pulumi-vault-kotlin/com.pulumi.vault.transit.kotlin/SecretBackendKey

SecretBackendKey

class SecretBackendKey : KotlinCustomResource

Creates an Encryption Keyring on a Transit Secret Backend for Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const transit = new vault.Mount("transit", {
    path: "transit",
    type: "transit",
    description: "Example description",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
});
const key = new vault.transit.SecretBackendKey("key", {
    backend: transit.path,
    name: "my_key",
});

import pulumi
import pulumi_vault as vault
transit = vault.Mount("transit",
    path="transit",
    type="transit",
    description="Example description",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400)
key = vault.transit.SecretBackendKey("key",
    backend=transit.path,
    name="my_key")

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    var transit = new Vault.Mount("transit", new()
    {
        Path = "transit",
        Type = "transit",
        Description = "Example description",
        DefaultLeaseTtlSeconds = 3600,
        MaxLeaseTtlSeconds = 86400,
    });
    var key = new Vault.Transit.SecretBackendKey("key", new()
    {
        Backend = transit.Path,
        Name = "my_key",
    });
});

package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/transit"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		transit, err := vault.NewMount(ctx, "transit", &vault.MountArgs{
			Path:                   pulumi.String("transit"),
			Type:                   pulumi.String("transit"),
			Description:            pulumi.String("Example description"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		})
		if err != nil {
			return err
		}
		_, err = transit.NewSecretBackendKey(ctx, "key", &transit.SecretBackendKeyArgs{
			Backend: transit.Path,
			Name:    pulumi.String("my_key"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.transit.SecretBackendKey;
import com.pulumi.vault.transit.SecretBackendKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var transit = new Mount("transit", MountArgs.builder()
            .path("transit")
            .type("transit")
            .description("Example description")
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());
        var key = new SecretBackendKey("key", SecretBackendKeyArgs.builder()
            .backend(transit.path())
            .name("my_key")
            .build());
    }
}

resources:
  transit:
    type: vault:Mount
    properties:
      path: transit
      type: transit
      description: Example description
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  key:
    type: vault:transit:SecretBackendKey
    properties:
      backend: ${transit.path}
      name: my_key

Import

Transit secret backend keys can be imported using the path, e.g.

$ pulumi import vault:transit/secretBackendKey:SecretBackendKey key transit/keys/my_key

Properties

allowPlaintextBackup

val allowPlaintextBackup: Output<Boolean>?

Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

autoRotatePeriod

val autoRotatePeriod: Output<Int>

Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.

backend

val backend: Output<String>

The path the transit secret backend is mounted at, with no leading or trailing /s.

convergentEncryption

val convergentEncryption: Output<Boolean>?

Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.

deletionAllowed

val deletionAllowed: Output<Boolean>?

Specifies if the key is allowed to be deleted.

derived

val derived: Output<Boolean>?

Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.

exportable

val exportable: Output<Boolean>?

Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.

hybridKeyTypeEc

val hybridKeyTypeEc: Output<String>?

The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.

hybridKeyTypePqc

val hybridKeyTypePqc: Output<String>?

The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.

val id: Output<String>

keys

val keys: Output<List<Map<String, String>>>

List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

keySize

val keySize: Output<Int>?

The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.

latestVersion

val latestVersion: Output<Int>

Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0

minAvailableVersion

val minAvailableVersion: Output<Int>

Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.

minDecryptionVersion

val minDecryptionVersion: Output<Int>?

Minimum key version to use for decryption.

minEncryptionVersion

val minEncryptionVersion: Output<Int>?

Minimum key version to use for encryption

name

val name: Output<String>

The name to identify this key within the backend. Must be unique within the backend.

namespace

val namespace: Output<String>?

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

parameterSet

val parameterSet: Output<String>?

The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiResourceName

val pulumiResourceName: String

pulumiResourceType

val pulumiResourceType: String

supportsDecryption

val supportsDecryption: Output<Boolean>

Whether or not the key supports decryption, based on key type.

supportsDerivation

val supportsDerivation: Output<Boolean>

Whether or not the key supports derivation, based on key type.

supportsEncryption

val supportsEncryption: Output<Boolean>

Whether or not the key supports encryption, based on key type.

supportsSigning

val supportsSigning: Output<Boolean>

Whether or not the key supports signing, based on key type.

type

val type: Output<String>?

Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

urn

val urn: Output<String>