pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

Files changed (229) hide show
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +26 -9
  5. pulumi_vault/ad/secret_backend.py +16 -142
  6. pulumi_vault/ad/secret_library.py +16 -9
  7. pulumi_vault/ad/secret_role.py +14 -9
  8. pulumi_vault/alicloud/auth_backend_role.py +76 -190
  9. pulumi_vault/approle/auth_backend_login.py +12 -7
  10. pulumi_vault/approle/auth_backend_role.py +77 -191
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
  13. pulumi_vault/audit.py +30 -21
  14. pulumi_vault/audit_request_header.py +11 -2
  15. pulumi_vault/auth_backend.py +66 -14
  16. pulumi_vault/aws/auth_backend_cert.py +18 -9
  17. pulumi_vault/aws/auth_backend_client.py +267 -22
  18. pulumi_vault/aws/auth_backend_config_identity.py +14 -9
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +77 -191
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
  24. pulumi_vault/aws/auth_backend_sts_role.py +14 -9
  25. pulumi_vault/aws/get_access_credentials.py +38 -9
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +77 -9
  28. pulumi_vault/aws/secret_backend_role.py +185 -9
  29. pulumi_vault/aws/secret_backend_static_role.py +20 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +153 -15
  32. pulumi_vault/azure/auth_backend_role.py +77 -191
  33. pulumi_vault/azure/backend.py +227 -21
  34. pulumi_vault/azure/backend_role.py +42 -37
  35. pulumi_vault/azure/get_access_credentials.py +41 -7
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -267
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +28 -19
  44. pulumi_vault/consul/secret_backend_role.py +18 -78
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +119 -112
  48. pulumi_vault/database/secret_backend_role.py +31 -22
  49. pulumi_vault/database/secret_backend_static_role.py +87 -13
  50. pulumi_vault/database/secrets_mount.py +427 -136
  51. pulumi_vault/egp_policy.py +16 -11
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +250 -33
  54. pulumi_vault/gcp/auth_backend_role.py +77 -269
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -5
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -12
  58. pulumi_vault/gcp/secret_impersonated_account.py +76 -15
  59. pulumi_vault/gcp/secret_roleset.py +31 -24
  60. pulumi_vault/gcp/secret_static_account.py +39 -32
  61. pulumi_vault/generic/endpoint.py +24 -17
  62. pulumi_vault/generic/get_secret.py +64 -8
  63. pulumi_vault/generic/secret.py +21 -16
  64. pulumi_vault/get_auth_backend.py +24 -7
  65. pulumi_vault/get_auth_backends.py +51 -9
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -11
  69. pulumi_vault/get_policy_document.py +34 -19
  70. pulumi_vault/get_raft_autopilot_state.py +29 -10
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +19 -14
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +16 -11
  75. pulumi_vault/github/user.py +16 -11
  76. pulumi_vault/identity/entity.py +20 -13
  77. pulumi_vault/identity/entity_alias.py +20 -13
  78. pulumi_vault/identity/entity_policies.py +28 -11
  79. pulumi_vault/identity/get_entity.py +42 -10
  80. pulumi_vault/identity/get_group.py +47 -9
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -7
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -9
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -10
  84. pulumi_vault/identity/group.py +58 -39
  85. pulumi_vault/identity/group_alias.py +16 -9
  86. pulumi_vault/identity/group_member_entity_ids.py +28 -66
  87. pulumi_vault/identity/group_member_group_ids.py +40 -19
  88. pulumi_vault/identity/group_policies.py +20 -7
  89. pulumi_vault/identity/mfa_duo.py +11 -6
  90. pulumi_vault/identity/mfa_login_enforcement.py +15 -6
  91. pulumi_vault/identity/mfa_okta.py +11 -6
  92. pulumi_vault/identity/mfa_pingid.py +7 -2
  93. pulumi_vault/identity/mfa_totp.py +7 -2
  94. pulumi_vault/identity/oidc.py +12 -7
  95. pulumi_vault/identity/oidc_assignment.py +24 -11
  96. pulumi_vault/identity/oidc_client.py +36 -23
  97. pulumi_vault/identity/oidc_key.py +30 -17
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
  99. pulumi_vault/identity/oidc_provider.py +36 -21
  100. pulumi_vault/identity/oidc_role.py +42 -21
  101. pulumi_vault/identity/oidc_scope.py +20 -13
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +45 -40
  105. pulumi_vault/jwt/auth_backend_role.py +133 -254
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +24 -19
  108. pulumi_vault/kmip/secret_role.py +14 -9
  109. pulumi_vault/kmip/secret_scope.py +14 -9
  110. pulumi_vault/kubernetes/auth_backend_config.py +57 -5
  111. pulumi_vault/kubernetes/auth_backend_role.py +70 -177
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -11
  115. pulumi_vault/kubernetes/secret_backend.py +316 -27
  116. pulumi_vault/kubernetes/secret_backend_role.py +137 -46
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +25 -8
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
  120. pulumi_vault/kv/get_secret_v2.py +85 -9
  121. pulumi_vault/kv/get_secrets_list.py +24 -11
  122. pulumi_vault/kv/get_secrets_list_v2.py +37 -15
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +23 -16
  125. pulumi_vault/kv/secret_backend_v2.py +20 -11
  126. pulumi_vault/kv/secret_v2.py +59 -50
  127. pulumi_vault/ldap/auth_backend.py +127 -166
  128. pulumi_vault/ldap/auth_backend_group.py +14 -9
  129. pulumi_vault/ldap/auth_backend_user.py +14 -9
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +354 -82
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +16 -9
  135. pulumi_vault/ldap/secret_backend_static_role.py +73 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +29 -57
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +18 -11
  140. pulumi_vault/mfa_okta.py +18 -11
  141. pulumi_vault/mfa_pingid.py +18 -11
  142. pulumi_vault/mfa_totp.py +24 -17
  143. pulumi_vault/mongodbatlas/secret_backend.py +20 -15
  144. pulumi_vault/mongodbatlas/secret_role.py +47 -38
  145. pulumi_vault/mount.py +391 -51
  146. pulumi_vault/namespace.py +68 -83
  147. pulumi_vault/nomad_secret_backend.py +18 -13
  148. pulumi_vault/nomad_secret_role.py +14 -9
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +485 -39
  151. pulumi_vault/okta/auth_backend_group.py +14 -9
  152. pulumi_vault/okta/auth_backend_user.py +14 -9
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +20 -13
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -9
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -8
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
  174. pulumi_vault/pkisecret/secret_backend_key.py +14 -9
  175. pulumi_vault/pkisecret/secret_backend_role.py +21 -14
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +14 -9
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +60 -6
  185. pulumi_vault/quota_rate_limit.py +56 -2
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +18 -13
  189. pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
  190. pulumi_vault/raft_autopilot.py +14 -9
  191. pulumi_vault/raft_snapshot_agent_config.py +129 -224
  192. pulumi_vault/rgp_policy.py +14 -9
  193. pulumi_vault/saml/auth_backend.py +22 -17
  194. pulumi_vault/saml/auth_backend_role.py +92 -197
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -71
  199. pulumi_vault/secrets/sync_aws_destination.py +242 -27
  200. pulumi_vault/secrets/sync_azure_destination.py +92 -31
  201. pulumi_vault/secrets/sync_config.py +9 -4
  202. pulumi_vault/secrets/sync_gcp_destination.py +158 -25
  203. pulumi_vault/secrets/sync_gh_destination.py +189 -13
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +74 -13
  206. pulumi_vault/ssh/_inputs.py +28 -28
  207. pulumi_vault/ssh/outputs.py +11 -28
  208. pulumi_vault/ssh/secret_backend_ca.py +108 -9
  209. pulumi_vault/ssh/secret_backend_role.py +85 -118
  210. pulumi_vault/terraformcloud/secret_backend.py +7 -54
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -20
  212. pulumi_vault/terraformcloud/secret_role.py +16 -74
  213. pulumi_vault/token.py +28 -23
  214. pulumi_vault/tokenauth/auth_backend_role.py +78 -199
  215. pulumi_vault/transform/alphabet.py +16 -9
  216. pulumi_vault/transform/get_decode.py +45 -17
  217. pulumi_vault/transform/get_encode.py +45 -17
  218. pulumi_vault/transform/role.py +16 -9
  219. pulumi_vault/transform/template.py +30 -21
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -21
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +27 -93
  224. pulumi_vault/transit/secret_cache_config.py +12 -7
  225. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
  from . import outputs
12
17
  from ._inputs import *
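Review bot: The `else:` branch makes `typing_extensions` a runtime import on Python older than 3.11, and nothing visible on this page shows that the wheel declares that dependency. The file list shows METADATA changed in this release, but its contents are not shown, so confirm it carries a line such as `Requires-Dist: typing-extensions; python_version < "3.11"`. Without it, importing this module in a clean environment on those interpreters fails at `from typing_extensions import NotRequired, TypedDict, TypeAlias`.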
@@ -22,11 +27,15 @@ class AuthBackendArgs:
22
27
  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
23
28
  description: Optional[pulumi.Input[str]] = None,
24
29
  disable_remount: Optional[pulumi.Input[bool]] = None,
30
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
31
+ identity_token_key: Optional[pulumi.Input[str]] = None,
32
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
25
33
  local: Optional[pulumi.Input[bool]] = None,
26
34
  namespace: Optional[pulumi.Input[str]] = None,
27
35
  path: Optional[pulumi.Input[str]] = None,
28
36
  private_key_id: Optional[pulumi.Input[str]] = None,
29
37
  project_id: Optional[pulumi.Input[str]] = None,
38
+ service_account_email: Optional[pulumi.Input[str]] = None,
30
39
  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
31
40
  """
32
41
  The set of arguments for constructing a AuthBackend resource.
@@ -43,14 +52,22 @@ class AuthBackendArgs:
43
52
  :param pulumi.Input[str] description: A description of the auth method.
44
53
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
45
54
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
55
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
56
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
57
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
58
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
59
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
60
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
46
61
  :param pulumi.Input[bool] local: Specifies if the auth method is local only.
47
62
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
48
63
  The value should not contain leading or trailing forward slashes.
49
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
64
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
50
65
  *Available only for Vault Enterprise*.
51
66
  :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
52
67
  :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
53
68
  :param pulumi.Input[str] project_id: The GCP Project ID
69
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
70
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
54
71
  :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
55
72
 
56
73
  The `tune` block is used to tune the auth backend:
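Review bot: The new `identity_token_ttl` entry says only "The TTL of generated tokens." and gives no unit, which matters for a value that bounds how long a plugin identity token stays valid. The usage example later in this file passes `identity_token_ttl=1800`, so the unit is presumably seconds; once that is confirmed against the upstream provider documentation I would write `:param pulumi.Input[int] identity_token_ttl: The TTL of generated plugin identity tokens, in seconds.` The same wording recurs in the `_AuthBackendState` and `AuthBackend` docstrings and in both `identity_token_ttl` property getters, and should be changed together. The docstring starts and ends outside this hunk.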
@@ -67,6 +84,12 @@ class AuthBackendArgs:
67
84
  pulumi.set(__self__, "description", description)
68
85
  if disable_remount is not None:
69
86
  pulumi.set(__self__, "disable_remount", disable_remount)
87
+ if identity_token_audience is not None:
88
+ pulumi.set(__self__, "identity_token_audience", identity_token_audience)
89
+ if identity_token_key is not None:
90
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
91
+ if identity_token_ttl is not None:
92
+ pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
70
93
  if local is not None:
71
94
  pulumi.set(__self__, "local", local)
72
95
  if namespace is not None:
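Review bot: The three added `if ... is not None` guards store the identity-token inputs without checking the constraints the docstring states: `identity_token_audience` is "Mutually exclusive with `credentials`", and `service_account_email` (set in the next hunk) is "Required with `identity_token_audience`". As far as these hunks show, a configuration that keeps a long-lived `credentials` JSON alongside the workload-identity fields is accepted here and would be rejected, if at all, only by the provider or Vault at deploy time. Because the inputs may still be unresolved when the object is built, a hard check may not be possible in this constructor, so I would at least add `# NOTE: exclusivity with credentials is not validated here; confirm the provider enforces it.` above the new guards. `__init__` begins and ends outside this hunk, and `_AuthBackendState.__init__` follows the same pattern.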
@@ -77,6 +100,8 @@ class AuthBackendArgs:
77
100
  pulumi.set(__self__, "private_key_id", private_key_id)
78
101
  if project_id is not None:
79
102
  pulumi.set(__self__, "project_id", project_id)
103
+ if service_account_email is not None:
104
+ pulumi.set(__self__, "service_account_email", service_account_email)
80
105
  if tune is not None:
81
106
  pulumi.set(__self__, "tune", tune)
82
107
 
@@ -159,6 +184,45 @@ class AuthBackendArgs:
159
184
  def disable_remount(self, value: Optional[pulumi.Input[bool]]):
160
185
  pulumi.set(self, "disable_remount", value)
161
186
 
187
+ @property
188
+ @pulumi.getter(name="identityTokenAudience")
189
+ def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
190
+ """
191
+ The audience claim value for plugin identity
192
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
193
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
194
+ """
195
+ return pulumi.get(self, "identity_token_audience")
196
+
197
+ @identity_token_audience.setter
198
+ def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
199
+ pulumi.set(self, "identity_token_audience", value)
200
+
201
+ @property
202
+ @pulumi.getter(name="identityTokenKey")
203
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
204
+ """
205
+ The key to use for signing plugin identity
206
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
207
+ """
208
+ return pulumi.get(self, "identity_token_key")
209
+
210
+ @identity_token_key.setter
211
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
212
+ pulumi.set(self, "identity_token_key", value)
213
+
214
+ @property
215
+ @pulumi.getter(name="identityTokenTtl")
216
+ def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
217
+ """
218
+ The TTL of generated tokens.
219
+ """
220
+ return pulumi.get(self, "identity_token_ttl")
221
+
222
+ @identity_token_ttl.setter
223
+ def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
224
+ pulumi.set(self, "identity_token_ttl", value)
225
+
162
226
  @property
163
227
  @pulumi.getter
164
228
  def local(self) -> Optional[pulumi.Input[bool]]:
@@ -177,7 +241,7 @@ class AuthBackendArgs:
177
241
  """
178
242
  The namespace to provision the resource in.
179
243
  The value should not contain leading or trailing forward slashes.
180
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
244
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
181
245
  *Available only for Vault Enterprise*.
182
246
  """
183
247
  return pulumi.get(self, "namespace")
@@ -222,6 +286,19 @@ class AuthBackendArgs:
222
286
  def project_id(self, value: Optional[pulumi.Input[str]]):
223
287
  pulumi.set(self, "project_id", value)
224
288
 
289
+ @property
290
+ @pulumi.getter(name="serviceAccountEmail")
291
+ def service_account_email(self) -> Optional[pulumi.Input[str]]:
292
+ """
293
+ Service Account to impersonate for plugin workload identity federation.
294
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
295
+ """
296
+ return pulumi.get(self, "service_account_email")
297
+
298
+ @service_account_email.setter
299
+ def service_account_email(self, value: Optional[pulumi.Input[str]]):
300
+ pulumi.set(self, "service_account_email", value)
301
+
225
302
  @property
226
303
  @pulumi.getter
227
304
  def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
@@ -247,11 +324,15 @@ class _AuthBackendState:
247
324
  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
248
325
  description: Optional[pulumi.Input[str]] = None,
249
326
  disable_remount: Optional[pulumi.Input[bool]] = None,
327
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
328
+ identity_token_key: Optional[pulumi.Input[str]] = None,
329
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
250
330
  local: Optional[pulumi.Input[bool]] = None,
251
331
  namespace: Optional[pulumi.Input[str]] = None,
252
332
  path: Optional[pulumi.Input[str]] = None,
253
333
  private_key_id: Optional[pulumi.Input[str]] = None,
254
334
  project_id: Optional[pulumi.Input[str]] = None,
335
+ service_account_email: Optional[pulumi.Input[str]] = None,
255
336
  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
256
337
  """
257
338
  Input properties used for looking up and filtering AuthBackend resources.
@@ -269,14 +350,22 @@ class _AuthBackendState:
269
350
  :param pulumi.Input[str] description: A description of the auth method.
270
351
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
271
352
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
353
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
354
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
355
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
356
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
357
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
358
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
272
359
  :param pulumi.Input[bool] local: Specifies if the auth method is local only.
273
360
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
274
361
  The value should not contain leading or trailing forward slashes.
275
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
362
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
276
363
  *Available only for Vault Enterprise*.
277
364
  :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
278
365
  :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
279
366
  :param pulumi.Input[str] project_id: The GCP Project ID
367
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
368
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
280
369
  :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
281
370
 
282
371
  The `tune` block is used to tune the auth backend:
@@ -295,6 +384,12 @@ class _AuthBackendState:
295
384
  pulumi.set(__self__, "description", description)
296
385
  if disable_remount is not None:
297
386
  pulumi.set(__self__, "disable_remount", disable_remount)
387
+ if identity_token_audience is not None:
388
+ pulumi.set(__self__, "identity_token_audience", identity_token_audience)
389
+ if identity_token_key is not None:
390
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
391
+ if identity_token_ttl is not None:
392
+ pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
298
393
  if local is not None:
299
394
  pulumi.set(__self__, "local", local)
300
395
  if namespace is not None:
@@ -305,6 +400,8 @@ class _AuthBackendState:
305
400
  pulumi.set(__self__, "private_key_id", private_key_id)
306
401
  if project_id is not None:
307
402
  pulumi.set(__self__, "project_id", project_id)
403
+ if service_account_email is not None:
404
+ pulumi.set(__self__, "service_account_email", service_account_email)
308
405
  if tune is not None:
309
406
  pulumi.set(__self__, "tune", tune)
310
407
 
@@ -399,6 +496,45 @@ class _AuthBackendState:
399
496
  def disable_remount(self, value: Optional[pulumi.Input[bool]]):
400
497
  pulumi.set(self, "disable_remount", value)
401
498
 
499
+ @property
500
+ @pulumi.getter(name="identityTokenAudience")
501
+ def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
502
+ """
503
+ The audience claim value for plugin identity
504
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
505
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
506
+ """
507
+ return pulumi.get(self, "identity_token_audience")
508
+
509
+ @identity_token_audience.setter
510
+ def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
511
+ pulumi.set(self, "identity_token_audience", value)
512
+
513
+ @property
514
+ @pulumi.getter(name="identityTokenKey")
515
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
516
+ """
517
+ The key to use for signing plugin identity
518
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
519
+ """
520
+ return pulumi.get(self, "identity_token_key")
521
+
522
+ @identity_token_key.setter
523
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
524
+ pulumi.set(self, "identity_token_key", value)
525
+
526
+ @property
527
+ @pulumi.getter(name="identityTokenTtl")
528
+ def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
529
+ """
530
+ The TTL of generated tokens.
531
+ """
532
+ return pulumi.get(self, "identity_token_ttl")
533
+
534
+ @identity_token_ttl.setter
535
+ def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
536
+ pulumi.set(self, "identity_token_ttl", value)
537
+
402
538
  @property
403
539
  @pulumi.getter
404
540
  def local(self) -> Optional[pulumi.Input[bool]]:
@@ -417,7 +553,7 @@ class _AuthBackendState:
417
553
  """
418
554
  The namespace to provision the resource in.
419
555
  The value should not contain leading or trailing forward slashes.
420
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
556
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
421
557
  *Available only for Vault Enterprise*.
422
558
  """
423
559
  return pulumi.get(self, "namespace")
@@ -462,6 +598,19 @@ class _AuthBackendState:
462
598
  def project_id(self, value: Optional[pulumi.Input[str]]):
463
599
  pulumi.set(self, "project_id", value)
464
600
 
601
+ @property
602
+ @pulumi.getter(name="serviceAccountEmail")
603
+ def service_account_email(self) -> Optional[pulumi.Input[str]]:
604
+ """
605
+ Service Account to impersonate for plugin workload identity federation.
606
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
607
+ """
608
+ return pulumi.get(self, "service_account_email")
609
+
610
+ @service_account_email.setter
611
+ def service_account_email(self, value: Optional[pulumi.Input[str]]):
612
+ pulumi.set(self, "service_account_email", value)
613
+
465
614
  @property
466
615
  @pulumi.getter
467
616
  def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
@@ -485,33 +634,35 @@ class AuthBackend(pulumi.CustomResource):
485
634
  client_email: Optional[pulumi.Input[str]] = None,
486
635
  client_id: Optional[pulumi.Input[str]] = None,
487
636
  credentials: Optional[pulumi.Input[str]] = None,
488
- custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
637
+ custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
489
638
  description: Optional[pulumi.Input[str]] = None,
490
639
  disable_remount: Optional[pulumi.Input[bool]] = None,
640
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
641
+ identity_token_key: Optional[pulumi.Input[str]] = None,
642
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
491
643
  local: Optional[pulumi.Input[bool]] = None,
492
644
  namespace: Optional[pulumi.Input[str]] = None,
493
645
  path: Optional[pulumi.Input[str]] = None,
494
646
  private_key_id: Optional[pulumi.Input[str]] = None,
495
647
  project_id: Optional[pulumi.Input[str]] = None,
496
- tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None,
648
+ service_account_email: Optional[pulumi.Input[str]] = None,
649
+ tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
497
650
  __props__=None):
498
651
  """
499
652
  Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).
500
653
 
501
654
  ## Example Usage
502
655
 
656
+ You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
503
657
  ```python
504
658
  import pulumi
505
659
  import pulumi_vault as vault
506
660
 
507
661
  gcp = vault.gcp.AuthBackend("gcp",
508
- credentials=(lambda path: open(path).read())("vault-gcp-credentials.json"),
509
- custom_endpoint=vault.gcp.AuthBackendCustomEndpointArgs(
510
- api="www.googleapis.com",
511
- iam="iam.googleapis.com",
512
- crm="cloudresourcemanager.googleapis.com",
513
- compute="compute.googleapis.com",
514
- ))
662
+ identity_token_key="example-key",
663
+ identity_token_ttl=1800,
664
+ identity_token_audience="<TOKEN_AUDIENCE>",
665
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>")
515
666
  ```
516
667
 
517
668
  ## Import
@@ -519,7 +670,7 @@ class AuthBackend(pulumi.CustomResource):
519
670
  GCP authentication backends can be imported using the backend name, e.g.
520
671
 
521
672
  ```sh
522
- $ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp
673
+ $ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp
523
674
  ```
524
675
 
525
676
  :param str resource_name: The name of the resource.
@@ -527,7 +678,7 @@ class AuthBackend(pulumi.CustomResource):
527
678
  :param pulumi.Input[str] client_email: The clients email associated with the credentials
528
679
  :param pulumi.Input[str] client_id: The Client ID of the credentials
529
680
  :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
530
- :param pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']] custom_endpoint: Specifies overrides to
681
+ :param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
531
682
  [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
532
683
  used when making API requests. This allows specific requests made during authentication
533
684
  to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
@@ -537,15 +688,23 @@ class AuthBackend(pulumi.CustomResource):
537
688
  :param pulumi.Input[str] description: A description of the auth method.
538
689
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
539
690
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
691
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
692
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
693
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
694
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
695
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
696
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
540
697
  :param pulumi.Input[bool] local: Specifies if the auth method is local only.
541
698
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
542
699
  The value should not contain leading or trailing forward slashes.
543
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
700
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
544
701
  *Available only for Vault Enterprise*.
545
702
  :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
546
703
  :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
547
704
  :param pulumi.Input[str] project_id: The GCP Project ID
548
- :param pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']] tune: Extra configuration block. Structure is documented below.
705
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
706
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
707
+ :param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
549
708
 
550
709
  The `tune` block is used to tune the auth backend:
551
710
  """
@@ -560,18 +719,16 @@ class AuthBackend(pulumi.CustomResource):
560
719
 
561
720
  ## Example Usage
562
721
 
722
+ You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
563
723
  ```python
564
724
  import pulumi
565
725
  import pulumi_vault as vault
566
726
 
567
727
  gcp = vault.gcp.AuthBackend("gcp",
568
- credentials=(lambda path: open(path).read())("vault-gcp-credentials.json"),
569
- custom_endpoint=vault.gcp.AuthBackendCustomEndpointArgs(
570
- api="www.googleapis.com",
571
- iam="iam.googleapis.com",
572
- crm="cloudresourcemanager.googleapis.com",
573
- compute="compute.googleapis.com",
574
- ))
728
+ identity_token_key="example-key",
729
+ identity_token_ttl=1800,
730
+ identity_token_audience="<TOKEN_AUDIENCE>",
731
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>")
575
732
  ```
576
733
 
577
734
  ## Import
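Review bot: The rewritten example in this docstring no longer shows `custom_endpoint` at all, so the parameter that the docstring spends the most text on has no usage sample left. The new introductory sentence also has a wording slip ("You can setup"); `You can set up the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:` reads correctly. Since the `:param` text says `identity_token_audience` is mutually exclusive with `credentials` and requires Vault 1.17+ Enterprise, a short line above the snippet such as `Requires Vault Enterprise 1.17+; leave credentials unset when using WIF.` would save readers a failed deployment. The identical example in the earlier docstring hunk needs the same change.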
@@ -579,7 +736,7 @@ class AuthBackend(pulumi.CustomResource):
579
736
  GCP authentication backends can be imported using the backend name, e.g.
580
737
 
581
738
  ```sh
582
- $ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp
739
+ $ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp
583
740
  ```
584
741
 
585
742
  :param str resource_name: The name of the resource.
@@ -600,15 +757,19 @@ class AuthBackend(pulumi.CustomResource):
600
757
  client_email: Optional[pulumi.Input[str]] = None,
601
758
  client_id: Optional[pulumi.Input[str]] = None,
602
759
  credentials: Optional[pulumi.Input[str]] = None,
603
- custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
760
+ custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
604
761
  description: Optional[pulumi.Input[str]] = None,
605
762
  disable_remount: Optional[pulumi.Input[bool]] = None,
763
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
764
+ identity_token_key: Optional[pulumi.Input[str]] = None,
765
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
606
766
  local: Optional[pulumi.Input[bool]] = None,
607
767
  namespace: Optional[pulumi.Input[str]] = None,
608
768
  path: Optional[pulumi.Input[str]] = None,
609
769
  private_key_id: Optional[pulumi.Input[str]] = None,
610
770
  project_id: Optional[pulumi.Input[str]] = None,
611
- tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None,
771
+ service_account_email: Optional[pulumi.Input[str]] = None,
772
+ tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
612
773
  __props__=None):
613
774
  opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
614
775
  if not isinstance(opts, pulumi.ResourceOptions):
@@ -624,11 +785,15 @@ class AuthBackend(pulumi.CustomResource):
624
785
  __props__.__dict__["custom_endpoint"] = custom_endpoint
625
786
  __props__.__dict__["description"] = description
626
787
  __props__.__dict__["disable_remount"] = disable_remount
788
+ __props__.__dict__["identity_token_audience"] = identity_token_audience
789
+ __props__.__dict__["identity_token_key"] = identity_token_key
790
+ __props__.__dict__["identity_token_ttl"] = identity_token_ttl
627
791
  __props__.__dict__["local"] = local
628
792
  __props__.__dict__["namespace"] = namespace
629
793
  __props__.__dict__["path"] = path
630
794
  __props__.__dict__["private_key_id"] = private_key_id
631
795
  __props__.__dict__["project_id"] = project_id
796
+ __props__.__dict__["service_account_email"] = service_account_email
632
797
  __props__.__dict__["tune"] = tune
633
798
  __props__.__dict__["accessor"] = None
634
799
  secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
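Review bot: The new `identity_token_audience` and `service_account_email` inputs are copied into `__props__` with no check of the constraints their docstrings state, namely that `identity_token_audience` is mutually exclusive with `credentials` and that `service_account_email` is required with `identity_token_audience`. As far as this hunk shows, a program that sets both a static credentials JSON and the federation fields is rejected only later by the provider or by Vault, if at all. If this SDK layer is meant to validate, a guard before the assignments such as `if credentials is not None and identity_token_audience is not None: raise TypeError("'credentials' and 'identity_token_audience' are mutually exclusive")` fails fast; otherwise a comment stating that enforcement is left to the provider would make the intent clear. The enclosing constructor method starts and ends outside this hunk.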
@@ -647,15 +812,19 @@ class AuthBackend(pulumi.CustomResource):
647
812
  client_email: Optional[pulumi.Input[str]] = None,
648
813
  client_id: Optional[pulumi.Input[str]] = None,
649
814
  credentials: Optional[pulumi.Input[str]] = None,
650
- custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
815
+ custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
651
816
  description: Optional[pulumi.Input[str]] = None,
652
817
  disable_remount: Optional[pulumi.Input[bool]] = None,
818
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
819
+ identity_token_key: Optional[pulumi.Input[str]] = None,
820
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
653
821
  local: Optional[pulumi.Input[bool]] = None,
654
822
  namespace: Optional[pulumi.Input[str]] = None,
655
823
  path: Optional[pulumi.Input[str]] = None,
656
824
  private_key_id: Optional[pulumi.Input[str]] = None,
657
825
  project_id: Optional[pulumi.Input[str]] = None,
658
- tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None) -> 'AuthBackend':
826
+ service_account_email: Optional[pulumi.Input[str]] = None,
827
+ tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None) -> 'AuthBackend':
659
828
  """
660
829
  Get an existing AuthBackend resource's state with the given name, id, and optional extra
661
830
  properties used to qualify the lookup.
@@ -667,7 +836,7 @@ class AuthBackend(pulumi.CustomResource):
667
836
  :param pulumi.Input[str] client_email: The clients email associated with the credentials
668
837
  :param pulumi.Input[str] client_id: The Client ID of the credentials
669
838
  :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
670
- :param pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']] custom_endpoint: Specifies overrides to
839
+ :param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
671
840
  [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
672
841
  used when making API requests. This allows specific requests made during authentication
673
842
  to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
@@ -677,15 +846,23 @@ class AuthBackend(pulumi.CustomResource):
677
846
  :param pulumi.Input[str] description: A description of the auth method.
678
847
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
679
848
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
849
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
850
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
851
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
852
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
853
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
854
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
680
855
  :param pulumi.Input[bool] local: Specifies if the auth method is local only.
681
856
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
682
857
  The value should not contain leading or trailing forward slashes.
683
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
858
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
684
859
  *Available only for Vault Enterprise*.
685
860
  :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
686
861
  :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
687
862
  :param pulumi.Input[str] project_id: The GCP Project ID
688
- :param pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']] tune: Extra configuration block. Structure is documented below.
863
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
864
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
865
+ :param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
689
866
 
690
867
  The `tune` block is used to tune the auth backend:
691
868
  """
@@ -700,11 +877,15 @@ class AuthBackend(pulumi.CustomResource):
700
877
  __props__.__dict__["custom_endpoint"] = custom_endpoint
701
878
  __props__.__dict__["description"] = description
702
879
  __props__.__dict__["disable_remount"] = disable_remount
880
+ __props__.__dict__["identity_token_audience"] = identity_token_audience
881
+ __props__.__dict__["identity_token_key"] = identity_token_key
882
+ __props__.__dict__["identity_token_ttl"] = identity_token_ttl
703
883
  __props__.__dict__["local"] = local
704
884
  __props__.__dict__["namespace"] = namespace
705
885
  __props__.__dict__["path"] = path
706
886
  __props__.__dict__["private_key_id"] = private_key_id
707
887
  __props__.__dict__["project_id"] = project_id
888
+ __props__.__dict__["service_account_email"] = service_account_email
708
889
  __props__.__dict__["tune"] = tune
709
890
  return AuthBackend(resource_name, opts=opts, __props__=__props__)
710
891
 
@@ -771,6 +952,33 @@ class AuthBackend(pulumi.CustomResource):
771
952
  """
772
953
  return pulumi.get(self, "disable_remount")
773
954
 
955
+ @property
956
+ @pulumi.getter(name="identityTokenAudience")
957
+ def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
958
+ """
959
+ The audience claim value for plugin identity
960
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
961
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
962
+ """
963
+ return pulumi.get(self, "identity_token_audience")
964
+
965
+ @property
966
+ @pulumi.getter(name="identityTokenKey")
967
+ def identity_token_key(self) -> pulumi.Output[Optional[str]]:
968
+ """
969
+ The key to use for signing plugin identity
970
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
971
+ """
972
+ return pulumi.get(self, "identity_token_key")
973
+
974
+ @property
975
+ @pulumi.getter(name="identityTokenTtl")
976
+ def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
977
+ """
978
+ The TTL of generated tokens.
979
+ """
980
+ return pulumi.get(self, "identity_token_ttl")
981
+
774
982
  @property
775
983
  @pulumi.getter
776
984
  def local(self) -> pulumi.Output[Optional[bool]]:
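Review bot: The docstring on the new `identity_token_key` getter, 'The key to use for signing plugin identity tokens', does not say whether the value is a key name or key material. Only `credentials` is listed in `additional_secret_outputs` in the constructor hunk, so this value is presumably stored as an ordinary, non-secret output, and the text should make clear that a key name is expected, e.g. `The name of the key used to sign plugin identity tokens.` (confirm against the Vault API). `identity_token_ttl` likewise gives no unit and, unlike its siblings, no Vault version or Enterprise note; the example's `1800` suggests seconds, so `The TTL of generated tokens, in seconds.` would remove the guess. The same two descriptions appear in the `:param` lists of the constructor and `get` docstrings in the earlier hunks.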
@@ -785,7 +993,7 @@ class AuthBackend(pulumi.CustomResource):
785
993
  """
786
994
  The namespace to provision the resource in.
787
995
  The value should not contain leading or trailing forward slashes.
788
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
996
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
789
997
  *Available only for Vault Enterprise*.
790
998
  """
791
999
  return pulumi.get(self, "namespace")
@@ -814,6 +1022,15 @@ class AuthBackend(pulumi.CustomResource):
814
1022
  """
815
1023
  return pulumi.get(self, "project_id")
816
1024
 
1025
+ @property
1026
+ @pulumi.getter(name="serviceAccountEmail")
1027
+ def service_account_email(self) -> pulumi.Output[Optional[str]]:
1028
+ """
1029
+ Service Account to impersonate for plugin workload identity federation.
1030
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
1031
+ """
1032
+ return pulumi.get(self, "service_account_email")
1033
+
817
1034
  @property
818
1035
  @pulumi.getter
819
1036
  def tune(self) -> pulumi.Output['outputs.AuthBackendTune']: