vault.ldap.SecretBackendStaticRole

HashiCorp Vault v7.9.0, May 21 26

Viewing docs for HashiCorp Vault v7.9.0
published on Thursday, May 21, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Viewing docs for HashiCorp Vault v7.9.0
published on Thursday, May 21, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const config = new vault.ldap.SecretBackend("config", {
    path: "my-custom-ldap",
    binddn: "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass: "SuperSecretPassw0rd",
    url: "ldaps://localhost",
    insecureTls: true,
    userdn: "CN=Users,DC=corp,DC=example,DC=net",
});
const role = new vault.ldap.SecretBackendStaticRole("role", {
    mount: config.path,
    username: "alice",
    dn: "cn=alice,ou=Users,DC=corp,DC=example,DC=net",
    roleName: "alice",
    rotationPeriod: 60,
});

import pulumi
import pulumi_vault as vault

config = vault.ldap.SecretBackend("config",
    path="my-custom-ldap",
    binddn="CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
    bindpass="SuperSecretPassw0rd",
    url="ldaps://localhost",
    insecure_tls=True,
    userdn="CN=Users,DC=corp,DC=example,DC=net")
role = vault.ldap.SecretBackendStaticRole("role",
    mount=config.path,
    username="alice",
    dn="cn=alice,ou=Users,DC=corp,DC=example,DC=net",
    role_name="alice",
    rotation_period=60)

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ldap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		config, err := ldap.NewSecretBackend(ctx, "config", &ldap.SecretBackendArgs{
			Path:        pulumi.String("my-custom-ldap"),
			Binddn:      pulumi.String("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net"),
			Bindpass:    pulumi.String("SuperSecretPassw0rd"),
			Url:         pulumi.String("ldaps://localhost"),
			InsecureTls: pulumi.Bool(true),
			Userdn:      pulumi.String("CN=Users,DC=corp,DC=example,DC=net"),
		})
		if err != nil {
			return err
		}
		_, err = ldap.NewSecretBackendStaticRole(ctx, "role", &ldap.SecretBackendStaticRoleArgs{
			Mount:          config.Path,
			Username:       pulumi.String("alice"),
			Dn:             pulumi.String("cn=alice,ou=Users,DC=corp,DC=example,DC=net"),
			RoleName:       pulumi.String("alice"),
			RotationPeriod: pulumi.Int(60),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var config = new Vault.Ldap.SecretBackend("config", new()
    {
        Path = "my-custom-ldap",
        Binddn = "CN=Administrator,CN=Users,DC=corp,DC=example,DC=net",
        Bindpass = "SuperSecretPassw0rd",
        Url = "ldaps://localhost",
        InsecureTls = true,
        Userdn = "CN=Users,DC=corp,DC=example,DC=net",
    });

    var role = new Vault.Ldap.SecretBackendStaticRole("role", new()
    {
        Mount = config.Path,
        Username = "alice",
        Dn = "cn=alice,ou=Users,DC=corp,DC=example,DC=net",
        RoleName = "alice",
        RotationPeriod = 60,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.ldap.SecretBackend;
import com.pulumi.vault.ldap.SecretBackendArgs;
import com.pulumi.vault.ldap.SecretBackendStaticRole;
import com.pulumi.vault.ldap.SecretBackendStaticRoleArgs;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var config = new SecretBackend("config", SecretBackendArgs.builder()
            .path("my-custom-ldap")
            .binddn("CN=Administrator,CN=Users,DC=corp,DC=example,DC=net")
            .bindpass("SuperSecretPassw0rd")
            .url("ldaps://localhost")
            .insecureTls(true)
            .userdn("CN=Users,DC=corp,DC=example,DC=net")
            .build());

        var role = new SecretBackendStaticRole("role", SecretBackendStaticRoleArgs.builder()
            .mount(config.path())
            .username("alice")
            .dn("cn=alice,ou=Users,DC=corp,DC=example,DC=net")
            .roleName("alice")
            .rotationPeriod(60)
            .build());

    }
}

resources:
  config:
    type: vault:ldap:SecretBackend
    properties:
      path: my-custom-ldap
      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net
      bindpass: SuperSecretPassw0rd
      url: ldaps://localhost
      insecureTls: 'true'
      userdn: CN=Users,DC=corp,DC=example,DC=net
  role:
    type: vault:ldap:SecretBackendStaticRole
    properties:
      mount: ${config.path}
      username: alice
      dn: cn=alice,ou=Users,DC=corp,DC=example,DC=net
      roleName: alice
      rotationPeriod: 60

Example coming soon!

Ephemeral Attributes Reference

passwordWo - (Optional) The password for the user. Can be updated. Note: This property is write-only and will not be read from the API. Requires Vault Enterprise 2.0+.

Create SecretBackendStaticRole Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new SecretBackendStaticRole(name: string, args: SecretBackendStaticRoleArgs, opts?: CustomResourceOptions);

@overload
def SecretBackendStaticRole(resource_name: str,
                            args: SecretBackendStaticRoleArgs,
                            opts: Optional[ResourceOptions] = None)

@overload
def SecretBackendStaticRole(resource_name: str,
                            opts: Optional[ResourceOptions] = None,
                            role_name: Optional[str] = None,
                            username: Optional[str] = None,
                            namespace: Optional[str] = None,
                            disable_automated_rotation: Optional[bool] = None,
                            password_wo: Optional[str] = None,
                            password_wo_version: Optional[int] = None,
                            mount: Optional[str] = None,
                            rotation_period: Optional[int] = None,
                            rotation_policy: Optional[str] = None,
                            rotation_schedule: Optional[str] = None,
                            rotation_window: Optional[int] = None,
                            skip_import_rotation: Optional[bool] = None,
                            dn: Optional[str] = None)

func NewSecretBackendStaticRole(ctx *Context, name string, args SecretBackendStaticRoleArgs, opts ...ResourceOption) (*SecretBackendStaticRole, error)

public SecretBackendStaticRole(string name, SecretBackendStaticRoleArgs args, CustomResourceOptions? opts = null)

public SecretBackendStaticRole(String name, SecretBackendStaticRoleArgs args)
public SecretBackendStaticRole(String name, SecretBackendStaticRoleArgs args, CustomResourceOptions options)

type: vault:ldap:SecretBackendStaticRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

resource "vault_ldap_secretbackendstaticrole" "name" {
    # resource properties
}

Parameters

name string: The unique name of the resource.
args SecretBackendStaticRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args SecretBackendStaticRoleArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args SecretBackendStaticRoleArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args SecretBackendStaticRoleArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args SecretBackendStaticRoleArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var examplesecretBackendStaticRoleResourceResourceFromLdapsecretBackendStaticRole = new Vault.Ldap.SecretBackendStaticRole("examplesecretBackendStaticRoleResourceResourceFromLdapsecretBackendStaticRole", new()
{
    RoleName = "string",
    Username = "string",
    Namespace = "string",
    DisableAutomatedRotation = false,
    PasswordWo = "string",
    PasswordWoVersion = 0,
    Mount = "string",
    RotationPeriod = 0,
    RotationPolicy = "string",
    RotationSchedule = "string",
    RotationWindow = 0,
    SkipImportRotation = false,
    Dn = "string",
});

example, err := ldap.NewSecretBackendStaticRole(ctx, "examplesecretBackendStaticRoleResourceResourceFromLdapsecretBackendStaticRole", &ldap.SecretBackendStaticRoleArgs{
	RoleName:                 pulumi.String("string"),
	Username:                 pulumi.String("string"),
	Namespace:                pulumi.String("string"),
	DisableAutomatedRotation: pulumi.Bool(false),
	PasswordWo:               pulumi.String("string"),
	PasswordWoVersion:        pulumi.Int(0),
	Mount:                    pulumi.String("string"),
	RotationPeriod:           pulumi.Int(0),
	RotationPolicy:           pulumi.String("string"),
	RotationSchedule:         pulumi.String("string"),
	RotationWindow:           pulumi.Int(0),
	SkipImportRotation:       pulumi.Bool(false),
	Dn:                       pulumi.String("string"),
})

resource "vault_ldap_secretbackendstaticrole" "examplesecretBackendStaticRoleResourceResourceFromLdapsecretBackendStaticRole" {
  role_name                  = "string"
  username                   = "string"
  namespace                  = "string"
  disable_automated_rotation = false
  password_wo                = "string"
  password_wo_version        = 0
  mount                      = "string"
  rotation_period            = 0
  rotation_policy            = "string"
  rotation_schedule          = "string"
  rotation_window            = 0
  skip_import_rotation       = false
  dn                         = "string"
}

var examplesecretBackendStaticRoleResourceResourceFromLdapsecretBackendStaticRole = new com.pulumi.vault.ldap.SecretBackendStaticRole("examplesecretBackendStaticRoleResourceResourceFromLdapsecretBackendStaticRole", com.pulumi.vault.ldap.SecretBackendStaticRoleArgs.builder()
    .roleName("string")
    .username("string")
    .namespace("string")
    .disableAutomatedRotation(false)
    .passwordWo("string")
    .passwordWoVersion(0)
    .mount("string")
    .rotationPeriod(0)
    .rotationPolicy("string")
    .rotationSchedule("string")
    .rotationWindow(0)
    .skipImportRotation(false)
    .dn("string")
    .build());

examplesecret_backend_static_role_resource_resource_from_ldapsecret_backend_static_role = vault.ldap.SecretBackendStaticRole("examplesecretBackendStaticRoleResourceResourceFromLdapsecretBackendStaticRole",
    role_name="string",
    username="string",
    namespace="string",
    disable_automated_rotation=False,
    password_wo="string",
    password_wo_version=0,
    mount="string",
    rotation_period=0,
    rotation_policy="string",
    rotation_schedule="string",
    rotation_window=0,
    skip_import_rotation=False,
    dn="string")

const examplesecretBackendStaticRoleResourceResourceFromLdapsecretBackendStaticRole = new vault.ldap.SecretBackendStaticRole("examplesecretBackendStaticRoleResourceResourceFromLdapsecretBackendStaticRole", {
    roleName: "string",
    username: "string",
    namespace: "string",
    disableAutomatedRotation: false,
    passwordWo: "string",
    passwordWoVersion: 0,
    mount: "string",
    rotationPeriod: 0,
    rotationPolicy: "string",
    rotationSchedule: "string",
    rotationWindow: 0,
    skipImportRotation: false,
    dn: "string",
});

type: vault:ldap:SecretBackendStaticRole
properties:
    disableAutomatedRotation: false
    dn: string
    mount: string
    namespace: string
    passwordWo: string
    passwordWoVersion: 0
    roleName: string
    rotationPeriod: 0
    rotationPolicy: string
    rotationSchedule: string
    rotationWindow: 0
    skipImportRotation: false
    username: string

SecretBackendStaticRole Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The SecretBackendStaticRole resource accepts the following input properties:

RoleName string: Name of the role.
Username string: The username of the existing LDAP entry to manage password rotation for.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
Dn string: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
Mount string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
PasswordWoVersion int: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
RotationPolicy string: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
SkipImportRotation bool: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.

RoleName string: Name of the role.
Username string: The username of the existing LDAP entry to manage password rotation for.
DisableAutomatedRotation bool: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
Dn string: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
Mount string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
PasswordWoVersion int: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
RotationPolicy string: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
SkipImportRotation bool: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.

role_name string: Name of the role.
username string: The username of the existing LDAP entry to manage password rotation for.
disable_automated_rotation bool: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn string: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
password_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
password_wo_version number: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
rotation_period number: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotation_policy string: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotation_schedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotation_window number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skip_import_rotation bool: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.

roleName String: Name of the role.
username String: The username of the existing LDAP entry to manage password rotation for.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn String: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount String: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
passwordWoVersion Integer: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
rotationPeriod Integer: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotationPolicy String: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotationWindow Integer: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skipImportRotation Boolean: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.

roleName string: Name of the role.
username string: The username of the existing LDAP entry to manage password rotation for.
disableAutomatedRotation boolean: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn string: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
passwordWoVersion number: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
rotationPeriod number: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotationPolicy string: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotationWindow number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skipImportRotation boolean: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.

role_name str: Name of the role.
username str: The username of the existing LDAP entry to manage password rotation for.
disable_automated_rotation bool: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn str: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount str: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
password_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
password_wo_version int: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
rotation_period int: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotation_policy str: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotation_schedule str: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotation_window int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skip_import_rotation bool: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.

roleName String: Name of the role.
username String: The username of the existing LDAP entry to manage password rotation for.
disableAutomatedRotation Boolean: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn String: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount String: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
passwordWoVersion Number: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
rotationPeriod Number: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotationPolicy String: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotationWindow Number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skipImportRotation Boolean: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.

Outputs

All input properties are implicitly available as output properties. Additionally, the SecretBackendStaticRole resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing SecretBackendStaticRole Resource

Get an existing SecretBackendStaticRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: SecretBackendStaticRoleState, opts?: CustomResourceOptions): SecretBackendStaticRole

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        disable_automated_rotation: Optional[bool] = None,
        dn: Optional[str] = None,
        mount: Optional[str] = None,
        namespace: Optional[str] = None,
        password_wo: Optional[str] = None,
        password_wo_version: Optional[int] = None,
        role_name: Optional[str] = None,
        rotation_period: Optional[int] = None,
        rotation_policy: Optional[str] = None,
        rotation_schedule: Optional[str] = None,
        rotation_window: Optional[int] = None,
        skip_import_rotation: Optional[bool] = None,
        username: Optional[str] = None) -> SecretBackendStaticRole

func GetSecretBackendStaticRole(ctx *Context, name string, id IDInput, state *SecretBackendStaticRoleState, opts ...ResourceOption) (*SecretBackendStaticRole, error)

public static SecretBackendStaticRole Get(string name, Input<string> id, SecretBackendStaticRoleState? state, CustomResourceOptions? opts = null)

public static SecretBackendStaticRole get(String name, Output<String> id, SecretBackendStaticRoleState state, CustomResourceOptions options)

resources:  _:    type: vault:ldap:SecretBackendStaticRole    get:      id: ${id}

import {
  to = vault_ldap_secretbackendstaticrole.example
  id = "${id}"
}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

DisableAutomatedRotation bool: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
Dn string: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
Mount string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
PasswordWoVersion int: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
RoleName string: Name of the role.
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
RotationPolicy string: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
SkipImportRotation bool: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.
Username string: The username of the existing LDAP entry to manage password rotation for.

DisableAutomatedRotation bool: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
Dn string: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
Mount string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PasswordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
PasswordWoVersion int: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
RoleName string: Name of the role.
RotationPeriod int: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
RotationPolicy string: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
RotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
RotationWindow int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
SkipImportRotation bool: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.
Username string: The username of the existing LDAP entry to manage password rotation for.

disable_automated_rotation bool: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn string: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
password_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
password_wo_version number: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
role_name string: Name of the role.
rotation_period number: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotation_policy string: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotation_schedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotation_window number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skip_import_rotation bool: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.
username string: The username of the existing LDAP entry to manage password rotation for.

disableAutomatedRotation Boolean: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn String: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount String: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
passwordWoVersion Integer: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
roleName String: Name of the role.
rotationPeriod Integer: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotationPolicy String: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotationWindow Integer: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skipImportRotation Boolean: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.
username String: The username of the existing LDAP entry to manage password rotation for.

disableAutomatedRotation boolean: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn string: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount string: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
passwordWoVersion number: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
roleName string: Name of the role.
rotationPeriod number: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotationPolicy string: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotationSchedule string: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotationWindow number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skipImportRotation boolean: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.
username string: The username of the existing LDAP entry to manage password rotation for.

disable_automated_rotation bool: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn str: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount str: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
password_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
password_wo_version int: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
role_name str: Name of the role.
rotation_period int: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotation_policy str: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotation_schedule str: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotation_window int: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skip_import_rotation bool: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.
username str: The username of the existing LDAP entry to manage password rotation for.

disableAutomatedRotation Boolean: Cancels all upcoming rotations of the static credential until unset. Requires Vault Enterprise 2.0+.
dn String: Distinguished name (DN) of the existing LDAP entry to manage password rotation for. If given, it will take precedence over username for the LDAP search performed during password rotation. Cannot be modified after creation.
mount String: The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to ldap.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
passwordWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Password for the static role. This is required for Vault to manage an existing account and enable rotation.
passwordWoVersion Number: The version of the passwordWo. For more info see updating write-only attributes. Requires Vault Enterprise 2.0+.
roleName String: Name of the role.
rotationPeriod Number: The amount of time in seconds Vault should wait before rotating the static credential. A zero value tells Vault not to rotate the credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 2.0+.
rotationPolicy String: The rotation policy to use for this credential. Requires Vault Enterprise 2.0+.
rotationSchedule String: The schedule, in cron-style time format, defining the schedule on which Vault should rotate the static credential. Requires Vault Enterprise 2.0+.
rotationWindow Number: The maximum amount of time in seconds allowed to complete a rotation when a scheduled rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 2.0+.
skipImportRotation Boolean: Causes vault to skip the initial secret rotation on import. Not applicable to updates. Requires Vault 1.16 or above.
username String: The username of the existing LDAP entry to manage password rotation for.

Import

LDAP secret backend static role can be imported using the full path to the role of the form: <mount_path>/static-role/<role_name> e.g.

$ pulumi import vault:ldap/secretBackendStaticRole:SecretBackendStaticRole role ldap/static-role/example-role

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

Viewing docs for HashiCorp Vault v7.9.0
published on Thursday, May 21, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

vault.ldap.SecretBackendStaticRole

On this page

On this page

Example Usage

Ephemeral Attributes Reference

Create SecretBackendStaticRole Resource

Constructor syntax

Parameters

Constructor example

SecretBackendStaticRole Resource Properties

Inputs

Outputs

Look up Existing SecretBackendStaticRole Resource

Import

Package Details

On this page

On this page

Try Pulumi Cloud free.
Your team will thank you.

vault.ldap.SecretBackendStaticRole

On this page

On this page

Example Usage

Ephemeral Attributes Reference

Create SecretBackendStaticRole Resource

Constructor syntax

Parameters

Constructor example

SecretBackendStaticRole Resource Properties

Inputs

Outputs

Look up Existing SecretBackendStaticRole Resource

Import

Package Details

On this page

On this page

Try Pulumi Cloud free.Your team will thank you.

Try Pulumi Cloud free.
Your team will thank you.