
vault.pkiSecret.SecretBackendRole


HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi

    Creates a role on a PKI Secret Backend for Vault.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    // The PKI secrets engine mount that the role is created on.
    const pki = new vault.Mount("pki", {
        type: "pki",
        path: "pki",
        // Lease bounds in seconds: 1h default, 24h maximum.
        defaultLeaseTtlSeconds: 3600,
        maxLeaseTtlSeconds: 86400,
    });
    // Domains the role may issue for; allowSubdomains extends this to their subdomains.
    const roleDomains = ["example.com", "my.domain"];
    // Issuance role scoped to the mount above.
    const role = new vault.pkisecret.SecretBackendRole("role", {
        backend: pki.path,
        name: "my_role",
        // Certificate TTL in seconds (string-typed in the schema).
        ttl: "3600",
        // Parameters for generated keys.
        keyType: "rsa",
        keyBits: 4096,
        // Name constraints.
        allowedDomains: roleDomains,
        allowSubdomains: true,
        allowIpSans: true,
    });
    
    import pulumi
    import pulumi_vault as vault
    
    # The PKI secrets engine mount that the role is created on.
    pki = vault.Mount(
        "pki",
        type="pki",
        path="pki",
        # Lease bounds in seconds: 1h default, 24h maximum.
        default_lease_ttl_seconds=3600,
        max_lease_ttl_seconds=86400,
    )
    # Domains the role may issue for; allow_subdomains extends this to their subdomains.
    role_domains = ["example.com", "my.domain"]
    # Issuance role scoped to the mount above.
    role = vault.pki_secret.SecretBackendRole(
        "role",
        backend=pki.path,
        name="my_role",
        # Certificate TTL in seconds (string-typed in the schema).
        ttl="3600",
        # Parameters for generated keys.
        key_type="rsa",
        key_bits=4096,
        # Name constraints.
        allowed_domains=role_domains,
        allow_subdomains=True,
        allow_ip_sans=True,
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
    	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// The PKI secrets engine mount that the role is created on.
    		mount, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
    			Type: pulumi.String("pki"),
    			Path: pulumi.String("pki"),
    			// Lease bounds in seconds: 1h default, 24h maximum.
    			DefaultLeaseTtlSeconds: pulumi.Int(3600),
    			MaxLeaseTtlSeconds:     pulumi.Int(86400),
    		})
    		if err != nil {
    			return err
    		}
    		// Domains the role may issue for; AllowSubdomains extends this to their subdomains.
    		roleDomains := pulumi.StringArray{
    			pulumi.String("example.com"),
    			pulumi.String("my.domain"),
    		}
    		// Issuance role scoped to the mount above; only the error result is needed.
    		if _, err := pkisecret.NewSecretBackendRole(ctx, "role", &pkisecret.SecretBackendRoleArgs{
    			Backend: mount.Path,
    			Name:    pulumi.String("my_role"),
    			// Certificate TTL in seconds (string-typed in the schema).
    			Ttl: pulumi.String("3600"),
    			// Parameters for generated keys.
    			KeyType: pulumi.String("rsa"),
    			KeyBits: pulumi.Int(4096),
    			// Name constraints.
    			AllowedDomains:  roleDomains,
    			AllowSubdomains: pulumi.Bool(true),
    			AllowIpSans:     pulumi.Bool(true),
    		}); err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() =>
    {
        // The PKI secrets engine mount that the role is created on.
        var pkiMount = new Vault.Mount("pki", new()
        {
            Type = "pki",
            Path = "pki",
            // Lease bounds in seconds: 1h default, 24h maximum.
            DefaultLeaseTtlSeconds = 3600,
            MaxLeaseTtlSeconds = 86400,
        });

        // Domains the role may issue for; AllowSubdomains extends this to their subdomains.
        var roleDomains = new[] { "example.com", "my.domain" };

        // Issuance role scoped to the mount above.
        var pkiRole = new Vault.PkiSecret.SecretBackendRole("role", new()
        {
            Backend = pkiMount.Path,
            Name = "my_role",
            // Certificate TTL in seconds (string-typed in the schema).
            Ttl = "3600",
            // Parameters for generated keys.
            KeyType = "rsa",
            KeyBits = 4096,
            // Name constraints.
            AllowedDomains = roleDomains,
            AllowSubdomains = true,
            AllowIpSans = true,
        });
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.Mount;
    import com.pulumi.vault.MountArgs;
    import com.pulumi.vault.pkiSecret.SecretBackendRole;
    import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
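    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares a PKI mount and an issuance role scoped to it. */
        public static void stack(Context ctx) {
            // The PKI secrets engine mount that the role is created on.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                // Lease bounds in seconds: 1h default, 24h maximum.
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            // Issuance role scoped to the mount above.
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                // ttl is string-typed in this SDK (see the constructor reference,
                // .ttl("string")); the int literal 3600 does not compile.
                .ttl("3600")
                .allowIpSans(true)
                // Parameters for generated keys.
                .keyType("rsa")
                .keyBits(4096)
                // Domains the role may issue for; allowSubdomains extends this to their subdomains.
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                .build());
        }
    }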
    
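    resources:
      # The PKI secrets engine mount that the role is created on.
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          # Lease bounds in seconds: 1h default, 24h maximum.
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuance role scoped to the mount above.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is a string in the schema; quoted so it is not parsed as a YAML integer.
          ttl: "3600"
          allowIpSans: true
          # Parameters for generated keys.
          keyType: rsa
          keyBits: 4096
          # Domains the role may issue for; allowSubdomains extends this to their subdomains.
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true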
    

    Create SecretBackendRole Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new SecretBackendRole(name: string, args: SecretBackendRoleArgs, opts?: CustomResourceOptions);
    @overload
    def SecretBackendRole(resource_name: str,
                          args: SecretBackendRoleArgs,
                          opts: Optional[ResourceOptions] = None)
    
    @overload
    def SecretBackendRole(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          backend: Optional[str] = None,
                          key_bits: Optional[int] = None,
                          allowed_domains: Optional[Sequence[str]] = None,
                          allow_ip_sans: Optional[bool] = None,
                          allow_localhost: Optional[bool] = None,
                          allow_subdomains: Optional[bool] = None,
                          allow_wildcard_certificates: Optional[bool] = None,
                          allow_any_name: Optional[bool] = None,
                          allowed_domains_template: Optional[bool] = None,
                          allowed_other_sans: Optional[Sequence[str]] = None,
                          allowed_serial_numbers: Optional[Sequence[str]] = None,
                          allowed_uri_sans: Optional[Sequence[str]] = None,
                          allowed_uri_sans_template: Optional[bool] = None,
                          allowed_user_ids: Optional[Sequence[str]] = None,
                          allow_bare_domains: Optional[bool] = None,
                          basic_constraints_valid_for_non_ca: Optional[bool] = None,
                          client_flag: Optional[bool] = None,
                          cn_validations: Optional[Sequence[str]] = None,
                          code_signing_flag: Optional[bool] = None,
                          issuer_ref: Optional[str] = None,
                          email_protection_flag: Optional[bool] = None,
                          enforce_hostnames: Optional[bool] = None,
                          ext_key_usage_oids: Optional[Sequence[str]] = None,
                          ext_key_usages: Optional[Sequence[str]] = None,
                          generate_lease: Optional[bool] = None,
                          countries: Optional[Sequence[str]] = None,
                          allow_glob_domains: Optional[bool] = None,
                          use_csr_sans: Optional[bool] = None,
                          key_usages: Optional[Sequence[str]] = None,
                          localities: Optional[Sequence[str]] = None,
                          max_ttl: Optional[str] = None,
                          name: Optional[str] = None,
                          namespace: Optional[str] = None,
                          no_store: Optional[bool] = None,
                          no_store_metadata: Optional[bool] = None,
                          not_after: Optional[str] = None,
                          not_before_duration: Optional[str] = None,
                          organization_unit: Optional[Sequence[str]] = None,
                          organizations: Optional[Sequence[str]] = None,
                          policy_identifier: Optional[Sequence[_pkisecret.SecretBackendRolePolicyIdentifierArgs]] = None,
                          policy_identifiers: Optional[Sequence[str]] = None,
                          postal_codes: Optional[Sequence[str]] = None,
                          provinces: Optional[Sequence[str]] = None,
                          require_cn: Optional[bool] = None,
                          serial_number_source: Optional[str] = None,
                          server_flag: Optional[bool] = None,
                          signature_bits: Optional[int] = None,
                          street_addresses: Optional[Sequence[str]] = None,
                          ttl: Optional[str] = None,
                          use_csr_common_name: Optional[bool] = None,
                          key_type: Optional[str] = None,
                          use_pss: Optional[bool] = None)
    func NewSecretBackendRole(ctx *Context, name string, args SecretBackendRoleArgs, opts ...ResourceOption) (*SecretBackendRole, error)
    public SecretBackendRole(string name, SecretBackendRoleArgs args, CustomResourceOptions? opts = null)
    public SecretBackendRole(String name, SecretBackendRoleArgs args)
    public SecretBackendRole(String name, SecretBackendRoleArgs args, CustomResourceOptions options)
    
    type: vault:pkiSecret:SecretBackendRole
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args SecretBackendRoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole = new Vault.PkiSecret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", new()
    {
        // Mount, role identity and issuer selection.
        Backend = "string",
        Name = "string",
        Namespace = "string",
        IssuerRef = "string",
        // Key generation parameters.
        KeyType = "string",
        KeyBits = 0,
        SignatureBits = 0,
        UsePss = false,
        // Certificate lifetime bounds.
        Ttl = "string",
        MaxTtl = "string",
        NotBeforeDuration = "string",
        NotAfter = "string",
        // Domain and common-name constraints.
        AllowedDomains = new[] { "string" },
        AllowedDomainsTemplate = false,
        AllowAnyName = false,
        AllowBareDomains = false,
        AllowSubdomains = false,
        AllowGlobDomains = false,
        AllowWildcardCertificates = false,
        AllowLocalhost = false,
        EnforceHostnames = false,
        RequireCn = false,
        CnValidations = new[] { "string" },
        UseCsrCommonName = false,
        // Subject alternative name constraints.
        AllowIpSans = false,
        AllowedOtherSans = new[] { "string" },
        AllowedUriSans = new[] { "string" },
        AllowedUriSansTemplate = false,
        AllowedUserIds = new[] { "string" },
        UseCsrSans = false,
        // Subject serial number handling.
        AllowedSerialNumbers = new[] { "string" },
        SerialNumberSource = "string",
        // Key usage, extended key usage, purpose flags and basic constraints.
        KeyUsages = new[] { "string" },
        ExtKeyUsages = new[] { "string" },
        ExtKeyUsageOids = new[] { "string" },
        ServerFlag = false,
        ClientFlag = false,
        CodeSigningFlag = false,
        EmailProtectionFlag = false,
        BasicConstraintsValidForNonCa = false,
        // Subject distinguished-name fields.
        Organizations = new[] { "string" },
        OrganizationUnit = new[] { "string" },
        Countries = new[] { "string" },
        Provinces = new[] { "string" },
        Localities = new[] { "string" },
        StreetAddresses = new[] { "string" },
        PostalCodes = new[] { "string" },
        // Certificate policy identifiers (block form and legacy OID list).
        PolicyIdentifier = new[]
        {
            new Vault.PkiSecret.Inputs.SecretBackendRolePolicyIdentifierArgs
            {
                Oid = "string",
                Cps = "string",
                Notice = "string",
            },
        },
        PolicyIdentifiers = new[] { "string" },
        // Storage and lease behaviour.
        NoStore = false,
        NoStoreMetadata = false,
        GenerateLease = false,
    });
    
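    // The Go package is named after its import path (.../go/vault/pkisecret), so the
    // constructor and args type are referenced as pkisecret, consistent with the
    // SecretBackendRolePolicyIdentifierArray below; pkiSecret does not resolve.
    example, err := pkisecret.NewSecretBackendRole(ctx, "examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", &pkisecret.SecretBackendRoleArgs{
    	// Mount, role identity and issuer selection.
    	Backend:   pulumi.String("string"),
    	Name:      pulumi.String("string"),
    	Namespace: pulumi.String("string"),
    	IssuerRef: pulumi.String("string"),
    	// Key generation parameters.
    	KeyType:       pulumi.String("string"),
    	KeyBits:       pulumi.Int(0),
    	SignatureBits: pulumi.Int(0),
    	UsePss:        pulumi.Bool(false),
    	// Certificate lifetime bounds.
    	Ttl:               pulumi.String("string"),
    	MaxTtl:            pulumi.String("string"),
    	NotBeforeDuration: pulumi.String("string"),
    	NotAfter:          pulumi.String("string"),
    	// Domain and common-name constraints.
    	AllowedDomains:            pulumi.StringArray{pulumi.String("string")},
    	AllowedDomainsTemplate:    pulumi.Bool(false),
    	AllowAnyName:              pulumi.Bool(false),
    	AllowBareDomains:          pulumi.Bool(false),
    	AllowSubdomains:           pulumi.Bool(false),
    	AllowGlobDomains:          pulumi.Bool(false),
    	AllowWildcardCertificates: pulumi.Bool(false),
    	AllowLocalhost:            pulumi.Bool(false),
    	EnforceHostnames:          pulumi.Bool(false),
    	RequireCn:                 pulumi.Bool(false),
    	CnValidations:             pulumi.StringArray{pulumi.String("string")},
    	UseCsrCommonName:          pulumi.Bool(false),
    	// Subject alternative name constraints.
    	AllowIpSans:            pulumi.Bool(false),
    	AllowedOtherSans:       pulumi.StringArray{pulumi.String("string")},
    	AllowedUriSans:         pulumi.StringArray{pulumi.String("string")},
    	AllowedUriSansTemplate: pulumi.Bool(false),
    	AllowedUserIds:         pulumi.StringArray{pulumi.String("string")},
    	UseCsrSans:             pulumi.Bool(false),
    	// Subject serial number handling.
    	AllowedSerialNumbers: pulumi.StringArray{pulumi.String("string")},
    	SerialNumberSource:   pulumi.String("string"),
    	// Key usage, extended key usage, purpose flags and basic constraints.
    	KeyUsages:                     pulumi.StringArray{pulumi.String("string")},
    	ExtKeyUsages:                  pulumi.StringArray{pulumi.String("string")},
    	ExtKeyUsageOids:               pulumi.StringArray{pulumi.String("string")},
    	ServerFlag:                    pulumi.Bool(false),
    	ClientFlag:                    pulumi.Bool(false),
    	CodeSigningFlag:               pulumi.Bool(false),
    	EmailProtectionFlag:           pulumi.Bool(false),
    	BasicConstraintsValidForNonCa: pulumi.Bool(false),
    	// Subject distinguished-name fields.
    	Organizations:    pulumi.StringArray{pulumi.String("string")},
    	OrganizationUnit: pulumi.StringArray{pulumi.String("string")},
    	Countries:        pulumi.StringArray{pulumi.String("string")},
    	Provinces:        pulumi.StringArray{pulumi.String("string")},
    	Localities:       pulumi.StringArray{pulumi.String("string")},
    	StreetAddresses:  pulumi.StringArray{pulumi.String("string")},
    	PostalCodes:      pulumi.StringArray{pulumi.String("string")},
    	// Certificate policy identifiers (block form and legacy OID list).
    	PolicyIdentifier: pkisecret.SecretBackendRolePolicyIdentifierArray{
    		&pkisecret.SecretBackendRolePolicyIdentifierArgs{
    			Oid:    pulumi.String("string"),
    			Cps:    pulumi.String("string"),
    			Notice: pulumi.String("string"),
    		},
    	},
    	PolicyIdentifiers: pulumi.StringArray{pulumi.String("string")},
    	// Storage and lease behaviour.
    	NoStore:         pulumi.Bool(false),
    	NoStoreMetadata: pulumi.Bool(false),
    	GenerateLease:   pulumi.Bool(false),
    })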
    
    var examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole = new SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", SecretBackendRoleArgs.builder()
        // Mount, role identity and issuer selection.
        .backend("string")
        .name("string")
        .namespace("string")
        .issuerRef("string")
        // Key generation parameters.
        .keyType("string")
        .keyBits(0)
        .signatureBits(0)
        .usePss(false)
        // Certificate lifetime bounds.
        .ttl("string")
        .maxTtl("string")
        .notBeforeDuration("string")
        .notAfter("string")
        // Domain and common-name constraints.
        .allowedDomains("string")
        .allowedDomainsTemplate(false)
        .allowAnyName(false)
        .allowBareDomains(false)
        .allowSubdomains(false)
        .allowGlobDomains(false)
        .allowWildcardCertificates(false)
        .allowLocalhost(false)
        .enforceHostnames(false)
        .requireCn(false)
        .cnValidations("string")
        .useCsrCommonName(false)
        // Subject alternative name constraints.
        .allowIpSans(false)
        .allowedOtherSans("string")
        .allowedUriSans("string")
        .allowedUriSansTemplate(false)
        .allowedUserIds("string")
        .useCsrSans(false)
        // Subject serial number handling.
        .allowedSerialNumbers("string")
        .serialNumberSource("string")
        // Key usage, extended key usage, purpose flags and basic constraints.
        .keyUsages("string")
        .extKeyUsages("string")
        .extKeyUsageOids("string")
        .serverFlag(false)
        .clientFlag(false)
        .codeSigningFlag(false)
        .emailProtectionFlag(false)
        .basicConstraintsValidForNonCa(false)
        // Subject distinguished-name fields.
        .organizations("string")
        .organizationUnit("string")
        .countries("string")
        .provinces("string")
        .localities("string")
        .streetAddresses("string")
        .postalCodes("string")
        // Certificate policy identifiers (block form and legacy OID list).
        .policyIdentifier(SecretBackendRolePolicyIdentifierArgs.builder()
            .oid("string")
            .cps("string")
            .notice("string")
            .build())
        .policyIdentifiers("string")
        // Storage and lease behaviour.
        .noStore(false)
        .noStoreMetadata(false)
        .generateLease(false)
        .build());
    
    examplesecret_backend_role_resource_resource_from_pki_secretsecret_backend_role = vault.pki_secret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole",
        # Mount, role identity and issuer selection.
        backend="string",
        name="string",
        namespace="string",
        issuer_ref="string",
        # Key generation parameters.
        key_type="string",
        key_bits=0,
        signature_bits=0,
        use_pss=False,
        # Certificate lifetime bounds.
        ttl="string",
        max_ttl="string",
        not_before_duration="string",
        not_after="string",
        # Domain and common-name constraints.
        allowed_domains=["string"],
        allowed_domains_template=False,
        allow_any_name=False,
        allow_bare_domains=False,
        allow_subdomains=False,
        allow_glob_domains=False,
        allow_wildcard_certificates=False,
        allow_localhost=False,
        enforce_hostnames=False,
        require_cn=False,
        cn_validations=["string"],
        use_csr_common_name=False,
        # Subject alternative name constraints.
        allow_ip_sans=False,
        allowed_other_sans=["string"],
        allowed_uri_sans=["string"],
        allowed_uri_sans_template=False,
        allowed_user_ids=["string"],
        use_csr_sans=False,
        # Subject serial number handling.
        allowed_serial_numbers=["string"],
        serial_number_source="string",
        # Key usage, extended key usage, purpose flags and basic constraints.
        key_usages=["string"],
        ext_key_usages=["string"],
        ext_key_usage_oids=["string"],
        server_flag=False,
        client_flag=False,
        code_signing_flag=False,
        email_protection_flag=False,
        basic_constraints_valid_for_non_ca=False,
        # Subject distinguished-name fields.
        organizations=["string"],
        organization_unit=["string"],
        countries=["string"],
        provinces=["string"],
        localities=["string"],
        street_addresses=["string"],
        postal_codes=["string"],
        # Certificate policy identifiers (block form and legacy OID list).
        policy_identifier=[{
            "oid": "string",
            "cps": "string",
            "notice": "string",
        }],
        policy_identifiers=["string"],
        # Storage and lease behaviour.
        no_store=False,
        no_store_metadata=False,
        generate_lease=False)
    
    const examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole = new vault.pkisecret.SecretBackendRole("examplesecretBackendRoleResourceResourceFromPkiSecretsecretBackendRole", {
        // Mount, role identity and issuer selection.
        backend: "string",
        name: "string",
        namespace: "string",
        issuerRef: "string",
        // Key generation parameters.
        keyType: "string",
        keyBits: 0,
        signatureBits: 0,
        usePss: false,
        // Certificate lifetime bounds.
        ttl: "string",
        maxTtl: "string",
        notBeforeDuration: "string",
        notAfter: "string",
        // Domain and common-name constraints.
        allowedDomains: ["string"],
        allowedDomainsTemplate: false,
        allowAnyName: false,
        allowBareDomains: false,
        allowSubdomains: false,
        allowGlobDomains: false,
        allowWildcardCertificates: false,
        allowLocalhost: false,
        enforceHostnames: false,
        requireCn: false,
        cnValidations: ["string"],
        useCsrCommonName: false,
        // Subject alternative name constraints.
        allowIpSans: false,
        allowedOtherSans: ["string"],
        allowedUriSans: ["string"],
        allowedUriSansTemplate: false,
        allowedUserIds: ["string"],
        useCsrSans: false,
        // Subject serial number handling.
        allowedSerialNumbers: ["string"],
        serialNumberSource: "string",
        // Key usage, extended key usage, purpose flags and basic constraints.
        keyUsages: ["string"],
        extKeyUsages: ["string"],
        extKeyUsageOids: ["string"],
        serverFlag: false,
        clientFlag: false,
        codeSigningFlag: false,
        emailProtectionFlag: false,
        basicConstraintsValidForNonCa: false,
        // Subject distinguished-name fields.
        organizations: ["string"],
        organizationUnit: ["string"],
        countries: ["string"],
        provinces: ["string"],
        localities: ["string"],
        streetAddresses: ["string"],
        postalCodes: ["string"],
        // Certificate policy identifiers (block form and legacy OID list).
        policyIdentifier: [{
            oid: "string",
            cps: "string",
            notice: "string",
        }],
        policyIdentifiers: ["string"],
        // Storage and lease behaviour.
        noStore: false,
        noStoreMetadata: false,
        generateLease: false,
    });
    
    type: vault:pkiSecret:SecretBackendRole
    properties:
        # Mount, role identity and issuer selection.
        backend: string
        name: string
        namespace: string
        issuerRef: string
        # Key generation parameters.
        keyType: string
        keyBits: 0
        signatureBits: 0
        usePss: false
        # Certificate lifetime bounds.
        ttl: string
        maxTtl: string
        notBeforeDuration: string
        notAfter: string
        # Domain and common-name constraints.
        allowedDomains:
            - string
        allowedDomainsTemplate: false
        allowAnyName: false
        allowBareDomains: false
        allowSubdomains: false
        allowGlobDomains: false
        allowWildcardCertificates: false
        allowLocalhost: false
        enforceHostnames: false
        requireCn: false
        cnValidations:
            - string
        useCsrCommonName: false
        # Subject alternative name constraints.
        allowIpSans: false
        allowedOtherSans:
            - string
        allowedUriSans:
            - string
        allowedUriSansTemplate: false
        allowedUserIds:
            - string
        useCsrSans: false
        # Subject serial number handling.
        allowedSerialNumbers:
            - string
        serialNumberSource: string
        # Key usage, extended key usage, purpose flags and basic constraints.
        keyUsages:
            - string
        extKeyUsages:
            - string
        extKeyUsageOids:
            - string
        serverFlag: false
        clientFlag: false
        codeSigningFlag: false
        emailProtectionFlag: false
        basicConstraintsValidForNonCa: false
        # Subject distinguished-name fields.
        organizations:
            - string
        organizationUnit:
            - string
        countries:
            - string
        provinces:
            - string
        localities:
            - string
        streetAddresses:
            - string
        postalCodes:
            - string
        # Certificate policy identifiers (block form and legacy OID list).
        policyIdentifier:
            - cps: string
              notice: string
              oid: string
        policyIdentifiers:
            - string
        # Storage and lease behaviour.
        noStore: false
        noStoreMetadata: false
        generateLease: false
    

    SecretBackendRole Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The SecretBackendRole resource accepts the following input properties:

    Backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    AllowAnyName bool
    Flag to allow any name
    AllowBareDomains bool
    Flag to allow certificates matching the actual domain
    AllowGlobDomains bool
    Flag to allow names containing glob patterns.
    AllowIpSans bool
    Flag to allow IP SANs
    AllowLocalhost bool
    Flag to allow certificates for localhost
    AllowSubdomains bool
    Flag to allow certificates matching subdomains
    AllowWildcardCertificates bool
    Flag to allow wildcard certificates.
    AllowedDomains List<string>
    List of allowed domains for certificates
    AllowedDomainsTemplate bool
    Flag which, if set, allows allowed_domains to be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedOtherSans List<string>
    Defines allowed custom SANs
    AllowedSerialNumbers List<string>
    An array of allowed serial numbers to put in Subject
    AllowedUriSans List<string>
    Defines allowed URI SANs
    AllowedUriSansTemplate bool
    Flag which, if set, allows allowed_uri_sans to be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedUserIds List<string>
    Defines allowed User IDs
    BasicConstraintsValidForNonCa bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    ClientFlag bool
    Flag to specify certificates for client use
    CnValidations List<string>
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    CodeSigningFlag bool
    Flag to specify certificates for code signing use
    Countries List<string>
    The country of generated certificates
    EmailProtectionFlag bool
    Flag to specify certificates for email protection use
    EnforceHostnames bool
    Flag to allow only valid host names
    ExtKeyUsageOids List<string>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ExtKeyUsages List<string>
    Specify the allowed extended key usage constraint on issued certificates
    GenerateLease bool
    Flag to generate leases with certificates
    IssuerRef string
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Use ACLs to restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    KeyBits int
    The number of bits of generated keys
    KeyType string
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    KeyUsages List<string>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    Localities List<string>
    The locality of generated certificates
    MaxTtl string
    The maximum lease TTL, in seconds, for the role.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NoStore bool
    Flag to not store certificates in the storage backend
    NoStoreMetadata bool
    Controls whether metadata keyed on the certificate's serial number is stored. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs.
    NotAfter string
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    NotBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    OrganizationUnit List<string>
    The organization unit of generated certificates
    Organizations List<string>
    The organization of generated certificates
    PolicyIdentifier List<SecretBackendRolePolicyIdentifier>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    PolicyIdentifiers List<string>
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    PostalCodes List<string>
    The postal code of generated certificates
    Provinces List<string>
    The province of generated certificates
    RequireCn bool
    Flag to force CN usage
    SerialNumberSource string

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage:

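    package generated_program;

    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.Mount;
    import com.pulumi.vault.MountArgs;
    import com.pulumi.vault.pkiSecret.SecretBackendRole;
    import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
    import com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares a PKI mount and a role that stamps certificate policy identifiers. */
        public static void stack(Context ctx) {
            // The PKI secrets engine mount that the role is created on.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                // Lease bounds in seconds: 1h default, 24h maximum.
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            // Issuance role scoped to the mount above.
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                // ttl is string-typed in this SDK; the int literal 3600 does not compile.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                // Domains the role may issue for; allowSubdomains extends this to their subdomains.
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // policyIdentifiers is the legacy list of OID strings (Vault 1.10 and earlier);
                // oid/notice/cps structures belong to the policyIdentifier block (Vault 1.11+),
                // so Map literals are replaced by the typed builder.
                .policyIdentifier(
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.7.8")
                        .notice("I am a user Notice")
                        .build(),
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.44947.1.2.4")
                        .cps("https://example.com")
                        .build())
                .build());
        }
    }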

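    resources:
      # PKI secrets engine mount; its lease bounds cap anything issued by roles on it
      # (3600 s = 1 hour default, 86400 s = 24 hours maximum).
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role: RSA-4096 certificates for the two listed domains and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is a string property; quoted so it is not parsed as a number.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          # allowSubdomains widens allowedDomains to every subdomain of these names.
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # policyIdentifier (Vault 1.11+) takes oid/notice/cps blocks;
          # policyIdentifiers is the legacy plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com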
    
    ServerFlag bool
    Flag to specify certificates for server use
    SignatureBits int
    The number of bits to use in the signature algorithm
    StreetAddresses List<string>
    The street address of generated certificates
    Ttl string
    The TTL, in seconds, for any certificate issued against this role.
    UseCsrCommonName bool
    Flag to use the CN in the CSR
    UseCsrSans bool
    Flag to use the SANs in the CSR
    UsePss bool
    Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when an RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    Backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    AllowAnyName bool
    Flag to allow any name
    AllowBareDomains bool
    Flag to allow certificates matching the actual domain
    AllowGlobDomains bool
    Flag to allow names containing glob patterns.
    AllowIpSans bool
    Flag to allow IP SANs
    AllowLocalhost bool
    Flag to allow certificates for localhost
    AllowSubdomains bool
    Flag to allow certificates matching subdomains
    AllowWildcardCertificates bool
    Flag to allow wildcard certificates.
    AllowedDomains []string
    List of allowed domains for certificates
    AllowedDomainsTemplate bool
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedOtherSans []string
    Defines allowed custom SANs
    AllowedSerialNumbers []string
    An array of allowed serial numbers to put in Subject
    AllowedUriSans []string
    Defines allowed URI SANs
    AllowedUriSansTemplate bool
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedUserIds []string
    Defines allowed User IDs
    BasicConstraintsValidForNonCa bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    ClientFlag bool
    Flag to specify certificates for client use
    CnValidations []string
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    CodeSigningFlag bool
    Flag to specify certificates for code signing use
    Countries []string
    The country of generated certificates
    EmailProtectionFlag bool
    Flag to specify certificates for email protection use
    EnforceHostnames bool
    Flag to allow only valid host names
    ExtKeyUsageOids []string
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ExtKeyUsages []string
    Specify the allowed extended key usage constraint on issued certificates
    GenerateLease bool
    Flag to generate leases with certificates
    IssuerRef string
    Specifies the default issuer for this role. May be the value default, an issuer name, or an issuer ID. Callers can override the role's issuer_ref by issuing or signing through the /pki/issuer/:issuer_ref/{issue,sign}/:name paths, so restrict access to those paths with ACLs.
    KeyBits int
    The number of bits of generated keys
    KeyType string
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    KeyUsages []string
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    Localities []string
    The locality of generated certificates
    MaxTtl string
    The maximum lease TTL, in seconds, for the role.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NoStore bool
    Flag to not store certificates in the storage backend
    NoStoreMetadata bool
    Controls whether metadata may be stored keyed on the certificate's serial number. The field is independent of no_store: metadata can be stored regardless of whether certificates are stored. If true, metadata is not stored, and an error is returned if the metadata field is specified on issuance APIs.
    NotAfter string
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    NotBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    OrganizationUnit []string
    The organization unit of generated certificates
    Organizations []string
    The organization of generated certificates
    PolicyIdentifier []SecretBackendRolePolicyIdentifierArgs
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated; its supported arguments are documented on the policy identifier type.
    PolicyIdentifiers []string
    Specifies the list of allowed policy OIDs. Use with Vault 1.10 or earlier; for Vault 1.11+, use policy_identifier blocks instead.
    PostalCodes []string
    The postal code of generated certificates
    Provinces []string
    The province of generated certificates
    RequireCn bool
    Flag to force CN usage
    SerialNumberSource string

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

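    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Builds the stack: a {@code pki} mount and a {@code my_role} role that may issue
         * RSA-4096 certificates for {@code example.com}, {@code my.domain} and their subdomains.
         *
         * @param ctx the Pulumi context supplied by {@link Pulumi#run}
         */
        public static void stack(Context ctx) {
            // Mount-level lease bounds: 3600 s (1 h) default, 86400 s (24 h) maximum for anything issued here.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                // ttl is a string property; 3600 s stays within the mount's maximum lease.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                // allowSubdomains widens allowedDomains to every subdomain of these names.
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // policyIdentifier (Vault 1.11+) takes structured oid/notice/cps blocks;
                // policyIdentifiers is the legacy plain list of OID strings.
                .policyIdentifier(
                    com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.7.8")
                        .notice("I am a user Notice")
                        .build(),
                    com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.44947.1.2.4")
                        .cps("https://example.com")
                        .build())
                .build());
        }
    }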

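    resources:
      # PKI secrets engine mount; its lease bounds cap anything issued by roles on it
      # (3600 s = 1 hour default, 86400 s = 24 hours maximum).
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role: RSA-4096 certificates for the two listed domains and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is a string property; quoted so it is not parsed as a number.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          # allowSubdomains widens allowedDomains to every subdomain of these names.
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # policyIdentifier (Vault 1.11+) takes oid/notice/cps blocks;
          # policyIdentifiers is the legacy plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com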
    
    ServerFlag bool
    Flag to specify certificates for server use
    SignatureBits int
    The number of bits to use in the signature algorithm
    StreetAddresses []string
    The street address of generated certificates
    Ttl string
    The TTL, in seconds, for any certificate issued against this role.
    UseCsrCommonName bool
    Flag to use the CN in the CSR
    UseCsrSans bool
    Flag to use the SANs in the CSR
    UsePss bool
    Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when an RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    backend String
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    allowAnyName Boolean
    Flag to allow any name
    allowBareDomains Boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains Boolean
    Flag to allow names containing glob patterns.
    allowIpSans Boolean
    Flag to allow IP SANs
    allowLocalhost Boolean
    Flag to allow certificates for localhost
    allowSubdomains Boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates Boolean
    Flag to allow wildcard certificates.
    allowedDomains List<String>
    List of allowed domains for certificates
    allowedDomainsTemplate Boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans List<String>
    Defines allowed custom SANs
    allowedSerialNumbers List<String>
    An array of allowed serial numbers to put in Subject
    allowedUriSans List<String>
    Defines allowed URI SANs
    allowedUriSansTemplate Boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds List<String>
    Defines allowed User IDs
    basicConstraintsValidForNonCa Boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag Boolean
    Flag to specify certificates for client use
    cnValidations List<String>
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    codeSigningFlag Boolean
    Flag to specify certificates for code signing use
    countries List<String>
    The country of generated certificates
    emailProtectionFlag Boolean
    Flag to specify certificates for email protection use
    enforceHostnames Boolean
    Flag to allow only valid host names
    extKeyUsageOids List<String>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages List<String>
    Specify the allowed extended key usage constraint on issued certificates
    generateLease Boolean
    Flag to generate leases with certificates
    issuerRef String
    Specifies the default issuer for this role. May be the value default, an issuer name, or an issuer ID. Callers can override the role's issuer_ref by issuing or signing through the /pki/issuer/:issuer_ref/{issue,sign}/:name paths, so restrict access to those paths with ACLs.
    keyBits Integer
    The number of bits of generated keys
    keyType String
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages List<String>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities List<String>
    The locality of generated certificates
    maxTtl String
    The maximum lease TTL, in seconds, for the role.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore Boolean
    Flag to not store certificates in the storage backend
    noStoreMetadata Boolean
    Controls whether metadata may be stored keyed on the certificate's serial number. The field is independent of no_store: metadata can be stored regardless of whether certificates are stored. If true, metadata is not stored, and an error is returned if the metadata field is specified on issuance APIs.
    notAfter String
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    notBeforeDuration String
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit List<String>
    The organization unit of generated certificates
    organizations List<String>
    The organization of generated certificates
    policyIdentifier List<SecretBackendRolePolicyIdentifier>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated; its supported arguments are documented on the policy identifier type.
    policyIdentifiers List<String>
    Specifies the list of allowed policy OIDs. Use with Vault 1.10 or earlier; for Vault 1.11+, use policy_identifier blocks instead.
    postalCodes List<String>
    The postal code of generated certificates
    provinces List<String>
    The province of generated certificates
    requireCn Boolean
    Flag to force CN usage
    serialNumberSource String

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

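    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Builds the stack: a {@code pki} mount and a {@code my_role} role that may issue
         * RSA-4096 certificates for {@code example.com}, {@code my.domain} and their subdomains.
         *
         * @param ctx the Pulumi context supplied by {@link Pulumi#run}
         */
        public static void stack(Context ctx) {
            // Mount-level lease bounds: 3600 s (1 h) default, 86400 s (24 h) maximum for anything issued here.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                // ttl is a string property; 3600 s stays within the mount's maximum lease.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                // allowSubdomains widens allowedDomains to every subdomain of these names.
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // policyIdentifier (Vault 1.11+) takes structured oid/notice/cps blocks;
                // policyIdentifiers is the legacy plain list of OID strings.
                .policyIdentifier(
                    com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.7.8")
                        .notice("I am a user Notice")
                        .build(),
                    com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.44947.1.2.4")
                        .cps("https://example.com")
                        .build())
                .build());
        }
    }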

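    resources:
      # PKI secrets engine mount; its lease bounds cap anything issued by roles on it
      # (3600 s = 1 hour default, 86400 s = 24 hours maximum).
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role: RSA-4096 certificates for the two listed domains and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is a string property; quoted so it is not parsed as a number.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          # allowSubdomains widens allowedDomains to every subdomain of these names.
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # policyIdentifier (Vault 1.11+) takes oid/notice/cps blocks;
          # policyIdentifiers is the legacy plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com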
    
    serverFlag Boolean
    Flag to specify certificates for server use
    signatureBits Integer
    The number of bits to use in the signature algorithm
    streetAddresses List<String>
    The street address of generated certificates
    ttl String
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName Boolean
    Flag to use the CN in the CSR
    useCsrSans Boolean
    Flag to use the SANs in the CSR
    usePss Boolean
    Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when an RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    allowAnyName boolean
    Flag to allow any name
    allowBareDomains boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains boolean
    Flag to allow names containing glob patterns.
    allowIpSans boolean
    Flag to allow IP SANs
    allowLocalhost boolean
    Flag to allow certificates for localhost
    allowSubdomains boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates boolean
    Flag to allow wildcard certificates.
    allowedDomains string[]
    List of allowed domains for certificates
    allowedDomainsTemplate boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans string[]
    Defines allowed custom SANs
    allowedSerialNumbers string[]
    An array of allowed serial numbers to put in Subject
    allowedUriSans string[]
    Defines allowed URI SANs
    allowedUriSansTemplate boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds string[]
    Defines allowed User IDs
    basicConstraintsValidForNonCa boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag boolean
    Flag to specify certificates for client use
    cnValidations string[]
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    codeSigningFlag boolean
    Flag to specify certificates for code signing use
    countries string[]
    The country of generated certificates
    emailProtectionFlag boolean
    Flag to specify certificates for email protection use
    enforceHostnames boolean
    Flag to allow only valid host names
    extKeyUsageOids string[]
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages string[]
    Specify the allowed extended key usage constraint on issued certificates
    generateLease boolean
    Flag to generate leases with certificates
    issuerRef string
    Specifies the default issuer for this role. May be the value default, an issuer name, or an issuer ID. Callers can override the role's issuer_ref by issuing or signing through the /pki/issuer/:issuer_ref/{issue,sign}/:name paths, so restrict access to those paths with ACLs.
    keyBits number
    The number of bits of generated keys
    keyType string
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages string[]
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities string[]
    The locality of generated certificates
    maxTtl string
    The maximum lease TTL, in seconds, for the role.
    name string
    The name to identify this role within the backend. Must be unique within the backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore boolean
    Flag to not store certificates in the storage backend
    noStoreMetadata boolean
    Controls whether metadata may be stored keyed on the certificate's serial number. The field is independent of no_store: metadata can be stored regardless of whether certificates are stored. If true, metadata is not stored, and an error is returned if the metadata field is specified on issuance APIs.
    notAfter string
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    notBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit string[]
    The organization unit of generated certificates
    organizations string[]
    The organization of generated certificates
    policyIdentifier SecretBackendRolePolicyIdentifier[]
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated; its supported arguments are documented on the policy identifier type.
    policyIdentifiers string[]
    Specifies the list of allowed policy OIDs. Use with Vault 1.10 or earlier; for Vault 1.11+, use policy_identifier blocks instead.
    postalCodes string[]
    The postal code of generated certificates
    provinces string[]
    The province of generated certificates
    requireCn boolean
    Flag to force CN usage
    serialNumberSource string

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

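    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Builds the stack: a {@code pki} mount and a {@code my_role} role that may issue
         * RSA-4096 certificates for {@code example.com}, {@code my.domain} and their subdomains.
         *
         * @param ctx the Pulumi context supplied by {@link Pulumi#run}
         */
        public static void stack(Context ctx) {
            // Mount-level lease bounds: 3600 s (1 h) default, 86400 s (24 h) maximum for anything issued here.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                // ttl is a string property; 3600 s stays within the mount's maximum lease.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                // allowSubdomains widens allowedDomains to every subdomain of these names.
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // policyIdentifier (Vault 1.11+) takes structured oid/notice/cps blocks;
                // policyIdentifiers is the legacy plain list of OID strings.
                .policyIdentifier(
                    com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.7.8")
                        .notice("I am a user Notice")
                        .build(),
                    com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.44947.1.2.4")
                        .cps("https://example.com")
                        .build())
                .build());
        }
    }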

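    resources:
      # PKI secrets engine mount; its lease bounds cap anything issued by roles on it
      # (3600 s = 1 hour default, 86400 s = 24 hours maximum).
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      # Issuing role: RSA-4096 certificates for the two listed domains and their subdomains.
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is a string property; quoted so it is not parsed as a number.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          # allowSubdomains widens allowedDomains to every subdomain of these names.
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # policyIdentifier (Vault 1.11+) takes oid/notice/cps blocks;
          # policyIdentifiers is the legacy plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com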
    
    serverFlag boolean
    Flag to specify certificates for server use
    signatureBits number
    The number of bits to use in the signature algorithm
    streetAddresses string[]
    The street address of generated certificates
    ttl string
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName boolean
    Flag to use the CN in the CSR
    useCsrSans boolean
    Flag to use the SANs in the CSR
    usePss boolean
    Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when an RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    backend str
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    allow_any_name bool
    Flag to allow any name
    allow_bare_domains bool
    Flag to allow certificates matching the actual domain
    allow_glob_domains bool
    Flag to allow names containing glob patterns.
    allow_ip_sans bool
    Flag to allow IP SANs
    allow_localhost bool
    Flag to allow certificates for localhost
    allow_subdomains bool
    Flag to allow certificates matching subdomains
    allow_wildcard_certificates bool
    Flag to allow wildcard certificates.
    allowed_domains Sequence[str]
    List of allowed domains for certificates
    allowed_domains_template bool
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowed_other_sans Sequence[str]
    Defines allowed custom SANs
    allowed_serial_numbers Sequence[str]
    An array of allowed serial numbers to put in Subject
    allowed_uri_sans Sequence[str]
    Defines allowed URI SANs
    allowed_uri_sans_template bool
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowed_user_ids Sequence[str]
    Defines allowed User IDs
    basic_constraints_valid_for_non_ca bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    client_flag bool
    Flag to specify certificates for client use
    cn_validations Sequence[str]
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    code_signing_flag bool
    Flag to specify certificates for code signing use
    countries Sequence[str]
    The country of generated certificates
    email_protection_flag bool
    Flag to specify certificates for email protection use
    enforce_hostnames bool
    Flag to allow only valid host names
    ext_key_usage_oids Sequence[str]
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ext_key_usages Sequence[str]
    Specify the allowed extended key usage constraint on issued certificates
    generate_lease bool
    Flag to generate leases with certificates
    issuer_ref str
    Specifies the default issuer for this role. May be the value default, an issuer name, or an issuer ID. Callers can override the role's issuer_ref by issuing or signing through the /pki/issuer/:issuer_ref/{issue,sign}/:name paths, so restrict access to those paths with ACLs.
    key_bits int
    The number of bits of generated keys
    key_type str
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    key_usages Sequence[str]
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities Sequence[str]
    The locality of generated certificates
    max_ttl str
    The maximum lease TTL, in seconds, for the role.
    name str
    The name to identify this role within the backend. Must be unique within the backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    no_store bool
    Flag to not store certificates in the storage backend
    no_store_metadata bool
    Controls whether metadata may be stored keyed on the certificate's serial number. The field is independent of no_store: metadata can be stored regardless of whether certificates are stored. If true, metadata is not stored, and an error is returned if the metadata field is specified on issuance APIs.
    not_after str
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    not_before_duration str
    Specifies the duration by which to backdate the NotBefore property.
    organization_unit Sequence[str]
    The organization unit of generated certificates
    organizations Sequence[str]
    The organization of generated certificates
    policy_identifier Sequence[pkisecret.SecretBackendRolePolicyIdentifierArgs]
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policy_identifiers Sequence[str]
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or earlier. For Vault 1.11+, use policy_identifier blocks instead.
    postal_codes Sequence[str]
    The postal code of generated certificates
    provinces Sequence[str]
    The province of generated certificates
    require_cn bool
    Flag to force CN usage
    serial_number_source str

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

    public class App { public static void main(String[] args) { Pulumi.run(App::stack); }

    /**
     * Mounts a PKI secrets engine at path "pki" (3600s default / 86400s max lease)
     * and defines role "my_role" on it. The role issues 4096-bit RSA certificates,
     * allows IP SANs, and limits names to example.com and my.domain plus their
     * subdomains (allowSubdomains).
     */
    public static void stack(Context ctx) {
        var pki = new Mount(&quot;pki&quot;, MountArgs.builder()
            .path(&quot;pki&quot;)
            .type(&quot;pki&quot;)
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());
    
        var role = new SecretBackendRole(&quot;role&quot;, SecretBackendRoleArgs.builder()
            .backend(pki.path())
            .name(&quot;my_role&quot;)
            // NOTE(review): ttl is documented as a String holding seconds; confirm
            // that an int overload of ttl() exists before relying on this call.
            .ttl(3600)
            .allowIpSans(true)
            .keyType(&quot;rsa&quot;)
            .keyBits(4096)
            .allowedDomains(            
                &quot;example.com&quot;,
                &quot;my.domain&quot;)
            .allowSubdomains(true)
            // NOTE(review): policyIdentifiers is documented as a List<String> of
            // OIDs (Vault 1.10 or before); these oid/notice/cps maps match the
            // policyIdentifier block (Vault 1.11+) instead. Confirm which property
            // the example intends.
            .policyIdentifiers(            
                Map.ofEntries(
                    Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.7.8&quot;),
                    Map.entry(&quot;notice&quot;, &quot;I am a user Notice&quot;)
                ),
                Map.ofEntries(
                    Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.44947.1.2.4&quot;),
                    Map.entry(&quot;cps&quot;, &quot;https://example.com&quot;)
                ))
            .build());
    
    }
    

    }

    # Example: mount a PKI secrets engine at path "pki" and define role "my_role"
    # on it. The role issues 4096-bit RSA certificates, allows IP SANs, and limits
    # names to example.com and my.domain plus their subdomains.
    resources:
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # NOTE(review): ttl is documented as a String holding seconds; confirm
          # the bare integer is accepted here.
          ttl: 3600
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # NOTE(review): policyIdentifiers is documented as a List<String> of OIDs
          # (Vault 1.10 or before); these oid/notice/cps maps match the
          # policyIdentifier block (Vault 1.11+) instead. Confirm which property
          # the example intends.
          policyIdentifiers:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com
    
    server_flag bool
    Flag to specify certificates for server use
    signature_bits int
    The number of bits to use in the signature algorithm
    street_addresses Sequence[str]
    The street address of generated certificates
    ttl str
    The TTL, in seconds, for any certificate issued against this role.
    use_csr_common_name bool
    Flag to use the CN in the CSR
    use_csr_sans bool
    Flag to use the SANs in the CSR
    use_pss bool
    Specifies whether to use PSS signatures instead of PKCS#1 v1.5 signatures when an RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    backend String
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    allowAnyName Boolean
    Flag to allow any name
    allowBareDomains Boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains Boolean
    Flag to allow names containing glob patterns.
    allowIpSans Boolean
    Flag to allow IP SANs
    allowLocalhost Boolean
    Flag to allow certificates for localhost
    allowSubdomains Boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates Boolean
    Flag to allow wildcard certificates.
    allowedDomains List<String>
    List of allowed domains for certificates
    allowedDomainsTemplate Boolean
    Flag; if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans List<String>
    Defines allowed custom SANs
    allowedSerialNumbers List<String>
    An array of allowed serial numbers to put in Subject
    allowedUriSans List<String>
    Defines allowed URI SANs
    allowedUriSansTemplate Boolean
    Flag; if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds List<String>
    Defines allowed User IDs
    basicConstraintsValidForNonCa Boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag Boolean
    Flag to specify certificates for client use
    cnValidations List<String>
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    codeSigningFlag Boolean
    Flag to specify certificates for code signing use
    countries List<String>
    The country of generated certificates
    emailProtectionFlag Boolean
    Flag to specify certificates for email protection use
    enforceHostnames Boolean
    Flag to allow only valid host names
    extKeyUsageOids List<String>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages List<String>
    Specify the allowed extended key usage constraint on issued certificates
    generateLease Boolean
    Flag to generate leases with certificates
    issuerRef String
    Specifies the default issuer for requests made against this role. May be the value default, a name, or an issuer ID. Use ACLs to restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    keyBits Number
    The number of bits of generated keys
    keyType String
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages List<String>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities List<String>
    The locality of generated certificates
    maxTtl String
    The maximum lease TTL, in seconds, for the role.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore Boolean
    Flag to not store certificates in the storage backend
    noStoreMetadata Boolean
    Controls whether metadata keyed on the certificate's serial number is stored. The field is independent of no_store, so metadata storage is possible regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs.
    notAfter String
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    notBeforeDuration String
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit List<String>
    The organization unit of generated certificates
    organizations List<String>
    The organization of generated certificates
    policyIdentifier List<Property Map>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    policyIdentifiers List<String>
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or earlier. For Vault 1.11+, use policy_identifier blocks instead.
    postalCodes List<String>
    The postal code of generated certificates
    provinces List<String>
    The province of generated certificates
    requireCn Boolean
    Flag to force CN usage
    serialNumberSource String

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

    public class App { public static void main(String[] args) { Pulumi.run(App::stack); }

    /**
     * Mounts a PKI secrets engine at path "pki" (3600s default / 86400s max lease)
     * and defines role "my_role" on it. The role issues 4096-bit RSA certificates,
     * allows IP SANs, and limits names to example.com and my.domain plus their
     * subdomains (allowSubdomains).
     */
    public static void stack(Context ctx) {
        var pki = new Mount(&quot;pki&quot;, MountArgs.builder()
            .path(&quot;pki&quot;)
            .type(&quot;pki&quot;)
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());
    
        var role = new SecretBackendRole(&quot;role&quot;, SecretBackendRoleArgs.builder()
            .backend(pki.path())
            .name(&quot;my_role&quot;)
            // NOTE(review): ttl is documented as a String holding seconds; confirm
            // that an int overload of ttl() exists before relying on this call.
            .ttl(3600)
            .allowIpSans(true)
            .keyType(&quot;rsa&quot;)
            .keyBits(4096)
            .allowedDomains(            
                &quot;example.com&quot;,
                &quot;my.domain&quot;)
            .allowSubdomains(true)
            // NOTE(review): policyIdentifiers is documented as a List<String> of
            // OIDs (Vault 1.10 or before); these oid/notice/cps maps match the
            // policyIdentifier block (Vault 1.11+) instead. Confirm which property
            // the example intends.
            .policyIdentifiers(            
                Map.ofEntries(
                    Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.7.8&quot;),
                    Map.entry(&quot;notice&quot;, &quot;I am a user Notice&quot;)
                ),
                Map.ofEntries(
                    Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.44947.1.2.4&quot;),
                    Map.entry(&quot;cps&quot;, &quot;https://example.com&quot;)
                ))
            .build());
    
    }
    

    }

    # Example: mount a PKI secrets engine at path "pki" and define role "my_role"
    # on it. The role issues 4096-bit RSA certificates, allows IP SANs, and limits
    # names to example.com and my.domain plus their subdomains.
    resources:
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # NOTE(review): ttl is documented as a String holding seconds; confirm
          # the bare integer is accepted here.
          ttl: 3600
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # NOTE(review): policyIdentifiers is documented as a List<String> of OIDs
          # (Vault 1.10 or before); these oid/notice/cps maps match the
          # policyIdentifier block (Vault 1.11+) instead. Confirm which property
          # the example intends.
          policyIdentifiers:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com
    
    serverFlag Boolean
    Flag to specify certificates for server use
    signatureBits Number
    The number of bits to use in the signature algorithm
    streetAddresses List<String>
    The street address of generated certificates
    ttl String
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName Boolean
    Flag to use the CN in the CSR
    useCsrSans Boolean
    Flag to use the SANs in the CSR
    usePss Boolean
    Specifies whether to use PSS signatures instead of PKCS#1 v1.5 signatures when an RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the SecretBackendRole resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing SecretBackendRole Resource

    Get an existing SecretBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: SecretBackendRoleState, opts?: CustomResourceOptions): SecretBackendRole
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            allow_any_name: Optional[bool] = None,
            allow_bare_domains: Optional[bool] = None,
            allow_glob_domains: Optional[bool] = None,
            allow_ip_sans: Optional[bool] = None,
            allow_localhost: Optional[bool] = None,
            allow_subdomains: Optional[bool] = None,
            allow_wildcard_certificates: Optional[bool] = None,
            allowed_domains: Optional[Sequence[str]] = None,
            allowed_domains_template: Optional[bool] = None,
            allowed_other_sans: Optional[Sequence[str]] = None,
            allowed_serial_numbers: Optional[Sequence[str]] = None,
            allowed_uri_sans: Optional[Sequence[str]] = None,
            allowed_uri_sans_template: Optional[bool] = None,
            allowed_user_ids: Optional[Sequence[str]] = None,
            backend: Optional[str] = None,
            basic_constraints_valid_for_non_ca: Optional[bool] = None,
            client_flag: Optional[bool] = None,
            cn_validations: Optional[Sequence[str]] = None,
            code_signing_flag: Optional[bool] = None,
            countries: Optional[Sequence[str]] = None,
            email_protection_flag: Optional[bool] = None,
            enforce_hostnames: Optional[bool] = None,
            ext_key_usage_oids: Optional[Sequence[str]] = None,
            ext_key_usages: Optional[Sequence[str]] = None,
            generate_lease: Optional[bool] = None,
            issuer_ref: Optional[str] = None,
            key_bits: Optional[int] = None,
            key_type: Optional[str] = None,
            key_usages: Optional[Sequence[str]] = None,
            localities: Optional[Sequence[str]] = None,
            max_ttl: Optional[str] = None,
            name: Optional[str] = None,
            namespace: Optional[str] = None,
            no_store: Optional[bool] = None,
            no_store_metadata: Optional[bool] = None,
            not_after: Optional[str] = None,
            not_before_duration: Optional[str] = None,
            organization_unit: Optional[Sequence[str]] = None,
            organizations: Optional[Sequence[str]] = None,
            policy_identifier: Optional[Sequence[_pkisecret.SecretBackendRolePolicyIdentifierArgs]] = None,
            policy_identifiers: Optional[Sequence[str]] = None,
            postal_codes: Optional[Sequence[str]] = None,
            provinces: Optional[Sequence[str]] = None,
            require_cn: Optional[bool] = None,
            serial_number_source: Optional[str] = None,
            server_flag: Optional[bool] = None,
            signature_bits: Optional[int] = None,
            street_addresses: Optional[Sequence[str]] = None,
            ttl: Optional[str] = None,
            use_csr_common_name: Optional[bool] = None,
            use_csr_sans: Optional[bool] = None,
            use_pss: Optional[bool] = None) -> SecretBackendRole
    func GetSecretBackendRole(ctx *Context, name string, id IDInput, state *SecretBackendRoleState, opts ...ResourceOption) (*SecretBackendRole, error)
    public static SecretBackendRole Get(string name, Input<string> id, SecretBackendRoleState? state, CustomResourceOptions? opts = null)
    public static SecretBackendRole get(String name, Output<String> id, SecretBackendRoleState state, CustomResourceOptions options)
    resources:  _:    type: vault:pkiSecret:SecretBackendRole    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AllowAnyName bool
    Flag to allow any name
    AllowBareDomains bool
    Flag to allow certificates matching the actual domain
    AllowGlobDomains bool
    Flag to allow names containing glob patterns.
    AllowIpSans bool
    Flag to allow IP SANs
    AllowLocalhost bool
    Flag to allow certificates for localhost
    AllowSubdomains bool
    Flag to allow certificates matching subdomains
    AllowWildcardCertificates bool
    Flag to allow wildcard certificates.
    AllowedDomains List<string>
    List of allowed domains for certificates
    AllowedDomainsTemplate bool
    Flag; if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedOtherSans List<string>
    Defines allowed custom SANs
    AllowedSerialNumbers List<string>
    An array of allowed serial numbers to put in Subject
    AllowedUriSans List<string>
    Defines allowed URI SANs
    AllowedUriSansTemplate bool
    Flag; if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedUserIds List<string>
    Defines allowed User IDs
    Backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    BasicConstraintsValidForNonCa bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    ClientFlag bool
    Flag to specify certificates for client use
    CnValidations List<string>
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    CodeSigningFlag bool
    Flag to specify certificates for code signing use
    Countries List<string>
    The country of generated certificates
    EmailProtectionFlag bool
    Flag to specify certificates for email protection use
    EnforceHostnames bool
    Flag to allow only valid host names
    ExtKeyUsageOids List<string>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ExtKeyUsages List<string>
    Specify the allowed extended key usage constraint on issued certificates
    GenerateLease bool
    Flag to generate leases with certificates
    IssuerRef string
    Specifies the default issuer for requests made against this role. May be the value default, a name, or an issuer ID. Use ACLs to restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    KeyBits int
    The number of bits of generated keys
    KeyType string
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    KeyUsages List<string>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    Localities List<string>
    The locality of generated certificates
    MaxTtl string
    The maximum lease TTL, in seconds, for the role.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NoStore bool
    Flag to not store certificates in the storage backend
    NoStoreMetadata bool
    Controls whether metadata keyed on the certificate's serial number is stored. The field is independent of no_store, so metadata storage is possible regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs.
    NotAfter string
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    NotBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    OrganizationUnit List<string>
    The organization unit of generated certificates
    Organizations List<string>
    The organization of generated certificates
    PolicyIdentifier List<SecretBackendRolePolicyIdentifier>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    PolicyIdentifiers List<string>
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or earlier. For Vault 1.11+, use policy_identifier blocks instead.
    PostalCodes List<string>
    The postal code of generated certificates
    Provinces List<string>
    The province of generated certificates
    RequireCn bool
    Flag to force CN usage
    SerialNumberSource string

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage:

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

    public class App { public static void main(String[] args) { Pulumi.run(App::stack); }

    /**
     * Mounts a PKI secrets engine at path "pki" (3600s default / 86400s max lease)
     * and defines role "my_role" on it. The role issues 4096-bit RSA certificates,
     * allows IP SANs, and limits names to example.com and my.domain plus their
     * subdomains (allowSubdomains).
     */
    public static void stack(Context ctx) {
        var pki = new Mount(&quot;pki&quot;, MountArgs.builder()
            .path(&quot;pki&quot;)
            .type(&quot;pki&quot;)
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());
    
        var role = new SecretBackendRole(&quot;role&quot;, SecretBackendRoleArgs.builder()
            .backend(pki.path())
            .name(&quot;my_role&quot;)
            // NOTE(review): ttl is documented as a String holding seconds; confirm
            // that an int overload of ttl() exists before relying on this call.
            .ttl(3600)
            .allowIpSans(true)
            .keyType(&quot;rsa&quot;)
            .keyBits(4096)
            .allowedDomains(            
                &quot;example.com&quot;,
                &quot;my.domain&quot;)
            .allowSubdomains(true)
            // NOTE(review): policyIdentifiers is documented as a List<String> of
            // OIDs (Vault 1.10 or before); these oid/notice/cps maps match the
            // policyIdentifier block (Vault 1.11+) instead. Confirm which property
            // the example intends.
            .policyIdentifiers(            
                Map.ofEntries(
                    Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.7.8&quot;),
                    Map.entry(&quot;notice&quot;, &quot;I am a user Notice&quot;)
                ),
                Map.ofEntries(
                    Map.entry(&quot;oid&quot;, &quot;1.3.6.1.4.1.44947.1.2.4&quot;),
                    Map.entry(&quot;cps&quot;, &quot;https://example.com&quot;)
                ))
            .build());
    
    }
    

    }

    # Example: mount a PKI secrets engine at path "pki" and define role "my_role"
    # on it. The role issues 4096-bit RSA certificates, allows IP SANs, and limits
    # names to example.com and my.domain plus their subdomains.
    resources:
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # NOTE(review): ttl is documented as a String holding seconds; confirm
          # the bare integer is accepted here.
          ttl: 3600
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # NOTE(review): policyIdentifiers is documented as a List<String> of OIDs
          # (Vault 1.10 or before); these oid/notice/cps maps match the
          # policyIdentifier block (Vault 1.11+) instead. Confirm which property
          # the example intends.
          policyIdentifiers:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com
    
    ServerFlag bool
    Flag to specify certificates for server use
    SignatureBits int
    The number of bits to use in the signature algorithm
    StreetAddresses List<string>
    The street address of generated certificates
    Ttl string
    The TTL, in seconds, for any certificate issued against this role.
    UseCsrCommonName bool
    Flag to use the CN in the CSR
    UseCsrSans bool
    Flag to use the SANs in the CSR
    UsePss bool
    Specifies whether to use PSS signatures instead of PKCS#1 v1.5 signatures when an RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    AllowAnyName bool
    Flag to allow any name
    AllowBareDomains bool
    Flag to allow certificates matching the actual domain
    AllowGlobDomains bool
    Flag to allow names containing glob patterns.
    AllowIpSans bool
    Flag to allow IP SANs
    AllowLocalhost bool
    Flag to allow certificates for localhost
    AllowSubdomains bool
    Flag to allow certificates matching subdomains
    AllowWildcardCertificates bool
    Flag to allow wildcard certificates.
    AllowedDomains []string
    List of allowed domains for certificates
    AllowedDomainsTemplate bool
    Flag; if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedOtherSans []string
    Defines allowed custom SANs
    AllowedSerialNumbers []string
    An array of allowed serial numbers to put in Subject
    AllowedUriSans []string
    Defines allowed URI SANs
    AllowedUriSansTemplate bool
    Flag; if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    AllowedUserIds []string
    Defines allowed User IDs
    Backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    BasicConstraintsValidForNonCa bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    ClientFlag bool
    Flag to specify certificates for client use
    CnValidations []string
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    CodeSigningFlag bool
    Flag to specify certificates for code signing use
    Countries []string
    The country of generated certificates
    EmailProtectionFlag bool
    Flag to specify certificates for email protection use
    EnforceHostnames bool
    Flag to allow only valid host names
    ExtKeyUsageOids []string
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ExtKeyUsages []string
    Specify the allowed extended key usage constraint on issued certificates
    GenerateLease bool
    Flag to generate leases with certificates
    IssuerRef string
    Specifies the default issuer for requests made against this role. May be the value default, a name, or an issuer ID. Use ACLs to restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths so that users cannot override the role's issuer_ref value.
    KeyBits int
    The number of bits of generated keys
    KeyType string
    The generated key type; choices: rsa, ec, ed25519, any. Defaults to rsa.
    KeyUsages []string
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    Localities []string
    The locality of generated certificates
    MaxTtl string
    The maximum lease TTL, in seconds, for the role.
    Name string
    The name to identify this role within the backend. Must be unique within the backend.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NoStore bool
    Flag to not store certificates in the storage backend
    NoStoreMetadata bool
    Controls whether metadata keyed on the certificate's serial number is stored. The field is independent of no_store, so metadata storage is possible regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs.
    NotAfter string
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    NotBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    OrganizationUnit []string
    The organization unit of generated certificates
    Organizations []string
    The organization of generated certificates
    PolicyIdentifier []SecretBackendRolePolicyIdentifierArgs
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated, and supports the following arguments:
    PolicyIdentifiers []string
    Specify the list of allowed policy OIDs. Use with Vault 1.10 or earlier. For Vault 1.11+, use policy_identifier blocks instead.
    PostalCodes []string
    The postal code of generated certificates
    Provinces []string
    The province of generated certificates
    RequireCn bool
    Flag to force CN usage
    SerialNumberSource string

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage:

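    package generated_program;

    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.Mount;
    import com.pulumi.vault.MountArgs;
    import com.pulumi.vault.pkiSecret.SecretBackendRole;
    import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
    import com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        public static void stack(Context ctx) {
            // PKI mount with a 1h default / 24h maximum lease; the mount's max
            // lease bounds every certificate issued against roles on it.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            // Issuing role. `ttl` is declared as a String in the resource args, so it
            // is passed as "3600" (the earlier example passed an int, which does not
            // match the argument type). Policy identifier blocks go in the singular
            // `policyIdentifier` property (Vault 1.11+); the deprecated
            // `policyIdentifiers` property is a plain list of OID strings.
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains("example.com", "my.domain")
                .allowSubdomains(true)
                .policyIdentifier(
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.7.8")
                        .notice("I am a user Notice")
                        .build(),
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.44947.1.2.4")
                        .cps("https://example.com")
                        .build())
                .build());
        }
    }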

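    resources:
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is declared as a string property; quote it so it is not read as a number
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # policyIdentifier (singular, Vault 1.11+) takes the oid/notice/cps blocks;
          # policyIdentifiers is the deprecated plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com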
    
    ServerFlag bool
    Flag to specify certificates for server use
    SignatureBits int
    The number of bits to use in the signature algorithm
    StreetAddresses []string
    The street address of generated certificates
    Ttl string
    The TTL, in seconds, for any certificate issued against this role.
    UseCsrCommonName bool
    Flag to use the CN in the CSR
    UseCsrSans bool
    Flag to use the SANs in the CSR
    UsePss bool
    Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    allowAnyName Boolean
    Flag to allow any name. When set, issuance is no longer limited to allowed_domains, so treat a role with this flag as able to issue for arbitrary names and restrict its issue/sign paths with ACLs accordingly.
    allowBareDomains Boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains Boolean
    Flag to allow names containing glob patterns.
    allowIpSans Boolean
    Flag to allow IP SANs
    allowLocalhost Boolean
    Flag to allow certificates for localhost
    allowSubdomains Boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates Boolean
    Flag to allow wildcard certificates.
    allowedDomains List<String>
    List of allowed domains for certificates
    allowedDomainsTemplate Boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans List<String>
    Defines allowed custom SANs
    allowedSerialNumbers List<String>
    An array of allowed serial numbers to put in Subject
    allowedUriSans List<String>
    Defines allowed URI SANs
    allowedUriSansTemplate Boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds List<String>
    Defines allowed User IDs
    backend String
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    basicConstraintsValidForNonCa Boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag Boolean
    Flag to specify certificates for client use
    cnValidations List<String>
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    codeSigningFlag Boolean
    Flag to specify certificates for code signing use
    countries List<String>
    The country of generated certificates
    emailProtectionFlag Boolean
    Flag to specify certificates for email protection use
    enforceHostnames Boolean
    Flag to allow only valid host names
    extKeyUsageOids List<String>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages List<String>
    Specify the allowed extended key usage constraint on issued certificates
    generateLease Boolean
    Flag to generate leases with certificates
    issuerRef String
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths with ACLs so that callers cannot override the role's issuer_ref value.
    keyBits Integer
    The number of bits of generated keys
    keyType String
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages List<String>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities List<String>
    The locality of generated certificates
    maxTtl String
    The maximum lease TTL, in seconds, for the role.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore Boolean
    Flag to not store certificates in the storage backend. Vault can only enumerate or revoke certificates it has stored, so reserve this for short-lived or non-sensitive certificates.
    noStoreMetadata Boolean
    Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
    notAfter String
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    notBeforeDuration String
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit List<String>
    The organization unit of generated certificates
    organizations List<String>
    The organization of generated certificates
    policyIdentifier List<SecretBackendRolePolicyIdentifier>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated; each block takes an oid, and may carry a notice or cps argument, as shown in the example below. Note that this is the singular policy_identifier property, distinct from the deprecated policy_identifiers string list.
    policyIdentifiers List<String>
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    postalCodes List<String>
    The postal code of generated certificates
    provinces List<String>
    The province of generated certificates
    requireCn Boolean
    Flag to force CN usage
    serialNumberSource String

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage (this example illustrates the policy_identifier blocks described above rather than serial_number_source):

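    package generated_program;

    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.Mount;
    import com.pulumi.vault.MountArgs;
    import com.pulumi.vault.pkiSecret.SecretBackendRole;
    import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
    import com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        public static void stack(Context ctx) {
            // PKI mount with a 1h default / 24h maximum lease; the mount's max
            // lease bounds every certificate issued against roles on it.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            // Issuing role. `ttl` is declared as a String in the resource args, so it
            // is passed as "3600" (the earlier example passed an int, which does not
            // match the argument type). Policy identifier blocks go in the singular
            // `policyIdentifier` property (Vault 1.11+); the deprecated
            // `policyIdentifiers` property is a plain list of OID strings.
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains("example.com", "my.domain")
                .allowSubdomains(true)
                .policyIdentifier(
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.7.8")
                        .notice("I am a user Notice")
                        .build(),
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.44947.1.2.4")
                        .cps("https://example.com")
                        .build())
                .build());
        }
    }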

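    resources:
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is declared as a string property; quote it so it is not read as a number
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # policyIdentifier (singular, Vault 1.11+) takes the oid/notice/cps blocks;
          # policyIdentifiers is the deprecated plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com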
    
    serverFlag Boolean
    Flag to specify certificates for server use
    signatureBits Integer
    The number of bits to use in the signature algorithm
    streetAddresses List<String>
    The street address of generated certificates
    ttl String
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName Boolean
    Flag to use the CN in the CSR
    useCsrSans Boolean
    Flag to use the SANs in the CSR
    usePss Boolean
    Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    allowAnyName boolean
    Flag to allow any name. When set, issuance is no longer limited to allowed_domains, so treat a role with this flag as able to issue for arbitrary names and restrict its issue/sign paths with ACLs accordingly.
    allowBareDomains boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains boolean
    Flag to allow names containing glob patterns.
    allowIpSans boolean
    Flag to allow IP SANs
    allowLocalhost boolean
    Flag to allow certificates for localhost
    allowSubdomains boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates boolean
    Flag to allow wildcard certificates.
    allowedDomains string[]
    List of allowed domains for certificates
    allowedDomainsTemplate boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans string[]
    Defines allowed custom SANs
    allowedSerialNumbers string[]
    An array of allowed serial numbers to put in Subject
    allowedUriSans string[]
    Defines allowed URI SANs
    allowedUriSansTemplate boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds string[]
    Defines allowed User IDs
    backend string
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    basicConstraintsValidForNonCa boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag boolean
    Flag to specify certificates for client use
    cnValidations string[]
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    codeSigningFlag boolean
    Flag to specify certificates for code signing use
    countries string[]
    The country of generated certificates
    emailProtectionFlag boolean
    Flag to specify certificates for email protection use
    enforceHostnames boolean
    Flag to allow only valid host names
    extKeyUsageOids string[]
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages string[]
    Specify the allowed extended key usage constraint on issued certificates
    generateLease boolean
    Flag to generate leases with certificates
    issuerRef string
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths with ACLs so that callers cannot override the role's issuer_ref value.
    keyBits number
    The number of bits of generated keys
    keyType string
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages string[]
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities string[]
    The locality of generated certificates
    maxTtl string
    The maximum lease TTL, in seconds, for the role.
    name string
    The name to identify this role within the backend. Must be unique within the backend.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore boolean
    Flag to not store certificates in the storage backend. Vault can only enumerate or revoke certificates it has stored, so reserve this for short-lived or non-sensitive certificates.
    noStoreMetadata boolean
    Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
    notAfter string
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    notBeforeDuration string
    Specifies the duration by which to backdate the NotBefore property.
    organizationUnit string[]
    The organization unit of generated certificates
    organizations string[]
    The organization of generated certificates
    policyIdentifier SecretBackendRolePolicyIdentifier[]
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated; each block takes an oid, and may carry a notice or cps argument, as shown in the example below. Note that this is the singular policy_identifier property, distinct from the deprecated policy_identifiers string list.
    policyIdentifiers string[]
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    postalCodes string[]
    The postal code of generated certificates
    provinces string[]
    The province of generated certificates
    requireCn boolean
    Flag to force CN usage
    serialNumberSource string

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage (this example illustrates the policy_identifier blocks described above rather than serial_number_source):

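    package generated_program;

    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.Mount;
    import com.pulumi.vault.MountArgs;
    import com.pulumi.vault.pkiSecret.SecretBackendRole;
    import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
    import com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        public static void stack(Context ctx) {
            // PKI mount with a 1h default / 24h maximum lease; the mount's max
            // lease bounds every certificate issued against roles on it.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            // Issuing role. `ttl` is declared as a String in the resource args, so it
            // is passed as "3600" (the earlier example passed an int, which does not
            // match the argument type). Policy identifier blocks go in the singular
            // `policyIdentifier` property (Vault 1.11+); the deprecated
            // `policyIdentifiers` property is a plain list of OID strings.
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains("example.com", "my.domain")
                .allowSubdomains(true)
                .policyIdentifier(
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.7.8")
                        .notice("I am a user Notice")
                        .build(),
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.44947.1.2.4")
                        .cps("https://example.com")
                        .build())
                .build());
        }
    }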

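    resources:
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is declared as a string property; quote it so it is not read as a number
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # policyIdentifier (singular, Vault 1.11+) takes the oid/notice/cps blocks;
          # policyIdentifiers is the deprecated plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com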
    
    serverFlag boolean
    Flag to specify certificates for server use
    signatureBits number
    The number of bits to use in the signature algorithm
    streetAddresses string[]
    The street address of generated certificates
    ttl string
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName boolean
    Flag to use the CN in the CSR
    useCsrSans boolean
    Flag to use the SANs in the CSR
    usePss boolean
    Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    allow_any_name bool
    Flag to allow any name. When set, issuance is no longer limited to allowed_domains, so treat a role with this flag as able to issue for arbitrary names and restrict its issue/sign paths with ACLs accordingly.
    allow_bare_domains bool
    Flag to allow certificates matching the actual domain
    allow_glob_domains bool
    Flag to allow names containing glob patterns.
    allow_ip_sans bool
    Flag to allow IP SANs
    allow_localhost bool
    Flag to allow certificates for localhost
    allow_subdomains bool
    Flag to allow certificates matching subdomains
    allow_wildcard_certificates bool
    Flag to allow wildcard certificates.
    allowed_domains Sequence[str]
    List of allowed domains for certificates
    allowed_domains_template bool
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowed_other_sans Sequence[str]
    Defines allowed custom SANs
    allowed_serial_numbers Sequence[str]
    An array of allowed serial numbers to put in Subject
    allowed_uri_sans Sequence[str]
    Defines allowed URI SANs
    allowed_uri_sans_template bool
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowed_user_ids Sequence[str]
    Defines allowed User IDs
    backend str
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    basic_constraints_valid_for_non_ca bool
    Flag to mark basic constraints valid when issuing non-CA certificates
    client_flag bool
    Flag to specify certificates for client use
    cn_validations Sequence[str]
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    code_signing_flag bool
    Flag to specify certificates for code signing use
    countries Sequence[str]
    The country of generated certificates
    email_protection_flag bool
    Flag to specify certificates for email protection use
    enforce_hostnames bool
    Flag to allow only valid host names
    ext_key_usage_oids Sequence[str]
    Specify the allowed extended key usage OIDs constraint on issued certificates
    ext_key_usages Sequence[str]
    Specify the allowed extended key usage constraint on issued certificates
    generate_lease bool
    Flag to generate leases with certificates
    issuer_ref str
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths with ACLs so that callers cannot override the role's issuer_ref value.
    key_bits int
    The number of bits of generated keys
    key_type str
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    key_usages Sequence[str]
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities Sequence[str]
    The locality of generated certificates
    max_ttl str
    The maximum lease TTL, in seconds, for the role.
    name str
    The name to identify this role within the backend. Must be unique within the backend.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    no_store bool
    Flag to not store certificates in the storage backend. Vault can only enumerate or revoke certificates it has stored, so reserve this for short-lived or non-sensitive certificates.
    no_store_metadata bool
    Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
    not_after str
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    not_before_duration str
    Specifies the duration by which to backdate the NotBefore property.
    organization_unit Sequence[str]
    The organization unit of generated certificates
    organizations Sequence[str]
    The organization of generated certificates
    policy_identifier Sequence[pkisecret.SecretBackendRolePolicyIdentifierArgs]
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated; each block takes an oid, and may carry a notice or cps argument, as shown in the example below. Note that this is the singular policy_identifier property, distinct from the deprecated policy_identifiers string list.
    policy_identifiers Sequence[str]
    Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use policy_identifier blocks instead
    postal_codes Sequence[str]
    The postal code of generated certificates
    provinces Sequence[str]
    The province of generated certificates
    require_cn bool
    Flag to force CN usage
    serial_number_source str

    Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.

    Example usage (this example illustrates the policy_identifier blocks described above rather than serial_number_source):

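    package generated_program;

    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.Mount;
    import com.pulumi.vault.MountArgs;
    import com.pulumi.vault.pkiSecret.SecretBackendRole;
    import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;
    import com.pulumi.vault.pkiSecret.inputs.SecretBackendRolePolicyIdentifierArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    /**
     * Example program: mounts a PKI secrets engine and defines an issuing role on it.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        public static void stack(Context ctx) {
            // PKI mount with a 1h default / 24h maximum lease; the mount's max
            // lease bounds every certificate issued against roles on it.
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            // Issuing role. `ttl` is declared as a String in the resource args, so it
            // is passed as "3600" (the earlier example passed an int, which does not
            // match the argument type). Policy identifier blocks go in the singular
            // `policyIdentifier` property (Vault 1.11+); the deprecated
            // `policyIdentifiers` property is a plain list of OID strings.
            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                .allowedDomains("example.com", "my.domain")
                .allowSubdomains(true)
                .policyIdentifier(
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.7.8")
                        .notice("I am a user Notice")
                        .build(),
                    SecretBackendRolePolicyIdentifierArgs.builder()
                        .oid("1.3.6.1.4.1.44947.1.2.4")
                        .cps("https://example.com")
                        .build())
                .build());
        }
    }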

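    resources:
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is declared as a string property; quote it so it is not read as a number
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # policyIdentifier (singular, Vault 1.11+) takes the oid/notice/cps blocks;
          # policyIdentifiers is the deprecated plain list of OID strings.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com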
    
    server_flag bool
    Flag to specify certificates for server use
    signature_bits int
    The number of bits to use in the signature algorithm
    street_addresses Sequence[str]
    The street address of generated certificates
    ttl str
    The TTL, in seconds, for any certificate issued against this role.
    use_csr_common_name bool
    Flag to use the CN in the CSR
    use_csr_sans bool
    Flag to use the SANs in the CSR
    use_pss bool
    Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.
    allowAnyName Boolean
    Flag to allow any name. When set, issuance is no longer limited to allowed_domains, so treat a role with this flag as able to issue for arbitrary names and restrict its issue/sign paths with ACLs accordingly.
    allowBareDomains Boolean
    Flag to allow certificates matching the actual domain
    allowGlobDomains Boolean
    Flag to allow names containing glob patterns.
    allowIpSans Boolean
    Flag to allow IP SANs
    allowLocalhost Boolean
    Flag to allow certificates for localhost
    allowSubdomains Boolean
    Flag to allow certificates matching subdomains
    allowWildcardCertificates Boolean
    Flag to allow wildcard certificates.
    allowedDomains List<String>
    List of allowed domains for certificates
    allowedDomainsTemplate Boolean
    Flag, if set, allowed_domains can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedOtherSans List<String>
    Defines allowed custom SANs
    allowedSerialNumbers List<String>
    An array of allowed serial numbers to put in Subject
    allowedUriSans List<String>
    Defines allowed URI SANs
    allowedUriSansTemplate Boolean
    Flag, if set, allowed_uri_sans can be specified using identity template expressions such as {{identity.entity.aliases.<mount accessor>.name}}.
    allowedUserIds List<String>
    Defines allowed User IDs
    backend String
    The path the PKI secret backend is mounted at, with no leading or trailing /s.
    basicConstraintsValidForNonCa Boolean
    Flag to mark basic constraints valid when issuing non-CA certificates
    clientFlag Boolean
    Flag to specify certificates for client use
    cnValidations List<String>
    Validations to run on the Common Name field of the certificate, choices: email, hostname, disabled
    codeSigningFlag Boolean
    Flag to specify certificates for code signing use
    countries List<String>
    The country of generated certificates
    emailProtectionFlag Boolean
    Flag to specify certificates for email protection use
    enforceHostnames Boolean
    Flag to allow only valid host names
    extKeyUsageOids List<String>
    Specify the allowed extended key usage OIDs constraint on issued certificates
    extKeyUsages List<String>
    Specify the allowed extended key usage constraint on issued certificates
    generateLease Boolean
    Flag to generate leases with certificates
    issuerRef String
    Specifies the default issuer of this request. May be the value default, a name, or an issuer ID. Restrict access to the /pki/issuer/:issuer_ref/{issue,sign}/:name paths with ACLs so that callers cannot override the role's issuer_ref value.
    keyBits Number
    The number of bits of generated keys
    keyType String
    The generated key type, choices: rsa, ec, ed25519, any. Defaults to rsa.
    keyUsages List<String>
    Specify the allowed key usage constraint on issued certificates. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]. To specify no default key usage constraints, set this to an empty list [].
    localities List<String>
    The locality of generated certificates
    maxTtl String
    The maximum lease TTL, in seconds, for the role.
    name String
    The name to identify this role within the backend. Must be unique within the backend.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    noStore Boolean
    Flag to not store certificates in the storage backend. Vault can only enumerate or revoke certificates it has stored, so reserve this for short-lived or non-sensitive certificates.
    noStoreMetadata Boolean
    Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs
    notAfter String
    Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
    notBeforeDuration String
    Specifies the duration by which to backdate the NotBefore property. This is commonly used to tolerate clock skew between the issuer and relying parties; keep it small, since a larger value makes the certificate valid for a window before it was actually issued.
    organizationUnit List<String>
    The organization unit of generated certificates
    organizations List<String>
    The organization of generated certificates
    policyIdentifier List<Property Map>
    (Vault 1.11+ only) A block for specifying policy identifiers. The policy_identifier block can be repeated and supports the oid, cps and notice arguments described under Supporting Types below.
    policyIdentifiers List<String>
    Specify the list of allowed policy OIDs as plain strings. Use with Vault 1.10 or earlier; for Vault 1.11+, use policy_identifier blocks instead.
    postalCodes List<String>
    The postal code of generated certificates
    provinces List<String>
    The province of generated certificates
    requireCn Boolean
    If true, a common name must be supplied in requests issued against this role. Set it to false only when certificates legitimately need no CN (for example, SAN-only certificates).
    serialNumberSource String

    Specifies the source of the subject serial number (the serialNumber attribute of the Subject DN, not the certificate's own serial number). Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the serial_number parameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the serial_number parameter and any value in the CSR is ignored. For backwards compatibility, an empty value for this field defaults to the json-csr behavior.

    Example usage (the entries under policyIdentifiers below carry oid/cps/notice values, which correspond to the policy_identifier block type documented above rather than the plain-string policy_identifiers list; check which property your SDK version expects):

    package generated_program;
    

    import com.pulumi.Context; import com.pulumi.Pulumi; import com.pulumi.core.Output; import com.pulumi.vault.Mount; import com.pulumi.vault.MountArgs; import com.pulumi.vault.pkiSecret.SecretBackendRole; import com.pulumi.vault.pkiSecret.SecretBackendRoleArgs; import java.util.List; import java.util.ArrayList; import java.util.Map; import java.io.File; import java.nio.file.Files; import java.nio.file.Paths;

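    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Mounts a PKI secrets engine at "pki" and defines one role on it.
         *
         * The mount sets a 1h default and 24h maximum lease TTL. The role pins
         * RSA-4096 keys, permits IP SANs, restricts names to the two listed
         * domains (plus subdomains) and attaches certificate policy identifiers.
         */
        public static void stack(Context ctx) {
            var pki = new Mount("pki", MountArgs.builder()
                .path("pki")
                .type("pki")
                .defaultLeaseTtlSeconds(3600)
                .maxLeaseTtlSeconds(86400)
                .build());

            var role = new SecretBackendRole("role", SecretBackendRoleArgs.builder()
                .backend(pki.path())
                .name("my_role")
                // ttl is a string-typed property; pass it as a string as the other examples do.
                .ttl("3600")
                .allowIpSans(true)
                .keyType("rsa")
                .keyBits(4096)
                // Only these domains (and, with allowSubdomains, their subdomains)
                // may appear in issued certificates.
                .allowedDomains(
                    "example.com",
                    "my.domain")
                .allowSubdomains(true)
                // NOTE(review): policyIdentifiers is documented as a List<String> of OIDs;
                // the oid/cps/notice maps below match the policyIdentifier block type
                // (SecretBackendRolePolicyIdentifierArgs) instead. Verify which property
                // your SDK version expects before relying on this snippet.
                .policyIdentifiers(
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.7.8"),
                        Map.entry("notice", "I am a user Notice")
                    ),
                    Map.ofEntries(
                        Map.entry("oid", "1.3.6.1.4.1.44947.1.2.4"),
                        Map.entry("cps", "https://example.com")
                    ))
                .build());
        }
    }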

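    # Mount a PKI secrets engine at "pki" and define one role on it.
    resources:
      pki:
        type: vault:Mount
        properties:
          path: pki
          type: pki
          # 1h default / 24h maximum lease TTL for the mount.
          defaultLeaseTtlSeconds: 3600
          maxLeaseTtlSeconds: 86400
      role:
        type: vault:pkiSecret:SecretBackendRole
        properties:
          backend: ${pki.path}
          name: my_role
          # ttl is a string-typed property; quote it so YAML does not parse it as an integer.
          ttl: "3600"
          allowIpSans: true
          keyType: rsa
          keyBits: 4096
          # Only these domains (and, with allowSubdomains, their subdomains)
          # may appear in issued certificates.
          allowedDomains:
            - example.com
            - my.domain
          allowSubdomains: true
          # oid/cps/notice entries use the policyIdentifier block type (Vault 1.11+);
          # policyIdentifiers is the plain list of OID strings for Vault 1.10 and earlier.
          policyIdentifier:
            - oid: 1.3.6.1.4.1.7.8
              notice: I am a user Notice
            - oid: 1.3.6.1.4.1.44947.1.2.4
              cps: https://example.com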
    
    serverFlag Boolean
    If true, issued certificates are flagged for server use (TLS server authentication).
    signatureBits Number
    The number of bits to use in the signature algorithm
    streetAddresses List<String>
    The street address of generated certificates
    ttl String
    The TTL, in seconds, for any certificate issued against this role.
    useCsrCommonName Boolean
    When signing a CSR, use the common name from the CSR instead of the one supplied in the request data. This does not cover SANs present in the CSR; see use_csr_sans for those.
    useCsrSans Boolean
    When signing a CSR, honour the subject alternative names present in the CSR. Names taken from the CSR remain subject to the role's allowed_domains and related allow_* constraints.
    usePss Boolean
    Specifies whether to use RSA-PSS signatures instead of PKCS#1 v1.5 signatures when the issuer has an RSA key. Ignored for ECDSA/Ed25519 issuers.

    Supporting Types

    SecretBackendRolePolicyIdentifier, SecretBackendRolePolicyIdentifierArgs

    Oid string
    The OID for the policy identifier
    Cps string
    The URL of the Certification Practice Statement (CPS) for the policy identifier
    Notice string
    A notice for the policy identifier
    Oid string
    The OID for the policy identifier
    Cps string
    The URL of the CPS for the policy identifier
    Notice string
    A notice for the policy identifier
    oid String
    The OID for the policy identifier
    cps String
    The URL of the CPS for the policy identifier
    notice String
    A notice for the policy identifier
    oid string
    The OID for the policy identifier
    cps string
    The URL of the CPS for the policy identifier
    notice string
    A notice for the policy identifier
    oid str
    The OID for the policy identifier
    cps str
    The URL of the CPS for the policy identifier
    notice str
    A notice for the policy identifier
    oid String
    The OID for the policy identifier
    cps String
    The URL of the CPS for the policy identifier
    notice String
    A notice for the policy identifier

    Import

    PKI secret backend roles can be imported using the path, e.g.

    $ pulumi import vault:pkiSecret/secretBackendRole:SecretBackendRole role pki/roles/my_role
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.