1. Packages
  2. HashiCorp Vault Provider
  3. API Docs
  4. transit
  5. SecretBackendKey
HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi

vault.transit.SecretBackendKey

Explore with Pulumi AI

Creates an Encryption Keyring on a Transit Secret Backend for Vault.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const transit = new vault.Mount("transit", {
    path: "transit",
    type: "transit",
    description: "Example description",
    defaultLeaseTtlSeconds: 3600,
    maxLeaseTtlSeconds: 86400,
});
const key = new vault.transit.SecretBackendKey("key", {
    backend: transit.path,
    name: "my_key",
});
Copy
import pulumi
import pulumi_vault as vault

transit = vault.Mount("transit",
    path="transit",
    type="transit",
    description="Example description",
    default_lease_ttl_seconds=3600,
    max_lease_ttl_seconds=86400)
key = vault.transit.SecretBackendKey("key",
    backend=transit.path,
    name="my_key")
Copy
package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/transit"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		transit, err := vault.NewMount(ctx, "transit", &vault.MountArgs{
			Path:                   pulumi.String("transit"),
			Type:                   pulumi.String("transit"),
			Description:            pulumi.String("Example description"),
			DefaultLeaseTtlSeconds: pulumi.Int(3600),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
		})
		if err != nil {
			return err
		}
		_, err = transit.NewSecretBackendKey(ctx, "key", &transit.SecretBackendKeyArgs{
			Backend: transit.Path,
			Name:    pulumi.String("my_key"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var transit = new Vault.Mount("transit", new()
    {
        Path = "transit",
        Type = "transit",
        Description = "Example description",
        DefaultLeaseTtlSeconds = 3600,
        MaxLeaseTtlSeconds = 86400,
    });

    var key = new Vault.Transit.SecretBackendKey("key", new()
    {
        Backend = transit.Path,
        Name = "my_key",
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.transit.SecretBackendKey;
import com.pulumi.vault.transit.SecretBackendKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var transit = new Mount("transit", MountArgs.builder()
            .path("transit")
            .type("transit")
            .description("Example description")
            .defaultLeaseTtlSeconds(3600)
            .maxLeaseTtlSeconds(86400)
            .build());

        var key = new SecretBackendKey("key", SecretBackendKeyArgs.builder()
            .backend(transit.path())
            .name("my_key")
            .build());

    }
}
Copy
resources:
  transit:
    type: vault:Mount
    properties:
      path: transit
      type: transit
      description: Example description
      defaultLeaseTtlSeconds: 3600
      maxLeaseTtlSeconds: 86400
  key:
    type: vault:transit:SecretBackendKey
    properties:
      backend: ${transit.path}
      name: my_key
Copy

Create SecretBackendKey Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackendKey(name: string, args: SecretBackendKeyArgs, opts?: CustomResourceOptions);
@overload
def SecretBackendKey(resource_name: str,
                     args: SecretBackendKeyArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def SecretBackendKey(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     backend: Optional[str] = None,
                     hybrid_key_type_pqc: Optional[str] = None,
                     key_size: Optional[int] = None,
                     convergent_encryption: Optional[bool] = None,
                     deletion_allowed: Optional[bool] = None,
                     derived: Optional[bool] = None,
                     exportable: Optional[bool] = None,
                     auto_rotate_period: Optional[int] = None,
                     allow_plaintext_backup: Optional[bool] = None,
                     hybrid_key_type_ec: Optional[str] = None,
                     min_decryption_version: Optional[int] = None,
                     min_encryption_version: Optional[int] = None,
                     name: Optional[str] = None,
                     namespace: Optional[str] = None,
                     parameter_set: Optional[str] = None,
                     type: Optional[str] = None)
func NewSecretBackendKey(ctx *Context, name string, args SecretBackendKeyArgs, opts ...ResourceOption) (*SecretBackendKey, error)
public SecretBackendKey(string name, SecretBackendKeyArgs args, CustomResourceOptions? opts = null)
public SecretBackendKey(String name, SecretBackendKeyArgs args)
public SecretBackendKey(String name, SecretBackendKeyArgs args, CustomResourceOptions options)
type: vault:transit:SecretBackendKey
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. SecretBackendKeyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. SecretBackendKeyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. SecretBackendKeyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. SecretBackendKeyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. SecretBackendKeyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var vaultSecretBackendKeyResource = new Vault.Transit.SecretBackendKey("vaultSecretBackendKeyResource", new()
{
    Backend = "string",
    HybridKeyTypePqc = "string",
    KeySize = 0,
    ConvergentEncryption = false,
    DeletionAllowed = false,
    Derived = false,
    Exportable = false,
    AutoRotatePeriod = 0,
    AllowPlaintextBackup = false,
    HybridKeyTypeEc = "string",
    MinDecryptionVersion = 0,
    MinEncryptionVersion = 0,
    Name = "string",
    Namespace = "string",
    ParameterSet = "string",
    Type = "string",
});
Copy
example, err := transit.NewSecretBackendKey(ctx, "vaultSecretBackendKeyResource", &transit.SecretBackendKeyArgs{
	Backend:              pulumi.String("string"),
	HybridKeyTypePqc:     pulumi.String("string"),
	KeySize:              pulumi.Int(0),
	ConvergentEncryption: pulumi.Bool(false),
	DeletionAllowed:      pulumi.Bool(false),
	Derived:              pulumi.Bool(false),
	Exportable:           pulumi.Bool(false),
	AutoRotatePeriod:     pulumi.Int(0),
	AllowPlaintextBackup: pulumi.Bool(false),
	HybridKeyTypeEc:      pulumi.String("string"),
	MinDecryptionVersion: pulumi.Int(0),
	MinEncryptionVersion: pulumi.Int(0),
	Name:                 pulumi.String("string"),
	Namespace:            pulumi.String("string"),
	ParameterSet:         pulumi.String("string"),
	Type:                 pulumi.String("string"),
})
Copy
var vaultSecretBackendKeyResource = new SecretBackendKey("vaultSecretBackendKeyResource", SecretBackendKeyArgs.builder()
    .backend("string")
    .hybridKeyTypePqc("string")
    .keySize(0)
    .convergentEncryption(false)
    .deletionAllowed(false)
    .derived(false)
    .exportable(false)
    .autoRotatePeriod(0)
    .allowPlaintextBackup(false)
    .hybridKeyTypeEc("string")
    .minDecryptionVersion(0)
    .minEncryptionVersion(0)
    .name("string")
    .namespace("string")
    .parameterSet("string")
    .type("string")
    .build());
Copy
vault_secret_backend_key_resource = vault.transit.SecretBackendKey("vaultSecretBackendKeyResource",
    backend="string",
    hybrid_key_type_pqc="string",
    key_size=0,
    convergent_encryption=False,
    deletion_allowed=False,
    derived=False,
    exportable=False,
    auto_rotate_period=0,
    allow_plaintext_backup=False,
    hybrid_key_type_ec="string",
    min_decryption_version=0,
    min_encryption_version=0,
    name="string",
    namespace="string",
    parameter_set="string",
    type="string")
Copy
const vaultSecretBackendKeyResource = new vault.transit.SecretBackendKey("vaultSecretBackendKeyResource", {
    backend: "string",
    hybridKeyTypePqc: "string",
    keySize: 0,
    convergentEncryption: false,
    deletionAllowed: false,
    derived: false,
    exportable: false,
    autoRotatePeriod: 0,
    allowPlaintextBackup: false,
    hybridKeyTypeEc: "string",
    minDecryptionVersion: 0,
    minEncryptionVersion: 0,
    name: "string",
    namespace: "string",
    parameterSet: "string",
    type: "string",
});
Copy
type: vault:transit:SecretBackendKey
properties:
    allowPlaintextBackup: false
    autoRotatePeriod: 0
    backend: string
    convergentEncryption: false
    deletionAllowed: false
    derived: false
    exportable: false
    hybridKeyTypeEc: string
    hybridKeyTypePqc: string
    keySize: 0
    minDecryptionVersion: 0
    minEncryptionVersion: 0
    name: string
    namespace: string
    parameterSet: string
    type: string
Copy

SecretBackendKey Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackendKey resource accepts the following input properties:

Backend
This property is required.
Changes to this property will trigger replacement.
string
The path the transit secret backend is mounted at, with no leading or trailing /s.
AllowPlaintextBackup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
AutoRotatePeriod int
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
ConvergentEncryption Changes to this property will trigger replacement. bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
DeletionAllowed bool
Specifies if the key is allowed to be deleted.
Derived Changes to this property will trigger replacement. bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
Exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
HybridKeyTypeEc string
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
HybridKeyTypePqc string
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
KeySize int
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
MinDecryptionVersion int
Minimum key version to use for decryption.
MinEncryptionVersion int
Minimum key version to use for encryption
Name Changes to this property will trigger replacement. string
The name to identify this key within the backend. Must be unique within the backend.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
ParameterSet string
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
Type Changes to this property will trigger replacement. string
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
Backend
This property is required.
Changes to this property will trigger replacement.
string
The path the transit secret backend is mounted at, with no leading or trailing /s.
AllowPlaintextBackup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
AutoRotatePeriod int
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
ConvergentEncryption Changes to this property will trigger replacement. bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
DeletionAllowed bool
Specifies if the key is allowed to be deleted.
Derived Changes to this property will trigger replacement. bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
Exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
HybridKeyTypeEc string
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
HybridKeyTypePqc string
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
KeySize int
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
MinDecryptionVersion int
Minimum key version to use for decryption.
MinEncryptionVersion int
Minimum key version to use for encryption
Name Changes to this property will trigger replacement. string
The name to identify this key within the backend. Must be unique within the backend.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
ParameterSet string
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
Type Changes to this property will trigger replacement. string
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
backend
This property is required.
Changes to this property will trigger replacement.
String
The path the transit secret backend is mounted at, with no leading or trailing /s.
allowPlaintextBackup Boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
autoRotatePeriod Integer
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
convergentEncryption Changes to this property will trigger replacement. Boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletionAllowed Boolean
Specifies if the key is allowed to be deleted.
derived Changes to this property will trigger replacement. Boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable Boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
hybridKeyTypeEc String
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
hybridKeyTypePqc String
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
keySize Integer
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
minDecryptionVersion Integer
Minimum key version to use for decryption.
minEncryptionVersion Integer
Minimum key version to use for encryption
name Changes to this property will trigger replacement. String
The name to identify this key within the backend. Must be unique within the backend.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
parameterSet String
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
type Changes to this property will trigger replacement. String
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
backend
This property is required.
Changes to this property will trigger replacement.
string
The path the transit secret backend is mounted at, with no leading or trailing /s.
allowPlaintextBackup boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
autoRotatePeriod number
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
convergentEncryption Changes to this property will trigger replacement. boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletionAllowed boolean
Specifies if the key is allowed to be deleted.
derived Changes to this property will trigger replacement. boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
hybridKeyTypeEc string
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
hybridKeyTypePqc string
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
keySize number
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
minDecryptionVersion number
Minimum key version to use for decryption.
minEncryptionVersion number
Minimum key version to use for encryption
name Changes to this property will trigger replacement. string
The name to identify this key within the backend. Must be unique within the backend.
namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
parameterSet string
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
type Changes to this property will trigger replacement. string
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
backend
This property is required.
Changes to this property will trigger replacement.
str
The path the transit secret backend is mounted at, with no leading or trailing /s.
allow_plaintext_backup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
auto_rotate_period int
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
convergent_encryption Changes to this property will trigger replacement. bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletion_allowed bool
Specifies if the key is allowed to be deleted.
derived Changes to this property will trigger replacement. bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
hybrid_key_type_ec str
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
hybrid_key_type_pqc str
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
key_size int
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
min_decryption_version int
Minimum key version to use for decryption.
min_encryption_version int
Minimum key version to use for encryption
name Changes to this property will trigger replacement. str
The name to identify this key within the backend. Must be unique within the backend.
namespace Changes to this property will trigger replacement. str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
parameter_set str
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
type Changes to this property will trigger replacement. str
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
backend
This property is required.
Changes to this property will trigger replacement.
String
The path the transit secret backend is mounted at, with no leading or trailing /s.
allowPlaintextBackup Boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
autoRotatePeriod Number
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
convergentEncryption Changes to this property will trigger replacement. Boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletionAllowed Boolean
Specifies if the key is allowed to be deleted.
derived Changes to this property will trigger replacement. Boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable Boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
hybridKeyTypeEc String
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
hybridKeyTypePqc String
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
keySize Number
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
minDecryptionVersion Number
Minimum key version to use for decryption.
minEncryptionVersion Number
Minimum key version to use for encryption
name Changes to this property will trigger replacement. String
The name to identify this key within the backend. Must be unique within the backend.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
parameterSet String
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
type Changes to this property will trigger replacement. String
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendKey resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Keys List<ImmutableDictionary<string, string>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
LatestVersion int
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
MinAvailableVersion int
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
SupportsDecryption bool
Whether or not the key supports decryption, based on key type.
SupportsDerivation bool
Whether or not the key supports derivation, based on key type.
SupportsEncryption bool
Whether or not the key supports encryption, based on key type.
SupportsSigning bool
Whether or not the key supports signing, based on key type.
Id string
The provider-assigned unique ID for this managed resource.
Keys []map[string]string
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
LatestVersion int
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
MinAvailableVersion int
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
SupportsDecryption bool
Whether or not the key supports decryption, based on key type.
SupportsDerivation bool
Whether or not the key supports derivation, based on key type.
SupportsEncryption bool
Whether or not the key supports encryption, based on key type.
SupportsSigning bool
Whether or not the key supports signing, based on key type.
id String
The provider-assigned unique ID for this managed resource.
keys List<Map<String,String>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
latestVersion Integer
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
minAvailableVersion Integer
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
supportsDecryption Boolean
Whether or not the key supports decryption, based on key type.
supportsDerivation Boolean
Whether or not the key supports derivation, based on key type.
supportsEncryption Boolean
Whether or not the key supports encryption, based on key type.
supportsSigning Boolean
Whether or not the key supports signing, based on key type.
id string
The provider-assigned unique ID for this managed resource.
keys {[key: string]: string}[]
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
latestVersion number
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
minAvailableVersion number
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
supportsDecryption boolean
Whether or not the key supports decryption, based on key type.
supportsDerivation boolean
Whether or not the key supports derivation, based on key type.
supportsEncryption boolean
Whether or not the key supports encryption, based on key type.
supportsSigning boolean
Whether or not the key supports signing, based on key type.
id str
The provider-assigned unique ID for this managed resource.
keys Sequence[Mapping[str, str]]
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
latest_version int
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
min_available_version int
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
supports_decryption bool
Whether or not the key supports decryption, based on key type.
supports_derivation bool
Whether or not the key supports derivation, based on key type.
supports_encryption bool
Whether or not the key supports encryption, based on key type.
supports_signing bool
Whether or not the key supports signing, based on key type.
id String
The provider-assigned unique ID for this managed resource.
keys List<Map<String>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
latestVersion Number
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
minAvailableVersion Number
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
supportsDecryption Boolean
Whether or not the key supports decryption, based on key type.
supportsDerivation Boolean
Whether or not the key supports derivation, based on key type.
supportsEncryption Boolean
Whether or not the key supports encryption, based on key type.
supportsSigning Boolean
Whether or not the key supports signing, based on key type.

Look up Existing SecretBackendKey Resource

Get an existing SecretBackendKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendKeyState, opts?: CustomResourceOptions): SecretBackendKey
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allow_plaintext_backup: Optional[bool] = None,
        auto_rotate_period: Optional[int] = None,
        backend: Optional[str] = None,
        convergent_encryption: Optional[bool] = None,
        deletion_allowed: Optional[bool] = None,
        derived: Optional[bool] = None,
        exportable: Optional[bool] = None,
        hybrid_key_type_ec: Optional[str] = None,
        hybrid_key_type_pqc: Optional[str] = None,
        key_size: Optional[int] = None,
        keys: Optional[Sequence[Mapping[str, str]]] = None,
        latest_version: Optional[int] = None,
        min_available_version: Optional[int] = None,
        min_decryption_version: Optional[int] = None,
        min_encryption_version: Optional[int] = None,
        name: Optional[str] = None,
        namespace: Optional[str] = None,
        parameter_set: Optional[str] = None,
        supports_decryption: Optional[bool] = None,
        supports_derivation: Optional[bool] = None,
        supports_encryption: Optional[bool] = None,
        supports_signing: Optional[bool] = None,
        type: Optional[str] = None) -> SecretBackendKey
func GetSecretBackendKey(ctx *Context, name string, id IDInput, state *SecretBackendKeyState, opts ...ResourceOption) (*SecretBackendKey, error)
public static SecretBackendKey Get(string name, Input<string> id, SecretBackendKeyState? state, CustomResourceOptions? opts = null)
public static SecretBackendKey get(String name, Output<String> id, SecretBackendKeyState state, CustomResourceOptions options)
resources:  _:    type: vault:transit:SecretBackendKey    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AllowPlaintextBackup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
AutoRotatePeriod int
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Backend Changes to this property will trigger replacement. string
The path the transit secret backend is mounted at, with no leading or trailing /s.
ConvergentEncryption Changes to this property will trigger replacement. bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
DeletionAllowed bool
Specifies if the key is allowed to be deleted.
Derived Changes to this property will trigger replacement. bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
Exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
HybridKeyTypeEc string
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
HybridKeyTypePqc string
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
KeySize int
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
Keys List<ImmutableDictionary<string, string>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
LatestVersion int
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
MinAvailableVersion int
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
MinDecryptionVersion int
Minimum key version to use for decryption.
MinEncryptionVersion int
Minimum key version to use for encryption
Name Changes to this property will trigger replacement. string
The name to identify this key within the backend. Must be unique within the backend.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
ParameterSet string
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
SupportsDecryption bool
Whether or not the key supports decryption, based on key type.
SupportsDerivation bool
Whether or not the key supports derivation, based on key type.
SupportsEncryption bool
Whether or not the key supports encryption, based on key type.
SupportsSigning bool
Whether or not the key supports signing, based on key type.
Type Changes to this property will trigger replacement. string
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
AllowPlaintextBackup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
AutoRotatePeriod int
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
Backend Changes to this property will trigger replacement. string
The path the transit secret backend is mounted at, with no leading or trailing /s.
ConvergentEncryption Changes to this property will trigger replacement. bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
DeletionAllowed bool
Specifies if the key is allowed to be deleted.
Derived Changes to this property will trigger replacement. bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
Exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
HybridKeyTypeEc string
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
HybridKeyTypePqc string
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
KeySize int
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
Keys []map[string]string
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
LatestVersion int
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
MinAvailableVersion int
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
MinDecryptionVersion int
Minimum key version to use for decryption.
MinEncryptionVersion int
Minimum key version to use for encryption
Name Changes to this property will trigger replacement. string
The name to identify this key within the backend. Must be unique within the backend.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
ParameterSet string
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
SupportsDecryption bool
Whether or not the key supports decryption, based on key type.
SupportsDerivation bool
Whether or not the key supports derivation, based on key type.
SupportsEncryption bool
Whether or not the key supports encryption, based on key type.
SupportsSigning bool
Whether or not the key supports signing, based on key type.
Type Changes to this property will trigger replacement. string
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
allowPlaintextBackup Boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
autoRotatePeriod Integer
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
backend Changes to this property will trigger replacement. String
The path the transit secret backend is mounted at, with no leading or trailing /s.
convergentEncryption Changes to this property will trigger replacement. Boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletionAllowed Boolean
Specifies if the key is allowed to be deleted.
derived Changes to this property will trigger replacement. Boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable Boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
hybridKeyTypeEc String
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
hybridKeyTypePqc String
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
keySize Integer
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
keys List<Map<String,String>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
latestVersion Integer
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
minAvailableVersion Integer
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
minDecryptionVersion Integer
Minimum key version to use for decryption.
minEncryptionVersion Integer
Minimum key version to use for encryption
name Changes to this property will trigger replacement. String
The name to identify this key within the backend. Must be unique within the backend.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
parameterSet String
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
supportsDecryption Boolean
Whether or not the key supports decryption, based on key type.
supportsDerivation Boolean
Whether or not the key supports derivation, based on key type.
supportsEncryption Boolean
Whether or not the key supports encryption, based on key type.
supportsSigning Boolean
Whether or not the key supports signing, based on key type.
type Changes to this property will trigger replacement. String
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
allowPlaintextBackup boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
autoRotatePeriod number
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
backend Changes to this property will trigger replacement. string
The path the transit secret backend is mounted at, with no leading or trailing /s.
convergentEncryption Changes to this property will trigger replacement. boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletionAllowed boolean
Specifies if the key is allowed to be deleted.
derived Changes to this property will trigger replacement. boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
hybridKeyTypeEc string
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
hybridKeyTypePqc string
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
keySize number
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
keys {[key: string]: string}[]
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
latestVersion number
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
minAvailableVersion number
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
minDecryptionVersion number
Minimum key version to use for decryption.
minEncryptionVersion number
Minimum key version to use for encryption
name Changes to this property will trigger replacement. string
The name to identify this key within the backend. Must be unique within the backend.
namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
parameterSet string
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
supportsDecryption boolean
Whether or not the key supports decryption, based on key type.
supportsDerivation boolean
Whether or not the key supports derivation, based on key type.
supportsEncryption boolean
Whether or not the key supports encryption, based on key type.
supportsSigning boolean
Whether or not the key supports signing, based on key type.
type Changes to this property will trigger replacement. string
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
allow_plaintext_backup bool
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
auto_rotate_period int
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
backend Changes to this property will trigger replacement. str
The path the transit secret backend is mounted at, with no leading or trailing /s.
convergent_encryption Changes to this property will trigger replacement. bool
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletion_allowed bool
Specifies if the key is allowed to be deleted.
derived Changes to this property will trigger replacement. bool
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable bool
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
hybrid_key_type_ec str
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
hybrid_key_type_pqc str
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
key_size int
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
keys Sequence[Mapping[str, str]]
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
latest_version int
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
min_available_version int
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
min_decryption_version int
Minimum key version to use for decryption.
min_encryption_version int
Minimum key version to use for encryption
name Changes to this property will trigger replacement. str
The name to identify this key within the backend. Must be unique within the backend.
namespace Changes to this property will trigger replacement. str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
parameter_set str
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
supports_decryption bool
Whether or not the key supports decryption, based on key type.
supports_derivation bool
Whether or not the key supports derivation, based on key type.
supports_encryption bool
Whether or not the key supports encryption, based on key type.
supports_signing bool
Whether or not the key supports signing, based on key type.
type Changes to this property will trigger replacement. str
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types
allowPlaintextBackup Boolean
Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.

  • Refer to Vault API documentation on key backups for more information: Backup Key
autoRotatePeriod Number
Amount of seconds the key should live before being automatically rotated. A value of 0 disables automatic rotation for the key.
backend Changes to this property will trigger replacement. String
The path the transit secret backend is mounted at, with no leading or trailing /s.
convergentEncryption Changes to this property will trigger replacement. Boolean
Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires derived to be set to true.
deletionAllowed Boolean
Specifies if the key is allowed to be deleted.
derived Changes to this property will trigger replacement. Boolean
Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.
exportable Boolean
Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.
hybridKeyTypeEc String
The elliptic curve algorithm to use for hybrid signatures. Supported key types are ecdsa-p256, ecdsa-p384, ecdsa-p521, and ed25519.
hybridKeyTypePqc String
The post-quantum algorithm to use for hybrid signatures. Currently, ML-DSA is the only supported key type.
keySize Number
The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.
keys List<Map<String>>
List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the type of the encryption key.

  • for key types aes128-gcm96, aes256-gcm96 and chacha20-poly1305, each key version will be a map of a single value id which is just a hash of the key's metadata.
  • for key types ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, rsa-2048, rsa-3072 and rsa-4096, each key version will be a map of the following:
latestVersion Number
Latest key version available. This value is 1-indexed, so if latest_version is 1, then the key's information can be referenced from keys by selecting element 0
minAvailableVersion Number
Minimum key version available for use. If keys have been archived by increasing min_decryption_version, this attribute will reflect that change.
minDecryptionVersion Number
Minimum key version to use for decryption.
minEncryptionVersion Number
Minimum key version to use for encryption
name Changes to this property will trigger replacement. String
The name to identify this key within the backend. Must be unique within the backend.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
parameterSet String
The parameter set to use for ML-DSA. Required for ML-DSA and hybrid keys. Valid values are 44, 65, and 87.
supportsDecryption Boolean
Whether or not the key supports decryption, based on key type.
supportsDerivation Boolean
Whether or not the key supports derivation, based on key type.
supportsEncryption Boolean
Whether or not the key supports encryption, based on key type.
supportsSigning Boolean
Whether or not the key supports signing, based on key type.
type Changes to this property will trigger replacement. String
Specifies the type of key to create. The currently-supported types are: aes128-gcm96, aes256-gcm96 (default), chacha20-poly1305, ed25519, ecdsa-p256, ecdsa-p384, ecdsa-p521, hmac, rsa-2048, rsa-3072 and rsa-4096.

  • Refer to the Vault documentation on transit key types for more information: Key Types

Import

Transit secret backend keys can be imported using the path, e.g.

$ pulumi import vault:transit/secretBackendKey:SecretBackendKey key transit/keys/my_key
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Vault pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.