretBackendKeyArgs args, CustomResourceOptions options)
    
    type: vault:transit:SecretBackendKey
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SecretBackendKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendKeyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendKeyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendKeyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendKeyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var vaultSecretBackendKeyResource = new Vault.Transit.SecretBackendKey("vaultSecretBackendKeyResource", new()
    {
        Backend = "string",
        Exportable = false,
        AutoRotatePeriod = 0,
        ConvergentEncryption = false,
        DeletionAllowed = false,
        Derived = false,
        AllowPlaintextBackup = false,
        KeySize = 0,
        MinDecryptionVersion = 0,
        MinEncryptionVersion = 0,
        Name = "string",
        Namespace = "string",
        Type = "string",
    });
    
    example, err := transit.NewSecretBackendKey(ctx, "vaultSecretBackendKeyResource", &transit.SecretBackendKeyArgs{
    	Backend:              pulumi.String("string"),
    	Exportable:           pulumi.Bool(false),
    	AutoRotatePeriod:     pulumi.Int(0),
    	ConvergentEncryption: pulumi.Bool(false),
    	DeletionAllowed:      pulumi.Bool(false),
    	Derived:              pulumi.Bool(false),
    	AllowPlaintextBackup: pulumi.Bool(false),
    	KeySize:              pulumi.Int(0),
    	MinDecryptionVersion: pulumi.Int(0),
    	MinEncryptionVersion: pulumi.Int(0),
    	Name:                 pulumi.String("string"),
    	Namespace:            pulumi.String("string"),
    	Type:                 pulumi.String("string"),
    })
    
    var vaultSecretBackendKeyResource = new SecretBackendKey("vaultSecretBackendKeyResource", SecretBackendKeyArgs.builder()
        .backend("string")
        .exportable(false)
        .autoRotatePeriod(0)
        .convergentEncryption(false)
        .deletionAllowed(false)
        .derived(false)
        .allowPlaintextBackup(false)
        .keySize(0)
        .minDecryptionVersion(0)
        .minEncryptionVersion(0)
        .name("string")
        .namespace("string")
        .type("string")
        .build());
    
    vault_secret_backend_key_resource = vault.transit.SecretBackendKey("vaultSecretBackendKeyResource",
        backend="string",
        exportable=False,
        auto_rotate_period=0,
        convergent_encryption=False,
        deletion_allowed=False,
        derived=False,
        allow_plaintext_backup=False,
        key_size=0,
        min_decryption_version=0,
        min_encryption_version=0,
        name="string",
        namespace="string",
        type="string")
    
    const vaultSecretBackendKeyResource = new vault.transit.SecretBackendKey("vaultSecretBackendKeyResource", {
        backend: "string",
        exportable: false,
        autoRotatePeriod: 0,
        convergentEncryption: false,
        deletionAllowed: false,
        derived: false,
        allowPlaintextBackup: false,
        keySize: 0,
        minDecryptionVersion: 0,
        minEncryptionVersion: 0,
        name: "string",
        namespace: "string",
        type: "string",
    });
    
    type: vault:transit:SecretBackendKey
    properties:
        allowPlaintextBackup: false
        autoRotatePeriod: 0
        backend: string
        convergentEncryption: false
        deletionAllowed: false
        derived: false
        exportable: false
        keySize: 0
        minDecryptionVersion: 0
        minEncryptionVersion: 0
        name: string
        namespace: string
        type: string
    

    SecretBackendKey Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The SecretBackendKey resource accepts the following input properties:

    Backend string
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    AllowPlaintextBackup bool
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    AutoRotatePeriod int
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    ConvergentEncryption bool
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    DeletionAllowed bool
    Specifies if the key is allowed to be deleted.
    Derived bool
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    Exportable bool
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    KeySize int
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    MinDecryptionVersion int
    Minimum key version to use for decryption.
    MinEncryptionVersion int
    Minimum key version to use for encryption
    Name string
    The name to identify this key within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Type string
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    Backend string
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    AllowPlaintextBackup bool
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    AutoRotatePeriod int
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    ConvergentEncryption bool
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    DeletionAllowed bool
    Specifies if the key is allowed to be deleted.
    Derived bool
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    Exportable bool
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    KeySize int
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    MinDecryptionVersion int
    Minimum key version to use for decryption.
    MinEncryptionVersion int
    Minimum key version to use for encryption
    Name string
    The name to identify this key within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    Type string
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    backend String
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    allowPlaintextBackup Boolean
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    autoRotatePeriod Integer
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    convergentEncryption Boolean
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    deletionAllowed Boolean
    Specifies if the key is allowed to be deleted.
    derived Boolean
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    exportable Boolean
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    keySize Integer
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    minDecryptionVersion Integer
    Minimum key version to use for decryption.
    minEncryptionVersion Integer
    Minimum key version to use for encryption
    name String
    The name to identify this key within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    type String
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    backend string
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    allowPlaintextBackup boolean
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    autoRotatePeriod number
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    convergentEncryption boolean
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    deletionAllowed boolean
    Specifies if the key is allowed to be deleted.
    derived boolean
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    exportable boolean
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    keySize number
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    minDecryptionVersion number
    Minimum key version to use for decryption.
    minEncryptionVersion number
    Minimum key version to use for encryption
    name string
    The name to identify this key within the backend. Must be unique within the backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    type string
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    backend str
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    allow_plaintext_backup bool
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    auto_rotate_period int
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    convergent_encryption bool
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    deletion_allowed bool
    Specifies if the key is allowed to be deleted.
    derived bool
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    exportable bool
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    key_size int
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    min_decryption_version int
    Minimum key version to use for decryption.
    min_encryption_version int
    Minimum key version to use for encryption
    name str
    The name to identify this key within the backend. Must be unique within the backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    type str
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    backend String
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    allowPlaintextBackup Boolean
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    autoRotatePeriod Number
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    convergentEncryption Boolean
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    deletionAllowed Boolean
    Specifies if the key is allowed to be deleted.
    derived Boolean
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    exportable Boolean
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    keySize Number
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    minDecryptionVersion Number
    Minimum key version to use for decryption.
    minEncryptionVersion Number
    Minimum key version to use for encryption
    name String
    The name to identify this key within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    type String
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackendKey resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Keys List<ImmutableDictionary<string, object>>
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    LatestVersion int
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    MinAvailableVersion int
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    SupportsDecryption bool
    Whether or not the key supports decryption, based on key type.
    SupportsDerivation bool
    Whether or not the key supports derivation, based on key type.
    SupportsEncryption bool
    Whether or not the key supports encryption, based on key type.
    SupportsSigning bool
    Whether or not the key supports signing, based on key type.
    Id string
    The provider-assigned unique ID for this managed resource.
    Keys []map[string]interface{}
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    LatestVersion int
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    MinAvailableVersion int
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    SupportsDecryption bool
    Whether or not the key supports decryption, based on key type.
    SupportsDerivation bool
    Whether or not the key supports derivation, based on key type.
    SupportsEncryption bool
    Whether or not the key supports encryption, based on key type.
    SupportsSigning bool
    Whether or not the key supports signing, based on key type.
    id String
    The provider-assigned unique ID for this managed resource.
    keys List<Map<String,Object>>
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    latestVersion Integer
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    minAvailableVersion Integer
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    supportsDecryption Boolean
    Whether or not the key supports decryption, based on key type.
    supportsDerivation Boolean
    Whether or not the key supports derivation, based on key type.
    supportsEncryption Boolean
    Whether or not the key supports encryption, based on key type.
    supportsSigning Boolean
    Whether or not the key supports signing, based on key type.
    id string
    The provider-assigned unique ID for this managed resource.
    keys {[key: string]: any}[]
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    latestVersion number
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    minAvailableVersion number
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    supportsDecryption boolean
    Whether or not the key supports decryption, based on key type.
    supportsDerivation boolean
    Whether or not the key supports derivation, based on key type.
    supportsEncryption boolean
    Whether or not the key supports encryption, based on key type.
    supportsSigning boolean
    Whether or not the key supports signing, based on key type.
    id str
    The provider-assigned unique ID for this managed resource.
    keys Sequence[Mapping[str, Any]]
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    latest_version int
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    min_available_version int
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    supports_decryption bool
    Whether or not the key supports decryption, based on key type.
    supports_derivation bool
    Whether or not the key supports derivation, based on key type.
    supports_encryption bool
    Whether or not the key supports encryption, based on key type.
    supports_signing bool
    Whether or not the key supports signing, based on key type.
    id String
    The provider-assigned unique ID for this managed resource.
    keys List<Map<Any>>
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    latestVersion Number
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    minAvailableVersion Number
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    supportsDecryption Boolean
    Whether or not the key supports decryption, based on key type.
    supportsDerivation Boolean
    Whether or not the key supports derivation, based on key type.
    supportsEncryption Boolean
    Whether or not the key supports encryption, based on key type.
    supportsSigning Boolean
    Whether or not the key supports signing, based on key type.

    Look up Existing SecretBackendKey Resource

    Get an existing SecretBackendKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendKeyState, opts?: CustomResourceOptions): SecretBackendKey
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            allow_plaintext_backup: Optional[bool] = None,
            auto_rotate_period: Optional[int] = None,
            backend: Optional[str] = None,
            convergent_encryption: Optional[bool] = None,
            deletion_allowed: Optional[bool] = None,
            derived: Optional[bool] = None,
            exportable: Optional[bool] = None,
            key_size: Optional[int] = None,
            keys: Optional[Sequence[Mapping[str, Any]]] = None,
            latest_version: Optional[int] = None,
            min_available_version: Optional[int] = None,
            min_decryption_version: Optional[int] = None,
            min_encryption_version: Optional[int] = None,
            name: Optional[str] = None,
            namespace: Optional[str] = None,
            supports_decryption: Optional[bool] = None,
            supports_derivation: Optional[bool] = None,
            supports_encryption: Optional[bool] = None,
            supports_signing: Optional[bool] = None,
            type: Optional[str] = None) -> SecretBackendKey
    func GetSecretBackendKey(ctx *Context, name string, id IDInput, state *SecretBackendKeyState, opts ...ResourceOption) (*SecretBackendKey, error)
    public static SecretBackendKey Get(string name, Input<string> id, SecretBackendKeyState? state, CustomResourceOptions? opts = null)
    public static SecretBackendKey get(String name, Output<String> id, SecretBackendKeyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AllowPlaintextBackup bool
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    AutoRotatePeriod int
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    Backend string
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    ConvergentEncryption bool
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    DeletionAllowed bool
    Specifies if the key is allowed to be deleted.
    Derived bool
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    Exportable bool
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    KeySize int
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    Keys List<ImmutableDictionary<string, object>>
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    LatestVersion int
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    MinAvailableVersion int
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    MinDecryptionVersion int
    Minimum key version to use for decryption.
    MinEncryptionVersion int
    Minimum key version to use for encryption
    Name string
    The name to identify this key within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    SupportsDecryption bool
    Whether or not the key supports decryption, based on key type.
    SupportsDerivation bool
    Whether or not the key supports derivation, based on key type.
    SupportsEncryption bool
    Whether or not the key supports encryption, based on key type.
    SupportsSigning bool
    Whether or not the key supports signing, based on key type.
    Type string
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    AllowPlaintextBackup bool
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    AutoRotatePeriod int
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    Backend string
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    ConvergentEncryption bool
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    DeletionAllowed bool
    Specifies if the key is allowed to be deleted.
    Derived bool
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    Exportable bool
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    KeySize int
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    Keys []map[string]interface{}
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    LatestVersion int
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    MinAvailableVersion int
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    MinDecryptionVersion int
    Minimum key version to use for decryption.
    MinEncryptionVersion int
    Minimum key version to use for encryption
    Name string
    The name to identify this key within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    SupportsDecryption bool
    Whether or not the key supports decryption, based on key type.
    SupportsDerivation bool
    Whether or not the key supports derivation, based on key type.
    SupportsEncryption bool
    Whether or not the key supports encryption, based on key type.
    SupportsSigning bool
    Whether or not the key supports signing, based on key type.
    Type string
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    allowPlaintextBackup Boolean
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    autoRotatePeriod Integer
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    backend String
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    convergentEncryption Boolean
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    deletionAllowed Boolean
    Specifies if the key is allowed to be deleted.
    derived Boolean
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    exportable Boolean
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    keySize Integer
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    keys List<Map<String,Object>>
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    latestVersion Integer
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    minAvailableVersion Integer
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    minDecryptionVersion Integer
    Minimum key version to use for decryption.
    minEncryptionVersion Integer
    Minimum key version to use for encryption
    name String
    The name to identify this key within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    supportsDecryption Boolean
    Whether or not the key supports decryption, based on key type.
    supportsDerivation Boolean
    Whether or not the key supports derivation, based on key type.
    supportsEncryption Boolean
    Whether or not the key supports encryption, based on key type.
    supportsSigning Boolean
    Whether or not the key supports signing, based on key type.
    type String
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    allowPlaintextBackup boolean
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    autoRotatePeriod number
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    backend string
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    convergentEncryption boolean
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    deletionAllowed boolean
    Specifies if the key is allowed to be deleted.
    derived boolean
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    exportable boolean
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    keySize number
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    keys {[key: string]: any}[]
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    latestVersion number
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    minAvailableVersion number
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    minDecryptionVersion number
    Minimum key version to use for decryption.
    minEncryptionVersion number
    Minimum key version to use for encryption
    name string
    The name to identify this key within the backend. Must be unique within the backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    supportsDecryption boolean
    Whether or not the key supports decryption, based on key type.
    supportsDerivation boolean
    Whether or not the key supports derivation, based on key type.
    supportsEncryption boolean
    Whether or not the key supports encryption, based on key type.
    supportsSigning boolean
    Whether or not the key supports signing, based on key type.
    type string
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    allow_plaintext_backup bool
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    auto_rotate_period int
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    backend str
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    convergent_encryption bool
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    deletion_allowed bool
    Specifies if the key is allowed to be deleted.
    derived bool
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    exportable bool
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    key_size int
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    keys Sequence[Mapping[str, Any]]
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    latest_version int
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    min_available_version int
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    min_decryption_version int
    Minimum key version to use for decryption.
    min_encryption_version int
    Minimum key version to use for encryption
    name str
    The name to identify this key within the backend. Must be unique within the backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    supports_decryption bool
    Whether or not the key supports decryption, based on key type.
    supports_derivation bool
    Whether or not the key supports derivation, based on key type.
    supports_encryption bool
    Whether or not the key supports encryption, based on key type.
    supports_signing bool
    Whether or not the key supports signing, based on key type.
    type str
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types
    allowPlaintextBackup Boolean
    Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

