Cert
Provides a resource to create a role in an Cert auth backend within Vault.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as std from "@pulumi/std";
import * as vault from "@pulumi/vault";
const cert = new vault.AuthBackend("cert", {
path: "cert",
type: "cert",
});
const certCertAuthBackendRole = new vault.CertAuthBackendRole("cert", {
name: "foo",
certificate: std.file({
input: "/path/to/certs/ca-cert.pem",
}).then(invoke => invoke.result),
backend: cert.path,
allowedNames: [
"foo.example.org",
"baz.example.org",
],
tokenTtl: 300,
tokenMaxTtl: 600,
tokenPolicies: ["foo"],
});import pulumi
import pulumi_std as std
import pulumi_vault as vault
cert = vault.AuthBackend("cert",
path="cert",
type="cert")
cert_cert_auth_backend_role = vault.CertAuthBackendRole("cert",
name="foo",
certificate=std.file(input="/path/to/certs/ca-cert.pem").result,
backend=cert.path,
allowed_names=[
"foo.example.org",
"baz.example.org",
],
token_ttl=300,
token_max_ttl=600,
token_policies=["foo"])using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Std = Pulumi.Std;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var cert = new Vault.AuthBackend("cert", new()
{
Path = "cert",
Type = "cert",
});
var certCertAuthBackendRole = new Vault.CertAuthBackendRole("cert", new()
{
Name = "foo",
Certificate = Std.File.Invoke(new()
{
Input = "/path/to/certs/ca-cert.pem",
}).Apply(invoke => invoke.Result),
Backend = cert.Path,
AllowedNames = new[]
{
"foo.example.org",
"baz.example.org",
},
TokenTtl = 300,
TokenMaxTtl = 600,
TokenPolicies = new[]
{
"foo",
},
});
});package main
import (
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cert, err := vault.NewAuthBackend(ctx, "cert", &vault.AuthBackendArgs{
Path: pulumi.String("cert"),
Type: pulumi.String("cert"),
})
if err != nil {
return err
}
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "/path/to/certs/ca-cert.pem",
}, nil)
if err != nil {
return err
}
_, err = vault.NewCertAuthBackendRole(ctx, "cert", &vault.CertAuthBackendRoleArgs{
Name: pulumi.String("foo"),
Certificate: pulumi.String(invokeFile.Result),
Backend: cert.Path,
AllowedNames: pulumi.StringArray{
pulumi.String("foo.example.org"),
pulumi.String("baz.example.org"),
},
TokenTtl: pulumi.Int(300),
TokenMaxTtl: pulumi.Int(600),
TokenPolicies: pulumi.StringArray{
pulumi.String("foo"),
},
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.CertAuthBackendRole;
import com.pulumi.vault.CertAuthBackendRoleArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var cert = new AuthBackend("cert", AuthBackendArgs.builder()
.path("cert")
.type("cert")
.build());
var certCertAuthBackendRole = new CertAuthBackendRole("certCertAuthBackendRole", CertAuthBackendRoleArgs.builder()
.name("foo")
.certificate(StdFunctions.file(FileArgs.builder()
.input("/path/to/certs/ca-cert.pem")
.build()).result())
.backend(cert.path())
.allowedNames(
"foo.example.org",
"baz.example.org")
.tokenTtl(300)
.tokenMaxTtl(600)
.tokenPolicies("foo")
.build());
}
}resources:
cert:
type: vault:AuthBackend
properties:
path: cert
type: cert
certCertAuthBackendRole:
type: vault:CertAuthBackendRole
name: cert
properties:
name: foo
certificate:
fn::invoke:
function: std:file
arguments:
input: /path/to/certs/ca-cert.pem
return: result
backend: ${cert.path}
allowedNames:
- foo.example.org
- baz.example.org
tokenTtl: 300
tokenMaxTtl: 600
tokenPolicies:
- fooConstructors
Properties
Allowed the common names for authenticated client certificates
Allowed alternative dns names for authenticated client certificates
Allowed emails for authenticated client certificates
DEPRECATED: Please use the individual allowed_X_sans parameters instead. Allowed subject names for authenticated client certificates
Allowed organization units for authenticated client certificates.
Allowed URIs for authenticated client certificates
CA certificate used to validate client certificates
The name to display on tokens issued under this role.
Any additional CA certificates needed to verify OCSP responses. Provided as base64 encoded PEM data. Requires Vault version 1.13+.
If enabled, validate certificates' revocation status using OCSP. Requires Vault version 1.13+.
If true and an OCSP response cannot be fetched or is of an unknown status, the login will proceed as if the certificate has not been revoked. Requires Vault version 1.13+.
If set to true, rather than accepting the first successful OCSP response, query all servers and consider the certificate valid only if all servers agree. Requires Vault version 1.13+.
: A comma-separated list of OCSP server addresses. If unset, the OCSP server is determined from the AuthorityInformationAccess extension on the certificate being inspected. Requires Vault version 1.13+.
TLS extensions required on client certificates
Specifies the blocks of IP addresses which are allowed to use the generated token
Generated Token's Explicit Maximum TTL in seconds
The maximum lifetime of the generated token
If true, the 'default' policy will not automatically be added to generated tokens
The maximum number of times a token may be used, a value of zero means unlimited
Generated Token's Period
Generated Token's Policies