pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

Files changed (229) hide show
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +26 -9
  5. pulumi_vault/ad/secret_backend.py +16 -142
  6. pulumi_vault/ad/secret_library.py +16 -9
  7. pulumi_vault/ad/secret_role.py +14 -9
  8. pulumi_vault/alicloud/auth_backend_role.py +76 -190
  9. pulumi_vault/approle/auth_backend_login.py +12 -7
  10. pulumi_vault/approle/auth_backend_role.py +77 -191
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
  13. pulumi_vault/audit.py +30 -21
  14. pulumi_vault/audit_request_header.py +11 -2
  15. pulumi_vault/auth_backend.py +66 -14
  16. pulumi_vault/aws/auth_backend_cert.py +18 -9
  17. pulumi_vault/aws/auth_backend_client.py +267 -22
  18. pulumi_vault/aws/auth_backend_config_identity.py +14 -9
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +77 -191
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
  24. pulumi_vault/aws/auth_backend_sts_role.py +14 -9
  25. pulumi_vault/aws/get_access_credentials.py +38 -9
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +77 -9
  28. pulumi_vault/aws/secret_backend_role.py +185 -9
  29. pulumi_vault/aws/secret_backend_static_role.py +20 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +153 -15
  32. pulumi_vault/azure/auth_backend_role.py +77 -191
  33. pulumi_vault/azure/backend.py +227 -21
  34. pulumi_vault/azure/backend_role.py +42 -37
  35. pulumi_vault/azure/get_access_credentials.py +41 -7
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -267
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +28 -19
  44. pulumi_vault/consul/secret_backend_role.py +18 -78
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +119 -112
  48. pulumi_vault/database/secret_backend_role.py +31 -22
  49. pulumi_vault/database/secret_backend_static_role.py +87 -13
  50. pulumi_vault/database/secrets_mount.py +427 -136
  51. pulumi_vault/egp_policy.py +16 -11
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +250 -33
  54. pulumi_vault/gcp/auth_backend_role.py +77 -269
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -5
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -12
  58. pulumi_vault/gcp/secret_impersonated_account.py +76 -15
  59. pulumi_vault/gcp/secret_roleset.py +31 -24
  60. pulumi_vault/gcp/secret_static_account.py +39 -32
  61. pulumi_vault/generic/endpoint.py +24 -17
  62. pulumi_vault/generic/get_secret.py +64 -8
  63. pulumi_vault/generic/secret.py +21 -16
  64. pulumi_vault/get_auth_backend.py +24 -7
  65. pulumi_vault/get_auth_backends.py +51 -9
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -11
  69. pulumi_vault/get_policy_document.py +34 -19
  70. pulumi_vault/get_raft_autopilot_state.py +29 -10
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +19 -14
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +16 -11
  75. pulumi_vault/github/user.py +16 -11
  76. pulumi_vault/identity/entity.py +20 -13
  77. pulumi_vault/identity/entity_alias.py +20 -13
  78. pulumi_vault/identity/entity_policies.py +28 -11
  79. pulumi_vault/identity/get_entity.py +42 -10
  80. pulumi_vault/identity/get_group.py +47 -9
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -7
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -9
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -10
  84. pulumi_vault/identity/group.py +58 -39
  85. pulumi_vault/identity/group_alias.py +16 -9
  86. pulumi_vault/identity/group_member_entity_ids.py +28 -66
  87. pulumi_vault/identity/group_member_group_ids.py +40 -19
  88. pulumi_vault/identity/group_policies.py +20 -7
  89. pulumi_vault/identity/mfa_duo.py +11 -6
  90. pulumi_vault/identity/mfa_login_enforcement.py +15 -6
  91. pulumi_vault/identity/mfa_okta.py +11 -6
  92. pulumi_vault/identity/mfa_pingid.py +7 -2
  93. pulumi_vault/identity/mfa_totp.py +7 -2
  94. pulumi_vault/identity/oidc.py +12 -7
  95. pulumi_vault/identity/oidc_assignment.py +24 -11
  96. pulumi_vault/identity/oidc_client.py +36 -23
  97. pulumi_vault/identity/oidc_key.py +30 -17
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
  99. pulumi_vault/identity/oidc_provider.py +36 -21
  100. pulumi_vault/identity/oidc_role.py +42 -21
  101. pulumi_vault/identity/oidc_scope.py +20 -13
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +45 -40
  105. pulumi_vault/jwt/auth_backend_role.py +133 -254
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +24 -19
  108. pulumi_vault/kmip/secret_role.py +14 -9
  109. pulumi_vault/kmip/secret_scope.py +14 -9
  110. pulumi_vault/kubernetes/auth_backend_config.py +57 -5
  111. pulumi_vault/kubernetes/auth_backend_role.py +70 -177
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -11
  115. pulumi_vault/kubernetes/secret_backend.py +316 -27
  116. pulumi_vault/kubernetes/secret_backend_role.py +137 -46
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +25 -8
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
  120. pulumi_vault/kv/get_secret_v2.py +85 -9
  121. pulumi_vault/kv/get_secrets_list.py +24 -11
  122. pulumi_vault/kv/get_secrets_list_v2.py +37 -15
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +23 -16
  125. pulumi_vault/kv/secret_backend_v2.py +20 -11
  126. pulumi_vault/kv/secret_v2.py +59 -50
  127. pulumi_vault/ldap/auth_backend.py +127 -166
  128. pulumi_vault/ldap/auth_backend_group.py +14 -9
  129. pulumi_vault/ldap/auth_backend_user.py +14 -9
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +354 -82
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +16 -9
  135. pulumi_vault/ldap/secret_backend_static_role.py +73 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +29 -57
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +18 -11
  140. pulumi_vault/mfa_okta.py +18 -11
  141. pulumi_vault/mfa_pingid.py +18 -11
  142. pulumi_vault/mfa_totp.py +24 -17
  143. pulumi_vault/mongodbatlas/secret_backend.py +20 -15
  144. pulumi_vault/mongodbatlas/secret_role.py +47 -38
  145. pulumi_vault/mount.py +391 -51
  146. pulumi_vault/namespace.py +68 -83
  147. pulumi_vault/nomad_secret_backend.py +18 -13
  148. pulumi_vault/nomad_secret_role.py +14 -9
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +485 -39
  151. pulumi_vault/okta/auth_backend_group.py +14 -9
  152. pulumi_vault/okta/auth_backend_user.py +14 -9
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +20 -13
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -9
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -8
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
  174. pulumi_vault/pkisecret/secret_backend_key.py +14 -9
  175. pulumi_vault/pkisecret/secret_backend_role.py +21 -14
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +14 -9
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +60 -6
  185. pulumi_vault/quota_rate_limit.py +56 -2
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +18 -13
  189. pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
  190. pulumi_vault/raft_autopilot.py +14 -9
  191. pulumi_vault/raft_snapshot_agent_config.py +129 -224
  192. pulumi_vault/rgp_policy.py +14 -9
  193. pulumi_vault/saml/auth_backend.py +22 -17
  194. pulumi_vault/saml/auth_backend_role.py +92 -197
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -71
  199. pulumi_vault/secrets/sync_aws_destination.py +242 -27
  200. pulumi_vault/secrets/sync_azure_destination.py +92 -31
  201. pulumi_vault/secrets/sync_config.py +9 -4
  202. pulumi_vault/secrets/sync_gcp_destination.py +158 -25
  203. pulumi_vault/secrets/sync_gh_destination.py +189 -13
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +74 -13
  206. pulumi_vault/ssh/_inputs.py +28 -28
  207. pulumi_vault/ssh/outputs.py +11 -28
  208. pulumi_vault/ssh/secret_backend_ca.py +108 -9
  209. pulumi_vault/ssh/secret_backend_role.py +85 -118
  210. pulumi_vault/terraformcloud/secret_backend.py +7 -54
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -20
  212. pulumi_vault/terraformcloud/secret_role.py +16 -74
  213. pulumi_vault/token.py +28 -23
  214. pulumi_vault/tokenauth/auth_backend_role.py +78 -199
  215. pulumi_vault/transform/alphabet.py +16 -9
  216. pulumi_vault/transform/get_decode.py +45 -17
  217. pulumi_vault/transform/get_encode.py +45 -17
  218. pulumi_vault/transform/role.py +16 -9
  219. pulumi_vault/transform/template.py +30 -21
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -21
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +27 -93
  224. pulumi_vault/transit/secret_cache_config.py +12 -7
  225. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
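--- a/pulumi_vault/gcp/get_auth_backend_role.py
+++ b/pulumi_vault/gcp/get_auth_backend_role.py
@@ -4,9 +4,14 @@
 
  import copy
  import warnings
+ import sys
  import pulumi
  import pulumi.runtime
  from typing import Any, Mapping, Optional, Sequence, Union, overload
+ if sys.version_info >= (3, 11):
+ from typing import NotRequired, TypedDict, TypeAlias
+ else:
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
  from .. import _utilities
 
  __all__ = [
@@ -393,9 +398,6 @@ def get_auth_backend_role(backend: Optional[str] = None,
  token_ttl=pulumi.get(__ret__, 'token_ttl'),
  token_type=pulumi.get(__ret__, 'token_type'),
  type=pulumi.get(__ret__, 'type'))
-
-
- @_utilities.lift_output_func(get_auth_backend_role)
  def get_auth_backend_role_output(backend: Optional[pulumi.Input[Optional[str]]] = None,
  namespace: Optional[pulumi.Input[Optional[str]]] = None,
  role_name: Optional[pulumi.Input[str]] = None,
@@ -408,7 +410,7 @@ def get_auth_backend_role_output(backend: Optional[pulumi.Input[Optional[str]]]
  token_policies: Optional[pulumi.Input[Optional[Sequence[str]]]] = None,
  token_ttl: Optional[pulumi.Input[Optional[int]]] = None,
  token_type: Optional[pulumi.Input[Optional[str]]] = None,
- opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetAuthBackendRoleResult]:
+ opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetAuthBackendRoleResult]:
  """
  Reads a GCP auth role from a Vault server.
 
@@ -458,4 +460,40 @@ def get_auth_backend_role_output(backend: Optional[pulumi.Input[Optional[str]]]
  `default-service` and `default-batch` which specify the type to return unless the client
  requests a different type at generation time.
  """
- ...
+ __args__ = dict()
+ __args__['backend'] = backend
+ __args__['namespace'] = namespace
+ __args__['roleName'] = role_name
+ __args__['tokenBoundCidrs'] = token_bound_cidrs
+ __args__['tokenExplicitMaxTtl'] = token_explicit_max_ttl
+ __args__['tokenMaxTtl'] = token_max_ttl
+ __args__['tokenNoDefaultPolicy'] = token_no_default_policy
+ __args__['tokenNumUses'] = token_num_uses
+ __args__['tokenPeriod'] = token_period
+ __args__['tokenPolicies'] = token_policies
+ __args__['tokenTtl'] = token_ttl
+ __args__['tokenType'] = token_type
+ opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
+ __ret__ = pulumi.runtime.invoke_output('vault:gcp/getAuthBackendRole:getAuthBackendRole', __args__, opts=opts, typ=GetAuthBackendRoleResult)
+ return __ret__.apply(lambda __response__: GetAuthBackendRoleResult(
+ backend=pulumi.get(__response__, 'backend'),
+ bound_instance_groups=pulumi.get(__response__, 'bound_instance_groups'),
+ bound_labels=pulumi.get(__response__, 'bound_labels'),
+ bound_projects=pulumi.get(__response__, 'bound_projects'),
+ bound_regions=pulumi.get(__response__, 'bound_regions'),
+ bound_service_accounts=pulumi.get(__response__, 'bound_service_accounts'),
+ bound_zones=pulumi.get(__response__, 'bound_zones'),
+ id=pulumi.get(__response__, 'id'),
+ namespace=pulumi.get(__response__, 'namespace'),
+ role_id=pulumi.get(__response__, 'role_id'),
+ role_name=pulumi.get(__response__, 'role_name'),
+ token_bound_cidrs=pulumi.get(__response__, 'token_bound_cidrs'),
+ token_explicit_max_ttl=pulumi.get(__response__, 'token_explicit_max_ttl'),
+ token_max_ttl=pulumi.get(__response__, 'token_max_ttl'),
+ token_no_default_policy=pulumi.get(__response__, 'token_no_default_policy'),
+ token_num_uses=pulumi.get(__response__, 'token_num_uses'),
+ token_period=pulumi.get(__response__, 'token_period'),
+ token_policies=pulumi.get(__response__, 'token_policies'),
+ token_ttl=pulumi.get(__response__, 'token_ttl'),
+ token_type=pulumi.get(__response__, 'token_type'),
+ type=pulumi.get(__response__, 'type')))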
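Review bot: `get_auth_backend_role_output` now depends on `pulumi.InvokeOutputOptions` (signature at new line 413, `merge` call at 476) and on `pulumi.runtime.invoke_output` (477), and nothing in the hunk guards against a `pulumi` core SDK that lacks them. Unless the module defers annotation evaluation, the `opts` annotation is resolved when the function is defined, so an older core SDK would presumably fail with `AttributeError` when this module is imported rather than when the function is called. The wheel's minimum `pulumi` requirement therefore has to rise in the same release; the METADATA change appears in the file list but is not shown here, so confirm it. The hand-marshalled `__args__` keys at 464-475 replace the removed `lift_output_func` wrapper and must stay identical to the keys used by `get_auth_backend_role`, whose body is outside the hunk; a comment such as `# keys must match get_auth_backend_role` above `__args__ = dict()` would record that.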
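--- a/pulumi_vault/gcp/outputs.py
+++ b/pulumi_vault/gcp/outputs.py
@@ -4,9 +4,14 @@
 
  import copy
  import warnings
+ import sys
  import pulumi
  import pulumi.runtime
  from typing import Any, Mapping, Optional, Sequence, Union, overload
+ if sys.version_info >= (3, 11):
+ from typing import NotRequired, TypedDict, TypeAlias
+ else:
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
  from .. import _utilities
 
  __all__ = [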
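Review bot: The `else` branch at new line 14 imports `typing_extensions`, which is not part of the standard library, so on Python below 3.11 this module fails at import unless the wheel declares that package as a dependency. The METADATA change in the file list is not shown here, so check that it adds a `typing_extensions` requirement, ideally with a `python_version < "3.11"` environment marker. The same block is added at the top of the preceding and following file sections. Nothing in this hunk shows where `NotRequired`, `TypedDict` or `TypeAlias` are used; if a module never references them, the conditional import is dead code that still widens the package's install-time dependency surface.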
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
 
12
17
  __all__ = ['SecretBackendArgs', 'SecretBackend']
@@ -18,10 +23,14 @@ class SecretBackendArgs:
18
23
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
19
24
  description: Optional[pulumi.Input[str]] = None,
20
25
  disable_remount: Optional[pulumi.Input[bool]] = None,
26
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
27
+ identity_token_key: Optional[pulumi.Input[str]] = None,
28
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
21
29
  local: Optional[pulumi.Input[bool]] = None,
22
30
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
23
31
  namespace: Optional[pulumi.Input[str]] = None,
24
- path: Optional[pulumi.Input[str]] = None):
32
+ path: Optional[pulumi.Input[str]] = None,
33
+ service_account_email: Optional[pulumi.Input[str]] = None):
25
34
  """
26
35
  The set of arguments for constructing a SecretBackend resource.
27
36
  :param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
@@ -30,15 +39,23 @@ class SecretBackendArgs:
30
39
  :param pulumi.Input[str] description: A human-friendly description for this backend.
31
40
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
32
41
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
42
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
43
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
44
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
45
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
46
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
47
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
33
48
  :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
34
49
  :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
35
50
  for credentials issued by this backend. Defaults to '0'.
36
51
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
37
52
  The value should not contain leading or trailing forward slashes.
38
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
53
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
39
54
  *Available only for Vault Enterprise*.
40
55
  :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
41
56
  not begin or end with a `/`. Defaults to `gcp`.
57
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
58
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
42
59
  """
43
60
  if credentials is not None:
44
61
  pulumi.set(__self__, "credentials", credentials)
@@ -48,6 +65,12 @@ class SecretBackendArgs:
48
65
  pulumi.set(__self__, "description", description)
49
66
  if disable_remount is not None:
50
67
  pulumi.set(__self__, "disable_remount", disable_remount)
68
+ if identity_token_audience is not None:
69
+ pulumi.set(__self__, "identity_token_audience", identity_token_audience)
70
+ if identity_token_key is not None:
71
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
72
+ if identity_token_ttl is not None:
73
+ pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
51
74
  if local is not None:
52
75
  pulumi.set(__self__, "local", local)
53
76
  if max_lease_ttl_seconds is not None:
@@ -56,6 +79,8 @@ class SecretBackendArgs:
56
79
  pulumi.set(__self__, "namespace", namespace)
57
80
  if path is not None:
58
81
  pulumi.set(__self__, "path", path)
82
+ if service_account_email is not None:
83
+ pulumi.set(__self__, "service_account_email", service_account_email)
59
84
 
60
85
  @property
61
86
  @pulumi.getter
@@ -107,6 +132,45 @@ class SecretBackendArgs:
107
132
  def disable_remount(self, value: Optional[pulumi.Input[bool]]):
108
133
  pulumi.set(self, "disable_remount", value)
109
134
 
135
+ @property
136
+ @pulumi.getter(name="identityTokenAudience")
137
+ def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
138
+ """
139
+ The audience claim value for plugin identity
140
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
141
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
142
+ """
143
+ return pulumi.get(self, "identity_token_audience")
144
+
145
+ @identity_token_audience.setter
146
+ def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
147
+ pulumi.set(self, "identity_token_audience", value)
148
+
149
+ @property
150
+ @pulumi.getter(name="identityTokenKey")
151
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
152
+ """
153
+ The key to use for signing plugin identity
154
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
155
+ """
156
+ return pulumi.get(self, "identity_token_key")
157
+
158
+ @identity_token_key.setter
159
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
160
+ pulumi.set(self, "identity_token_key", value)
161
+
162
+ @property
163
+ @pulumi.getter(name="identityTokenTtl")
164
+ def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
165
+ """
166
+ The TTL of generated tokens.
167
+ """
168
+ return pulumi.get(self, "identity_token_ttl")
169
+
170
+ @identity_token_ttl.setter
171
+ def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
172
+ pulumi.set(self, "identity_token_ttl", value)
173
+
110
174
  @property
111
175
  @pulumi.getter
112
176
  def local(self) -> Optional[pulumi.Input[bool]]:
@@ -138,7 +202,7 @@ class SecretBackendArgs:
138
202
  """
139
203
  The namespace to provision the resource in.
140
204
  The value should not contain leading or trailing forward slashes.
141
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
205
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
142
206
  *Available only for Vault Enterprise*.
143
207
  """
144
208
  return pulumi.get(self, "namespace")
@@ -160,36 +224,65 @@ class SecretBackendArgs:
160
224
  def path(self, value: Optional[pulumi.Input[str]]):
161
225
  pulumi.set(self, "path", value)
162
226
 
227
+ @property
228
+ @pulumi.getter(name="serviceAccountEmail")
229
+ def service_account_email(self) -> Optional[pulumi.Input[str]]:
230
+ """
231
+ Service Account to impersonate for plugin workload identity federation.
232
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
233
+ """
234
+ return pulumi.get(self, "service_account_email")
235
+
236
+ @service_account_email.setter
237
+ def service_account_email(self, value: Optional[pulumi.Input[str]]):
238
+ pulumi.set(self, "service_account_email", value)
239
+
163
240
 
164
241
  @pulumi.input_type
165
242
  class _SecretBackendState:
166
243
  def __init__(__self__, *,
244
+ accessor: Optional[pulumi.Input[str]] = None,
167
245
  credentials: Optional[pulumi.Input[str]] = None,
168
246
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
169
247
  description: Optional[pulumi.Input[str]] = None,
170
248
  disable_remount: Optional[pulumi.Input[bool]] = None,
249
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
250
+ identity_token_key: Optional[pulumi.Input[str]] = None,
251
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
171
252
  local: Optional[pulumi.Input[bool]] = None,
172
253
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
173
254
  namespace: Optional[pulumi.Input[str]] = None,
174
- path: Optional[pulumi.Input[str]] = None):
255
+ path: Optional[pulumi.Input[str]] = None,
256
+ service_account_email: Optional[pulumi.Input[str]] = None):
175
257
  """
176
258
  Input properties used for looking up and filtering SecretBackend resources.
259
+ :param pulumi.Input[str] accessor: The accessor of the created GCP mount.
177
260
  :param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
178
261
  :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
179
262
  issued by this backend. Defaults to '0'.
180
263
  :param pulumi.Input[str] description: A human-friendly description for this backend.
181
264
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
182
265
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
266
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
267
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
268
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
269
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
270
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
271
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
183
272
  :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
184
273
  :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
185
274
  for credentials issued by this backend. Defaults to '0'.
186
275
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
187
276
  The value should not contain leading or trailing forward slashes.
188
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
277
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
189
278
  *Available only for Vault Enterprise*.
190
279
  :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
191
280
  not begin or end with a `/`. Defaults to `gcp`.
281
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
282
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
192
283
  """
284
+ if accessor is not None:
285
+ pulumi.set(__self__, "accessor", accessor)
193
286
  if credentials is not None:
194
287
  pulumi.set(__self__, "credentials", credentials)
195
288
  if default_lease_ttl_seconds is not None:
@@ -198,6 +291,12 @@ class _SecretBackendState:
198
291
  pulumi.set(__self__, "description", description)
199
292
  if disable_remount is not None:
200
293
  pulumi.set(__self__, "disable_remount", disable_remount)
294
+ if identity_token_audience is not None:
295
+ pulumi.set(__self__, "identity_token_audience", identity_token_audience)
296
+ if identity_token_key is not None:
297
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
298
+ if identity_token_ttl is not None:
299
+ pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
201
300
  if local is not None:
202
301
  pulumi.set(__self__, "local", local)
203
302
  if max_lease_ttl_seconds is not None:
@@ -206,6 +305,20 @@ class _SecretBackendState:
206
305
  pulumi.set(__self__, "namespace", namespace)
207
306
  if path is not None:
208
307
  pulumi.set(__self__, "path", path)
308
+ if service_account_email is not None:
309
+ pulumi.set(__self__, "service_account_email", service_account_email)
310
+
311
+ @property
312
+ @pulumi.getter
313
+ def accessor(self) -> Optional[pulumi.Input[str]]:
314
+ """
315
+ The accessor of the created GCP mount.
316
+ """
317
+ return pulumi.get(self, "accessor")
318
+
319
+ @accessor.setter
320
+ def accessor(self, value: Optional[pulumi.Input[str]]):
321
+ pulumi.set(self, "accessor", value)
209
322
 
210
323
  @property
211
324
  @pulumi.getter
@@ -257,6 +370,45 @@ class _SecretBackendState:
257
370
  def disable_remount(self, value: Optional[pulumi.Input[bool]]):
258
371
  pulumi.set(self, "disable_remount", value)
259
372
 
373
+ @property
374
+ @pulumi.getter(name="identityTokenAudience")
375
+ def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
376
+ """
377
+ The audience claim value for plugin identity
378
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
379
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
380
+ """
381
+ return pulumi.get(self, "identity_token_audience")
382
+
383
+ @identity_token_audience.setter
384
+ def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
385
+ pulumi.set(self, "identity_token_audience", value)
386
+
387
+ @property
388
+ @pulumi.getter(name="identityTokenKey")
389
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
390
+ """
391
+ The key to use for signing plugin identity
392
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
393
+ """
394
+ return pulumi.get(self, "identity_token_key")
395
+
396
+ @identity_token_key.setter
397
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
398
+ pulumi.set(self, "identity_token_key", value)
399
+
400
+ @property
401
+ @pulumi.getter(name="identityTokenTtl")
402
+ def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
403
+ """
404
+ The TTL of generated tokens.
405
+ """
406
+ return pulumi.get(self, "identity_token_ttl")
407
+
408
+ @identity_token_ttl.setter
409
+ def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
410
+ pulumi.set(self, "identity_token_ttl", value)
411
+
260
412
  @property
261
413
  @pulumi.getter
262
414
  def local(self) -> Optional[pulumi.Input[bool]]:
@@ -288,7 +440,7 @@ class _SecretBackendState:
288
440
  """
289
441
  The namespace to provision the resource in.
290
442
  The value should not contain leading or trailing forward slashes.
291
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
443
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
292
444
  *Available only for Vault Enterprise*.
293
445
  """
294
446
  return pulumi.get(self, "namespace")
@@ -310,6 +462,19 @@ class _SecretBackendState:
310
462
  def path(self, value: Optional[pulumi.Input[str]]):
311
463
  pulumi.set(self, "path", value)
312
464
 
465
+ @property
466
+ @pulumi.getter(name="serviceAccountEmail")
467
+ def service_account_email(self) -> Optional[pulumi.Input[str]]:
468
+ """
469
+ Service Account to impersonate for plugin workload identity federation.
470
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
471
+ """
472
+ return pulumi.get(self, "service_account_email")
473
+
474
+ @service_account_email.setter
475
+ def service_account_email(self, value: Optional[pulumi.Input[str]]):
476
+ pulumi.set(self, "service_account_email", value)
477
+
313
478
 
314
479
  class SecretBackend(pulumi.CustomResource):
315
480
  @overload
@@ -320,19 +485,36 @@ class SecretBackend(pulumi.CustomResource):
320
485
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
321
486
  description: Optional[pulumi.Input[str]] = None,
322
487
  disable_remount: Optional[pulumi.Input[bool]] = None,
488
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
489
+ identity_token_key: Optional[pulumi.Input[str]] = None,
490
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
323
491
  local: Optional[pulumi.Input[bool]] = None,
324
492
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
325
493
  namespace: Optional[pulumi.Input[str]] = None,
326
494
  path: Optional[pulumi.Input[str]] = None,
495
+ service_account_email: Optional[pulumi.Input[str]] = None,
327
496
  __props__=None):
328
497
  """
329
498
  ## Example Usage
330
499
 
500
+ You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
501
+ ```python
502
+ import pulumi
503
+ import pulumi_vault as vault
504
+
505
+ gcp = vault.gcp.SecretBackend("gcp",
506
+ identity_token_key="example-key",
507
+ identity_token_ttl=1800,
508
+ identity_token_audience="<TOKEN_AUDIENCE>",
509
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>")
510
+ ```
511
+
331
512
  ```python
332
513
  import pulumi
514
+ import pulumi_std as std
333
515
  import pulumi_vault as vault
334
516
 
335
- gcp = vault.gcp.SecretBackend("gcp", credentials=(lambda path: open(path).read())("credentials.json"))
517
+ gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
336
518
  ```
337
519
 
338
520
  :param str resource_name: The name of the resource.
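Review bot: The second python fence in this docstring, the `credentials=std.file(input="credentials.json").result` example, has no introducing sentence. After the new WIF example it reads as a continuation of the same configuration, although `identity_token_audience` is documented on this page as mutually exclusive with `credentials`. I would add a line before it such as `Alternatively, configure the backend with a static service account key (mutually exclusive with the WIF settings above):` and change "You can setup" to "You can set up". The same docstring text is repeated in the hunk at `@@ -362,11 +552,24 @@`. The overload's signature and docstring start outside this hunk.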
@@ -343,15 +525,23 @@ class SecretBackend(pulumi.CustomResource):
343
525
  :param pulumi.Input[str] description: A human-friendly description for this backend.
344
526
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
345
527
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
528
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
529
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
530
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
531
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
532
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
533
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
346
534
  :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
347
535
  :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
348
536
  for credentials issued by this backend. Defaults to '0'.
349
537
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
350
538
  The value should not contain leading or trailing forward slashes.
351
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
539
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
352
540
  *Available only for Vault Enterprise*.
353
541
  :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
354
542
  not begin or end with a `/`. Defaults to `gcp`.
543
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
544
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
355
545
  """
356
546
  ...
357
547
  @overload
@@ -362,11 +552,24 @@ class SecretBackend(pulumi.CustomResource):
362
552
  """
363
553
  ## Example Usage
364
554
 
555
+ You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
556
+ ```python
557
+ import pulumi
558
+ import pulumi_vault as vault
559
+
560
+ gcp = vault.gcp.SecretBackend("gcp",
561
+ identity_token_key="example-key",
562
+ identity_token_ttl=1800,
563
+ identity_token_audience="<TOKEN_AUDIENCE>",
564
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>")
565
+ ```
566
+
365
567
  ```python
366
568
  import pulumi
569
+ import pulumi_std as std
367
570
  import pulumi_vault as vault
368
571
 
369
- gcp = vault.gcp.SecretBackend("gcp", credentials=(lambda path: open(path).read())("credentials.json"))
572
+ gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
370
573
  ```
371
574
 
372
575
  :param str resource_name: The name of the resource.
@@ -388,10 +591,14 @@ class SecretBackend(pulumi.CustomResource):
388
591
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
389
592
  description: Optional[pulumi.Input[str]] = None,
390
593
  disable_remount: Optional[pulumi.Input[bool]] = None,
594
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
595
+ identity_token_key: Optional[pulumi.Input[str]] = None,
596
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
391
597
  local: Optional[pulumi.Input[bool]] = None,
392
598
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
393
599
  namespace: Optional[pulumi.Input[str]] = None,
394
600
  path: Optional[pulumi.Input[str]] = None,
601
+ service_account_email: Optional[pulumi.Input[str]] = None,
395
602
  __props__=None):
396
603
  opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
397
604
  if not isinstance(opts, pulumi.ResourceOptions):
@@ -405,10 +612,15 @@ class SecretBackend(pulumi.CustomResource):
405
612
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
406
613
  __props__.__dict__["description"] = description
407
614
  __props__.__dict__["disable_remount"] = disable_remount
615
+ __props__.__dict__["identity_token_audience"] = identity_token_audience
616
+ __props__.__dict__["identity_token_key"] = identity_token_key
617
+ __props__.__dict__["identity_token_ttl"] = identity_token_ttl
408
618
  __props__.__dict__["local"] = local
409
619
  __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
410
620
  __props__.__dict__["namespace"] = namespace
411
621
  __props__.__dict__["path"] = path
622
+ __props__.__dict__["service_account_email"] = service_account_email
623
+ __props__.__dict__["accessor"] = None
412
624
  secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
413
625
  opts = pulumi.ResourceOptions.merge(opts, secret_opts)
414
626
  super(SecretBackend, __self__).__init__(
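Review bot: The new properties are copied into `__props__` without checking the constraints their docstrings state: `identity_token_audience` is documented as mutually exclusive with `credentials`, and `service_account_email` as required with `identity_token_audience`. Unless the provider rejects such input (not visible here), this constructor accepts a program that sets both a static key and the WIF fields, and the mistake surfaces only at deployment. A guard before the assignments, for example `if identity_token_audience is not None and credentials is not None: raise TypeError("'identity_token_audience' is mutually exclusive with 'credentials'")`, would catch it earlier. If this file is generated from the provider schema, the check belongs in the generator or the provider instead. The enclosing function starts and ends outside the hunk.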
@@ -421,14 +633,19 @@ class SecretBackend(pulumi.CustomResource):
421
633
  def get(resource_name: str,
422
634
  id: pulumi.Input[str],
423
635
  opts: Optional[pulumi.ResourceOptions] = None,
636
+ accessor: Optional[pulumi.Input[str]] = None,
424
637
  credentials: Optional[pulumi.Input[str]] = None,
425
638
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
426
639
  description: Optional[pulumi.Input[str]] = None,
427
640
  disable_remount: Optional[pulumi.Input[bool]] = None,
641
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
642
+ identity_token_key: Optional[pulumi.Input[str]] = None,
643
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
428
644
  local: Optional[pulumi.Input[bool]] = None,
429
645
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
430
646
  namespace: Optional[pulumi.Input[str]] = None,
431
- path: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
647
+ path: Optional[pulumi.Input[str]] = None,
648
+ service_account_email: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
432
649
  """
433
650
  Get an existing SecretBackend resource's state with the given name, id, and optional extra
434
651
  properties used to qualify the lookup.
@@ -436,36 +653,58 @@ class SecretBackend(pulumi.CustomResource):
436
653
  :param str resource_name: The unique name of the resulting resource.
437
654
  :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
438
655
  :param pulumi.ResourceOptions opts: Options for the resource.
656
+ :param pulumi.Input[str] accessor: The accessor of the created GCP mount.
439
657
  :param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
440
658
  :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
441
659
  issued by this backend. Defaults to '0'.
442
660
  :param pulumi.Input[str] description: A human-friendly description for this backend.
443
661
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
444
662
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
663
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
664
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
665
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
666
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
667
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
668
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
445
669
  :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
446
670
  :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
447
671
  for credentials issued by this backend. Defaults to '0'.
448
672
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
449
673
  The value should not contain leading or trailing forward slashes.
450
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
674
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
451
675
  *Available only for Vault Enterprise*.
452
676
  :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
453
677
  not begin or end with a `/`. Defaults to `gcp`.
678
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
679
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
454
680
  """
455
681
  opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
456
682
 
457
683
  __props__ = _SecretBackendState.__new__(_SecretBackendState)
458
684
 
685
+ __props__.__dict__["accessor"] = accessor
459
686
  __props__.__dict__["credentials"] = credentials
460
687
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
461
688
  __props__.__dict__["description"] = description
462
689
  __props__.__dict__["disable_remount"] = disable_remount
690
+ __props__.__dict__["identity_token_audience"] = identity_token_audience
691
+ __props__.__dict__["identity_token_key"] = identity_token_key
692
+ __props__.__dict__["identity_token_ttl"] = identity_token_ttl
463
693
  __props__.__dict__["local"] = local
464
694
  __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
465
695
  __props__.__dict__["namespace"] = namespace
466
696
  __props__.__dict__["path"] = path
697
+ __props__.__dict__["service_account_email"] = service_account_email
467
698
  return SecretBackend(resource_name, opts=opts, __props__=__props__)
468
699
 
700
+ @property
701
+ @pulumi.getter
702
+ def accessor(self) -> pulumi.Output[str]:
703
+ """
704
+ The accessor of the created GCP mount.
705
+ """
706
+ return pulumi.get(self, "accessor")
707
+
469
708
  @property
470
709
  @pulumi.getter
471
710
  def credentials(self) -> pulumi.Output[Optional[str]]:
@@ -500,6 +739,33 @@ class SecretBackend(pulumi.CustomResource):
500
739
  """
501
740
  return pulumi.get(self, "disable_remount")
502
741
 
742
+ @property
743
+ @pulumi.getter(name="identityTokenAudience")
744
+ def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
745
+ """
746
+ The audience claim value for plugin identity
747
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
748
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
749
+ """
750
+ return pulumi.get(self, "identity_token_audience")
751
+
752
+ @property
753
+ @pulumi.getter(name="identityTokenKey")
754
+ def identity_token_key(self) -> pulumi.Output[Optional[str]]:
755
+ """
756
+ The key to use for signing plugin identity
757
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
758
+ """
759
+ return pulumi.get(self, "identity_token_key")
760
+
761
+ @property
762
+ @pulumi.getter(name="identityTokenTtl")
763
+ def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
764
+ """
765
+ The TTL of generated tokens.
766
+ """
767
+ return pulumi.get(self, "identity_token_ttl")
768
+
503
769
  @property
504
770
  @pulumi.getter
505
771
  def local(self) -> pulumi.Output[Optional[bool]]:
@@ -523,7 +789,7 @@ class SecretBackend(pulumi.CustomResource):
523
789
  """
524
790
  The namespace to provision the resource in.
525
791
  The value should not contain leading or trailing forward slashes.
526
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
792
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
527
793
  *Available only for Vault Enterprise*.
528
794
  """
529
795
  return pulumi.get(self, "namespace")
@@ -537,3 +803,12 @@ class SecretBackend(pulumi.CustomResource):
537
803
  """
538
804
  return pulumi.get(self, "path")
539
805
 
806
+ @property
807
+ @pulumi.getter(name="serviceAccountEmail")
808
+ def service_account_email(self) -> pulumi.Output[Optional[str]]:
809
+ """
810
+ Service Account to impersonate for plugin workload identity federation.
811
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
812
+ """
813
+ return pulumi.get(self, "service_account_email")
814
+