Secret
Provides a resource to manage roles in an SSH secret backend SSH secret backend within Vault.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const example = new vault.Mount("example", {type: "ssh"});
const foo = new vault.ssh.SecretBackendRole("foo", {
name: "my-role",
backend: example.path,
keyType: "ca",
allowUserCertificates: true,
});
const bar = new vault.ssh.SecretBackendRole("bar", {
name: "otp-role",
backend: example.path,
keyType: "otp",
defaultUser: "default",
allowedUsers: "default,baz",
cidrList: "0.0.0.0/0",
});import pulumi
import pulumi_vault as vault
example = vault.Mount("example", type="ssh")
foo = vault.ssh.SecretBackendRole("foo",
name="my-role",
backend=example.path,
key_type="ca",
allow_user_certificates=True)
bar = vault.ssh.SecretBackendRole("bar",
name="otp-role",
backend=example.path,
key_type="otp",
default_user="default",
allowed_users="default,baz",
cidr_list="0.0.0.0/0")using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var example = new Vault.Mount("example", new()
{
Type = "ssh",
});
var foo = new Vault.Ssh.SecretBackendRole("foo", new()
{
Name = "my-role",
Backend = example.Path,
KeyType = "ca",
AllowUserCertificates = true,
});
var bar = new Vault.Ssh.SecretBackendRole("bar", new()
{
Name = "otp-role",
Backend = example.Path,
KeyType = "otp",
DefaultUser = "default",
AllowedUsers = "default,baz",
CidrList = "0.0.0.0/0",
});
});package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/ssh"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := vault.NewMount(ctx, "example", &vault.MountArgs{
Type: pulumi.String("ssh"),
})
if err != nil {
return err
}
_, err = ssh.NewSecretBackendRole(ctx, "foo", &ssh.SecretBackendRoleArgs{
Name: pulumi.String("my-role"),
Backend: example.Path,
KeyType: pulumi.String("ca"),
AllowUserCertificates: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = ssh.NewSecretBackendRole(ctx, "bar", &ssh.SecretBackendRoleArgs{
Name: pulumi.String("otp-role"),
Backend: example.Path,
KeyType: pulumi.String("otp"),
DefaultUser: pulumi.String("default"),
AllowedUsers: pulumi.String("default,baz"),
CidrList: pulumi.String("0.0.0.0/0"),
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.ssh.SecretBackendRole;
import com.pulumi.vault.ssh.SecretBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Mount("example", MountArgs.builder()
.type("ssh")
.build());
var foo = new SecretBackendRole("foo", SecretBackendRoleArgs.builder()
.name("my-role")
.backend(example.path())
.keyType("ca")
.allowUserCertificates(true)
.build());
var bar = new SecretBackendRole("bar", SecretBackendRoleArgs.builder()
.name("otp-role")
.backend(example.path())
.keyType("otp")
.defaultUser("default")
.allowedUsers("default,baz")
.cidrList("0.0.0.0/0")
.build());
}
}resources:
example:
type: vault:Mount
properties:
type: ssh
foo:
type: vault:ssh:SecretBackendRole
properties:
name: my-role
backend: ${example.path}
keyType: ca
allowUserCertificates: true
bar:
type: vault:ssh:SecretBackendRole
properties:
name: otp-role
backend: ${example.path}
keyType: otp
defaultUser: default
allowedUsers: default,baz
cidrList: 0.0.0.0/0Import
SSH secret backend roles can be imported using the path, e.g.
$ pulumi import vault:ssh/secretBackendRole:SecretBackendRole foo ssh/roles/my-roleConstructors
Properties
When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.
Specifies if host certificates that are requested are allowed to use the base domains listed in allowed_domains.
Specifies a comma-separated list of critical options that certificates can have when signed.
The list of domains for which a client can request a host certificate.
Specifies if allowed_domains can be declared using identity template policies. Non-templated domains are also permitted.
Specifies a comma-separated list of extensions that certificates can have when signed.
Set of configuration blocks to define allowed user key configuration, like key type and their lengths. Can be specified multiple times. See Configuration-Options for more info
Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.
Specifies if allowed_users can be declared using identity template policies. Non-templated users are also permitted.
Allow signing certificates with no valid principals (e.g. any valid principal). For backwards compatibility only. The default of false is highly recommended.
Specifies if certificates are allowed to be signed for use as a 'host'.
Specifies if host certificates that are requested are allowed to be subdomains of those listed in allowed_domains.
Specifies if certificates are allowed to be signed for use as a 'user'.
Specifies if users can override the key ID for a signed certificate with the key_id field.
Specifies a map of critical options that certificates have when signed.
Specifies a map of extensions that certificates have when signed.
Specifies the default username for which a credential will be generated.
If set, default_users can be specified using identity template values. A non-templated user is also permitted.
Specifies a custom format for the key id of a signed certificate.
Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings.