Secret Backend Args
Example Usage
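import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Read the LDAP bind password from encrypted stack configuration rather than
// committing it to source control. The key name "ldapBindpass" is illustrative;
// set it with:  pulumi config set --secret ldapBindpass <value>
const stackConfig = new pulumi.Config();
const bindpass = stackConfig.requireSecret("ldapBindpass");

// Mounts and configures the LDAP secrets engine at "my-custom-ldap".
const config = new vault.ldap.SecretBackend("config", {
    path: "my-custom-ldap",
    // Prefer a dedicated service account holding only the rights the backend
    // needs over the built-in Administrator account shown here.
    binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass: bindpass,
    url: "ldaps://localhost",
    // Disables verification of the LDAP server certificate; not recommended
    // for production. Outside a local test, drop this and supply the CA
    // certificate so the ldaps:// connection is actually authenticated.
    insecureTls: true,
    userdn: "CN=Users,DC=corp,DC=example,DC=net",
    // Root credential rotation: minute 0 of every hour on Saturdays, with a
    // 3600-second window (the minimum). Requires Vault Enterprise 1.19+.
    rotationSchedule: "0 * * * SAT",
    rotationWindow: 3600,
});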
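import pulumi
import pulumi_vault as vault

# Read the LDAP bind password from encrypted stack configuration rather than
# committing it to source control. The key name "ldapBindpass" is illustrative;
# set it with:  pulumi config set --secret ldapBindpass <value>
stack_config = pulumi.Config()
bindpass = stack_config.require_secret("ldapBindpass")

# Mounts and configures the LDAP secrets engine at "my-custom-ldap".
config = vault.ldap.SecretBackend(
    "config",
    path="my-custom-ldap",
    # Prefer a dedicated service account holding only the rights the backend
    # needs over the built-in Administrator account shown here.
    binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass=bindpass,
    url="ldaps://localhost",
    # Disables verification of the LDAP server certificate; not recommended
    # for production. Outside a local test, drop this and supply the CA
    # certificate so the ldaps:// connection is actually authenticated.
    insecure_tls=True,
    userdn="CN=Users,DC=corp,DC=example,DC=net",
    # Root credential rotation: minute 0 of every hour on Saturdays, with a
    # 3600-second window (the minimum). Requires Vault Enterprise 1.19+.
    rotation_schedule="0 * * * SAT",
    rotation_window=3600,
)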
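using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() =>
{
    // Read the LDAP bind password from encrypted stack configuration rather
    // than committing it to source control. The key name "ldapBindpass" is
    // illustrative; set it with:  pulumi config set --secret ldapBindpass <value>
    var stackConfig = new Config();
    var bindpass = stackConfig.RequireSecret("ldapBindpass");

    // Mounts and configures the LDAP secrets engine at "my-custom-ldap".
    var config = new Vault.Ldap.SecretBackend("config", new()
    {
        Path = "my-custom-ldap",
        // Prefer a dedicated service account holding only the rights the
        // backend needs over the built-in Administrator account shown here.
        Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
        Bindpass = bindpass,
        Url = "ldaps://localhost",
        // Disables verification of the LDAP server certificate; not
        // recommended for production. Outside a local test, drop this and
        // supply the CA certificate so the ldaps:// connection is authenticated.
        InsecureTls = true,
        Userdn = "CN=Users,DC=corp,DC=example,DC=net",
        // Root credential rotation: minute 0 of every hour on Saturdays, with
        // a 3600-second window (the minimum). Requires Vault Enterprise 1.19+.
        RotationSchedule = "0 * * * SAT",
        RotationWindow = 3600,
    });
});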
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/ldap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
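// main registers an LDAP secrets engine mounted at "my-custom-ldap".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Read the LDAP bind password from encrypted stack configuration
		// rather than committing it to source control. The key name
		// "ldapBindpass" is illustrative; set it with:
		//   pulumi config set --secret ldapBindpass <value>
		bindpass := config.RequireSecret(ctx, "ldapBindpass")

		_, err := ldap.NewSecretBackend(ctx, "config", &ldap.SecretBackendArgs{
			Path: pulumi.String("my-custom-ldap"),
			// Prefer a dedicated service account holding only the rights the
			// backend needs over the built-in Administrator account shown here.
			Binddn:   pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
			Bindpass: bindpass,
			Url:      pulumi.String("ldaps://localhost"),
			// Disables verification of the LDAP server certificate; not
			// recommended for production. Outside a local test, drop this and
			// supply the CA certificate so the ldaps:// connection is
			// actually authenticated.
			InsecureTls: pulumi.Bool(true),
			Userdn:      pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
			// Root credential rotation: minute 0 of every hour on Saturdays,
			// with a 3600-second window (the minimum). Requires Vault
			// Enterprise 1.19+.
			RotationSchedule: pulumi.String("0 * * * SAT"),
			RotationWindow:   pulumi.Int(3600),
		})
		// A nil err means the resource was registered; otherwise propagate it.
		return err
	})
}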
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.ldap.SecretBackend;
import com.pulumi.vault.ldap.SecretBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
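/**
 * Pulumi program that registers an LDAP secrets engine mounted at
 * "my-custom-ldap".
 */
public class App {
    /** Program entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of the stack.
     *
     * @param ctx the Pulumi context, used here to read stack configuration
     */
    public static void stack(Context ctx) {
        // Read the LDAP bind password from encrypted stack configuration rather
        // than committing it to source control. The key name "ldapBindpass" is
        // illustrative; set it with:  pulumi config set --secret ldapBindpass <value>
        final var bindpass = ctx.config().requireSecret("ldapBindpass");

        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .path("my-custom-ldap")
            // Prefer a dedicated service account holding only the rights the
            // backend needs over the built-in Administrator account shown here.
            .binddn("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net")
            .bindpass(bindpass)
            .url("ldaps://localhost")
            // Boolean, not the string "true". Disables verification of the LDAP
            // server certificate; not recommended for production. Outside a
            // local test, drop this and supply the CA certificate instead.
            .insecureTls(true)
            .userdn("CN=Users,DC=corp,DC=example,DC=net")
            // Root credential rotation: minute 0 of every hour on Saturdays,
            // with a 3600-second window (the minimum). Requires Vault
            // Enterprise 1.19+.
            .rotationSchedule("0 * * * SAT")
            .rotationWindow(3600)
            .build());
    }
}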
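# The LDAP bind password is read from encrypted stack configuration rather than
# being committed to source control. The key name "ldapBindpass" is
# illustrative; set it with:  pulumi config set --secret ldapBindpass <value>
config:
  ldapBindpass:
    type: string
    secret: true
resources:
  # Mounts and configures the LDAP secrets engine at "my-custom-ldap".
  config:
    type: vault:ldap:SecretBackend
    properties:
      path: my-custom-ldap
      # Prefer a dedicated service account holding only the rights the backend
      # needs over the built-in Administrator account shown here.
      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
      bindpass: ${ldapBindpass}
      url: ldaps://localhost
      # Boolean, not the string 'true'. Disables verification of the LDAP
      # server certificate; not recommended for production. Outside a local
      # test, drop this and supply the CA certificate instead.
      insecureTls: true
      userdn: CN=Users,DC=corp,DC=example,DC=net
      # Root credential rotation: minute 0 of every hour on Saturdays, with a
      # 3600-second window (the minimum). Requires Vault Enterprise 1.19+.
      rotationSchedule: "0 * * * SAT"
      rotationWindow: 3600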
Import
An LDAP secret backend can be imported using ${mount}/config, e.g.
$ pulumi import vault:ldap/secretBackend:SecretBackend config ldap/config
Constructors
Properties
List of managed key registry entry names that the mount in question is allowed to access
List of headers to allow and pass from the request to the plugin
Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
Timeout, in seconds, when attempting to connect to the LDAP server before trying the next URL in the configuration.
Default lease duration for secrets in seconds.
List of headers to allow and pass from the request to the plugin
Human-friendly description of the mount for the Active Directory backend.
Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.
If set, opts out of mount migration on path updates.
Enable the secrets engine to access Vault's external entropy source
The key to use for signing plugin workload identity tokens
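Skip LDAP server SSL certificate verification. This is not recommended for production: without verification the server's identity is never checked, so the bind credentials can be exposed to an intercepting host. Defaults to false.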
Specifies whether to show this mount in the UI-specific listing endpoint
Maximum possible lease duration for secrets in seconds.
List of headers to allow and pass from the request to the plugin
Name of the password policy to use to generate passwords.
Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.
The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.
The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600 seconds. Requires Vault Enterprise 1.19+.
If set to true, static roles will not be rotated during import. Defaults to false. Requires Vault 1.16 or above.