pulumi-vault 6.6.0a1741415971__py3-none-any.whl → 6.6.0a1741836364__py3-none-any.whl

pulumi_vault/pkisecret/secret_backend_sign.py

@@ -24,6 +24,7 @@ class SecretBackendSignArgs:
                  csr: pulumi.Input[str],
                  alt_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  auto_renew: Optional[pulumi.Input[bool]] = None,
+                 cert_metadata: Optional[pulumi.Input[str]] = None,
                  exclude_cn_from_sans: Optional[pulumi.Input[bool]] = None,
                  format: Optional[pulumi.Input[str]] = None,
                  ip_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
@@ -31,6 +32,7 @@ class SecretBackendSignArgs:
                  min_seconds_remaining: Optional[pulumi.Input[int]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
+                 not_after: Optional[pulumi.Input[str]] = None,
                  other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  ttl: Optional[pulumi.Input[str]] = None,
                  uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
@@ -41,6 +43,7 @@ class SecretBackendSignArgs:
         :param pulumi.Input[str] csr: The CSR
         :param pulumi.Input[Sequence[pulumi.Input[str]]] alt_names: List of alternative names
         :param pulumi.Input[bool] auto_renew: If set to `true`, certs will be renewed if the expiration is within `min_seconds_remaining`. Default `false`
+        :param pulumi.Input[str] cert_metadata: A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's no_store_metadata must be set to false, otherwise an error is returned when specified.
         :param pulumi.Input[bool] exclude_cn_from_sans: Flag to exclude CN from SANs
         :param pulumi.Input[str] format: The format of data
         :param pulumi.Input[Sequence[pulumi.Input[str]]] ip_sans: List of alternative IPs
@@ -54,6 +57,7 @@ class SecretBackendSignArgs:
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] not_after: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] other_sans: List of other SANs
         :param pulumi.Input[str] ttl: Time to live
         :param pulumi.Input[Sequence[pulumi.Input[str]]] uri_sans: List of alternative URIs
@@ -65,6 +69,8 @@ class SecretBackendSignArgs:
             pulumi.set(__self__, "alt_names", alt_names)
         if auto_renew is not None:
             pulumi.set(__self__, "auto_renew", auto_renew)
+        if cert_metadata is not None:
+            pulumi.set(__self__, "cert_metadata", cert_metadata)
         if exclude_cn_from_sans is not None:
             pulumi.set(__self__, "exclude_cn_from_sans", exclude_cn_from_sans)
         if format is not None:
@@ -79,6 +85,8 @@ class SecretBackendSignArgs:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
+        if not_after is not None:
+            pulumi.set(__self__, "not_after", not_after)
         if other_sans is not None:
             pulumi.set(__self__, "other_sans", other_sans)
         if ttl is not None:
@@ -146,6 +154,18 @@ class SecretBackendSignArgs:
     def auto_renew(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "auto_renew", value)
 
+    @property
+    @pulumi.getter(name="certMetadata")
+    def cert_metadata(self) -> Optional[pulumi.Input[str]]:
+        """
+        A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's no_store_metadata must be set to false, otherwise an error is returned when specified.
+        """
+        return pulumi.get(self, "cert_metadata")
+
+    @cert_metadata.setter
+    def cert_metadata(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "cert_metadata", value)
+
     @property
     @pulumi.getter(name="excludeCnFromSans")
     def exclude_cn_from_sans(self) -> Optional[pulumi.Input[bool]]:
@@ -236,6 +256,18 @@ class SecretBackendSignArgs:
     def namespace(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "namespace", value)
 
+    @property
+    @pulumi.getter(name="notAfter")
+    def not_after(self) -> Optional[pulumi.Input[str]]:
+        """
+        Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        """
+        return pulumi.get(self, "not_after")
+
+    @not_after.setter
+    def not_after(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "not_after", value)
+
     @property
     @pulumi.getter(name="otherSans")
     def other_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
@@ -280,6 +312,7 @@ class _SecretBackendSignState:
                  auto_renew: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  ca_chains: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 cert_metadata: Optional[pulumi.Input[str]] = None,
                  certificate: Optional[pulumi.Input[str]] = None,
                  common_name: Optional[pulumi.Input[str]] = None,
                  csr: Optional[pulumi.Input[str]] = None,
@@ -292,6 +325,7 @@ class _SecretBackendSignState:
                  min_seconds_remaining: Optional[pulumi.Input[int]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
+                 not_after: Optional[pulumi.Input[str]] = None,
                  other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  renew_pending: Optional[pulumi.Input[bool]] = None,
                  serial_number: Optional[pulumi.Input[str]] = None,
@@ -303,6 +337,7 @@ class _SecretBackendSignState:
         :param pulumi.Input[bool] auto_renew: If set to `true`, certs will be renewed if the expiration is within `min_seconds_remaining`. Default `false`
         :param pulumi.Input[str] backend: The PKI secret backend the resource belongs to.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] ca_chains: The CA chain
+        :param pulumi.Input[str] cert_metadata: A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's no_store_metadata must be set to false, otherwise an error is returned when specified.
         :param pulumi.Input[str] certificate: The certificate
         :param pulumi.Input[str] common_name: CN of certificate to create
         :param pulumi.Input[str] csr: The CSR
@@ -321,6 +356,7 @@ class _SecretBackendSignState:
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] not_after: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] other_sans: List of other SANs
         :param pulumi.Input[bool] renew_pending: `true` if the current time (during refresh) is after the start of the early renewal window declared by `min_seconds_remaining`, and `false` otherwise; if `auto_renew` is set to `true` then the provider will plan to replace the certificate once renewal is pending.
         :param pulumi.Input[str] serial_number: The certificate's serial number, hex formatted.
@@ -335,6 +371,8 @@ class _SecretBackendSignState:
             pulumi.set(__self__, "backend", backend)
         if ca_chains is not None:
             pulumi.set(__self__, "ca_chains", ca_chains)
+        if cert_metadata is not None:
+            pulumi.set(__self__, "cert_metadata", cert_metadata)
         if certificate is not None:
             pulumi.set(__self__, "certificate", certificate)
         if common_name is not None:
@@ -359,6 +397,8 @@ class _SecretBackendSignState:
             pulumi.set(__self__, "name", name)
         if namespace is not None:
             pulumi.set(__self__, "namespace", namespace)
+        if not_after is not None:
+            pulumi.set(__self__, "not_after", not_after)
         if other_sans is not None:
             pulumi.set(__self__, "other_sans", other_sans)
         if renew_pending is not None:
@@ -418,6 +458,18 @@ class _SecretBackendSignState:
     def ca_chains(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "ca_chains", value)
 
+    @property
+    @pulumi.getter(name="certMetadata")
+    def cert_metadata(self) -> Optional[pulumi.Input[str]]:
+        """
+        A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's no_store_metadata must be set to false, otherwise an error is returned when specified.
+        """
+        return pulumi.get(self, "cert_metadata")
+
+    @cert_metadata.setter
+    def cert_metadata(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "cert_metadata", value)
+
     @property
     @pulumi.getter
     def certificate(self) -> Optional[pulumi.Input[str]]:
@@ -568,6 +620,18 @@ class _SecretBackendSignState:
     def namespace(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "namespace", value)
 
+    @property
+    @pulumi.getter(name="notAfter")
+    def not_after(self) -> Optional[pulumi.Input[str]]:
+        """
+        Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        """
+        return pulumi.get(self, "not_after")
+
+    @not_after.setter
+    def not_after(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "not_after", value)
+
     @property
     @pulumi.getter(name="otherSans")
     def other_sans(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
@@ -637,6 +701,7 @@ class SecretBackendSign(pulumi.CustomResource):
                  alt_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  auto_renew: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
+                 cert_metadata: Optional[pulumi.Input[str]] = None,
                  common_name: Optional[pulumi.Input[str]] = None,
                  csr: Optional[pulumi.Input[str]] = None,
                  exclude_cn_from_sans: Optional[pulumi.Input[bool]] = None,
@@ -646,6 +711,7 @@ class SecretBackendSign(pulumi.CustomResource):
                  min_seconds_remaining: Optional[pulumi.Input[int]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
+                 not_after: Optional[pulumi.Input[str]] = None,
                  other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  ttl: Optional[pulumi.Input[str]] = None,
                  uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
@@ -697,6 +763,7 @@ class SecretBackendSign(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] alt_names: List of alternative names
         :param pulumi.Input[bool] auto_renew: If set to `true`, certs will be renewed if the expiration is within `min_seconds_remaining`. Default `false`
         :param pulumi.Input[str] backend: The PKI secret backend the resource belongs to.
+        :param pulumi.Input[str] cert_metadata: A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's no_store_metadata must be set to false, otherwise an error is returned when specified.
         :param pulumi.Input[str] common_name: CN of certificate to create
         :param pulumi.Input[str] csr: The CSR
         :param pulumi.Input[bool] exclude_cn_from_sans: Flag to exclude CN from SANs
@@ -712,6 +779,7 @@ class SecretBackendSign(pulumi.CustomResource):
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] not_after: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] other_sans: List of other SANs
         :param pulumi.Input[str] ttl: Time to live
         :param pulumi.Input[Sequence[pulumi.Input[str]]] uri_sans: List of alternative URIs
@@ -782,6 +850,7 @@ class SecretBackendSign(pulumi.CustomResource):
                  alt_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  auto_renew: Optional[pulumi.Input[bool]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
+                 cert_metadata: Optional[pulumi.Input[str]] = None,
                  common_name: Optional[pulumi.Input[str]] = None,
                  csr: Optional[pulumi.Input[str]] = None,
                  exclude_cn_from_sans: Optional[pulumi.Input[bool]] = None,
@@ -791,6 +860,7 @@ class SecretBackendSign(pulumi.CustomResource):
                  min_seconds_remaining: Optional[pulumi.Input[int]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
+                 not_after: Optional[pulumi.Input[str]] = None,
                  other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  ttl: Optional[pulumi.Input[str]] = None,
                  uri_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
@@ -808,6 +878,7 @@ class SecretBackendSign(pulumi.CustomResource):
             if backend is None and not opts.urn:
                 raise TypeError("Missing required property 'backend'")
             __props__.__dict__["backend"] = backend
+            __props__.__dict__["cert_metadata"] = cert_metadata
             if common_name is None and not opts.urn:
                 raise TypeError("Missing required property 'common_name'")
             __props__.__dict__["common_name"] = common_name
@@ -821,6 +892,7 @@ class SecretBackendSign(pulumi.CustomResource):
             __props__.__dict__["min_seconds_remaining"] = min_seconds_remaining
             __props__.__dict__["name"] = name
             __props__.__dict__["namespace"] = namespace
+            __props__.__dict__["not_after"] = not_after
             __props__.__dict__["other_sans"] = other_sans
             __props__.__dict__["ttl"] = ttl
             __props__.__dict__["uri_sans"] = uri_sans
@@ -844,6 +916,7 @@ class SecretBackendSign(pulumi.CustomResource):
             auto_renew: Optional[pulumi.Input[bool]] = None,
             backend: Optional[pulumi.Input[str]] = None,
             ca_chains: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+            cert_metadata: Optional[pulumi.Input[str]] = None,
             certificate: Optional[pulumi.Input[str]] = None,
             common_name: Optional[pulumi.Input[str]] = None,
             csr: Optional[pulumi.Input[str]] = None,
@@ -856,6 +929,7 @@ class SecretBackendSign(pulumi.CustomResource):
             min_seconds_remaining: Optional[pulumi.Input[int]] = None,
             name: Optional[pulumi.Input[str]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
+            not_after: Optional[pulumi.Input[str]] = None,
             other_sans: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             renew_pending: Optional[pulumi.Input[bool]] = None,
             serial_number: Optional[pulumi.Input[str]] = None,
@@ -872,6 +946,7 @@ class SecretBackendSign(pulumi.CustomResource):
         :param pulumi.Input[bool] auto_renew: If set to `true`, certs will be renewed if the expiration is within `min_seconds_remaining`. Default `false`
         :param pulumi.Input[str] backend: The PKI secret backend the resource belongs to.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] ca_chains: The CA chain
+        :param pulumi.Input[str] cert_metadata: A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's no_store_metadata must be set to false, otherwise an error is returned when specified.
         :param pulumi.Input[str] certificate: The certificate
         :param pulumi.Input[str] common_name: CN of certificate to create
         :param pulumi.Input[str] csr: The CSR
@@ -890,6 +965,7 @@ class SecretBackendSign(pulumi.CustomResource):
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] not_after: Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] other_sans: List of other SANs
         :param pulumi.Input[bool] renew_pending: `true` if the current time (during refresh) is after the start of the early renewal window declared by `min_seconds_remaining`, and `false` otherwise; if `auto_renew` is set to `true` then the provider will plan to replace the certificate once renewal is pending.
         :param pulumi.Input[str] serial_number: The certificate's serial number, hex formatted.
@@ -904,6 +980,7 @@ class SecretBackendSign(pulumi.CustomResource):
         __props__.__dict__["auto_renew"] = auto_renew
         __props__.__dict__["backend"] = backend
         __props__.__dict__["ca_chains"] = ca_chains
+        __props__.__dict__["cert_metadata"] = cert_metadata
         __props__.__dict__["certificate"] = certificate
         __props__.__dict__["common_name"] = common_name
         __props__.__dict__["csr"] = csr
@@ -916,6 +993,7 @@ class SecretBackendSign(pulumi.CustomResource):
         __props__.__dict__["min_seconds_remaining"] = min_seconds_remaining
         __props__.__dict__["name"] = name
         __props__.__dict__["namespace"] = namespace
+        __props__.__dict__["not_after"] = not_after
         __props__.__dict__["other_sans"] = other_sans
         __props__.__dict__["renew_pending"] = renew_pending
         __props__.__dict__["serial_number"] = serial_number
@@ -955,6 +1033,14 @@ class SecretBackendSign(pulumi.CustomResource):
         """
         return pulumi.get(self, "ca_chains")
 
+    @property
+    @pulumi.getter(name="certMetadata")
+    def cert_metadata(self) -> pulumi.Output[Optional[str]]:
+        """
+        A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's no_store_metadata must be set to false, otherwise an error is returned when specified.
+        """
+        return pulumi.get(self, "cert_metadata")
+
     @property
     @pulumi.getter
     def certificate(self) -> pulumi.Output[str]:
@@ -1057,6 +1143,14 @@ class SecretBackendSign(pulumi.CustomResource):
         """
         return pulumi.get(self, "namespace")
 
+    @property
+    @pulumi.getter(name="notAfter")
+    def not_after(self) -> pulumi.Output[Optional[str]]:
+        """
+        Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.
+        """
+        return pulumi.get(self, "not_after")
+
     @property
     @pulumi.getter(name="otherSans")
     def other_sans(self) -> pulumi.Output[Optional[Sequence[str]]]:

pulumi_vault/pulumi-plugin.json

@@ -1,5 +1,5 @@
 {
   "resource": true,
   "name": "vault",
-  "version": "6.6.0-alpha.1741415971"
+  "version": "6.6.0-alpha.1741836364"
 }

pulumi_vault/ssh/__init__.py

@@ -5,6 +5,7 @@
 from .. import _utilities
 import typing
 # Export this package's modules as members:
+from .get_secret_backend_sign import *
 from .secret_backend_ca import *
 from .secret_backend_role import *
 from ._inputs import *

pulumi_vault/ssh/get_secret_backend_sign.py

@@ -0,0 +1,294 @@
+# coding=utf-8
+# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import copy
+import warnings
+import sys
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
+from .. import _utilities
+
+__all__ = [
+    'GetSecretBackendSignResult',
+    'AwaitableGetSecretBackendSignResult',
+    'get_secret_backend_sign',
+    'get_secret_backend_sign_output',
+]
+
+@pulumi.output_type
+class GetSecretBackendSignResult:
+    """
+    A collection of values returned by getSecretBackendSign.
+    """
+    def __init__(__self__, cert_type=None, critical_options=None, extensions=None, id=None, key_id=None, name=None, namespace=None, path=None, public_key=None, serial_number=None, signed_key=None, ttl=None, valid_principals=None):
+        if cert_type and not isinstance(cert_type, str):
+            raise TypeError("Expected argument 'cert_type' to be a str")
+        pulumi.set(__self__, "cert_type", cert_type)
+        if critical_options and not isinstance(critical_options, dict):
+            raise TypeError("Expected argument 'critical_options' to be a dict")
+        pulumi.set(__self__, "critical_options", critical_options)
+        if extensions and not isinstance(extensions, dict):
+            raise TypeError("Expected argument 'extensions' to be a dict")
+        pulumi.set(__self__, "extensions", extensions)
+        if id and not isinstance(id, str):
+            raise TypeError("Expected argument 'id' to be a str")
+        pulumi.set(__self__, "id", id)
+        if key_id and not isinstance(key_id, str):
+            raise TypeError("Expected argument 'key_id' to be a str")
+        pulumi.set(__self__, "key_id", key_id)
+        if name and not isinstance(name, str):
+            raise TypeError("Expected argument 'name' to be a str")
+        pulumi.set(__self__, "name", name)
+        if namespace and not isinstance(namespace, str):
+            raise TypeError("Expected argument 'namespace' to be a str")
+        pulumi.set(__self__, "namespace", namespace)
+        if path and not isinstance(path, str):
+            raise TypeError("Expected argument 'path' to be a str")
+        pulumi.set(__self__, "path", path)
+        if public_key and not isinstance(public_key, str):
+            raise TypeError("Expected argument 'public_key' to be a str")
+        pulumi.set(__self__, "public_key", public_key)
+        if serial_number and not isinstance(serial_number, str):
+            raise TypeError("Expected argument 'serial_number' to be a str")
+        pulumi.set(__self__, "serial_number", serial_number)
+        if signed_key and not isinstance(signed_key, str):
+            raise TypeError("Expected argument 'signed_key' to be a str")
+        pulumi.set(__self__, "signed_key", signed_key)
+        if ttl and not isinstance(ttl, str):
+            raise TypeError("Expected argument 'ttl' to be a str")
+        pulumi.set(__self__, "ttl", ttl)
+        if valid_principals and not isinstance(valid_principals, str):
+            raise TypeError("Expected argument 'valid_principals' to be a str")
+        pulumi.set(__self__, "valid_principals", valid_principals)
+
+    @property
+    @pulumi.getter(name="certType")
+    def cert_type(self) -> Optional[str]:
+        return pulumi.get(self, "cert_type")
+
+    @property
+    @pulumi.getter(name="criticalOptions")
+    def critical_options(self) -> Optional[Mapping[str, str]]:
+        return pulumi.get(self, "critical_options")
+
+    @property
+    @pulumi.getter
+    def extensions(self) -> Optional[Mapping[str, str]]:
+        return pulumi.get(self, "extensions")
+
+    @property
+    @pulumi.getter
+    def id(self) -> str:
+        """
+        The provider-assigned unique ID for this managed resource.
+        """
+        return pulumi.get(self, "id")
+
+    @property
+    @pulumi.getter(name="keyId")
+    def key_id(self) -> Optional[str]:
+        return pulumi.get(self, "key_id")
+
+    @property
+    @pulumi.getter
+    def name(self) -> str:
+        return pulumi.get(self, "name")
+
+    @property
+    @pulumi.getter
+    def namespace(self) -> Optional[str]:
+        return pulumi.get(self, "namespace")
+
+    @property
+    @pulumi.getter
+    def path(self) -> str:
+        return pulumi.get(self, "path")
+
+    @property
+    @pulumi.getter(name="publicKey")
+    def public_key(self) -> str:
+        return pulumi.get(self, "public_key")
+
+    @property
+    @pulumi.getter(name="serialNumber")
+    def serial_number(self) -> str:
+        """
+        The serial number of the certificate returned from Vault
+        """
+        return pulumi.get(self, "serial_number")
+
+    @property
+    @pulumi.getter(name="signedKey")
+    def signed_key(self) -> str:
+        """
+        The signed certificate returned from Vault
+        """
+        return pulumi.get(self, "signed_key")
+
+    @property
+    @pulumi.getter
+    def ttl(self) -> Optional[str]:
+        return pulumi.get(self, "ttl")
+
+    @property
+    @pulumi.getter(name="validPrincipals")
+    def valid_principals(self) -> Optional[str]:
+        return pulumi.get(self, "valid_principals")
+
+
+class AwaitableGetSecretBackendSignResult(GetSecretBackendSignResult):
+    # pylint: disable=using-constant-test
+    def __await__(self):
+        if False:
+            yield self
+        return GetSecretBackendSignResult(
+            cert_type=self.cert_type,
+            critical_options=self.critical_options,
+            extensions=self.extensions,
+            id=self.id,
+            key_id=self.key_id,
+            name=self.name,
+            namespace=self.namespace,
+            path=self.path,
+            public_key=self.public_key,
+            serial_number=self.serial_number,
+            signed_key=self.signed_key,
+            ttl=self.ttl,
+            valid_principals=self.valid_principals)
+
+
+def get_secret_backend_sign(cert_type: Optional[str] = None,
+                            critical_options: Optional[Mapping[str, str]] = None,
+                            extensions: Optional[Mapping[str, str]] = None,
+                            key_id: Optional[str] = None,
+                            name: Optional[str] = None,
+                            namespace: Optional[str] = None,
+                            path: Optional[str] = None,
+                            public_key: Optional[str] = None,
+                            ttl: Optional[str] = None,
+                            valid_principals: Optional[str] = None,
+                            opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetSecretBackendSignResult:
+    """
+    This is a data source which can be used to sign an SSH public key
+
+    ## Example Usage
+
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    test = vault.ssh.get_secret_backend_sign(path="ssh",
+        public_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com",
+        name="test",
+        valid_principals="my-user")
+    ```
+
+
+    :param str cert_type: Specifies the type of certificate to be created; either "user" or "host".
+    :param Mapping[str, str] critical_options: Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
+    :param Mapping[str, str] extensions: Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
+    :param str key_id: Specifies the key id that the created certificate should have. If not specified, the display name of the token will be used.
+    :param str name: Specifies the name of the role to sign.
+    :param str path: Full path where SSH backend is mounted.
+    :param str public_key: Specifies the SSH public key that should be signed.
+    :param str ttl: Specifies the Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
+    :param str valid_principals: Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
+    """
+    __args__ = dict()
+    __args__['certType'] = cert_type
+    __args__['criticalOptions'] = critical_options
+    __args__['extensions'] = extensions
+    __args__['keyId'] = key_id
+    __args__['name'] = name
+    __args__['namespace'] = namespace
+    __args__['path'] = path
+    __args__['publicKey'] = public_key
+    __args__['ttl'] = ttl
+    __args__['validPrincipals'] = valid_principals
+    opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
+    __ret__ = pulumi.runtime.invoke('vault:ssh/getSecretBackendSign:getSecretBackendSign', __args__, opts=opts, typ=GetSecretBackendSignResult).value
+
+    return AwaitableGetSecretBackendSignResult(
+        cert_type=pulumi.get(__ret__, 'cert_type'),
+        critical_options=pulumi.get(__ret__, 'critical_options'),
+        extensions=pulumi.get(__ret__, 'extensions'),
+        id=pulumi.get(__ret__, 'id'),
+        key_id=pulumi.get(__ret__, 'key_id'),
+        name=pulumi.get(__ret__, 'name'),
+        namespace=pulumi.get(__ret__, 'namespace'),
+        path=pulumi.get(__ret__, 'path'),
+        public_key=pulumi.get(__ret__, 'public_key'),
+        serial_number=pulumi.get(__ret__, 'serial_number'),
+        signed_key=pulumi.get(__ret__, 'signed_key'),
+        ttl=pulumi.get(__ret__, 'ttl'),
+        valid_principals=pulumi.get(__ret__, 'valid_principals'))
+def get_secret_backend_sign_output(cert_type: Optional[pulumi.Input[Optional[str]]] = None,
+                                   critical_options: Optional[pulumi.Input[Optional[Mapping[str, str]]]] = None,
+                                   extensions: Optional[pulumi.Input[Optional[Mapping[str, str]]]] = None,
+                                   key_id: Optional[pulumi.Input[Optional[str]]] = None,
+                                   name: Optional[pulumi.Input[str]] = None,
+                                   namespace: Optional[pulumi.Input[Optional[str]]] = None,
+                                   path: Optional[pulumi.Input[str]] = None,
+                                   public_key: Optional[pulumi.Input[str]] = None,
+                                   ttl: Optional[pulumi.Input[Optional[str]]] = None,
+                                   valid_principals: Optional[pulumi.Input[Optional[str]]] = None,
+                                   opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetSecretBackendSignResult]:
+    """
+    This is a data source which can be used to sign an SSH public key
+
+    ## Example Usage
+
+    ```python
+    import pulumi
+    import pulumi_vault as vault
+
+    test = vault.ssh.get_secret_backend_sign(path="ssh",
+        public_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com",
+        name="test",
+        valid_principals="my-user")
+    ```
+
+
+    :param str cert_type: Specifies the type of certificate to be created; either "user" or "host".
+    :param Mapping[str, str] critical_options: Specifies a map of the critical options that the certificate should be signed for. Defaults to none.
+    :param Mapping[str, str] extensions: Specifies a map of the extensions that the certificate should be signed for. Defaults to none.
+    :param str key_id: Specifies the key id that the created certificate should have. If not specified, the display name of the token will be used.
+    :param str name: Specifies the name of the role to sign.
+    :param str path: Full path where SSH backend is mounted.
+    :param str public_key: Specifies the SSH public key that should be signed.
+    :param str ttl: Specifies the Requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.
+    :param str valid_principals: Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified allow_empty_principals or a value has been set for either the default_user or default_user_template role parameters.
+    """
+    __args__ = dict()
+    __args__['certType'] = cert_type
+    __args__['criticalOptions'] = critical_options
+    __args__['extensions'] = extensions
+    __args__['keyId'] = key_id
+    __args__['name'] = name
+    __args__['namespace'] = namespace
+    __args__['path'] = path
+    __args__['publicKey'] = public_key
+    __args__['ttl'] = ttl
+    __args__['validPrincipals'] = valid_principals
+    opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
+    __ret__ = pulumi.runtime.invoke_output('vault:ssh/getSecretBackendSign:getSecretBackendSign', __args__, opts=opts, typ=GetSecretBackendSignResult)
+    return __ret__.apply(lambda __response__: GetSecretBackendSignResult(
+        cert_type=pulumi.get(__response__, 'cert_type'),
+        critical_options=pulumi.get(__response__, 'critical_options'),
+        extensions=pulumi.get(__response__, 'extensions'),
+        id=pulumi.get(__response__, 'id'),
+        key_id=pulumi.get(__response__, 'key_id'),
+        name=pulumi.get(__response__, 'name'),
+        namespace=pulumi.get(__response__, 'namespace'),
+        path=pulumi.get(__response__, 'path'),
+        public_key=pulumi.get(__response__, 'public_key'),
+        serial_number=pulumi.get(__response__, 'serial_number'),
+        signed_key=pulumi.get(__response__, 'signed_key'),
+        ttl=pulumi.get(__response__, 'ttl'),
+        valid_principals=pulumi.get(__response__, 'valid_principals')))