Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi Cloud Packages Tutorials
  1. Packages
  2. HashiCorp Vault Provider
  3. API Docs
  4. ad
  5. SecretBackend
HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi
pulumi/pulumi-vault

vault.ad.SecretBackend

Explore with Pulumi AI

HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi
pulumi/pulumi-vault

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const config = new vault.ad.SecretBackend("config", {
    backend: "ad",
    binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass: "SuperSecretPassw0rd",
    url: "ldaps://ad",
    insecureTls: true,
    userdn: "CN=Users,DC=corp,DC=example,DC=net",
});
Copy
import pulumi
import pulumi_vault as vault

config = vault.ad.SecretBackend("config",
    backend="ad",
    binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass="SuperSecretPassw0rd",
    url="ldaps://ad",
    insecure_tls=True,
    userdn="CN=Users,DC=corp,DC=example,DC=net")
Copy
package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/ad"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := ad.NewSecretBackend(ctx, "config", &ad.SecretBackendArgs{
			Backend:     pulumi.String("ad"),
			Binddn:      pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
			Bindpass:    pulumi.String("SuperSecretPassw0rd"),
			Url:         pulumi.String("ldaps://ad"),
			InsecureTls: pulumi.Bool(true),
			Userdn:      pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var config = new Vault.AD.SecretBackend("config", new()
    {
        Backend = "ad",
        Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
        Bindpass = "SuperSecretPassw0rd",
        Url = "ldaps://ad",
        InsecureTls = true,
        Userdn = "CN=Users,DC=corp,DC=example,DC=net",
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.ad.SecretBackend;
import com.pulumi.vault.ad.SecretBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .backend("ad")
            .binddn("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net")
            .bindpass("SuperSecretPassw0rd")
            .url("ldaps://ad")
            .insecureTls("true")
            .userdn("CN=Users,DC=corp,DC=example,DC=net")
            .build());

    }
}
Copy
resources:
  config:
    type: vault:ad:SecretBackend
    properties:
      backend: ad
      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
      bindpass: SuperSecretPassw0rd
      url: ldaps://ad
      insecureTls: 'true'
      userdn: CN=Users,DC=corp,DC=example,DC=net
Copy

Create SecretBackend Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackend(name: string, args: SecretBackendArgs, opts?: CustomResourceOptions);
@overload
def SecretBackend(resource_name: str,
                  args: SecretBackendArgs,
                  opts: Optional[ResourceOptions] = None)

@overload
def SecretBackend(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  binddn: Optional[str] = None,
                  bindpass: Optional[str] = None,
                  insecure_tls: Optional[bool] = None,
                  max_lease_ttl_seconds: Optional[int] = None,
                  case_sensitive_names: Optional[bool] = None,
                  certificate: Optional[str] = None,
                  client_tls_cert: Optional[str] = None,
                  client_tls_key: Optional[str] = None,
                  default_lease_ttl_seconds: Optional[int] = None,
                  deny_null_bind: Optional[bool] = None,
                  local: Optional[bool] = None,
                  disable_remount: Optional[bool] = None,
                  discoverdn: Optional[bool] = None,
                  groupattr: Optional[str] = None,
                  groupdn: Optional[str] = None,
                  groupfilter: Optional[str] = None,
                  backend: Optional[str] = None,
                  anonymous_group_search: Optional[bool] = None,
                  description: Optional[str] = None,
                  last_rotation_tolerance: Optional[int] = None,
                  max_ttl: Optional[int] = None,
                  namespace: Optional[str] = None,
                  password_policy: Optional[str] = None,
                  request_timeout: Optional[int] = None,
                  starttls: Optional[bool] = None,
                  tls_max_version: Optional[str] = None,
                  tls_min_version: Optional[str] = None,
                  ttl: Optional[int] = None,
                  upndomain: Optional[str] = None,
                  url: Optional[str] = None,
                  use_pre111_group_cn_behavior: Optional[bool] = None,
                  use_token_groups: Optional[bool] = None,
                  userattr: Optional[str] = None,
                  userdn: Optional[str] = None)
func NewSecretBackend(ctx *Context, name string, args SecretBackendArgs, opts ...ResourceOption) (*SecretBackend, error)
public SecretBackend(string name, SecretBackendArgs args, CustomResourceOptions? opts = null)
public SecretBackend(String name, SecretBackendArgs args)
public SecretBackend(String name, SecretBackendArgs args, CustomResourceOptions options)

