pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +26 -9
- pulumi_vault/ad/secret_backend.py +16 -142
- pulumi_vault/ad/secret_library.py +16 -9
- pulumi_vault/ad/secret_role.py +14 -9
- pulumi_vault/alicloud/auth_backend_role.py +76 -190
- pulumi_vault/approle/auth_backend_login.py +12 -7
- pulumi_vault/approle/auth_backend_role.py +77 -191
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
- pulumi_vault/audit.py +30 -21
- pulumi_vault/audit_request_header.py +11 -2
- pulumi_vault/auth_backend.py +66 -14
- pulumi_vault/aws/auth_backend_cert.py +18 -9
- pulumi_vault/aws/auth_backend_client.py +267 -22
- pulumi_vault/aws/auth_backend_config_identity.py +14 -9
- pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +77 -191
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
- pulumi_vault/aws/auth_backend_sts_role.py +14 -9
- pulumi_vault/aws/get_access_credentials.py +38 -9
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +77 -9
- pulumi_vault/aws/secret_backend_role.py +185 -9
- pulumi_vault/aws/secret_backend_static_role.py +20 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +153 -15
- pulumi_vault/azure/auth_backend_role.py +77 -191
- pulumi_vault/azure/backend.py +227 -21
- pulumi_vault/azure/backend_role.py +42 -37
- pulumi_vault/azure/get_access_credentials.py +41 -7
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -267
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +28 -19
- pulumi_vault/consul/secret_backend_role.py +18 -78
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +119 -112
- pulumi_vault/database/secret_backend_role.py +31 -22
- pulumi_vault/database/secret_backend_static_role.py +87 -13
- pulumi_vault/database/secrets_mount.py +427 -136
- pulumi_vault/egp_policy.py +16 -11
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +250 -33
- pulumi_vault/gcp/auth_backend_role.py +77 -269
- pulumi_vault/gcp/get_auth_backend_role.py +43 -5
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -12
- pulumi_vault/gcp/secret_impersonated_account.py +76 -15
- pulumi_vault/gcp/secret_roleset.py +31 -24
- pulumi_vault/gcp/secret_static_account.py +39 -32
- pulumi_vault/generic/endpoint.py +24 -17
- pulumi_vault/generic/get_secret.py +64 -8
- pulumi_vault/generic/secret.py +21 -16
- pulumi_vault/get_auth_backend.py +24 -7
- pulumi_vault/get_auth_backends.py +51 -9
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -11
- pulumi_vault/get_policy_document.py +34 -19
- pulumi_vault/get_raft_autopilot_state.py +29 -10
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +19 -14
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +16 -11
- pulumi_vault/github/user.py +16 -11
- pulumi_vault/identity/entity.py +20 -13
- pulumi_vault/identity/entity_alias.py +20 -13
- pulumi_vault/identity/entity_policies.py +28 -11
- pulumi_vault/identity/get_entity.py +42 -10
- pulumi_vault/identity/get_group.py +47 -9
- pulumi_vault/identity/get_oidc_client_creds.py +21 -7
- pulumi_vault/identity/get_oidc_openid_config.py +39 -9
- pulumi_vault/identity/get_oidc_public_keys.py +29 -10
- pulumi_vault/identity/group.py +58 -39
- pulumi_vault/identity/group_alias.py +16 -9
- pulumi_vault/identity/group_member_entity_ids.py +28 -66
- pulumi_vault/identity/group_member_group_ids.py +40 -19
- pulumi_vault/identity/group_policies.py +20 -7
- pulumi_vault/identity/mfa_duo.py +11 -6
- pulumi_vault/identity/mfa_login_enforcement.py +15 -6
- pulumi_vault/identity/mfa_okta.py +11 -6
- pulumi_vault/identity/mfa_pingid.py +7 -2
- pulumi_vault/identity/mfa_totp.py +7 -2
- pulumi_vault/identity/oidc.py +12 -7
- pulumi_vault/identity/oidc_assignment.py +24 -11
- pulumi_vault/identity/oidc_client.py +36 -23
- pulumi_vault/identity/oidc_key.py +30 -17
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
- pulumi_vault/identity/oidc_provider.py +36 -21
- pulumi_vault/identity/oidc_role.py +42 -21
- pulumi_vault/identity/oidc_scope.py +20 -13
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +45 -40
- pulumi_vault/jwt/auth_backend_role.py +133 -254
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +24 -19
- pulumi_vault/kmip/secret_role.py +14 -9
- pulumi_vault/kmip/secret_scope.py +14 -9
- pulumi_vault/kubernetes/auth_backend_config.py +57 -5
- pulumi_vault/kubernetes/auth_backend_role.py +70 -177
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -11
- pulumi_vault/kubernetes/secret_backend.py +316 -27
- pulumi_vault/kubernetes/secret_backend_role.py +137 -46
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +25 -8
- pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
- pulumi_vault/kv/get_secret_v2.py +85 -9
- pulumi_vault/kv/get_secrets_list.py +24 -11
- pulumi_vault/kv/get_secrets_list_v2.py +37 -15
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +23 -16
- pulumi_vault/kv/secret_backend_v2.py +20 -11
- pulumi_vault/kv/secret_v2.py +59 -50
- pulumi_vault/ldap/auth_backend.py +127 -166
- pulumi_vault/ldap/auth_backend_group.py +14 -9
- pulumi_vault/ldap/auth_backend_user.py +14 -9
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +354 -82
- pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
- pulumi_vault/ldap/secret_backend_library_set.py +16 -9
- pulumi_vault/ldap/secret_backend_static_role.py +73 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +29 -57
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +18 -11
- pulumi_vault/mfa_okta.py +18 -11
- pulumi_vault/mfa_pingid.py +18 -11
- pulumi_vault/mfa_totp.py +24 -17
- pulumi_vault/mongodbatlas/secret_backend.py +20 -15
- pulumi_vault/mongodbatlas/secret_role.py +47 -38
- pulumi_vault/mount.py +391 -51
- pulumi_vault/namespace.py +68 -83
- pulumi_vault/nomad_secret_backend.py +18 -13
- pulumi_vault/nomad_secret_role.py +14 -9
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +485 -39
- pulumi_vault/okta/auth_backend_group.py +14 -9
- pulumi_vault/okta/auth_backend_user.py +14 -9
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +20 -13
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
- pulumi_vault/pkisecret/get_backend_key.py +24 -9
- pulumi_vault/pkisecret/get_backend_keys.py +21 -8
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
- pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
- pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
- pulumi_vault/pkisecret/secret_backend_key.py +14 -9
- pulumi_vault/pkisecret/secret_backend_role.py +21 -14
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +14 -9
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +60 -6
- pulumi_vault/quota_rate_limit.py +56 -2
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +18 -13
- pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
- pulumi_vault/raft_autopilot.py +14 -9
- pulumi_vault/raft_snapshot_agent_config.py +129 -224
- pulumi_vault/rgp_policy.py +14 -9
- pulumi_vault/saml/auth_backend.py +22 -17
- pulumi_vault/saml/auth_backend_role.py +92 -197
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -71
- pulumi_vault/secrets/sync_aws_destination.py +242 -27
- pulumi_vault/secrets/sync_azure_destination.py +92 -31
- pulumi_vault/secrets/sync_config.py +9 -4
- pulumi_vault/secrets/sync_gcp_destination.py +158 -25
- pulumi_vault/secrets/sync_gh_destination.py +189 -13
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +74 -13
- pulumi_vault/ssh/_inputs.py +28 -28
- pulumi_vault/ssh/outputs.py +11 -28
- pulumi_vault/ssh/secret_backend_ca.py +108 -9
- pulumi_vault/ssh/secret_backend_role.py +85 -118
- pulumi_vault/terraformcloud/secret_backend.py +7 -54
- pulumi_vault/terraformcloud/secret_creds.py +14 -20
- pulumi_vault/terraformcloud/secret_role.py +16 -74
- pulumi_vault/token.py +28 -23
- pulumi_vault/tokenauth/auth_backend_role.py +78 -199
- pulumi_vault/transform/alphabet.py +16 -9
- pulumi_vault/transform/get_decode.py +45 -17
- pulumi_vault/transform/get_encode.py +45 -17
- pulumi_vault/transform/role.py +16 -9
- pulumi_vault/transform/template.py +30 -21
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -21
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +27 -93
- pulumi_vault/transit/secret_cache_config.py +12 -7
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
pulumi_vault/gcp/auth_backend.py
CHANGED
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
from . import outputs
|
12
17
|
from ._inputs import *
|
@@ -22,11 +27,15 @@ class AuthBackendArgs:
|
|
22
27
|
custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
|
23
28
|
description: Optional[pulumi.Input[str]] = None,
|
24
29
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
30
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
31
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
32
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
25
33
|
local: Optional[pulumi.Input[bool]] = None,
|
26
34
|
namespace: Optional[pulumi.Input[str]] = None,
|
27
35
|
path: Optional[pulumi.Input[str]] = None,
|
28
36
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
29
37
|
project_id: Optional[pulumi.Input[str]] = None,
|
38
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
30
39
|
tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
|
31
40
|
"""
|
32
41
|
The set of arguments for constructing a AuthBackend resource.
|
@@ -43,14 +52,22 @@ class AuthBackendArgs:
|
|
43
52
|
:param pulumi.Input[str] description: A description of the auth method.
|
44
53
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
45
54
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
55
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
56
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
57
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
58
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
59
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
60
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
46
61
|
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
47
62
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
48
63
|
The value should not contain leading or trailing forward slashes.
|
49
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
64
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
50
65
|
*Available only for Vault Enterprise*.
|
51
66
|
:param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
|
52
67
|
:param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
|
53
68
|
:param pulumi.Input[str] project_id: The GCP Project ID
|
69
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
70
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
54
71
|
:param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
|
55
72
|
|
56
73
|
The `tune` block is used to tune the auth backend:
|
@@ -67,6 +84,12 @@ class AuthBackendArgs:
|
|
67
84
|
pulumi.set(__self__, "description", description)
|
68
85
|
if disable_remount is not None:
|
69
86
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
87
|
+
if identity_token_audience is not None:
|
88
|
+
pulumi.set(__self__, "identity_token_audience", identity_token_audience)
|
89
|
+
if identity_token_key is not None:
|
90
|
+
pulumi.set(__self__, "identity_token_key", identity_token_key)
|
91
|
+
if identity_token_ttl is not None:
|
92
|
+
pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
|
70
93
|
if local is not None:
|
71
94
|
pulumi.set(__self__, "local", local)
|
72
95
|
if namespace is not None:
|
@@ -77,6 +100,8 @@ class AuthBackendArgs:
|
|
77
100
|
pulumi.set(__self__, "private_key_id", private_key_id)
|
78
101
|
if project_id is not None:
|
79
102
|
pulumi.set(__self__, "project_id", project_id)
|
103
|
+
if service_account_email is not None:
|
104
|
+
pulumi.set(__self__, "service_account_email", service_account_email)
|
80
105
|
if tune is not None:
|
81
106
|
pulumi.set(__self__, "tune", tune)
|
82
107
|
|
@@ -159,6 +184,45 @@ class AuthBackendArgs:
|
|
159
184
|
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
160
185
|
pulumi.set(self, "disable_remount", value)
|
161
186
|
|
187
|
+
@property
|
188
|
+
@pulumi.getter(name="identityTokenAudience")
|
189
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
190
|
+
"""
|
191
|
+
The audience claim value for plugin identity
|
192
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
193
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
194
|
+
"""
|
195
|
+
return pulumi.get(self, "identity_token_audience")
|
196
|
+
|
197
|
+
@identity_token_audience.setter
|
198
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
199
|
+
pulumi.set(self, "identity_token_audience", value)
|
200
|
+
|
201
|
+
@property
|
202
|
+
@pulumi.getter(name="identityTokenKey")
|
203
|
+
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
204
|
+
"""
|
205
|
+
The key to use for signing plugin identity
|
206
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
207
|
+
"""
|
208
|
+
return pulumi.get(self, "identity_token_key")
|
209
|
+
|
210
|
+
@identity_token_key.setter
|
211
|
+
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
212
|
+
pulumi.set(self, "identity_token_key", value)
|
213
|
+
|
214
|
+
@property
|
215
|
+
@pulumi.getter(name="identityTokenTtl")
|
216
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
217
|
+
"""
|
218
|
+
The TTL of generated tokens.
|
219
|
+
"""
|
220
|
+
return pulumi.get(self, "identity_token_ttl")
|
221
|
+
|
222
|
+
@identity_token_ttl.setter
|
223
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
224
|
+
pulumi.set(self, "identity_token_ttl", value)
|
225
|
+
|
162
226
|
@property
|
163
227
|
@pulumi.getter
|
164
228
|
def local(self) -> Optional[pulumi.Input[bool]]:
|
@@ -177,7 +241,7 @@ class AuthBackendArgs:
|
|
177
241
|
"""
|
178
242
|
The namespace to provision the resource in.
|
179
243
|
The value should not contain leading or trailing forward slashes.
|
180
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
244
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
181
245
|
*Available only for Vault Enterprise*.
|
182
246
|
"""
|
183
247
|
return pulumi.get(self, "namespace")
|
@@ -222,6 +286,19 @@ class AuthBackendArgs:
|
|
222
286
|
def project_id(self, value: Optional[pulumi.Input[str]]):
|
223
287
|
pulumi.set(self, "project_id", value)
|
224
288
|
|
289
|
+
@property
|
290
|
+
@pulumi.getter(name="serviceAccountEmail")
|
291
|
+
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
292
|
+
"""
|
293
|
+
Service Account to impersonate for plugin workload identity federation.
|
294
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
295
|
+
"""
|
296
|
+
return pulumi.get(self, "service_account_email")
|
297
|
+
|
298
|
+
@service_account_email.setter
|
299
|
+
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
300
|
+
pulumi.set(self, "service_account_email", value)
|
301
|
+
|
225
302
|
@property
|
226
303
|
@pulumi.getter
|
227
304
|
def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
|
@@ -247,11 +324,15 @@ class _AuthBackendState:
|
|
247
324
|
custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
|
248
325
|
description: Optional[pulumi.Input[str]] = None,
|
249
326
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
327
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
328
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
329
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
250
330
|
local: Optional[pulumi.Input[bool]] = None,
|
251
331
|
namespace: Optional[pulumi.Input[str]] = None,
|
252
332
|
path: Optional[pulumi.Input[str]] = None,
|
253
333
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
254
334
|
project_id: Optional[pulumi.Input[str]] = None,
|
335
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
255
336
|
tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
|
256
337
|
"""
|
257
338
|
Input properties used for looking up and filtering AuthBackend resources.
|
@@ -269,14 +350,22 @@ class _AuthBackendState:
|
|
269
350
|
:param pulumi.Input[str] description: A description of the auth method.
|
270
351
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
271
352
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
353
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
354
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
355
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
356
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
357
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
358
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
272
359
|
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
273
360
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
274
361
|
The value should not contain leading or trailing forward slashes.
|
275
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
362
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
276
363
|
*Available only for Vault Enterprise*.
|
277
364
|
:param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
|
278
365
|
:param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
|
279
366
|
:param pulumi.Input[str] project_id: The GCP Project ID
|
367
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
368
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
280
369
|
:param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
|
281
370
|
|
282
371
|
The `tune` block is used to tune the auth backend:
|
@@ -295,6 +384,12 @@ class _AuthBackendState:
|
|
295
384
|
pulumi.set(__self__, "description", description)
|
296
385
|
if disable_remount is not None:
|
297
386
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
387
|
+
if identity_token_audience is not None:
|
388
|
+
pulumi.set(__self__, "identity_token_audience", identity_token_audience)
|
389
|
+
if identity_token_key is not None:
|
390
|
+
pulumi.set(__self__, "identity_token_key", identity_token_key)
|
391
|
+
if identity_token_ttl is not None:
|
392
|
+
pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
|
298
393
|
if local is not None:
|
299
394
|
pulumi.set(__self__, "local", local)
|
300
395
|
if namespace is not None:
|
@@ -305,6 +400,8 @@ class _AuthBackendState:
|
|
305
400
|
pulumi.set(__self__, "private_key_id", private_key_id)
|
306
401
|
if project_id is not None:
|
307
402
|
pulumi.set(__self__, "project_id", project_id)
|
403
|
+
if service_account_email is not None:
|
404
|
+
pulumi.set(__self__, "service_account_email", service_account_email)
|
308
405
|
if tune is not None:
|
309
406
|
pulumi.set(__self__, "tune", tune)
|
310
407
|
|
@@ -399,6 +496,45 @@ class _AuthBackendState:
|
|
399
496
|
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
400
497
|
pulumi.set(self, "disable_remount", value)
|
401
498
|
|
499
|
+
@property
|
500
|
+
@pulumi.getter(name="identityTokenAudience")
|
501
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
502
|
+
"""
|
503
|
+
The audience claim value for plugin identity
|
504
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
505
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
506
|
+
"""
|
507
|
+
return pulumi.get(self, "identity_token_audience")
|
508
|
+
|
509
|
+
@identity_token_audience.setter
|
510
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
511
|
+
pulumi.set(self, "identity_token_audience", value)
|
512
|
+
|
513
|
+
@property
|
514
|
+
@pulumi.getter(name="identityTokenKey")
|
515
|
+
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
516
|
+
"""
|
517
|
+
The key to use for signing plugin identity
|
518
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
519
|
+
"""
|
520
|
+
return pulumi.get(self, "identity_token_key")
|
521
|
+
|
522
|
+
@identity_token_key.setter
|
523
|
+
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
524
|
+
pulumi.set(self, "identity_token_key", value)
|
525
|
+
|
526
|
+
@property
|
527
|
+
@pulumi.getter(name="identityTokenTtl")
|
528
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
529
|
+
"""
|
530
|
+
The TTL of generated tokens.
|
531
|
+
"""
|
532
|
+
return pulumi.get(self, "identity_token_ttl")
|
533
|
+
|
534
|
+
@identity_token_ttl.setter
|
535
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
536
|
+
pulumi.set(self, "identity_token_ttl", value)
|
537
|
+
|
402
538
|
@property
|
403
539
|
@pulumi.getter
|
404
540
|
def local(self) -> Optional[pulumi.Input[bool]]:
|
@@ -417,7 +553,7 @@ class _AuthBackendState:
|
|
417
553
|
"""
|
418
554
|
The namespace to provision the resource in.
|
419
555
|
The value should not contain leading or trailing forward slashes.
|
420
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
556
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
421
557
|
*Available only for Vault Enterprise*.
|
422
558
|
"""
|
423
559
|
return pulumi.get(self, "namespace")
|
@@ -462,6 +598,19 @@ class _AuthBackendState:
|
|
462
598
|
def project_id(self, value: Optional[pulumi.Input[str]]):
|
463
599
|
pulumi.set(self, "project_id", value)
|
464
600
|
|
601
|
+
@property
|
602
|
+
@pulumi.getter(name="serviceAccountEmail")
|
603
|
+
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
604
|
+
"""
|
605
|
+
Service Account to impersonate for plugin workload identity federation.
|
606
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
607
|
+
"""
|
608
|
+
return pulumi.get(self, "service_account_email")
|
609
|
+
|
610
|
+
@service_account_email.setter
|
611
|
+
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
612
|
+
pulumi.set(self, "service_account_email", value)
|
613
|
+
|
465
614
|
@property
|
466
615
|
@pulumi.getter
|
467
616
|
def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
|
@@ -485,33 +634,35 @@ class AuthBackend(pulumi.CustomResource):
|
|
485
634
|
client_email: Optional[pulumi.Input[str]] = None,
|
486
635
|
client_id: Optional[pulumi.Input[str]] = None,
|
487
636
|
credentials: Optional[pulumi.Input[str]] = None,
|
488
|
-
custom_endpoint: Optional[pulumi.Input[
|
637
|
+
custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
|
489
638
|
description: Optional[pulumi.Input[str]] = None,
|
490
639
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
640
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
641
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
642
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
491
643
|
local: Optional[pulumi.Input[bool]] = None,
|
492
644
|
namespace: Optional[pulumi.Input[str]] = None,
|
493
645
|
path: Optional[pulumi.Input[str]] = None,
|
494
646
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
495
647
|
project_id: Optional[pulumi.Input[str]] = None,
|
496
|
-
|
648
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
649
|
+
tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
|
497
650
|
__props__=None):
|
498
651
|
"""
|
499
652
|
Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).
|
500
653
|
|
501
654
|
## Example Usage
|
502
655
|
|
656
|
+
You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
|
503
657
|
```python
|
504
658
|
import pulumi
|
505
659
|
import pulumi_vault as vault
|
506
660
|
|
507
661
|
gcp = vault.gcp.AuthBackend("gcp",
|
508
|
-
|
509
|
-
|
510
|
-
|
511
|
-
|
512
|
-
crm="cloudresourcemanager.googleapis.com",
|
513
|
-
compute="compute.googleapis.com",
|
514
|
-
))
|
662
|
+
identity_token_key="example-key",
|
663
|
+
identity_token_ttl=1800,
|
664
|
+
identity_token_audience="<TOKEN_AUDIENCE>",
|
665
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>")
|
515
666
|
```
|
516
667
|
|
517
668
|
## Import
|
@@ -519,7 +670,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
519
670
|
GCP authentication backends can be imported using the backend name, e.g.
|
520
671
|
|
521
672
|
```sh
|
522
|
-
|
673
|
+
$ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp
|
523
674
|
```
|
524
675
|
|
525
676
|
:param str resource_name: The name of the resource.
|
@@ -527,7 +678,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
527
678
|
:param pulumi.Input[str] client_email: The clients email associated with the credentials
|
528
679
|
:param pulumi.Input[str] client_id: The Client ID of the credentials
|
529
680
|
:param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
|
530
|
-
:param pulumi.Input[
|
681
|
+
:param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
|
531
682
|
[service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
|
532
683
|
used when making API requests. This allows specific requests made during authentication
|
533
684
|
to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
|
@@ -537,15 +688,23 @@ class AuthBackend(pulumi.CustomResource):
|
|
537
688
|
:param pulumi.Input[str] description: A description of the auth method.
|
538
689
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
539
690
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
691
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
692
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
693
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
694
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
695
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
696
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
540
697
|
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
541
698
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
542
699
|
The value should not contain leading or trailing forward slashes.
|
543
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
700
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
544
701
|
*Available only for Vault Enterprise*.
|
545
702
|
:param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
|
546
703
|
:param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
|
547
704
|
:param pulumi.Input[str] project_id: The GCP Project ID
|
548
|
-
:param pulumi.Input[
|
705
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
706
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
707
|
+
:param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
|
549
708
|
|
550
709
|
The `tune` block is used to tune the auth backend:
|
551
710
|
"""
|
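Review bot: The new `identity_token_ttl` entry reads only `The TTL of generated tokens.` and states neither a unit nor a default, while the type is a bare `int`. The example earlier in this docstring passes `identity_token_ttl=1800`, which suggests seconds, but a reader should not have to infer the unit of a token lifetime. I would word it as `:param pulumi.Input[int] identity_token_ttl: The TTL of generated plugin identity tokens, in seconds.` once the unit is confirmed against the provider schema. The same sentence is repeated in the `get()` docstring hunk at `@@ -677,15 +846,23 @@` and in the `identity_token_ttl` getter added at `@@ -771,6 +952,33 @@`.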
@@ -560,18 +719,16 @@ class AuthBackend(pulumi.CustomResource):
|
|
560
719
|
|
561
720
|
## Example Usage
|
562
721
|
|
722
|
+
You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
|
563
723
|
```python
|
564
724
|
import pulumi
|
565
725
|
import pulumi_vault as vault
|
566
726
|
|
567
727
|
gcp = vault.gcp.AuthBackend("gcp",
|
568
|
-
|
569
|
-
|
570
|
-
|
571
|
-
|
572
|
-
crm="cloudresourcemanager.googleapis.com",
|
573
|
-
compute="compute.googleapis.com",
|
574
|
-
))
|
728
|
+
identity_token_key="example-key",
|
729
|
+
identity_token_ttl=1800,
|
730
|
+
identity_token_audience="<TOKEN_AUDIENCE>",
|
731
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>")
|
575
732
|
```
|
576
733
|
|
577
734
|
## Import
|
@@ -579,7 +736,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
579
736
|
GCP authentication backends can be imported using the backend name, e.g.
|
580
737
|
|
581
738
|
```sh
|
582
|
-
|
739
|
+
$ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp
|
583
740
|
```
|
584
741
|
|
585
742
|
:param str resource_name: The name of the resource.
|
@@ -600,15 +757,19 @@ class AuthBackend(pulumi.CustomResource):
|
|
600
757
|
client_email: Optional[pulumi.Input[str]] = None,
|
601
758
|
client_id: Optional[pulumi.Input[str]] = None,
|
602
759
|
credentials: Optional[pulumi.Input[str]] = None,
|
603
|
-
custom_endpoint: Optional[pulumi.Input[
|
760
|
+
custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
|
604
761
|
description: Optional[pulumi.Input[str]] = None,
|
605
762
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
763
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
764
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
765
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
606
766
|
local: Optional[pulumi.Input[bool]] = None,
|
607
767
|
namespace: Optional[pulumi.Input[str]] = None,
|
608
768
|
path: Optional[pulumi.Input[str]] = None,
|
609
769
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
610
770
|
project_id: Optional[pulumi.Input[str]] = None,
|
611
|
-
|
771
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
772
|
+
tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
|
612
773
|
__props__=None):
|
613
774
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
614
775
|
if not isinstance(opts, pulumi.ResourceOptions):
|
@@ -624,11 +785,15 @@ class AuthBackend(pulumi.CustomResource):
|
|
624
785
|
__props__.__dict__["custom_endpoint"] = custom_endpoint
|
625
786
|
__props__.__dict__["description"] = description
|
626
787
|
__props__.__dict__["disable_remount"] = disable_remount
|
788
|
+
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
789
|
+
__props__.__dict__["identity_token_key"] = identity_token_key
|
790
|
+
__props__.__dict__["identity_token_ttl"] = identity_token_ttl
|
627
791
|
__props__.__dict__["local"] = local
|
628
792
|
__props__.__dict__["namespace"] = namespace
|
629
793
|
__props__.__dict__["path"] = path
|
630
794
|
__props__.__dict__["private_key_id"] = private_key_id
|
631
795
|
__props__.__dict__["project_id"] = project_id
|
796
|
+
__props__.__dict__["service_account_email"] = service_account_email
|
632
797
|
__props__.__dict__["tune"] = tune
|
633
798
|
__props__.__dict__["accessor"] = None
|
634
799
|
secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
|
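Review bot: The four workload-identity-federation inputs added here are copied into `__props__` without checking the constraints their docstrings state. The constructor therefore accepts `identity_token_audience` together with `credentials`, or without `service_account_email`, and only the provider or Vault can reject the combination later. That matters for a secret-less setup because a leftover `credentials` value is still a long-lived service account key, kept in the stack as a secret output (`additional_secret_outputs=["credentials"]` on the last line of this hunk). A presence check beside these assignments would surface the mistake at preview time, for example `if identity_token_audience is not None and credentials is not None: raise TypeError("identity_token_audience is mutually exclusive with credentials")`, with a matching check that `service_account_email` is set. The enclosing method starts and ends outside this hunk, and if this module is generated, the check belongs in the generator or a wrapper rather than in this file.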
@@ -647,15 +812,19 @@ class AuthBackend(pulumi.CustomResource):
|
|
647
812
|
client_email: Optional[pulumi.Input[str]] = None,
|
648
813
|
client_id: Optional[pulumi.Input[str]] = None,
|
649
814
|
credentials: Optional[pulumi.Input[str]] = None,
|
650
|
-
custom_endpoint: Optional[pulumi.Input[
|
815
|
+
custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
|
651
816
|
description: Optional[pulumi.Input[str]] = None,
|
652
817
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
818
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
819
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
820
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
653
821
|
local: Optional[pulumi.Input[bool]] = None,
|
654
822
|
namespace: Optional[pulumi.Input[str]] = None,
|
655
823
|
path: Optional[pulumi.Input[str]] = None,
|
656
824
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
657
825
|
project_id: Optional[pulumi.Input[str]] = None,
|
658
|
-
|
826
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
827
|
+
tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None) -> 'AuthBackend':
|
659
828
|
"""
|
660
829
|
Get an existing AuthBackend resource's state with the given name, id, and optional extra
|
661
830
|
properties used to qualify the lookup.
|
@@ -667,7 +836,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
667
836
|
:param pulumi.Input[str] client_email: The clients email associated with the credentials
|
668
837
|
:param pulumi.Input[str] client_id: The Client ID of the credentials
|
669
838
|
:param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
|
670
|
-
:param pulumi.Input[
|
839
|
+
:param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
|
671
840
|
[service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
|
672
841
|
used when making API requests. This allows specific requests made during authentication
|
673
842
|
to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
|
@@ -677,15 +846,23 @@ class AuthBackend(pulumi.CustomResource):
|
|
677
846
|
:param pulumi.Input[str] description: A description of the auth method.
|
678
847
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
679
848
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
849
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
850
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
851
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
852
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
853
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
854
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
680
855
|
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
681
856
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
682
857
|
The value should not contain leading or trailing forward slashes.
|
683
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
858
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
684
859
|
*Available only for Vault Enterprise*.
|
685
860
|
:param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
|
686
861
|
:param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
|
687
862
|
:param pulumi.Input[str] project_id: The GCP Project ID
|
688
|
-
:param pulumi.Input[
|
863
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
864
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
865
|
+
:param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
|
689
866
|
|
690
867
|
The `tune` block is used to tune the auth backend:
|
691
868
|
"""
|
@@ -700,11 +877,15 @@ class AuthBackend(pulumi.CustomResource):
|
|
700
877
|
__props__.__dict__["custom_endpoint"] = custom_endpoint
|
701
878
|
__props__.__dict__["description"] = description
|
702
879
|
__props__.__dict__["disable_remount"] = disable_remount
|
880
|
+
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
881
|
+
__props__.__dict__["identity_token_key"] = identity_token_key
|
882
|
+
__props__.__dict__["identity_token_ttl"] = identity_token_ttl
|
703
883
|
__props__.__dict__["local"] = local
|
704
884
|
__props__.__dict__["namespace"] = namespace
|
705
885
|
__props__.__dict__["path"] = path
|
706
886
|
__props__.__dict__["private_key_id"] = private_key_id
|
707
887
|
__props__.__dict__["project_id"] = project_id
|
888
|
+
__props__.__dict__["service_account_email"] = service_account_email
|
708
889
|
__props__.__dict__["tune"] = tune
|
709
890
|
return AuthBackend(resource_name, opts=opts, __props__=__props__)
|
710
891
|
|
@@ -771,6 +952,33 @@ class AuthBackend(pulumi.CustomResource):
|
|
771
952
|
"""
|
772
953
|
return pulumi.get(self, "disable_remount")
|
773
954
|
|
955
|
+
@property
|
956
|
+
@pulumi.getter(name="identityTokenAudience")
|
957
|
+
def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
|
958
|
+
"""
|
959
|
+
The audience claim value for plugin identity
|
960
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
961
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
962
|
+
"""
|
963
|
+
return pulumi.get(self, "identity_token_audience")
|
964
|
+
|
965
|
+
@property
|
966
|
+
@pulumi.getter(name="identityTokenKey")
|
967
|
+
def identity_token_key(self) -> pulumi.Output[Optional[str]]:
|
968
|
+
"""
|
969
|
+
The key to use for signing plugin identity
|
970
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
971
|
+
"""
|
972
|
+
return pulumi.get(self, "identity_token_key")
|
973
|
+
|
974
|
+
@property
|
975
|
+
@pulumi.getter(name="identityTokenTtl")
|
976
|
+
def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
|
977
|
+
"""
|
978
|
+
The TTL of generated tokens.
|
979
|
+
"""
|
980
|
+
return pulumi.get(self, "identity_token_ttl")
|
981
|
+
|
774
982
|
@property
|
775
983
|
@pulumi.getter
|
776
984
|
def local(self) -> pulumi.Output[Optional[bool]]:
|
@@ -785,7 +993,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
785
993
|
"""
|
786
994
|
The namespace to provision the resource in.
|
787
995
|
The value should not contain leading or trailing forward slashes.
|
788
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
996
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
789
997
|
*Available only for Vault Enterprise*.
|
790
998
|
"""
|
791
999
|
return pulumi.get(self, "namespace")
|
@@ -814,6 +1022,15 @@ class AuthBackend(pulumi.CustomResource):
|
|
814
1022
|
"""
|
815
1023
|
return pulumi.get(self, "project_id")
|
816
1024
|
|
1025
|
+
@property
|
1026
|
+
@pulumi.getter(name="serviceAccountEmail")
|
1027
|
+
def service_account_email(self) -> pulumi.Output[Optional[str]]:
|
1028
|
+
"""
|
1029
|
+
Service Account to impersonate for plugin workload identity federation.
|
1030
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
1031
|
+
"""
|
1032
|
+
return pulumi.get(self, "service_account_email")
|
1033
|
+
|
817
1034
|
@property
|
818
1035
|
@pulumi.getter
|
819
1036
|
def tune(self) -> pulumi.Output['outputs.AuthBackendTune']:
|