Docs Home
HashiCorp Vault v6.6.0 published on Thursday, Mar 13, 2025 by Pulumi
vault.pkiSecret.getBackendIssuer
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const pki = new vault.Mount("pki", {
path: "pki",
type: "pki",
description: "PKI secret engine mount",
});
const root = new vault.pkisecret.SecretBackendRootCert("root", {
backend: pki.path,
type: "internal",
commonName: "example",
ttl: "86400",
issuerName: "example",
});
const example = root.issuerId.apply(issuerId => vault.pkiSecret.getBackendIssuerOutput({
backend: root.path,
issuerRef: issuerId,
}));
import pulumi
import pulumi_vault as vault
pki = vault.Mount("pki",
path="pki",
type="pki",
description="PKI secret engine mount")
root = vault.pki_secret.SecretBackendRootCert("root",
backend=pki.path,
type="internal",
common_name="example",
ttl="86400",
issuer_name="example")
example = root.issuer_id.apply(lambda issuer_id: vault.pkiSecret.get_backend_issuer_output(backend=root.path,
issuer_ref=issuer_id))
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/pkisecret"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
pki, err := vault.NewMount(ctx, "pki", &vault.MountArgs{
Path: pulumi.String("pki"),
Type: pulumi.String("pki"),
Description: pulumi.String("PKI secret engine mount"),
})
if err != nil {
return err
}
root, err := pkisecret.NewSecretBackendRootCert(ctx, "root", &pkisecret.SecretBackendRootCertArgs{
Backend: pki.Path,
Type: pulumi.String("internal"),
CommonName: pulumi.String("example"),
Ttl: pulumi.String("86400"),
IssuerName: pulumi.String("example"),
})
if err != nil {
return err
}
_ = root.IssuerId.ApplyT(func(issuerId string) (pkisecret.GetBackendIssuerResult, error) {
return pkisecret.GetBackendIssuerResult(interface{}(pkisecret.GetBackendIssuerOutput(ctx, pkisecret.GetBackendIssuerOutputArgs{
Backend: root.Path,
IssuerRef: issuerId,
}, nil))), nil
}).(pkisecret.GetBackendIssuerResultOutput)
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var pki = new Vault.Mount("pki", new()
{
Path = "pki",
Type = "pki",
Description = "PKI secret engine mount",
});
var root = new Vault.PkiSecret.SecretBackendRootCert("root", new()
{
Backend = pki.Path,
Type = "internal",
CommonName = "example",
Ttl = "86400",
IssuerName = "example",
});
var example = Vault.PkiSecret.GetBackendIssuer.Invoke(new()
{
Backend = root.Path,
IssuerRef = root.IssuerId,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.Mount;
import com.pulumi.vault.MountArgs;
import com.pulumi.vault.pkiSecret.SecretBackendRootCert;
import com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;
import com.pulumi.vault.pkiSecret.PkiSecretFunctions;
import com.pulumi.vault.pkiSecret.inputs.GetBackendIssuerArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var pki = new Mount("pki", MountArgs.builder()
.path("pki")
.type("pki")
.description("PKI secret engine mount")
.build());
var root = new SecretBackendRootCert("root", SecretBackendRootCertArgs.builder()
.backend(pki.path())
.type("internal")
.commonName("example")
.ttl("86400")
.issuerName("example")
.build());
final var example = PkiSecretFunctions.getBackendIssuer(GetBackendIssuerArgs.builder()
.backend(root.path())
.issuerRef(root.issuerId())
.build());
}
}
resources:
pki:
type: vault:Mount
properties:
path: pki
type: pki
description: PKI secret engine mount
root:
type: vault:pkiSecret:SecretBackendRootCert
properties:
backend: ${pki.path}
type: internal
commonName: example
ttl: '86400'
issuerName: example
variables:
example:
fn::invoke:
function: vault:pkiSecret:getBackendIssuer
arguments:
backend: ${root.path}
issuerRef: ${root.issuerId}
Using getBackendIssuer
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getBackendIssuer(args: GetBackendIssuerArgs, opts?: InvokeOptions): Promise<GetBackendIssuerResult>
function getBackendIssuerOutput(args: GetBackendIssuerOutputArgs, opts?: InvokeOptions): Output<GetBackendIssuerResult>def get_backend_issuer(backend: Optional[str] = None,
disable_critical_extension_checks: Optional[bool] = None,
disable_name_checks: Optional[bool] = None,
disable_name_constraint_checks: Optional[bool] = None,
disable_path_length_checks: Optional[bool] = None,
issuer_ref: Optional[str] = None,
namespace: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetBackendIssuerResult
def get_backend_issuer_output(backend: Optional[pulumi.Input[str]] = None,
disable_critical_extension_checks: Optional[pulumi.Input[bool]] = None,
disable_name_checks: Optional[pulumi.Input[bool]] = None,
disable_name_constraint_checks: Optional[pulumi.Input[bool]] = None,
disable_path_length_checks: Optional[pulumi.Input[bool]] = None,
issuer_ref: Optional[pulumi.Input[str]] = None,
namespace: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetBackendIssuerResult]func GetBackendIssuer(ctx *Context, args *GetBackendIssuerArgs, opts ...InvokeOption) (*GetBackendIssuerResult, error)
func GetBackendIssuerOutput(ctx *Context, args *GetBackendIssuerOutputArgs, opts ...InvokeOption) GetBackendIssuerResultOutput> Note: This function is named GetBackendIssuer in the Go SDK.
public static class GetBackendIssuer
{
public static Task<GetBackendIssuerResult> InvokeAsync(GetBackendIssuerArgs args, InvokeOptions? opts = null)
public static Output<GetBackendIssuerResult> Invoke(GetBackendIssuerInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetBackendIssuerResult> getBackendIssuer(GetBackendIssuerArgs args, InvokeOptions options)
public static Output<GetBackendIssuerResult> getBackendIssuer(GetBackendIssuerArgs args, InvokeOptions options)
fn::invoke:
function: vault:pkiSecret/getBackendIssuer:getBackendIssuer
arguments:
# arguments dictionaryThe following arguments are supported:
- Backend
string
This property is required. 
Changes to this property will trigger replacement. - The path to the PKI secret backend to
read the issuer from, with no leading or trailing
/s. - Issuer
Ref stringThis property is required. Changes to this property will trigger replacement. - Reference to an existing issuer.
- Disable
Critical boolExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- Disable
Name boolChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- Disable
Name boolConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- Disable
Path boolLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- Namespace
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Backend
string
This property is required. Changes to this property will trigger replacement. - The path to the PKI secret backend to
read the issuer from, with no leading or trailing
/s. - Issuer
Ref stringThis property is required. Changes to this property will trigger replacement. - Reference to an existing issuer.
- Disable
Critical boolExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- Disable
Name boolChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- Disable
Name boolConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- Disable
Path boolLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- Namespace
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- backend
String
This property is required. Changes to this property will trigger replacement. - The path to the PKI secret backend to
read the issuer from, with no leading or trailing
/s. - issuer
Ref StringThis property is required. Changes to this property will trigger replacement. - Reference to an existing issuer.
- disable
Critical BooleanExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- disable
Name BooleanChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- disable
Name BooleanConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- disable
Path BooleanLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- namespace
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- backend
string
This property is required. Changes to this property will trigger replacement. - The path to the PKI secret backend to
read the issuer from, with no leading or trailing
/s. - issuer
Ref stringThis property is required. Changes to this property will trigger replacement. - Reference to an existing issuer.
- disable
Critical booleanExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- disable
Name booleanChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- disable
Name booleanConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- disable
Path booleanLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- namespace
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- backend
str
This property is required. Changes to this property will trigger replacement. - The path to the PKI secret backend to
read the issuer from, with no leading or trailing
/s. - issuer_
ref strThis property is required. Changes to this property will trigger replacement. - Reference to an existing issuer.
- disable_
critical_ boolextension_ checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- disable_
name_ boolchecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- disable_
name_ boolconstraint_ checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- disable_
path_ boollength_ checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- namespace
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
- backend
String
This property is required. Changes to this property will trigger replacement. - The path to the PKI secret backend to
read the issuer from, with no leading or trailing
/s. - issuer
Ref StringThis property is required. Changes to this property will trigger replacement. - Reference to an existing issuer.
- disable
Critical BooleanExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- disable
Name BooleanChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- disable
Name BooleanConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- disable
Path BooleanLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- namespace
- The namespace of the target resource.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.
getBackendIssuer Result
The following output properties are available:
- Backend string
- Ca
Chains List<string> - The CA chain as a list of format specific certificates.
- Certificate string
- Certificate associated with this issuer.
- Id string
- The provider-assigned unique ID for this managed resource.
- Issuer
Id string - ID of the issuer.
- Issuer
Name string - Name of the issuer.
- Issuer
Ref string - Key
Id string - ID of the key used by the issuer.
- Leaf
Not stringAfter Behavior - Behavior of a leaf's NotAfter field during issuance.
- Manual
Chains List<string> - Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
- Usage string
- Allowed usages for this issuer.
- Disable
Critical boolExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- Disable
Name boolChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- Disable
Name boolConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- Disable
Path boolLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- Namespace string
- Backend string
- Ca
Chains []string - The CA chain as a list of format specific certificates.
- Certificate string
- Certificate associated with this issuer.
- Id string
- The provider-assigned unique ID for this managed resource.
- Issuer
Id string - ID of the issuer.
- Issuer
Name string - Name of the issuer.
- Issuer
Ref string - Key
Id string - ID of the key used by the issuer.
- Leaf
Not stringAfter Behavior - Behavior of a leaf's NotAfter field during issuance.
- Manual
Chains []string - Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
- Usage string
- Allowed usages for this issuer.
- Disable
Critical boolExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- Disable
Name boolChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- Disable
Name boolConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- Disable
Path boolLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- Namespace string
- backend String
- ca
Chains List<String> - The CA chain as a list of format specific certificates.
- certificate String
- Certificate associated with this issuer.
- id String
- The provider-assigned unique ID for this managed resource.
- issuer
Id String - ID of the issuer.
- issuer
Name String - Name of the issuer.
- issuer
Ref String - key
Id String - ID of the key used by the issuer.
- leaf
Not StringAfter Behavior - Behavior of a leaf's NotAfter field during issuance.
- manual
Chains List<String> - Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
- usage String
- Allowed usages for this issuer.
- disable
Critical BooleanExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- disable
Name BooleanChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- disable
Name BooleanConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- disable
Path BooleanLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- namespace String
- backend string
- ca
Chains string[] - The CA chain as a list of format specific certificates.
- certificate string
- Certificate associated with this issuer.
- id string
- The provider-assigned unique ID for this managed resource.
- issuer
Id string - ID of the issuer.
- issuer
Name string - Name of the issuer.
- issuer
Ref string - key
Id string - ID of the key used by the issuer.
- leaf
Not stringAfter Behavior - Behavior of a leaf's NotAfter field during issuance.
- manual
Chains string[] - Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
- usage string
- Allowed usages for this issuer.
- disable
Critical booleanExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- disable
Name booleanChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- disable
Name booleanConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- disable
Path booleanLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- namespace string
- backend str
- ca_
chains Sequence[str] - The CA chain as a list of format specific certificates.
- certificate str
- Certificate associated with this issuer.
- id str
- The provider-assigned unique ID for this managed resource.
- issuer_
id str - ID of the issuer.
- issuer_
name str - Name of the issuer.
- issuer_
ref str - key_
id str - ID of the key used by the issuer.
- leaf_
not_ strafter_ behavior - Behavior of a leaf's NotAfter field during issuance.
- manual_
chains Sequence[str] - Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
- usage str
- Allowed usages for this issuer.
- disable_
critical_ boolextension_ checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- disable_
name_ boolchecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- disable_
name_ boolconstraint_ checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- disable_
path_ boollength_ checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- namespace str
- backend String
- ca
Chains List<String> - The CA chain as a list of format specific certificates.
- certificate String
- Certificate associated with this issuer.
- id String
- The provider-assigned unique ID for this managed resource.
- issuer
Id String - ID of the issuer.
- issuer
Name String - Name of the issuer.
- issuer
Ref String - key
Id String - ID of the key used by the issuer.
- leaf
Not StringAfter Behavior - Behavior of a leaf's NotAfter field during issuance.
- manual
Chains List<String> - Chain of issuer references to build this issuer's computed CAChain field from, when non-empty.
- usage String
- Allowed usages for this issuer.
- disable
Critical BooleanExtension Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the issued certificate) contain critical extensions not processed by Vault.
- disable
Name BooleanChecks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) contains a link in which the subject of the issuing certificate does not match the named issuer of the certificate it signed.
- disable
Name BooleanConstraint Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) violates the name constraints critical extension of one of the issuer certificates in the chain.
- disable
Path BooleanLength Checks - This determines whether this issuer is able to issue certificates where the chain of trust (including the final issued certificate) is longer than allowed by a certificate authority in that chain.
- namespace String
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.