» vault_cert_auth_backend_role

Provides a resource to create a role in an Cert auth backend within Vault.

» Example Usage

resource "vault_auth_backend" "cert" {
    path = "cert"
    type = "cert"
}

resource "vault_cert_auth_backend_role" "cert" {
    name          = "foo"
    certificate   = "${file("/path/to/certs/ca-cert.pem")}"
    backend       = "${vault_auth_backend.cert.path}"
    allowed_names = ["foo.example.org", "baz.example.org"]
    ttl           = 300
    max_ttl       = 600
    policies      = ["foo"]
}

» Argument Reference

The following arguments are supported:

  • name - (Required) Name of the role

  • certificate - (Required) CA certificate used to validate client certificates

  • allowed_names - (Optional) Allowed subject names for authenticated client certificates

  • allowed_common_names - (Optional) Allowed the common names for authenticated client certificates

  • allowed_dns_sans - (Optional) Allowed alternative dns names for authenticated client certificates

  • allowed_email_sans - (Optional) Allowed emails for authenticated client certificates

  • allowed_uri_sans - (Optional) Allowed URIs for authenticated client certificates

  • allowed_organization_units - (Optional) Allowed organization units for authenticated client certificates

  • required_extensions - (Optional) TLS extensions required on client certificates

  • ttl - (Optional) Default TTL of tokens issued by the backend

  • max_ttl - (Optional) Maximum TTL of tokens issued by the backend

  • period - (Optional) Duration in seconds for token. If set, the issued token is a periodic token.

  • policies - (Optional) Policies to grant on the issued token

  • display_name - (Optional) The name to display on tokens issued under this role.

  • bound_cidrs - (Optional) Restriction usage of the certificates to client IPs falling within the range of the specified CIDRs

  • backend - (Optional) Path to the mounted Cert auth backend

For more details on the usage of each argument consult the Vault Cert API documentation.

» Attribute Reference

No additional attributes are exposed by this resource.