type: vault:ad:SecretBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. SecretBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. SecretBackendArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. SecretBackendArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. SecretBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. SecretBackendArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var secretBackendResource = new Vault.AD.SecretBackend("secretBackendResource", new()
{
    Binddn = "string",
    Bindpass = "string",
    InsecureTls = false,
    MaxLeaseTtlSeconds = 0,
    CaseSensitiveNames = false,
    Certificate = "string",
    ClientTlsCert = "string",
    ClientTlsKey = "string",
    DefaultLeaseTtlSeconds = 0,
    DenyNullBind = false,
    Local = false,
    DisableRemount = false,
    Discoverdn = false,
    Groupattr = "string",
    Groupdn = "string",
    Groupfilter = "string",
    Backend = "string",
    AnonymousGroupSearch = false,
    Description = "string",
    LastRotationTolerance = 0,
    MaxTtl = 0,
    Namespace = "string",
    PasswordPolicy = "string",
    RequestTimeout = 0,
    Starttls = false,
    TlsMaxVersion = "string",
    TlsMinVersion = "string",
    Ttl = 0,
    Upndomain = "string",
    Url = "string",
    UsePre111GroupCnBehavior = false,
    UseTokenGroups = false,
    Userattr = "string",
    Userdn = "string",
});
Copy
example, err := ad.NewSecretBackend(ctx, "secretBackendResource", &ad.SecretBackendArgs{
	Binddn:                   pulumi.String("string"),
	Bindpass:                 pulumi.String("string"),
	InsecureTls:              pulumi.Bool(false),
	MaxLeaseTtlSeconds:       pulumi.Int(0),
	CaseSensitiveNames:       pulumi.Bool(false),
	Certificate:              pulumi.String("string"),
	ClientTlsCert:            pulumi.String("string"),
	ClientTlsKey:             pulumi.String("string"),
	DefaultLeaseTtlSeconds:   pulumi.Int(0),
	DenyNullBind:             pulumi.Bool(false),
	Local:                    pulumi.Bool(false),
	DisableRemount:           pulumi.Bool(false),
	Discoverdn:               pulumi.Bool(false),
	Groupattr:                pulumi.String("string"),
	Groupdn:                  pulumi.String("string"),
	Groupfilter:              pulumi.String("string"),
	Backend:                  pulumi.String("string"),
	AnonymousGroupSearch:     pulumi.Bool(false),
	Description:              pulumi.String("string"),
	LastRotationTolerance:    pulumi.Int(0),
	MaxTtl:                   pulumi.Int(0),
	Namespace:                pulumi.String("string"),
	PasswordPolicy:           pulumi.String("string"),
	RequestTimeout:           pulumi.Int(0),
	Starttls:                 pulumi.Bool(false),
	TlsMaxVersion:            pulumi.String("string"),
	TlsMinVersion:            pulumi.String("string"),
	Ttl:                      pulumi.Int(0),
	Upndomain:                pulumi.String("string"),
	Url:                      pulumi.String("string"),
	UsePre111GroupCnBehavior: pulumi.Bool(false),
	UseTokenGroups:           pulumi.Bool(false),
	Userattr:                 pulumi.String("string"),
	Userdn:                   pulumi.String("string"),
})
Copy
var secretBackendResource = new com.pulumi.vault.ad.SecretBackend("secretBackendResource", com.pulumi.vault.ad.SecretBackendArgs.builder()
    .binddn("string")
    .bindpass("string")
    .insecureTls(false)
    .maxLeaseTtlSeconds(0)
    .caseSensitiveNames(false)
    .certificate("string")
    .clientTlsCert("string")
    .clientTlsKey("string")
    .defaultLeaseTtlSeconds(0)
    .denyNullBind(false)
    .local(false)
    .disableRemount(false)
    .discoverdn(false)
    .groupattr("string")
    .groupdn("string")
    .groupfilter("string")
    .backend("string")
    .anonymousGroupSearch(false)
    .description("string")
    .lastRotationTolerance(0)
    .maxTtl(0)
    .namespace("string")
    .passwordPolicy("string")
    .requestTimeout(0)
    .starttls(false)
    .tlsMaxVersion("string")
    .tlsMinVersion("string")
    .ttl(0)
    .upndomain("string")
    .url("string")
    .usePre111GroupCnBehavior(false)
    .useTokenGroups(false)
    .userattr("string")
    .userdn("string")
    .build());
Copy
secret_backend_resource = vault.ad.SecretBackend("secretBackendResource",
    binddn="string",
    bindpass="string",
    insecure_tls=False,
    max_lease_ttl_seconds=0,
    case_sensitive_names=False,
    certificate="string",
    client_tls_cert="string",
    client_tls_key="string",
    default_lease_ttl_seconds=0,
    deny_null_bind=False,
    local=False,
    disable_remount=False,
    discoverdn=False,
    groupattr="string",
    groupdn="string",
    groupfilter="string",
    backend="string",
    anonymous_group_search=False,
    description="string",
    last_rotation_tolerance=0,
    max_ttl=0,
    namespace="string",
    password_policy="string",
    request_timeout=0,
    starttls=False,
    tls_max_version="string",
    tls_min_version="string",
    ttl=0,
    upndomain="string",
    url="string",
    use_pre111_group_cn_behavior=False,
    use_token_groups=False,
    userattr="string",
    userdn="string")
Copy
const secretBackendResource = new vault.ad.SecretBackend("secretBackendResource", {
    binddn: "string",
    bindpass: "string",
    insecureTls: false,
    maxLeaseTtlSeconds: 0,
    caseSensitiveNames: false,
    certificate: "string",
    clientTlsCert: "string",
    clientTlsKey: "string",
    defaultLeaseTtlSeconds: 0,
    denyNullBind: false,
    local: false,
    disableRemount: false,
    discoverdn: false,
    groupattr: "string",
    groupdn: "string",
    groupfilter: "string",
    backend: "string",
    anonymousGroupSearch: false,
    description: "string",
    lastRotationTolerance: 0,
    maxTtl: 0,
    namespace: "string",
    passwordPolicy: "string",
    requestTimeout: 0,
    starttls: false,
    tlsMaxVersion: "string",
    tlsMinVersion: "string",
    ttl: 0,
    upndomain: "string",
    url: "string",
    usePre111GroupCnBehavior: false,
    useTokenGroups: false,
    userattr: "string",
    userdn: "string",
});
Copy
type: vault:ad:SecretBackend
properties:
    anonymousGroupSearch: false
    backend: string
    binddn: string
    bindpass: string
    caseSensitiveNames: false
    certificate: string
    clientTlsCert: string
    clientTlsKey: string
    defaultLeaseTtlSeconds: 0
    denyNullBind: false
    description: string
    disableRemount: false
    discoverdn: false
    groupattr: string
    groupdn: string
    groupfilter: string
    insecureTls: false
    lastRotationTolerance: 0
    local: false
    maxLeaseTtlSeconds: 0
    maxTtl: 0
    namespace: string
    passwordPolicy: string
    requestTimeout: 0
    starttls: false
    tlsMaxVersion: string
    tlsMinVersion: string
    ttl: 0
    upndomain: string
    url: string
    usePre111GroupCnBehavior: false
    useTokenGroups: false
    userattr: string
    userdn: string
Copy

SecretBackend Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackend resource accepts the following input properties:

Binddn This property is required. string
Distinguished name of object to bind when performing user and group search.
Bindpass This property is required. string
Password to use along with binddn when performing user search.
AnonymousGroupSearch bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
CaseSensitiveNames bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int
Default lease duration for secrets in seconds.
DenyNullBind bool
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
Description string
Human-friendly description of the mount for the Active Directory backend.
DisableRemount bool
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
Groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
MaxLeaseTtlSeconds int
Maximum possible lease duration for secrets in seconds.
MaxTtl int
In seconds, the maximum password time-to-live.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordPolicy string
Name of the password policy to use to generate passwords.
RequestTimeout int
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int
In seconds, the default password time-to-live.
Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string
Attribute used when searching users. Defaults to cn.
Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
Binddn This property is required. string
Distinguished name of object to bind when performing user and group search.
Bindpass This property is required. string
Password to use along with binddn when performing user search.
AnonymousGroupSearch bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
CaseSensitiveNames bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int
Default lease duration for secrets in seconds.
DenyNullBind bool
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
Description string
Human-friendly description of the mount for the Active Directory backend.
DisableRemount bool
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
Groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
MaxLeaseTtlSeconds int
Maximum possible lease duration for secrets in seconds.
MaxTtl int
In seconds, the maximum password time-to-live.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordPolicy string
Name of the password policy to use to generate passwords.
RequestTimeout int
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int
In seconds, the default password time-to-live.
Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string
Attribute used when searching users. Defaults to cn.
Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
binddn This property is required. String
Distinguished name of object to bind when performing user and group search.
bindpass This property is required. String
Password to use along with binddn when performing user search.
anonymousGroupSearch Boolean
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend String
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
caseSensitiveNames Boolean
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate String
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert String
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey String
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds Integer
Default lease duration for secrets in seconds.
denyNullBind Boolean
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description String
Human-friendly description of the mount for the Active Directory backend.
disableRemount Boolean
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn Boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr String
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn String
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter String
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls Boolean
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance Integer
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local Boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds Integer
Maximum possible lease duration for secrets in seconds.
maxTtl Integer
In seconds, the maximum password time-to-live.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy String
Name of the password policy to use to generate passwords.
requestTimeout Integer
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls Boolean
Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion String
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion String
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl Integer
In seconds, the default password time-to-live.
upndomain String
Enables userPrincipalDomain login with [username]@UPNDomain.
url String
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior Boolean
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups Boolean
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr String
Attribute used when searching users. Defaults to cn.
userdn String
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
binddn This property is required. string
Distinguished name of object to bind when performing user and group search.
bindpass This property is required. string
Password to use along with binddn when performing user search.
anonymousGroupSearch boolean
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
caseSensitiveNames boolean
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds number
Default lease duration for secrets in seconds.
denyNullBind boolean
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description string
Human-friendly description of the mount for the Active Directory backend.
disableRemount boolean
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls boolean
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance number
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds number
Maximum possible lease duration for secrets in seconds.
maxTtl number
In seconds, the maximum password time-to-live.
namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy string
Name of the password policy to use to generate passwords.
requestTimeout number
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls boolean
Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl number
In seconds, the default password time-to-live.
upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior boolean
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups boolean
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr string
Attribute used when searching users. Defaults to cn.
userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
binddn This property is required. str
Distinguished name of object to bind when performing user and group search.
bindpass This property is required. str
Password to use along with binddn when performing user search.
anonymous_group_search bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend str
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
case_sensitive_names bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate str
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
client_tls_cert str
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
client_tls_key str
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
default_lease_ttl_seconds int
Default lease duration for secrets in seconds.
deny_null_bind bool
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description str
Human-friendly description of the mount for the Active Directory backend.
disable_remount bool
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr str
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn str
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter str
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
last_rotation_tolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
max_lease_ttl_seconds int
Maximum possible lease duration for secrets in seconds.
max_ttl int
In seconds, the maximum password time-to-live.
namespace Changes to this property will trigger replacement. str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
password_policy str
Name of the password policy to use to generate passwords.
request_timeout int
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls bool
Issue a StartTLS command after establishing unencrypted connection.
tls_max_version str
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tls_min_version str
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl int
In seconds, the default password time-to-live.
upndomain str
Enables userPrincipalDomain login with [username]@UPNDomain.
url str
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
use_pre111_group_cn_behavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
use_token_groups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr str
Attribute used when searching users. Defaults to cn.
userdn str
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
binddn This property is required. String
Distinguished name of object to bind when performing user and group search.
bindpass This property is required. String
Password to use along with binddn when performing user search.
anonymousGroupSearch Boolean
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend String
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
caseSensitiveNames Boolean
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate String
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert String
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey String
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds Number
Default lease duration for secrets in seconds.
denyNullBind Boolean
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description String
Human-friendly description of the mount for the Active Directory backend.
disableRemount Boolean
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn Boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr String
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn String
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter String
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls Boolean
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance Number
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local Boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds Number
Maximum possible lease duration for secrets in seconds.
maxTtl Number
In seconds, the maximum password time-to-live.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy String
Name of the password policy to use to generate passwords.
requestTimeout Number
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls Boolean
Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion String
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion String
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl Number
In seconds, the default password time-to-live.
upndomain String
Enables userPrincipalDomain login with [username]@UPNDomain.
url String
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior Boolean
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups Boolean
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr String
Attribute used when searching users. Defaults to cn.
userdn String
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackend resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.

Look up Existing SecretBackend Resource

Get an existing SecretBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendState, opts?: CustomResourceOptions): SecretBackend
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        anonymous_group_search: Optional[bool] = None,
        backend: Optional[str] = None,
        binddn: Optional[str] = None,
        bindpass: Optional[str] = None,
        case_sensitive_names: Optional[bool] = None,
        certificate: Optional[str] = None,
        client_tls_cert: Optional[str] = None,
        client_tls_key: Optional[str] = None,
        default_lease_ttl_seconds: Optional[int] = None,
        deny_null_bind: Optional[bool] = None,
        description: Optional[str] = None,
        disable_remount: Optional[bool] = None,
        discoverdn: Optional[bool] = None,
        groupattr: Optional[str] = None,
        groupdn: Optional[str] = None,
        groupfilter: Optional[str] = None,
        insecure_tls: Optional[bool] = None,
        last_rotation_tolerance: Optional[int] = None,
        local: Optional[bool] = None,
        max_lease_ttl_seconds: Optional[int] = None,
        max_ttl: Optional[int] = None,
        namespace: Optional[str] = None,
        password_policy: Optional[str] = None,
        request_timeout: Optional[int] = None,
        starttls: Optional[bool] = None,
        tls_max_version: Optional[str] = None,
        tls_min_version: Optional[str] = None,
        ttl: Optional[int] = None,
        upndomain: Optional[str] = None,
        url: Optional[str] = None,
        use_pre111_group_cn_behavior: Optional[bool] = None,
        use_token_groups: Optional[bool] = None,
        userattr: Optional[str] = None,
        userdn: Optional[str] = None) -> SecretBackend
func GetSecretBackend(ctx *Context, name string, id IDInput, state *SecretBackendState, opts ...ResourceOption) (*SecretBackend, error)
public static SecretBackend Get(string name, Input<string> id, SecretBackendState? state, CustomResourceOptions? opts = null)
public static SecretBackend get(String name, Output<String> id, SecretBackendState state, CustomResourceOptions options)
resources:  _:    type: vault:ad:SecretBackend    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AnonymousGroupSearch bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
Binddn string
Distinguished name of object to bind when performing user and group search.
Bindpass string
Password to use along with binddn when performing user search.
CaseSensitiveNames bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int
Default lease duration for secrets in seconds.
DenyNullBind bool
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
Description string
Human-friendly description of the mount for the Active Directory backend.
DisableRemount bool
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
Groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
MaxLeaseTtlSeconds int
Maximum possible lease duration for secrets in seconds.
MaxTtl int
In seconds, the maximum password time-to-live.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordPolicy string
Name of the password policy to use to generate passwords.
RequestTimeout int
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int
In seconds, the default password time-to-live.
Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string
Attribute used when searching users. Defaults to cn.
Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
AnonymousGroupSearch bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
Backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
Binddn string
Distinguished name of object to bind when performing user and group search.
Bindpass string
Password to use along with binddn when performing user search.
CaseSensitiveNames bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
Certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
ClientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
ClientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
DefaultLeaseTtlSeconds int
Default lease duration for secrets in seconds.
DenyNullBind bool
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
Description string
Human-friendly description of the mount for the Active Directory backend.
DisableRemount bool
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
Discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
Groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
Groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
Groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
InsecureTls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
LastRotationTolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
Local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
MaxLeaseTtlSeconds int
Maximum possible lease duration for secrets in seconds.
MaxTtl int
In seconds, the maximum password time-to-live.
Namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordPolicy string
Name of the password policy to use to generate passwords.
RequestTimeout int
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
Starttls bool
Issue a StartTLS command after establishing unencrypted connection.
TlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
TlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
Ttl int
In seconds, the default password time-to-live.
Upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
Url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
UsePre111GroupCnBehavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
UseTokenGroups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
Userattr string
Attribute used when searching users. Defaults to cn.
Userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
anonymousGroupSearch Boolean
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend String
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn String
Distinguished name of object to bind when performing user and group search.
bindpass String
Password to use along with binddn when performing user search.
caseSensitiveNames Boolean
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate String
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert String
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey String
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds Integer
Default lease duration for secrets in seconds.
denyNullBind Boolean
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description String
Human-friendly description of the mount for the Active Directory backend.
disableRemount Boolean
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn Boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr String
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn String
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter String
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls Boolean
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance Integer
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local Boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds Integer
Maximum possible lease duration for secrets in seconds.
maxTtl Integer
In seconds, the maximum password time-to-live.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy String
Name of the password policy to use to generate passwords.
requestTimeout Integer
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls Boolean
Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion String
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion String
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl Integer
In seconds, the default password time-to-live.
upndomain String
Enables userPrincipalDomain login with [username]@UPNDomain.
url String
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior Boolean
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups Boolean
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr String
Attribute used when searching users. Defaults to cn.
userdn String
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
anonymousGroupSearch boolean
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend string
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn string
Distinguished name of object to bind when performing user and group search.
bindpass string
Password to use along with binddn when performing user search.
caseSensitiveNames boolean
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate string
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert string
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey string
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds number
Default lease duration for secrets in seconds.
denyNullBind boolean
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description string
Human-friendly description of the mount for the Active Directory backend.
disableRemount boolean
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr string
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn string
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter string
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls boolean
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance number
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds number
Maximum possible lease duration for secrets in seconds.
maxTtl number
In seconds, the maximum password time-to-live.
namespace Changes to this property will trigger replacement. string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy string
Name of the password policy to use to generate passwords.
requestTimeout number
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls boolean
Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion string
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion string
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl number
In seconds, the default password time-to-live.
upndomain string
Enables userPrincipalDomain login with [username]@UPNDomain.
url string
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior boolean
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups boolean
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr string
Attribute used when searching users. Defaults to cn.
userdn string
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
anonymous_group_search bool
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend str
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn str
Distinguished name of object to bind when performing user and group search.
bindpass str
Password to use along with binddn when performing user search.
case_sensitive_names bool
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate str
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
client_tls_cert str
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
client_tls_key str
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
default_lease_ttl_seconds int
Default lease duration for secrets in seconds.
deny_null_bind bool
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description str
Human-friendly description of the mount for the Active Directory backend.
disable_remount bool
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn bool
Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr str
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn str
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter str
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecure_tls bool
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
last_rotation_tolerance int
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local bool
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
max_lease_ttl_seconds int
Maximum possible lease duration for secrets in seconds.
max_ttl int
In seconds, the maximum password time-to-live.
namespace Changes to this property will trigger replacement. str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
password_policy str
Name of the password policy to use to generate passwords.
request_timeout int
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls bool
Issue a StartTLS command after establishing unencrypted connection.
tls_max_version str
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tls_min_version str
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl int
In seconds, the default password time-to-live.
upndomain str
Enables userPrincipalDomain login with [username]@UPNDomain.
url str
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
use_pre111_group_cn_behavior bool
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
use_token_groups bool
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr str
Attribute used when searching users. Defaults to cn.
userdn str
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.
anonymousGroupSearch Boolean
Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test).
backend String
The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ad.
binddn String
Distinguished name of object to bind when performing user and group search.
bindpass String
Password to use along with binddn when performing user search.
caseSensitiveNames Boolean
If set, user and group names assigned to policies within the backend will be case sensitive. Otherwise, names will be normalized to lower case.
certificate String
CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
clientTlsCert String
Client certificate to provide to the LDAP server, must be x509 PEM encoded.
clientTlsKey String
Client certificate key to provide to the LDAP server, must be x509 PEM encoded.
defaultLeaseTtlSeconds Number
Default lease duration for secrets in seconds.
denyNullBind Boolean
Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true.
description String
Human-friendly description of the mount for the Active Directory backend.
disableRemount Boolean
If set, opts out of mount migration on path updates. See here for more info on Mount Migration
discoverdn Boolean
Use anonymous bind to discover the bind Distinguished Name of a user.
groupattr String
LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: cn or memberOf, etc. Defaults to cn.
groupdn String
LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).
groupfilter String
Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username. Defaults to (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
insecureTls Boolean
Skip LDAP server SSL Certificate verification. This is not recommended for production. Defaults to false.
lastRotationTolerance Number
The number of seconds after a Vault rotation where, if Active Directory shows a later rotation, it should be considered out-of-band
local Boolean
Mark the secrets engine as local-only. Local engines are not replicated or removed by replication.Tolerance duration to use when checking the last rotation time.
maxLeaseTtlSeconds Number
Maximum possible lease duration for secrets in seconds.
maxTtl Number
In seconds, the maximum password time-to-live.
namespace Changes to this property will trigger replacement. String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordPolicy String
Name of the password policy to use to generate passwords.
requestTimeout Number
Timeout, in seconds, for the connection when making requests against the server before returning back an error.
starttls Boolean
Issue a StartTLS command after establishing unencrypted connection.
tlsMaxVersion String
Maximum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
tlsMinVersion String
Minimum TLS version to use. Accepted values are tls10, tls11, tls12 or tls13. Defaults to tls12.
ttl Number
In seconds, the default password time-to-live.
upndomain String
Enables userPrincipalDomain login with [username]@UPNDomain.
url String
LDAP URL to connect to. Multiple URLs can be specified by concatenating them with commas; they will be tried in-order. Defaults to ldap://127.0.0.1.
usePre111GroupCnBehavior Boolean
In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations.
useTokenGroups Boolean
If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones.
userattr String
Attribute used when searching users. Defaults to cn.
userdn String
LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.

Import

AD secret backend can be imported using the backend, e.g.

$ pulumi import vault:ad/secretBackend:SecretBackend ad ad
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Vault pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.
HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi
pulumi/pulumi-vault