    • Refer to Vault API documentation on key backups for more information: Backup Key
    autoRotatePeriod Number
    Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
    backend String
    The path the transit secret backend is mounted at, with no leading or trailing /s.
    convergentEncryption Boolean
    Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
    deletionAllowed Boolean
    Specifies if the key is allowed to be deleted.
    derived Boolean
    Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
    exportable Boolean
    Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
    keySize Number
    The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
    keys List<Map<Any>>
    List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

    • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
    • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
    latestVersion Number
    Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
    minAvailableVersion Number
    Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
    minDecryptionVersion Number
    Minimum key version to use for decryption.
    minEncryptionVersion Number
    Minimum key version to use for encryption
    name String
    The name to identify this key within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    supportsDecryption Boolean
    Whether or not the key supports decryption, based on key type.
    supportsDerivation Boolean
    Whether or not the key supports derivation, based on key type.
    supportsEncryption Boolean
    Whether or not the key supports encryption, based on key type.
    supportsSigning Boolean
    Whether or not the key supports signing, based on key type.
    type String
    Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

    • Refer to the Vault documentation on transit key types for more information: Key Types

    Import

    Transit secret backend keys can be imported using the path, e.g.

    $ pulumi import vault:transit/secretBackendKey:SecretBackendKey key transit/keys/my_key
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.3.0 published on Thursday, Aug 8, 2024 by Pulumi