pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

Files changed (229)
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +26 -9
  5. pulumi_vault/ad/secret_backend.py +16 -142
  6. pulumi_vault/ad/secret_library.py +16 -9
  7. pulumi_vault/ad/secret_role.py +14 -9
  8. pulumi_vault/alicloud/auth_backend_role.py +76 -190
  9. pulumi_vault/approle/auth_backend_login.py +12 -7
  10. pulumi_vault/approle/auth_backend_role.py +77 -191
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
  13. pulumi_vault/audit.py +30 -21
  14. pulumi_vault/audit_request_header.py +11 -2
  15. pulumi_vault/auth_backend.py +66 -14
  16. pulumi_vault/aws/auth_backend_cert.py +18 -9
  17. pulumi_vault/aws/auth_backend_client.py +267 -22
  18. pulumi_vault/aws/auth_backend_config_identity.py +14 -9
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +77 -191
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
  24. pulumi_vault/aws/auth_backend_sts_role.py +14 -9
  25. pulumi_vault/aws/get_access_credentials.py +38 -9
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +77 -9
  28. pulumi_vault/aws/secret_backend_role.py +185 -9
  29. pulumi_vault/aws/secret_backend_static_role.py +20 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +153 -15
  32. pulumi_vault/azure/auth_backend_role.py +77 -191
  33. pulumi_vault/azure/backend.py +227 -21
  34. pulumi_vault/azure/backend_role.py +42 -37
  35. pulumi_vault/azure/get_access_credentials.py +41 -7
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -267
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +28 -19
  44. pulumi_vault/consul/secret_backend_role.py +18 -78
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +119 -112
  48. pulumi_vault/database/secret_backend_role.py +31 -22
  49. pulumi_vault/database/secret_backend_static_role.py +87 -13
  50. pulumi_vault/database/secrets_mount.py +427 -136
  51. pulumi_vault/egp_policy.py +16 -11
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +250 -33
  54. pulumi_vault/gcp/auth_backend_role.py +77 -269
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -5
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -12
  58. pulumi_vault/gcp/secret_impersonated_account.py +76 -15
  59. pulumi_vault/gcp/secret_roleset.py +31 -24
  60. pulumi_vault/gcp/secret_static_account.py +39 -32
  61. pulumi_vault/generic/endpoint.py +24 -17
  62. pulumi_vault/generic/get_secret.py +64 -8
  63. pulumi_vault/generic/secret.py +21 -16
  64. pulumi_vault/get_auth_backend.py +24 -7
  65. pulumi_vault/get_auth_backends.py +51 -9
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -11
  69. pulumi_vault/get_policy_document.py +34 -19
  70. pulumi_vault/get_raft_autopilot_state.py +29 -10
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +19 -14
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +16 -11
  75. pulumi_vault/github/user.py +16 -11
  76. pulumi_vault/identity/entity.py +20 -13
  77. pulumi_vault/identity/entity_alias.py +20 -13
  78. pulumi_vault/identity/entity_policies.py +28 -11
  79. pulumi_vault/identity/get_entity.py +42 -10
  80. pulumi_vault/identity/get_group.py +47 -9
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -7
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -9
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -10
  84. pulumi_vault/identity/group.py +58 -39
  85. pulumi_vault/identity/group_alias.py +16 -9
  86. pulumi_vault/identity/group_member_entity_ids.py +28 -66
  87. pulumi_vault/identity/group_member_group_ids.py +40 -19
  88. pulumi_vault/identity/group_policies.py +20 -7
  89. pulumi_vault/identity/mfa_duo.py +11 -6
  90. pulumi_vault/identity/mfa_login_enforcement.py +15 -6
  91. pulumi_vault/identity/mfa_okta.py +11 -6
  92. pulumi_vault/identity/mfa_pingid.py +7 -2
  93. pulumi_vault/identity/mfa_totp.py +7 -2
  94. pulumi_vault/identity/oidc.py +12 -7
  95. pulumi_vault/identity/oidc_assignment.py +24 -11
  96. pulumi_vault/identity/oidc_client.py +36 -23
  97. pulumi_vault/identity/oidc_key.py +30 -17
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
  99. pulumi_vault/identity/oidc_provider.py +36 -21
  100. pulumi_vault/identity/oidc_role.py +42 -21
  101. pulumi_vault/identity/oidc_scope.py +20 -13
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +45 -40
  105. pulumi_vault/jwt/auth_backend_role.py +133 -254
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +24 -19
  108. pulumi_vault/kmip/secret_role.py +14 -9
  109. pulumi_vault/kmip/secret_scope.py +14 -9
  110. pulumi_vault/kubernetes/auth_backend_config.py +57 -5
  111. pulumi_vault/kubernetes/auth_backend_role.py +70 -177
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -11
  115. pulumi_vault/kubernetes/secret_backend.py +316 -27
  116. pulumi_vault/kubernetes/secret_backend_role.py +137 -46
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +25 -8
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
  120. pulumi_vault/kv/get_secret_v2.py +85 -9
  121. pulumi_vault/kv/get_secrets_list.py +24 -11
  122. pulumi_vault/kv/get_secrets_list_v2.py +37 -15
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +23 -16
  125. pulumi_vault/kv/secret_backend_v2.py +20 -11
  126. pulumi_vault/kv/secret_v2.py +59 -50
  127. pulumi_vault/ldap/auth_backend.py +127 -166
  128. pulumi_vault/ldap/auth_backend_group.py +14 -9
  129. pulumi_vault/ldap/auth_backend_user.py +14 -9
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +354 -82
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +16 -9
  135. pulumi_vault/ldap/secret_backend_static_role.py +73 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +29 -57
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +18 -11
  140. pulumi_vault/mfa_okta.py +18 -11
  141. pulumi_vault/mfa_pingid.py +18 -11
  142. pulumi_vault/mfa_totp.py +24 -17
  143. pulumi_vault/mongodbatlas/secret_backend.py +20 -15
  144. pulumi_vault/mongodbatlas/secret_role.py +47 -38
  145. pulumi_vault/mount.py +391 -51
  146. pulumi_vault/namespace.py +68 -83
  147. pulumi_vault/nomad_secret_backend.py +18 -13
  148. pulumi_vault/nomad_secret_role.py +14 -9
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +485 -39
  151. pulumi_vault/okta/auth_backend_group.py +14 -9
  152. pulumi_vault/okta/auth_backend_user.py +14 -9
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +20 -13
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -9
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -8
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
  174. pulumi_vault/pkisecret/secret_backend_key.py +14 -9
  175. pulumi_vault/pkisecret/secret_backend_role.py +21 -14
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +14 -9
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +60 -6
  185. pulumi_vault/quota_rate_limit.py +56 -2
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +18 -13
  189. pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
  190. pulumi_vault/raft_autopilot.py +14 -9
  191. pulumi_vault/raft_snapshot_agent_config.py +129 -224
  192. pulumi_vault/rgp_policy.py +14 -9
  193. pulumi_vault/saml/auth_backend.py +22 -17
  194. pulumi_vault/saml/auth_backend_role.py +92 -197
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -71
  199. pulumi_vault/secrets/sync_aws_destination.py +242 -27
  200. pulumi_vault/secrets/sync_azure_destination.py +92 -31
  201. pulumi_vault/secrets/sync_config.py +9 -4
  202. pulumi_vault/secrets/sync_gcp_destination.py +158 -25
  203. pulumi_vault/secrets/sync_gh_destination.py +189 -13
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +74 -13
  206. pulumi_vault/ssh/_inputs.py +28 -28
  207. pulumi_vault/ssh/outputs.py +11 -28
  208. pulumi_vault/ssh/secret_backend_ca.py +108 -9
  209. pulumi_vault/ssh/secret_backend_role.py +85 -118
  210. pulumi_vault/terraformcloud/secret_backend.py +7 -54
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -20
  212. pulumi_vault/terraformcloud/secret_role.py +16 -74
  213. pulumi_vault/token.py +28 -23
  214. pulumi_vault/tokenauth/auth_backend_role.py +78 -199
  215. pulumi_vault/transform/alphabet.py +16 -9
  216. pulumi_vault/transform/get_decode.py +45 -17
  217. pulumi_vault/transform/get_encode.py +45 -17
  218. pulumi_vault/transform/role.py +16 -9
  219. pulumi_vault/transform/template.py +30 -21
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -21
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +27 -93
  224. pulumi_vault/transit/secret_cache_config.py +12 -7
  225. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
 
12
17
  __all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
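Review bot: `typing_extensions` becomes a hard import-time requirement on interpreters older than 3.11 through the `else` branch at new line 14, and this page does not show that the wheel declares it. The METADATA change is listed in the file summary but its content is not visible here, so confirm that `typing_extensions` is declared there with a suitable version floor; otherwise importing this module fails on those interpreters. None of `NotRequired`, `TypedDict` or `TypeAlias` is used in the hunks visible on this page, so where they are consumed cannot be checked from here.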
@@ -19,10 +24,10 @@ class AuthBackendRoleArgs:
19
24
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
20
25
  backend: Optional[pulumi.Input[str]] = None,
21
26
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
22
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
27
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
23
28
  bound_claims_type: Optional[pulumi.Input[str]] = None,
24
29
  bound_subject: Optional[pulumi.Input[str]] = None,
25
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
30
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
26
31
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
27
32
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
28
33
  expiration_leeway: Optional[pulumi.Input[int]] = None,
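Review bot: Narrowing `bound_claims` and `claim_mappings` from `Mapping[str, Any]` to `Mapping[str, pulumi.Input[str]]` at new lines 27 and 30 restricts what callers may pass, and nothing in the visible docstrings says how to migrate non-string values. The `bound_claims` docstring says one string may hold several comma-separated values, so an expected value that itself contains a comma would presumably be read as several acceptable alternatives unless `disable_bound_claims_parsing` is set, which widens which tokens satisfy the role. I would add to the `bound_claims` description something like `Values are split on commas; set disable_bound_claims_parsing when an expected value contains a comma.` The same annotation change repeats in the `bound_claims` and `claim_mappings` getters and setters and in `_AuthBackendRoleState`; the enclosing `__init__` starts and ends outside this hunk.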
@@ -53,10 +58,9 @@ class AuthBackendRoleArgs:
53
58
  Required for OIDC roles
54
59
  :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
55
60
  Defaults to `jwt`.
56
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
57
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
58
- Any match is sufficient.
59
- :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
61
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
62
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
63
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
60
64
  A claim's value must be a string, which may contain one value or multiple
61
65
  comma-separated values, e.g. `"red"` or `"red,green,blue"`.
62
66
  :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
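Review bot: The `bound_audiences` docstring at new lines 61-62 no longer tells the reader that `bound_subject`, `bound_claims` or `token_bound_cidrs` can satisfy the binding requirement for `jwt` roles; it now states that `bound_audiences` itself is required. The two statements are not equivalent and the diff does not show which one the provider enforces, so it is unclear from the docstring whether a `jwt` role bound only by subject or claims is valid. Please confirm against the provider and, if the older rule still holds, keep a sentence such as `For jwt roles at least one of bound_audiences, bound_subject, bound_claims or token_bound_cidrs must be set.` The same wording change appears in the `bound_audiences` getter and in `_AuthBackendRoleState`.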
@@ -64,14 +68,14 @@ class AuthBackendRoleArgs:
64
68
  match). Requires Vault 1.4.0 or above.
65
69
  :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
66
70
  this value.
67
- :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
71
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
68
72
  to specified metadata fields (values).
69
73
  :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
70
74
  seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
71
75
  Only applicable with "jwt" roles.
72
76
  :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
73
77
  :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
74
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
78
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
75
79
  Only applicable with "jwt" roles.
76
80
  :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
77
81
  the set of groups to which the user belongs; this will be used as the names
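Review bot: The `expiration_leeway` docstring at new line 78 documents a `150`-second default with no explanation, while `clock_skew_leeway` just above it still says `60`. If the new text is accurate, a role that leaves the field at `0` accepts a token for up to 150 seconds past its `exp` claim; only documentation changes in this diff, so whether behaviour changed or the old text was wrong cannot be told from the page. Deployments that need a tighter window should set the value explicitly, and the docstring could say so: `Set an explicit value if a window shorter than the default is required.` The same edit is made for `not_before_leeway`, in both getters, and in `_AuthBackendRoleState`.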
@@ -81,40 +85,23 @@ class AuthBackendRoleArgs:
81
85
  the user was actively authenticated with the OIDC provider.
82
86
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
83
87
  The value should not contain leading or trailing forward slashes.
84
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
88
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
85
89
  *Available only for Vault Enterprise*.
86
90
  :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
87
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
91
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
88
92
  Only applicable with "jwt" roles.
89
93
  :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
90
94
  The standard scope "openid" is automatically included and need not be specified.
91
95
  :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
92
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
93
- addresses which can authenticate successfully, and ties the resulting token to these blocks
94
- as well.
95
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
96
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
97
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
98
- `token_max_ttl` would otherwise allow a renewal.
99
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
100
- Its current value will be referenced at renewal time.
101
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
102
- generated tokens; otherwise it will be added to the policies set in token_policies.
103
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
104
- of times a generated token may be used (within its lifetime); 0 means unlimited.
105
- :param pulumi.Input[int] token_period: If set, indicates that the
106
- token generated using this role should never expire. The token should be renewed within the
107
- duration specified by this value. At each renewal, the token's TTL will be set to the
108
- value of this field. Specified in seconds.
109
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
110
- on the auth method, this list may be supplemented by user/group/other values.
111
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
112
- Its current value will be referenced at renewal time.
113
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
114
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
115
- `service` tokens). For token store roles, there are two additional possibilities:
116
- `default-service` and `default-batch` which specify the type to return unless the client
117
- requests a different type at generation time.
96
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
97
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
98
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
99
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
100
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
101
+ :param pulumi.Input[int] token_period: Generated Token's Period
102
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
103
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
104
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
118
105
  :param pulumi.Input[bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
119
106
  [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
120
107
  syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
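Review bot: The shortened `token_*` descriptions at new lines 96-104 drop details that determine how long an issued credential lives. `token_period` no longer says that the token does not expire as long as it keeps being renewed, nor that the value is in seconds; `token_max_ttl` loses its unit; and `token_type` now lists only service and batch where the removed text also named `default`, `default-service` and `default-batch`. I would restore at least the units and the renewal semantics, for example `token_period: renewal period in seconds; the token does not expire as long as it is renewed within this period`. The matching getter docstrings further down are shortened the same way.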
@@ -236,9 +223,8 @@ class AuthBackendRoleArgs:
236
223
  @pulumi.getter(name="boundAudiences")
237
224
  def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
238
225
  """
239
- (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
240
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
241
- Any match is sufficient.
226
+ (Required for roles of type `jwt`, optional for roles of
227
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
242
228
  """
243
229
  return pulumi.get(self, "bound_audiences")
244
230
 
@@ -248,7 +234,7 @@ class AuthBackendRoleArgs:
248
234
 
249
235
  @property
250
236
  @pulumi.getter(name="boundClaims")
251
- def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
237
+ def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
252
238
  """
253
239
  If set, a map of claims to values to match against.
254
240
  A claim's value must be a string, which may contain one value or multiple
@@ -257,7 +243,7 @@ class AuthBackendRoleArgs:
257
243
  return pulumi.get(self, "bound_claims")
258
244
 
259
245
  @bound_claims.setter
260
- def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
246
+ def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
261
247
  pulumi.set(self, "bound_claims", value)
262
248
 
263
249
  @property
@@ -289,7 +275,7 @@ class AuthBackendRoleArgs:
289
275
 
290
276
  @property
291
277
  @pulumi.getter(name="claimMappings")
292
- def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
278
+ def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
293
279
  """
294
280
  If set, a map of claims (keys) to be copied
295
281
  to specified metadata fields (values).
@@ -297,7 +283,7 @@ class AuthBackendRoleArgs:
297
283
  return pulumi.get(self, "claim_mappings")
298
284
 
299
285
  @claim_mappings.setter
300
- def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
286
+ def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
301
287
  pulumi.set(self, "claim_mappings", value)
302
288
 
303
289
  @property
@@ -331,7 +317,7 @@ class AuthBackendRoleArgs:
331
317
  def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
332
318
  """
333
319
  The amount of leeway to add to expiration (`exp`) claims to account for
334
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
320
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
335
321
  Only applicable with "jwt" roles.
336
322
  """
337
323
  return pulumi.get(self, "expiration_leeway")
@@ -374,7 +360,7 @@ class AuthBackendRoleArgs:
374
360
  """
375
361
  The namespace to provision the resource in.
376
362
  The value should not contain leading or trailing forward slashes.
377
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
363
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
378
364
  *Available only for Vault Enterprise*.
379
365
  """
380
366
  return pulumi.get(self, "namespace")
@@ -388,7 +374,7 @@ class AuthBackendRoleArgs:
388
374
  def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
389
375
  """
390
376
  The amount of leeway to add to not before (`nbf`) claims to account for
391
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
377
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
392
378
  Only applicable with "jwt" roles.
393
379
  """
394
380
  return pulumi.get(self, "not_before_leeway")
@@ -426,9 +412,7 @@ class AuthBackendRoleArgs:
426
412
  @pulumi.getter(name="tokenBoundCidrs")
427
413
  def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
428
414
  """
429
- List of CIDR blocks; if set, specifies blocks of IP
430
- addresses which can authenticate successfully, and ties the resulting token to these blocks
431
- as well.
415
+ Specifies the blocks of IP addresses which are allowed to use the generated token
432
416
  """
433
417
  return pulumi.get(self, "token_bound_cidrs")
434
418
 
@@ -440,10 +424,7 @@ class AuthBackendRoleArgs:
440
424
  @pulumi.getter(name="tokenExplicitMaxTtl")
441
425
  def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
442
426
  """
443
- If set, will encode an
444
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
445
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
446
- `token_max_ttl` would otherwise allow a renewal.
427
+ Generated Token's Explicit Maximum TTL in seconds
447
428
  """
448
429
  return pulumi.get(self, "token_explicit_max_ttl")
449
430
 
@@ -455,8 +436,7 @@ class AuthBackendRoleArgs:
455
436
  @pulumi.getter(name="tokenMaxTtl")
456
437
  def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
457
438
  """
458
- The maximum lifetime for generated tokens in number of seconds.
459
- Its current value will be referenced at renewal time.
439
+ The maximum lifetime of the generated token
460
440
  """
461
441
  return pulumi.get(self, "token_max_ttl")
462
442
 
@@ -468,8 +448,7 @@ class AuthBackendRoleArgs:
468
448
  @pulumi.getter(name="tokenNoDefaultPolicy")
469
449
  def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
470
450
  """
471
- If set, the default policy will not be set on
472
- generated tokens; otherwise it will be added to the policies set in token_policies.
451
+ If true, the 'default' policy will not automatically be added to generated tokens
473
452
  """
474
453
  return pulumi.get(self, "token_no_default_policy")
475
454
 
@@ -481,8 +460,7 @@ class AuthBackendRoleArgs:
481
460
  @pulumi.getter(name="tokenNumUses")
482
461
  def token_num_uses(self) -> Optional[pulumi.Input[int]]:
483
462
  """
484
- The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
485
- of times a generated token may be used (within its lifetime); 0 means unlimited.
463
+ The maximum number of times a token may be used, a value of zero means unlimited
486
464
  """
487
465
  return pulumi.get(self, "token_num_uses")
488
466
 
@@ -494,10 +472,7 @@ class AuthBackendRoleArgs:
494
472
  @pulumi.getter(name="tokenPeriod")
495
473
  def token_period(self) -> Optional[pulumi.Input[int]]:
496
474
  """
497
- If set, indicates that the
498
- token generated using this role should never expire. The token should be renewed within the
499
- duration specified by this value. At each renewal, the token's TTL will be set to the
500
- value of this field. Specified in seconds.
475
+ Generated Token's Period
501
476
  """
502
477
  return pulumi.get(self, "token_period")
503
478
 
@@ -509,8 +484,7 @@ class AuthBackendRoleArgs:
509
484
  @pulumi.getter(name="tokenPolicies")
510
485
  def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
511
486
  """
512
- List of policies to encode onto generated tokens. Depending
513
- on the auth method, this list may be supplemented by user/group/other values.
487
+ Generated Token's Policies
514
488
  """
515
489
  return pulumi.get(self, "token_policies")
516
490
 
@@ -522,8 +496,7 @@ class AuthBackendRoleArgs:
522
496
  @pulumi.getter(name="tokenTtl")
523
497
  def token_ttl(self) -> Optional[pulumi.Input[int]]:
524
498
  """
525
- The incremental lifetime for generated tokens in number of seconds.
526
- Its current value will be referenced at renewal time.
499
+ The initial ttl of the token to generate in seconds
527
500
  """
528
501
  return pulumi.get(self, "token_ttl")
529
502
 
@@ -535,11 +508,7 @@ class AuthBackendRoleArgs:
535
508
  @pulumi.getter(name="tokenType")
536
509
  def token_type(self) -> Optional[pulumi.Input[str]]:
537
510
  """
538
- The type of token that should be generated. Can be `service`,
539
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
540
- `service` tokens). For token store roles, there are two additional possibilities:
541
- `default-service` and `default-batch` which specify the type to return unless the client
542
- requests a different type at generation time.
511
+ The type of token to generate, service or batch
543
512
  """
544
513
  return pulumi.get(self, "token_type")
545
514
 
@@ -583,10 +552,10 @@ class _AuthBackendRoleState:
583
552
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
584
553
  backend: Optional[pulumi.Input[str]] = None,
585
554
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
586
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
555
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
587
556
  bound_claims_type: Optional[pulumi.Input[str]] = None,
588
557
  bound_subject: Optional[pulumi.Input[str]] = None,
589
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
558
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
590
559
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
591
560
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
592
561
  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -615,10 +584,9 @@ class _AuthBackendRoleState:
615
584
  Required for OIDC roles
616
585
  :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
617
586
  Defaults to `jwt`.
618
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
619
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
620
- Any match is sufficient.
621
- :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
587
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
588
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
589
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
622
590
  A claim's value must be a string, which may contain one value or multiple
623
591
  comma-separated values, e.g. `"red"` or `"red,green,blue"`.
624
592
  :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -626,14 +594,14 @@ class _AuthBackendRoleState:
626
594
  match). Requires Vault 1.4.0 or above.
627
595
  :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
628
596
  this value.
629
- :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
597
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
630
598
  to specified metadata fields (values).
631
599
  :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
632
600
  seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
633
601
  Only applicable with "jwt" roles.
634
602
  :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
635
603
  :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
636
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
604
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
637
605
  Only applicable with "jwt" roles.
638
606
  :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
639
607
  the set of groups to which the user belongs; this will be used as the names
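Review bot: The `expiration_leeway` docstring does not say what an unset (`None`) value means as opposed to `0`, and it now documents a 150-second default while `clock_skew_leeway` just above still documents 60 with no word on how the two combine. Because this value is how long a token past its `exp` is still accepted, the effective window should be explicit. Assuming unset behaves like `0` (the page does not show this), I would append `If unset, the 150 second default applies; set an explicit value, or -1 for no leeway, when tokens are short-lived.` The same sentence is changed for `not_before_leeway` in the next hunk and again in the getter and `AuthBackendRole` docstrings.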
@@ -643,41 +611,24 @@ class _AuthBackendRoleState:
643
611
  the user was actively authenticated with the OIDC provider.
644
612
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
645
613
  The value should not contain leading or trailing forward slashes.
646
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
614
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
647
615
  *Available only for Vault Enterprise*.
648
616
  :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
649
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
617
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
650
618
  Only applicable with "jwt" roles.
651
619
  :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
652
620
  The standard scope "openid" is automatically included and need not be specified.
653
621
  :param pulumi.Input[str] role_name: The name of the role.
654
622
  :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
655
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
656
- addresses which can authenticate successfully, and ties the resulting token to these blocks
657
- as well.
658
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
659
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
660
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
661
- `token_max_ttl` would otherwise allow a renewal.
662
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
663
- Its current value will be referenced at renewal time.
664
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
665
- generated tokens; otherwise it will be added to the policies set in token_policies.
666
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
667
- of times a generated token may be used (within its lifetime); 0 means unlimited.
668
- :param pulumi.Input[int] token_period: If set, indicates that the
669
- token generated using this role should never expire. The token should be renewed within the
670
- duration specified by this value. At each renewal, the token's TTL will be set to the
671
- value of this field. Specified in seconds.
672
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
673
- on the auth method, this list may be supplemented by user/group/other values.
674
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
675
- Its current value will be referenced at renewal time.
676
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
677
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
678
- `service` tokens). For token store roles, there are two additional possibilities:
679
- `default-service` and `default-batch` which specify the type to return unless the client
680
- requests a different type at generation time.
623
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
624
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
625
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
626
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
627
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
628
+ :param pulumi.Input[int] token_period: Generated Token's Period
629
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
630
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
631
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
681
632
  :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
682
633
  the user; this will be used as the name for the Identity entity alias created
683
634
  due to a successful login.
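Review bot: The shortened `token_*` descriptions in this hunk drop facts a caller needs to set these fields safely. `token_period` and `token_max_ttl` no longer state a unit, `token_type` no longer mentions `default`, and `token_bound_cidrs` now covers only use of the token where the previous text also covered which addresses can authenticate. If behaviour is unchanged (only docstrings change here), I would keep the short form but restore those facts, e.g. `token_period: Generated Token's Period, in seconds` and `token_max_ttl: The maximum lifetime of the generated token, in seconds`. The same descriptions are repeated in the per-property getter hunks below and in both `AuthBackendRole` docstrings.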
@@ -778,9 +729,8 @@ class _AuthBackendRoleState:
778
729
  @pulumi.getter(name="boundAudiences")
779
730
  def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
780
731
  """
781
- (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
782
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
783
- Any match is sufficient.
732
+ (Required for roles of type `jwt`, optional for roles of
733
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
784
734
  """
785
735
  return pulumi.get(self, "bound_audiences")
786
736
 
@@ -790,7 +740,7 @@ class _AuthBackendRoleState:
790
740
 
791
741
  @property
792
742
  @pulumi.getter(name="boundClaims")
793
- def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
743
+ def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
794
744
  """
795
745
  If set, a map of claims to values to match against.
796
746
  A claim's value must be a string, which may contain one value or multiple
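Review bot: The `bound_claims` docstring under this getter does not warn that a value containing a comma is presumably parsed as several acceptable values, which widens the match. This matters more now that the type is `Mapping[str, pulumi.Input[str]]` and a list of values can no longer be passed as such. The parameter docs on this page mention `disable_bound_claims_parsing` only as "useful when values contain commas", so I would state the link here: `Set disable_bound_claims_parsing when a value itself contains a comma, otherwise it is treated as multiple values.` The same type change appears in the setter hunk, in `claim_mappings`, and in the signature hunks further down. The getter's docstring and body continue outside this hunk.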
@@ -799,7 +749,7 @@ class _AuthBackendRoleState:
799
749
  return pulumi.get(self, "bound_claims")
800
750
 
801
751
  @bound_claims.setter
802
- def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
752
+ def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
803
753
  pulumi.set(self, "bound_claims", value)
804
754
 
805
755
  @property
@@ -831,7 +781,7 @@ class _AuthBackendRoleState:
831
781
 
832
782
  @property
833
783
  @pulumi.getter(name="claimMappings")
834
- def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
784
+ def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
835
785
  """
836
786
  If set, a map of claims (keys) to be copied
837
787
  to specified metadata fields (values).
@@ -839,7 +789,7 @@ class _AuthBackendRoleState:
839
789
  return pulumi.get(self, "claim_mappings")
840
790
 
841
791
  @claim_mappings.setter
842
- def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
792
+ def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
843
793
  pulumi.set(self, "claim_mappings", value)
844
794
 
845
795
  @property
@@ -873,7 +823,7 @@ class _AuthBackendRoleState:
873
823
  def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
874
824
  """
875
825
  The amount of leeway to add to expiration (`exp`) claims to account for
876
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
826
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
877
827
  Only applicable with "jwt" roles.
878
828
  """
879
829
  return pulumi.get(self, "expiration_leeway")
@@ -916,7 +866,7 @@ class _AuthBackendRoleState:
916
866
  """
917
867
  The namespace to provision the resource in.
918
868
  The value should not contain leading or trailing forward slashes.
919
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
869
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
920
870
  *Available only for Vault Enterprise*.
921
871
  """
922
872
  return pulumi.get(self, "namespace")
@@ -930,7 +880,7 @@ class _AuthBackendRoleState:
930
880
  def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
931
881
  """
932
882
  The amount of leeway to add to not before (`nbf`) claims to account for
933
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
883
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
934
884
  Only applicable with "jwt" roles.
935
885
  """
936
886
  return pulumi.get(self, "not_before_leeway")
@@ -980,9 +930,7 @@ class _AuthBackendRoleState:
980
930
  @pulumi.getter(name="tokenBoundCidrs")
981
931
  def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
982
932
  """
983
- List of CIDR blocks; if set, specifies blocks of IP
984
- addresses which can authenticate successfully, and ties the resulting token to these blocks
985
- as well.
933
+ Specifies the blocks of IP addresses which are allowed to use the generated token
986
934
  """
987
935
  return pulumi.get(self, "token_bound_cidrs")
988
936
 
@@ -994,10 +942,7 @@ class _AuthBackendRoleState:
994
942
  @pulumi.getter(name="tokenExplicitMaxTtl")
995
943
  def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
996
944
  """
997
- If set, will encode an
998
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
999
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1000
- `token_max_ttl` would otherwise allow a renewal.
945
+ Generated Token's Explicit Maximum TTL in seconds
1001
946
  """
1002
947
  return pulumi.get(self, "token_explicit_max_ttl")
1003
948
 
@@ -1009,8 +954,7 @@ class _AuthBackendRoleState:
1009
954
  @pulumi.getter(name="tokenMaxTtl")
1010
955
  def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
1011
956
  """
1012
- The maximum lifetime for generated tokens in number of seconds.
1013
- Its current value will be referenced at renewal time.
957
+ The maximum lifetime of the generated token
1014
958
  """
1015
959
  return pulumi.get(self, "token_max_ttl")
1016
960
 
@@ -1022,8 +966,7 @@ class _AuthBackendRoleState:
1022
966
  @pulumi.getter(name="tokenNoDefaultPolicy")
1023
967
  def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
1024
968
  """
1025
- If set, the default policy will not be set on
1026
- generated tokens; otherwise it will be added to the policies set in token_policies.
969
+ If true, the 'default' policy will not automatically be added to generated tokens
1027
970
  """
1028
971
  return pulumi.get(self, "token_no_default_policy")
1029
972
 
@@ -1035,8 +978,7 @@ class _AuthBackendRoleState:
1035
978
  @pulumi.getter(name="tokenNumUses")
1036
979
  def token_num_uses(self) -> Optional[pulumi.Input[int]]:
1037
980
  """
1038
- The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
1039
- of times a generated token may be used (within its lifetime); 0 means unlimited.
981
+ The maximum number of times a token may be used, a value of zero means unlimited
1040
982
  """
1041
983
  return pulumi.get(self, "token_num_uses")
1042
984
 
@@ -1048,10 +990,7 @@ class _AuthBackendRoleState:
1048
990
  @pulumi.getter(name="tokenPeriod")
1049
991
  def token_period(self) -> Optional[pulumi.Input[int]]:
1050
992
  """
1051
- If set, indicates that the
1052
- token generated using this role should never expire. The token should be renewed within the
1053
- duration specified by this value. At each renewal, the token's TTL will be set to the
1054
- value of this field. Specified in seconds.
993
+ Generated Token's Period
1055
994
  """
1056
995
  return pulumi.get(self, "token_period")
1057
996
 
@@ -1063,8 +1002,7 @@ class _AuthBackendRoleState:
1063
1002
  @pulumi.getter(name="tokenPolicies")
1064
1003
  def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
1065
1004
  """
1066
- List of policies to encode onto generated tokens. Depending
1067
- on the auth method, this list may be supplemented by user/group/other values.
1005
+ Generated Token's Policies
1068
1006
  """
1069
1007
  return pulumi.get(self, "token_policies")
1070
1008
 
@@ -1076,8 +1014,7 @@ class _AuthBackendRoleState:
1076
1014
  @pulumi.getter(name="tokenTtl")
1077
1015
  def token_ttl(self) -> Optional[pulumi.Input[int]]:
1078
1016
  """
1079
- The incremental lifetime for generated tokens in number of seconds.
1080
- Its current value will be referenced at renewal time.
1017
+ The initial ttl of the token to generate in seconds
1081
1018
  """
1082
1019
  return pulumi.get(self, "token_ttl")
1083
1020
 
@@ -1089,11 +1026,7 @@ class _AuthBackendRoleState:
1089
1026
  @pulumi.getter(name="tokenType")
1090
1027
  def token_type(self) -> Optional[pulumi.Input[str]]:
1091
1028
  """
1092
- The type of token that should be generated. Can be `service`,
1093
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1094
- `service` tokens). For token store roles, there are two additional possibilities:
1095
- `default-service` and `default-batch` which specify the type to return unless the client
1096
- requests a different type at generation time.
1029
+ The type of token to generate, service or batch
1097
1030
  """
1098
1031
  return pulumi.get(self, "token_type")
1099
1032
 
@@ -1153,10 +1086,10 @@ class AuthBackendRole(pulumi.CustomResource):
1153
1086
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1154
1087
  backend: Optional[pulumi.Input[str]] = None,
1155
1088
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1156
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1089
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1157
1090
  bound_claims_type: Optional[pulumi.Input[str]] = None,
1158
1091
  bound_subject: Optional[pulumi.Input[str]] = None,
1159
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1092
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1160
1093
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
1161
1094
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
1162
1095
  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -1237,7 +1170,7 @@ class AuthBackendRole(pulumi.CustomResource):
1237
1170
  JWT authentication backend roles can be imported using the `path`, e.g.
1238
1171
 
1239
1172
  ```sh
1240
- $ pulumi import vault:jwt/authBackendRole:AuthBackendRole example auth/jwt/role/test-role
1173
+ $ pulumi import vault:jwt/authBackendRole:AuthBackendRole example auth/jwt/role/test-role
1241
1174
  ```
1242
1175
 
1243
1176
  :param str resource_name: The name of the resource.
@@ -1246,10 +1179,9 @@ class AuthBackendRole(pulumi.CustomResource):
1246
1179
  Required for OIDC roles
1247
1180
  :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
1248
1181
  Defaults to `jwt`.
1249
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
1250
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
1251
- Any match is sufficient.
1252
- :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
1182
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
1183
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
1184
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
1253
1185
  A claim's value must be a string, which may contain one value or multiple
1254
1186
  comma-separated values, e.g. `"red"` or `"red,green,blue"`.
1255
1187
  :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -1257,14 +1189,14 @@ class AuthBackendRole(pulumi.CustomResource):
1257
1189
  match). Requires Vault 1.4.0 or above.
1258
1190
  :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
1259
1191
  this value.
1260
- :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
1192
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
1261
1193
  to specified metadata fields (values).
1262
1194
  :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
1263
1195
  seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1264
1196
  Only applicable with "jwt" roles.
1265
1197
  :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
1266
1198
  :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
1267
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1199
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1268
1200
  Only applicable with "jwt" roles.
1269
1201
  :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
1270
1202
  the set of groups to which the user belongs; this will be used as the names
@@ -1274,41 +1206,24 @@ class AuthBackendRole(pulumi.CustomResource):
1274
1206
  the user was actively authenticated with the OIDC provider.
1275
1207
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
1276
1208
  The value should not contain leading or trailing forward slashes.
1277
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1209
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1278
1210
  *Available only for Vault Enterprise*.
1279
1211
  :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
1280
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1212
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1281
1213
  Only applicable with "jwt" roles.
1282
1214
  :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
1283
1215
  The standard scope "openid" is automatically included and need not be specified.
1284
1216
  :param pulumi.Input[str] role_name: The name of the role.
1285
1217
  :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
1286
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
1287
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1288
- as well.
1289
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
1290
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1291
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1292
- `token_max_ttl` would otherwise allow a renewal.
1293
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
1294
- Its current value will be referenced at renewal time.
1295
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
1296
- generated tokens; otherwise it will be added to the policies set in token_policies.
1297
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
1298
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1299
- :param pulumi.Input[int] token_period: If set, indicates that the
1300
- token generated using this role should never expire. The token should be renewed within the
1301
- duration specified by this value. At each renewal, the token's TTL will be set to the
1302
- value of this field. Specified in seconds.
1303
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
1304
- on the auth method, this list may be supplemented by user/group/other values.
1305
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
1306
- Its current value will be referenced at renewal time.
1307
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
1308
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1309
- `service` tokens). For token store roles, there are two additional possibilities:
1310
- `default-service` and `default-batch` which specify the type to return unless the client
1311
- requests a different type at generation time.
1218
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
1219
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
1220
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
1221
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
1222
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
1223
+ :param pulumi.Input[int] token_period: Generated Token's Period
1224
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
1225
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
1226
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
1312
1227
  :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
1313
1228
  the user; this will be used as the name for the Identity entity alias created
1314
1229
  due to a successful login.
@@ -1383,7 +1298,7 @@ class AuthBackendRole(pulumi.CustomResource):
1383
1298
  JWT authentication backend roles can be imported using the `path`, e.g.
1384
1299
 
1385
1300
  ```sh
1386
- $ pulumi import vault:jwt/authBackendRole:AuthBackendRole example auth/jwt/role/test-role
1301
+ $ pulumi import vault:jwt/authBackendRole:AuthBackendRole example auth/jwt/role/test-role
1387
1302
  ```
1388
1303
 
1389
1304
  :param str resource_name: The name of the resource.
@@ -1404,10 +1319,10 @@ class AuthBackendRole(pulumi.CustomResource):
1404
1319
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1405
1320
  backend: Optional[pulumi.Input[str]] = None,
1406
1321
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1407
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1322
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1408
1323
  bound_claims_type: Optional[pulumi.Input[str]] = None,
1409
1324
  bound_subject: Optional[pulumi.Input[str]] = None,
1410
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1325
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1411
1326
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
1412
1327
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
1413
1328
  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -1485,10 +1400,10 @@ class AuthBackendRole(pulumi.CustomResource):
1485
1400
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1486
1401
  backend: Optional[pulumi.Input[str]] = None,
1487
1402
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1488
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1403
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1489
1404
  bound_claims_type: Optional[pulumi.Input[str]] = None,
1490
1405
  bound_subject: Optional[pulumi.Input[str]] = None,
1491
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1406
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1492
1407
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
1493
1408
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
1494
1409
  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -1522,10 +1437,9 @@ class AuthBackendRole(pulumi.CustomResource):
1522
1437
  Required for OIDC roles
1523
1438
  :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
1524
1439
  Defaults to `jwt`.
1525
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
1526
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
1527
- Any match is sufficient.
1528
- :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
1440
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
1441
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
1442
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
1529
1443
  A claim's value must be a string, which may contain one value or multiple
1530
1444
  comma-separated values, e.g. `"red"` or `"red,green,blue"`.
1531
1445
  :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -1533,14 +1447,14 @@ class AuthBackendRole(pulumi.CustomResource):
1533
1447
  match). Requires Vault 1.4.0 or above.
1534
1448
  :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
1535
1449
  this value.
1536
- :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
1450
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
1537
1451
  to specified metadata fields (values).
1538
1452
  :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
1539
1453
  seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1540
1454
  Only applicable with "jwt" roles.
1541
1455
  :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
1542
1456
  :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
1543
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1457
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1544
1458
  Only applicable with "jwt" roles.
1545
1459
  :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
1546
1460
  the set of groups to which the user belongs; this will be used as the names
@@ -1550,41 +1464,24 @@ class AuthBackendRole(pulumi.CustomResource):
1550
1464
  the user was actively authenticated with the OIDC provider.
1551
1465
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
1552
1466
  The value should not contain leading or trailing forward slashes.
1553
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1467
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1554
1468
  *Available only for Vault Enterprise*.
1555
1469
  :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
1556
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1470
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1557
1471
  Only applicable with "jwt" roles.
1558
1472
  :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
1559
1473
  The standard scope "openid" is automatically included and need not be specified.
1560
1474
  :param pulumi.Input[str] role_name: The name of the role.
1561
1475
  :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
1562
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
1563
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1564
- as well.
1565
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
1566
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1567
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1568
- `token_max_ttl` would otherwise allow a renewal.
1569
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
1570
- Its current value will be referenced at renewal time.
1571
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
1572
- generated tokens; otherwise it will be added to the policies set in token_policies.
1573
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
1574
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1575
- :param pulumi.Input[int] token_period: If set, indicates that the
1576
- token generated using this role should never expire. The token should be renewed within the
1577
- duration specified by this value. At each renewal, the token's TTL will be set to the
1578
- value of this field. Specified in seconds.
1579
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
1580
- on the auth method, this list may be supplemented by user/group/other values.
1581
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
1582
- Its current value will be referenced at renewal time.
1583
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
1584
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1585
- `service` tokens). For token store roles, there are two additional possibilities:
1586
- `default-service` and `default-batch` which specify the type to return unless the client
1587
- requests a different type at generation time.
1476
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
1477
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
1478
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
1479
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
1480
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
1481
+ :param pulumi.Input[int] token_period: Generated Token's Period
1482
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
1483
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
1484
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
1588
1485
  :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
1589
1486
  the user; this will be used as the name for the Identity entity alias created
1590
1487
  due to a successful login.
@@ -1653,15 +1550,14 @@ class AuthBackendRole(pulumi.CustomResource):
1653
1550
  @pulumi.getter(name="boundAudiences")
1654
1551
  def bound_audiences(self) -> pulumi.Output[Optional[Sequence[str]]]:
1655
1552
  """
1656
- (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
1657
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
1658
- Any match is sufficient.
1553
+ (Required for roles of type `jwt`, optional for roles of
1554
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
1659
1555
  """
1660
1556
  return pulumi.get(self, "bound_audiences")
1661
1557
 
1662
1558
  @property
1663
1559
  @pulumi.getter(name="boundClaims")
1664
- def bound_claims(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
1560
+ def bound_claims(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
1665
1561
  """
1666
1562
  If set, a map of claims to values to match against.
1667
1563
  A claim's value must be a string, which may contain one value or multiple
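Review bot: The reworded `bound_audiences` docstring now says the field is required for roles of type `jwt`, while the text it replaces required only one of `bound_audiences`, `bound_subject`, `bound_claims` or `token_bound_cidrs`. The hunk changes no code, so which rule is actually enforced cannot be told from here. This binding limits which tokens the role accepts, so the docstring should state the enforced constraint exactly. In the same hunk `bound_claims` narrows from `Mapping[str, Any]` to `Mapping[str, str]`, and `claim_mappings` does the same in the next hunk; that is a typing break for callers that passed non-string values and deserves a line in the upgrade notes. The `bound_claims` docstring continues outside the hunk.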
@@ -1690,7 +1586,7 @@ class AuthBackendRole(pulumi.CustomResource):
1690
1586
 
1691
1587
  @property
1692
1588
  @pulumi.getter(name="claimMappings")
1693
- def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
1589
+ def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
1694
1590
  """
1695
1591
  If set, a map of claims (keys) to be copied
1696
1592
  to specified metadata fields (values).
@@ -1720,7 +1616,7 @@ class AuthBackendRole(pulumi.CustomResource):
1720
1616
  def expiration_leeway(self) -> pulumi.Output[Optional[int]]:
1721
1617
  """
1722
1618
  The amount of leeway to add to expiration (`exp`) claims to account for
1723
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1619
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1724
1620
  Only applicable with "jwt" roles.
1725
1621
  """
1726
1622
  return pulumi.get(self, "expiration_leeway")
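Review bot: The documented default for `expiration_leeway` moves from `60` to `150` seconds with no code change in the hunk, so it is unclear whether the effective default changed or the earlier text was wrong. The `not_before_leeway` hunk further down makes the same edit. Per the new text, a role that leaves the field at `0` accepts a token up to 150 seconds past its `exp`, which matters for short-lived JWTs. I would add one sentence to both docstrings, for example `Set an explicit value rather than 0 if the accepted window must not depend on the default.`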
@@ -1751,7 +1647,7 @@ class AuthBackendRole(pulumi.CustomResource):
1751
1647
  """
1752
1648
  The namespace to provision the resource in.
1753
1649
  The value should not contain leading or trailing forward slashes.
1754
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1650
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1755
1651
  *Available only for Vault Enterprise*.
1756
1652
  """
1757
1653
  return pulumi.get(self, "namespace")
@@ -1761,7 +1657,7 @@ class AuthBackendRole(pulumi.CustomResource):
1761
1657
  def not_before_leeway(self) -> pulumi.Output[Optional[int]]:
1762
1658
  """
1763
1659
  The amount of leeway to add to not before (`nbf`) claims to account for
1764
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1660
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1765
1661
  Only applicable with "jwt" roles.
1766
1662
  """
1767
1663
  return pulumi.get(self, "not_before_leeway")
@@ -1795,9 +1691,7 @@ class AuthBackendRole(pulumi.CustomResource):
1795
1691
  @pulumi.getter(name="tokenBoundCidrs")
1796
1692
  def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
1797
1693
  """
1798
- List of CIDR blocks; if set, specifies blocks of IP
1799
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1800
- as well.
1694
+ Specifies the blocks of IP addresses which are allowed to use the generated token
1801
1695
  """
1802
1696
  return pulumi.get(self, "token_bound_cidrs")
1803
1697
 
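Review bot: The new `token_bound_cidrs` docstring covers only which addresses may use the generated token and drops the earlier statement that the same CIDR blocks also restrict which addresses can authenticate. Whether login is still restricted cannot be told from this hunk, so the text should say it either way. The same shortening recurs in the getter hunks that follow: `token_period` no longer says the token never expires if renewed within the period, `token_explicit_max_ttl` no longer says it is a hard cap over `token_ttl` and `token_max_ttl`, and `token_max_ttl` and `token_period` lose their unit. For the period getter I would keep a sentence such as `Renewal period in seconds; a token issued with a period does not expire while it is renewed within it.`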
@@ -1805,10 +1699,7 @@ class AuthBackendRole(pulumi.CustomResource):
1805
1699
  @pulumi.getter(name="tokenExplicitMaxTtl")
1806
1700
  def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
1807
1701
  """
1808
- If set, will encode an
1809
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1810
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1811
- `token_max_ttl` would otherwise allow a renewal.
1702
+ Generated Token's Explicit Maximum TTL in seconds
1812
1703
  """
1813
1704
  return pulumi.get(self, "token_explicit_max_ttl")
1814
1705
 
@@ -1816,8 +1707,7 @@ class AuthBackendRole(pulumi.CustomResource):
1816
1707
  @pulumi.getter(name="tokenMaxTtl")
1817
1708
  def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
1818
1709
  """
1819
- The maximum lifetime for generated tokens in number of seconds.
1820
- Its current value will be referenced at renewal time.
1710
+ The maximum lifetime of the generated token
1821
1711
  """
1822
1712
  return pulumi.get(self, "token_max_ttl")
1823
1713
 
@@ -1825,8 +1715,7 @@ class AuthBackendRole(pulumi.CustomResource):
1825
1715
  @pulumi.getter(name="tokenNoDefaultPolicy")
1826
1716
  def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
1827
1717
  """
1828
- If set, the default policy will not be set on
1829
- generated tokens; otherwise it will be added to the policies set in token_policies.
1718
+ If true, the 'default' policy will not automatically be added to generated tokens
1830
1719
  """
1831
1720
  return pulumi.get(self, "token_no_default_policy")
1832
1721
 
@@ -1834,8 +1723,7 @@ class AuthBackendRole(pulumi.CustomResource):
1834
1723
  @pulumi.getter(name="tokenNumUses")
1835
1724
  def token_num_uses(self) -> pulumi.Output[Optional[int]]:
1836
1725
  """
1837
- The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
1838
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1726
+ The maximum number of times a token may be used, a value of zero means unlimited
1839
1727
  """
1840
1728
  return pulumi.get(self, "token_num_uses")
1841
1729
 
@@ -1843,10 +1731,7 @@ class AuthBackendRole(pulumi.CustomResource):
1843
1731
  @pulumi.getter(name="tokenPeriod")
1844
1732
  def token_period(self) -> pulumi.Output[Optional[int]]:
1845
1733
  """
1846
- If set, indicates that the
1847
- token generated using this role should never expire. The token should be renewed within the
1848
- duration specified by this value. At each renewal, the token's TTL will be set to the
1849
- value of this field. Specified in seconds.
1734
+ Generated Token's Period
1850
1735
  """
1851
1736
  return pulumi.get(self, "token_period")
1852
1737
 
@@ -1854,8 +1739,7 @@ class AuthBackendRole(pulumi.CustomResource):
1854
1739
  @pulumi.getter(name="tokenPolicies")
1855
1740
  def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
1856
1741
  """
1857
- List of policies to encode onto generated tokens. Depending
1858
- on the auth method, this list may be supplemented by user/group/other values.
1742
+ Generated Token's Policies
1859
1743
  """
1860
1744
  return pulumi.get(self, "token_policies")
1861
1745
 
@@ -1863,8 +1747,7 @@ class AuthBackendRole(pulumi.CustomResource):
1863
1747
  @pulumi.getter(name="tokenTtl")
1864
1748
  def token_ttl(self) -> pulumi.Output[Optional[int]]:
1865
1749
  """
1866
- The incremental lifetime for generated tokens in number of seconds.
1867
- Its current value will be referenced at renewal time.
1750
+ The initial ttl of the token to generate in seconds
1868
1751
  """
1869
1752
  return pulumi.get(self, "token_ttl")
1870
1753
 
@@ -1872,11 +1755,7 @@ class AuthBackendRole(pulumi.CustomResource):
1872
1755
  @pulumi.getter(name="tokenType")
1873
1756
  def token_type(self) -> pulumi.Output[Optional[str]]:
1874
1757
  """
1875
- The type of token that should be generated. Can be `service`,
1876
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1877
- `service` tokens). For token store roles, there are two additional possibilities:
1878
- `default-service` and `default-batch` which specify the type to return unless the client
1879
- requests a different type at generation time.
1758
+ The type of token to generate, service or batch
1880
1759
  """
1881
1760
  return pulumi.get(self, "token_type")
1882
1761