pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +26 -9
- pulumi_vault/ad/secret_backend.py +16 -142
- pulumi_vault/ad/secret_library.py +16 -9
- pulumi_vault/ad/secret_role.py +14 -9
- pulumi_vault/alicloud/auth_backend_role.py +76 -190
- pulumi_vault/approle/auth_backend_login.py +12 -7
- pulumi_vault/approle/auth_backend_role.py +77 -191
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
- pulumi_vault/audit.py +30 -21
- pulumi_vault/audit_request_header.py +11 -2
- pulumi_vault/auth_backend.py +66 -14
- pulumi_vault/aws/auth_backend_cert.py +18 -9
- pulumi_vault/aws/auth_backend_client.py +267 -22
- pulumi_vault/aws/auth_backend_config_identity.py +14 -9
- pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +77 -191
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
- pulumi_vault/aws/auth_backend_sts_role.py +14 -9
- pulumi_vault/aws/get_access_credentials.py +38 -9
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +77 -9
- pulumi_vault/aws/secret_backend_role.py +185 -9
- pulumi_vault/aws/secret_backend_static_role.py +20 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +153 -15
- pulumi_vault/azure/auth_backend_role.py +77 -191
- pulumi_vault/azure/backend.py +227 -21
- pulumi_vault/azure/backend_role.py +42 -37
- pulumi_vault/azure/get_access_credentials.py +41 -7
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -267
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +28 -19
- pulumi_vault/consul/secret_backend_role.py +18 -78
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +119 -112
- pulumi_vault/database/secret_backend_role.py +31 -22
- pulumi_vault/database/secret_backend_static_role.py +87 -13
- pulumi_vault/database/secrets_mount.py +427 -136
- pulumi_vault/egp_policy.py +16 -11
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +250 -33
- pulumi_vault/gcp/auth_backend_role.py +77 -269
- pulumi_vault/gcp/get_auth_backend_role.py +43 -5
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -12
- pulumi_vault/gcp/secret_impersonated_account.py +76 -15
- pulumi_vault/gcp/secret_roleset.py +31 -24
- pulumi_vault/gcp/secret_static_account.py +39 -32
- pulumi_vault/generic/endpoint.py +24 -17
- pulumi_vault/generic/get_secret.py +64 -8
- pulumi_vault/generic/secret.py +21 -16
- pulumi_vault/get_auth_backend.py +24 -7
- pulumi_vault/get_auth_backends.py +51 -9
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -11
- pulumi_vault/get_policy_document.py +34 -19
- pulumi_vault/get_raft_autopilot_state.py +29 -10
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +19 -14
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +16 -11
- pulumi_vault/github/user.py +16 -11
- pulumi_vault/identity/entity.py +20 -13
- pulumi_vault/identity/entity_alias.py +20 -13
- pulumi_vault/identity/entity_policies.py +28 -11
- pulumi_vault/identity/get_entity.py +42 -10
- pulumi_vault/identity/get_group.py +47 -9
- pulumi_vault/identity/get_oidc_client_creds.py +21 -7
- pulumi_vault/identity/get_oidc_openid_config.py +39 -9
- pulumi_vault/identity/get_oidc_public_keys.py +29 -10
- pulumi_vault/identity/group.py +58 -39
- pulumi_vault/identity/group_alias.py +16 -9
- pulumi_vault/identity/group_member_entity_ids.py +28 -66
- pulumi_vault/identity/group_member_group_ids.py +40 -19
- pulumi_vault/identity/group_policies.py +20 -7
- pulumi_vault/identity/mfa_duo.py +11 -6
- pulumi_vault/identity/mfa_login_enforcement.py +15 -6
- pulumi_vault/identity/mfa_okta.py +11 -6
- pulumi_vault/identity/mfa_pingid.py +7 -2
- pulumi_vault/identity/mfa_totp.py +7 -2
- pulumi_vault/identity/oidc.py +12 -7
- pulumi_vault/identity/oidc_assignment.py +24 -11
- pulumi_vault/identity/oidc_client.py +36 -23
- pulumi_vault/identity/oidc_key.py +30 -17
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
- pulumi_vault/identity/oidc_provider.py +36 -21
- pulumi_vault/identity/oidc_role.py +42 -21
- pulumi_vault/identity/oidc_scope.py +20 -13
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +45 -40
- pulumi_vault/jwt/auth_backend_role.py +133 -254
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +24 -19
- pulumi_vault/kmip/secret_role.py +14 -9
- pulumi_vault/kmip/secret_scope.py +14 -9
- pulumi_vault/kubernetes/auth_backend_config.py +57 -5
- pulumi_vault/kubernetes/auth_backend_role.py +70 -177
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -11
- pulumi_vault/kubernetes/secret_backend.py +316 -27
- pulumi_vault/kubernetes/secret_backend_role.py +137 -46
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +25 -8
- pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
- pulumi_vault/kv/get_secret_v2.py +85 -9
- pulumi_vault/kv/get_secrets_list.py +24 -11
- pulumi_vault/kv/get_secrets_list_v2.py +37 -15
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +23 -16
- pulumi_vault/kv/secret_backend_v2.py +20 -11
- pulumi_vault/kv/secret_v2.py +59 -50
- pulumi_vault/ldap/auth_backend.py +127 -166
- pulumi_vault/ldap/auth_backend_group.py +14 -9
- pulumi_vault/ldap/auth_backend_user.py +14 -9
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +354 -82
- pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
- pulumi_vault/ldap/secret_backend_library_set.py +16 -9
- pulumi_vault/ldap/secret_backend_static_role.py +73 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +29 -57
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +18 -11
- pulumi_vault/mfa_okta.py +18 -11
- pulumi_vault/mfa_pingid.py +18 -11
- pulumi_vault/mfa_totp.py +24 -17
- pulumi_vault/mongodbatlas/secret_backend.py +20 -15
- pulumi_vault/mongodbatlas/secret_role.py +47 -38
- pulumi_vault/mount.py +391 -51
- pulumi_vault/namespace.py +68 -83
- pulumi_vault/nomad_secret_backend.py +18 -13
- pulumi_vault/nomad_secret_role.py +14 -9
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +485 -39
- pulumi_vault/okta/auth_backend_group.py +14 -9
- pulumi_vault/okta/auth_backend_user.py +14 -9
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +20 -13
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
- pulumi_vault/pkisecret/get_backend_key.py +24 -9
- pulumi_vault/pkisecret/get_backend_keys.py +21 -8
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
- pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
- pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
- pulumi_vault/pkisecret/secret_backend_key.py +14 -9
- pulumi_vault/pkisecret/secret_backend_role.py +21 -14
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +14 -9
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +60 -6
- pulumi_vault/quota_rate_limit.py +56 -2
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +18 -13
- pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
- pulumi_vault/raft_autopilot.py +14 -9
- pulumi_vault/raft_snapshot_agent_config.py +129 -224
- pulumi_vault/rgp_policy.py +14 -9
- pulumi_vault/saml/auth_backend.py +22 -17
- pulumi_vault/saml/auth_backend_role.py +92 -197
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -71
- pulumi_vault/secrets/sync_aws_destination.py +242 -27
- pulumi_vault/secrets/sync_azure_destination.py +92 -31
- pulumi_vault/secrets/sync_config.py +9 -4
- pulumi_vault/secrets/sync_gcp_destination.py +158 -25
- pulumi_vault/secrets/sync_gh_destination.py +189 -13
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +74 -13
- pulumi_vault/ssh/_inputs.py +28 -28
- pulumi_vault/ssh/outputs.py +11 -28
- pulumi_vault/ssh/secret_backend_ca.py +108 -9
- pulumi_vault/ssh/secret_backend_role.py +85 -118
- pulumi_vault/terraformcloud/secret_backend.py +7 -54
- pulumi_vault/terraformcloud/secret_creds.py +14 -20
- pulumi_vault/terraformcloud/secret_role.py +16 -74
- pulumi_vault/token.py +28 -23
- pulumi_vault/tokenauth/auth_backend_role.py +78 -199
- pulumi_vault/transform/alphabet.py +16 -9
- pulumi_vault/transform/get_decode.py +45 -17
- pulumi_vault/transform/get_encode.py +45 -17
- pulumi_vault/transform/role.py +16 -9
- pulumi_vault/transform/template.py +30 -21
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -21
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +27 -93
- pulumi_vault/transit/secret_cache_config.py +12 -7
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
|
@@ -19,10 +24,10 @@ class AuthBackendRoleArgs:
|
|
19
24
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
20
25
|
backend: Optional[pulumi.Input[str]] = None,
|
21
26
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
22
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
27
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
23
28
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
24
29
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
25
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
30
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
26
31
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
27
32
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
28
33
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -53,10 +58,9 @@ class AuthBackendRoleArgs:
|
|
53
58
|
Required for OIDC roles
|
54
59
|
:param pulumi.Input[str] backend: The unique name of the auth backend to configure.
|
55
60
|
Defaults to `jwt`.
|
56
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (
|
57
|
-
|
58
|
-
|
59
|
-
:param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
|
61
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
62
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
63
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
|
60
64
|
A claim's value must be a string, which may contain one value or multiple
|
61
65
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
62
66
|
:param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
|
@@ -64,14 +68,14 @@ class AuthBackendRoleArgs:
|
|
64
68
|
match). Requires Vault 1.4.0 or above.
|
65
69
|
:param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
|
66
70
|
this value.
|
67
|
-
:param pulumi.Input[Mapping[str,
|
71
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
68
72
|
to specified metadata fields (values).
|
69
73
|
:param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
70
74
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
71
75
|
Only applicable with "jwt" roles.
|
72
76
|
:param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
73
77
|
:param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
74
|
-
clock skew, in seconds. Defaults to `
|
78
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
75
79
|
Only applicable with "jwt" roles.
|
76
80
|
:param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
|
77
81
|
the set of groups to which the user belongs; this will be used as the names
|
@@ -81,40 +85,23 @@ class AuthBackendRoleArgs:
|
|
81
85
|
the user was actively authenticated with the OIDC provider.
|
82
86
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
83
87
|
The value should not contain leading or trailing forward slashes.
|
84
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
88
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
85
89
|
*Available only for Vault Enterprise*.
|
86
90
|
:param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
87
|
-
clock skew, in seconds. Defaults to `
|
91
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
88
92
|
Only applicable with "jwt" roles.
|
89
93
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
90
94
|
The standard scope "openid" is automatically included and need not be specified.
|
91
95
|
:param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
|
92
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
93
|
-
|
94
|
-
|
95
|
-
:param pulumi.Input[
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
:param pulumi.Input[int]
|
100
|
-
|
101
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
102
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
103
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
|
104
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
105
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
106
|
-
token generated using this role should never expire. The token should be renewed within the
|
107
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
108
|
-
value of this field. Specified in seconds.
|
109
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
110
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
111
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
112
|
-
Its current value will be referenced at renewal time.
|
113
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
114
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
115
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
116
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
117
|
-
requests a different type at generation time.
|
96
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
97
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
98
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
99
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
100
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
101
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
102
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
103
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
104
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
118
105
|
:param pulumi.Input[bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
|
119
106
|
[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
|
120
107
|
syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
|
@@ -236,9 +223,8 @@ class AuthBackendRoleArgs:
|
|
236
223
|
@pulumi.getter(name="boundAudiences")
|
237
224
|
def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
238
225
|
"""
|
239
|
-
(
|
240
|
-
|
241
|
-
Any match is sufficient.
|
226
|
+
(Required for roles of type `jwt`, optional for roles of
|
227
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
242
228
|
"""
|
243
229
|
return pulumi.get(self, "bound_audiences")
|
244
230
|
|
@@ -248,7 +234,7 @@ class AuthBackendRoleArgs:
|
|
248
234
|
|
249
235
|
@property
|
250
236
|
@pulumi.getter(name="boundClaims")
|
251
|
-
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str,
|
237
|
+
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
252
238
|
"""
|
253
239
|
If set, a map of claims to values to match against.
|
254
240
|
A claim's value must be a string, which may contain one value or multiple
|
@@ -257,7 +243,7 @@ class AuthBackendRoleArgs:
|
|
257
243
|
return pulumi.get(self, "bound_claims")
|
258
244
|
|
259
245
|
@bound_claims.setter
|
260
|
-
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str,
|
246
|
+
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
261
247
|
pulumi.set(self, "bound_claims", value)
|
262
248
|
|
263
249
|
@property
|
@@ -289,7 +275,7 @@ class AuthBackendRoleArgs:
|
|
289
275
|
|
290
276
|
@property
|
291
277
|
@pulumi.getter(name="claimMappings")
|
292
|
-
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str,
|
278
|
+
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
293
279
|
"""
|
294
280
|
If set, a map of claims (keys) to be copied
|
295
281
|
to specified metadata fields (values).
|
@@ -297,7 +283,7 @@ class AuthBackendRoleArgs:
|
|
297
283
|
return pulumi.get(self, "claim_mappings")
|
298
284
|
|
299
285
|
@claim_mappings.setter
|
300
|
-
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str,
|
286
|
+
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
301
287
|
pulumi.set(self, "claim_mappings", value)
|
302
288
|
|
303
289
|
@property
|
@@ -331,7 +317,7 @@ class AuthBackendRoleArgs:
|
|
331
317
|
def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
|
332
318
|
"""
|
333
319
|
The amount of leeway to add to expiration (`exp`) claims to account for
|
334
|
-
clock skew, in seconds. Defaults to `
|
320
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
335
321
|
Only applicable with "jwt" roles.
|
336
322
|
"""
|
337
323
|
return pulumi.get(self, "expiration_leeway")
|
@@ -374,7 +360,7 @@ class AuthBackendRoleArgs:
|
|
374
360
|
"""
|
375
361
|
The namespace to provision the resource in.
|
376
362
|
The value should not contain leading or trailing forward slashes.
|
377
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
363
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
378
364
|
*Available only for Vault Enterprise*.
|
379
365
|
"""
|
380
366
|
return pulumi.get(self, "namespace")
|
@@ -388,7 +374,7 @@ class AuthBackendRoleArgs:
|
|
388
374
|
def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
|
389
375
|
"""
|
390
376
|
The amount of leeway to add to not before (`nbf`) claims to account for
|
391
|
-
clock skew, in seconds. Defaults to `
|
377
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
392
378
|
Only applicable with "jwt" roles.
|
393
379
|
"""
|
394
380
|
return pulumi.get(self, "not_before_leeway")
|
@@ -426,9 +412,7 @@ class AuthBackendRoleArgs:
|
|
426
412
|
@pulumi.getter(name="tokenBoundCidrs")
|
427
413
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
428
414
|
"""
|
429
|
-
|
430
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
431
|
-
as well.
|
415
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
432
416
|
"""
|
433
417
|
return pulumi.get(self, "token_bound_cidrs")
|
434
418
|
|
@@ -440,10 +424,7 @@ class AuthBackendRoleArgs:
|
|
440
424
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
441
425
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
442
426
|
"""
|
443
|
-
|
444
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
445
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
446
|
-
`token_max_ttl` would otherwise allow a renewal.
|
427
|
+
Generated Token's Explicit Maximum TTL in seconds
|
447
428
|
"""
|
448
429
|
return pulumi.get(self, "token_explicit_max_ttl")
|
449
430
|
|
@@ -455,8 +436,7 @@ class AuthBackendRoleArgs:
|
|
455
436
|
@pulumi.getter(name="tokenMaxTtl")
|
456
437
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
457
438
|
"""
|
458
|
-
The maximum lifetime
|
459
|
-
Its current value will be referenced at renewal time.
|
439
|
+
The maximum lifetime of the generated token
|
460
440
|
"""
|
461
441
|
return pulumi.get(self, "token_max_ttl")
|
462
442
|
|
@@ -468,8 +448,7 @@ class AuthBackendRoleArgs:
|
|
468
448
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
469
449
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
470
450
|
"""
|
471
|
-
If
|
472
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
451
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
473
452
|
"""
|
474
453
|
return pulumi.get(self, "token_no_default_policy")
|
475
454
|
|
@@ -481,8 +460,7 @@ class AuthBackendRoleArgs:
|
|
481
460
|
@pulumi.getter(name="tokenNumUses")
|
482
461
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
483
462
|
"""
|
484
|
-
The
|
485
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
463
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
486
464
|
"""
|
487
465
|
return pulumi.get(self, "token_num_uses")
|
488
466
|
|
@@ -494,10 +472,7 @@ class AuthBackendRoleArgs:
|
|
494
472
|
@pulumi.getter(name="tokenPeriod")
|
495
473
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
496
474
|
"""
|
497
|
-
|
498
|
-
token generated using this role should never expire. The token should be renewed within the
|
499
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
500
|
-
value of this field. Specified in seconds.
|
475
|
+
Generated Token's Period
|
501
476
|
"""
|
502
477
|
return pulumi.get(self, "token_period")
|
503
478
|
|
@@ -509,8 +484,7 @@ class AuthBackendRoleArgs:
|
|
509
484
|
@pulumi.getter(name="tokenPolicies")
|
510
485
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
511
486
|
"""
|
512
|
-
|
513
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
487
|
+
Generated Token's Policies
|
514
488
|
"""
|
515
489
|
return pulumi.get(self, "token_policies")
|
516
490
|
|
@@ -522,8 +496,7 @@ class AuthBackendRoleArgs:
|
|
522
496
|
@pulumi.getter(name="tokenTtl")
|
523
497
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
524
498
|
"""
|
525
|
-
The
|
526
|
-
Its current value will be referenced at renewal time.
|
499
|
+
The initial ttl of the token to generate in seconds
|
527
500
|
"""
|
528
501
|
return pulumi.get(self, "token_ttl")
|
529
502
|
|
@@ -535,11 +508,7 @@ class AuthBackendRoleArgs:
|
|
535
508
|
@pulumi.getter(name="tokenType")
|
536
509
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
537
510
|
"""
|
538
|
-
The type of token
|
539
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
540
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
541
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
542
|
-
requests a different type at generation time.
|
511
|
+
The type of token to generate, service or batch
|
543
512
|
"""
|
544
513
|
return pulumi.get(self, "token_type")
|
545
514
|
|
@@ -583,10 +552,10 @@ class _AuthBackendRoleState:
|
|
583
552
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
584
553
|
backend: Optional[pulumi.Input[str]] = None,
|
585
554
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
586
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
555
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
587
556
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
588
557
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
589
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
558
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
590
559
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
591
560
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
592
561
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -615,10 +584,9 @@ class _AuthBackendRoleState:
|
|
615
584
|
Required for OIDC roles
|
616
585
|
:param pulumi.Input[str] backend: The unique name of the auth backend to configure.
|
617
586
|
Defaults to `jwt`.
|
618
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (
|
619
|
-
|
620
|
-
|
621
|
-
:param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
|
587
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
588
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
589
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
|
622
590
|
A claim's value must be a string, which may contain one value or multiple
|
623
591
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
624
592
|
:param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
|
@@ -626,14 +594,14 @@ class _AuthBackendRoleState:
|
|
626
594
|
match). Requires Vault 1.4.0 or above.
|
627
595
|
:param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
|
628
596
|
this value.
|
629
|
-
:param pulumi.Input[Mapping[str,
|
597
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
630
598
|
to specified metadata fields (values).
|
631
599
|
:param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
632
600
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
633
601
|
Only applicable with "jwt" roles.
|
634
602
|
:param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
635
603
|
:param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
636
|
-
clock skew, in seconds. Defaults to `
|
604
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
637
605
|
Only applicable with "jwt" roles.
|
638
606
|
:param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
|
639
607
|
the set of groups to which the user belongs; this will be used as the names
|
@@ -643,41 +611,24 @@ class _AuthBackendRoleState:
|
|
643
611
|
the user was actively authenticated with the OIDC provider.
|
644
612
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
645
613
|
The value should not contain leading or trailing forward slashes.
|
646
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
614
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
647
615
|
*Available only for Vault Enterprise*.
|
648
616
|
:param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
649
|
-
clock skew, in seconds. Defaults to `
|
617
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
650
618
|
Only applicable with "jwt" roles.
|
651
619
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
652
620
|
The standard scope "openid" is automatically included and need not be specified.
|
653
621
|
:param pulumi.Input[str] role_name: The name of the role.
|
654
622
|
:param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
|
655
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
656
|
-
|
657
|
-
|
658
|
-
:param pulumi.Input[
|
659
|
-
|
660
|
-
|
661
|
-
|
662
|
-
:param pulumi.Input[int]
|
663
|
-
|
664
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
665
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
666
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
|
667
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
668
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
669
|
-
token generated using this role should never expire. The token should be renewed within the
|
670
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
671
|
-
value of this field. Specified in seconds.
|
672
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
673
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
674
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
675
|
-
Its current value will be referenced at renewal time.
|
676
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
677
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
678
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
679
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
680
|
-
requests a different type at generation time.
|
623
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
624
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
625
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
626
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
627
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
628
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
629
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
630
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
631
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
681
632
|
:param pulumi.Input[str] user_claim: The claim to use to uniquely identify
|
682
633
|
the user; this will be used as the name for the Identity entity alias created
|
683
634
|
due to a successful login.
|
@@ -778,9 +729,8 @@ class _AuthBackendRoleState:
|
|
778
729
|
@pulumi.getter(name="boundAudiences")
|
779
730
|
def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
780
731
|
"""
|
781
|
-
(
|
782
|
-
|
783
|
-
Any match is sufficient.
|
732
|
+
(Required for roles of type `jwt`, optional for roles of
|
733
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
784
734
|
"""
|
785
735
|
return pulumi.get(self, "bound_audiences")
|
786
736
|
|
@@ -790,7 +740,7 @@ class _AuthBackendRoleState:
|
|
790
740
|
|
791
741
|
@property
|
792
742
|
@pulumi.getter(name="boundClaims")
|
793
|
-
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str,
|
743
|
+
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
794
744
|
"""
|
795
745
|
If set, a map of claims to values to match against.
|
796
746
|
A claim's value must be a string, which may contain one value or multiple
|
@@ -799,7 +749,7 @@ class _AuthBackendRoleState:
|
|
799
749
|
return pulumi.get(self, "bound_claims")
|
800
750
|
|
801
751
|
@bound_claims.setter
|
802
|
-
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str,
|
752
|
+
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
803
753
|
pulumi.set(self, "bound_claims", value)
|
804
754
|
|
805
755
|
@property
|
@@ -831,7 +781,7 @@ class _AuthBackendRoleState:
|
|
831
781
|
|
832
782
|
@property
|
833
783
|
@pulumi.getter(name="claimMappings")
|
834
|
-
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str,
|
784
|
+
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
835
785
|
"""
|
836
786
|
If set, a map of claims (keys) to be copied
|
837
787
|
to specified metadata fields (values).
|
@@ -839,7 +789,7 @@ class _AuthBackendRoleState:
|
|
839
789
|
return pulumi.get(self, "claim_mappings")
|
840
790
|
|
841
791
|
@claim_mappings.setter
|
842
|
-
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str,
|
792
|
+
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
843
793
|
pulumi.set(self, "claim_mappings", value)
|
844
794
|
|
845
795
|
@property
|
@@ -873,7 +823,7 @@ class _AuthBackendRoleState:
|
|
873
823
|
def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
|
874
824
|
"""
|
875
825
|
The amount of leeway to add to expiration (`exp`) claims to account for
|
876
|
-
clock skew, in seconds. Defaults to `
|
826
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
877
827
|
Only applicable with "jwt" roles.
|
878
828
|
"""
|
879
829
|
return pulumi.get(self, "expiration_leeway")
|
@@ -916,7 +866,7 @@ class _AuthBackendRoleState:
|
|
916
866
|
"""
|
917
867
|
The namespace to provision the resource in.
|
918
868
|
The value should not contain leading or trailing forward slashes.
|
919
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
869
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
920
870
|
*Available only for Vault Enterprise*.
|
921
871
|
"""
|
922
872
|
return pulumi.get(self, "namespace")
|
@@ -930,7 +880,7 @@ class _AuthBackendRoleState:
|
|
930
880
|
def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
|
931
881
|
"""
|
932
882
|
The amount of leeway to add to not before (`nbf`) claims to account for
|
933
|
-
clock skew, in seconds. Defaults to `
|
883
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
934
884
|
Only applicable with "jwt" roles.
|
935
885
|
"""
|
936
886
|
return pulumi.get(self, "not_before_leeway")
|
@@ -980,9 +930,7 @@ class _AuthBackendRoleState:
|
|
980
930
|
@pulumi.getter(name="tokenBoundCidrs")
|
981
931
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
982
932
|
"""
|
983
|
-
|
984
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
985
|
-
as well.
|
933
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
986
934
|
"""
|
987
935
|
return pulumi.get(self, "token_bound_cidrs")
|
988
936
|
|
@@ -994,10 +942,7 @@ class _AuthBackendRoleState:
|
|
994
942
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
995
943
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
996
944
|
"""
|
997
|
-
|
998
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
999
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
1000
|
-
`token_max_ttl` would otherwise allow a renewal.
|
945
|
+
Generated Token's Explicit Maximum TTL in seconds
|
1001
946
|
"""
|
1002
947
|
return pulumi.get(self, "token_explicit_max_ttl")
|
1003
948
|
|
@@ -1009,8 +954,7 @@ class _AuthBackendRoleState:
|
|
1009
954
|
@pulumi.getter(name="tokenMaxTtl")
|
1010
955
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
1011
956
|
"""
|
1012
|
-
The maximum lifetime
|
1013
|
-
Its current value will be referenced at renewal time.
|
957
|
+
The maximum lifetime of the generated token
|
1014
958
|
"""
|
1015
959
|
return pulumi.get(self, "token_max_ttl")
|
1016
960
|
|
@@ -1022,8 +966,7 @@ class _AuthBackendRoleState:
|
|
1022
966
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
1023
967
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
1024
968
|
"""
|
1025
|
-
If
|
1026
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
969
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
1027
970
|
"""
|
1028
971
|
return pulumi.get(self, "token_no_default_policy")
|
1029
972
|
|
@@ -1035,8 +978,7 @@ class _AuthBackendRoleState:
|
|
1035
978
|
@pulumi.getter(name="tokenNumUses")
|
1036
979
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
1037
980
|
"""
|
1038
|
-
The
|
1039
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
981
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
1040
982
|
"""
|
1041
983
|
return pulumi.get(self, "token_num_uses")
|
1042
984
|
|
@@ -1048,10 +990,7 @@ class _AuthBackendRoleState:
|
|
1048
990
|
@pulumi.getter(name="tokenPeriod")
|
1049
991
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
1050
992
|
"""
|
1051
|
-
|
1052
|
-
token generated using this role should never expire. The token should be renewed within the
|
1053
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1054
|
-
value of this field. Specified in seconds.
|
993
|
+
Generated Token's Period
|
1055
994
|
"""
|
1056
995
|
return pulumi.get(self, "token_period")
|
1057
996
|
|
@@ -1063,8 +1002,7 @@ class _AuthBackendRoleState:
|
|
1063
1002
|
@pulumi.getter(name="tokenPolicies")
|
1064
1003
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
1065
1004
|
"""
|
1066
|
-
|
1067
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1005
|
+
Generated Token's Policies
|
1068
1006
|
"""
|
1069
1007
|
return pulumi.get(self, "token_policies")
|
1070
1008
|
|
@@ -1076,8 +1014,7 @@ class _AuthBackendRoleState:
|
|
1076
1014
|
@pulumi.getter(name="tokenTtl")
|
1077
1015
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
1078
1016
|
"""
|
1079
|
-
The
|
1080
|
-
Its current value will be referenced at renewal time.
|
1017
|
+
The initial ttl of the token to generate in seconds
|
1081
1018
|
"""
|
1082
1019
|
return pulumi.get(self, "token_ttl")
|
1083
1020
|
|
@@ -1089,11 +1026,7 @@ class _AuthBackendRoleState:
|
|
1089
1026
|
@pulumi.getter(name="tokenType")
|
1090
1027
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
1091
1028
|
"""
|
1092
|
-
The type of token
|
1093
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1094
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1095
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1096
|
-
requests a different type at generation time.
|
1029
|
+
The type of token to generate, service or batch
|
1097
1030
|
"""
|
1098
1031
|
return pulumi.get(self, "token_type")
|
1099
1032
|
|
@@ -1153,10 +1086,10 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1153
1086
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1154
1087
|
backend: Optional[pulumi.Input[str]] = None,
|
1155
1088
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1156
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
1089
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1157
1090
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
1158
1091
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
1159
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
1092
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1160
1093
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
1161
1094
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
1162
1095
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -1237,7 +1170,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1237
1170
|
JWT authentication backend roles can be imported using the `path`, e.g.
|
1238
1171
|
|
1239
1172
|
```sh
|
1240
|
-
|
1173
|
+
$ pulumi import vault:jwt/authBackendRole:AuthBackendRole example auth/jwt/role/test-role
|
1241
1174
|
```
|
1242
1175
|
|
1243
1176
|
:param str resource_name: The name of the resource.
|
@@ -1246,10 +1179,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1246
1179
|
Required for OIDC roles
|
1247
1180
|
:param pulumi.Input[str] backend: The unique name of the auth backend to configure.
|
1248
1181
|
Defaults to `jwt`.
|
1249
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (
|
1250
|
-
|
1251
|
-
|
1252
|
-
:param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
|
1182
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
1183
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
1184
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
|
1253
1185
|
A claim's value must be a string, which may contain one value or multiple
|
1254
1186
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
1255
1187
|
:param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
|
@@ -1257,14 +1189,14 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1257
1189
|
match). Requires Vault 1.4.0 or above.
|
1258
1190
|
:param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
|
1259
1191
|
this value.
|
1260
|
-
:param pulumi.Input[Mapping[str,
|
1192
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
1261
1193
|
to specified metadata fields (values).
|
1262
1194
|
:param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
1263
1195
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
1264
1196
|
Only applicable with "jwt" roles.
|
1265
1197
|
:param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
1266
1198
|
:param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
1267
|
-
clock skew, in seconds. Defaults to `
|
1199
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1268
1200
|
Only applicable with "jwt" roles.
|
1269
1201
|
:param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
|
1270
1202
|
the set of groups to which the user belongs; this will be used as the names
|
@@ -1274,41 +1206,24 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1274
1206
|
the user was actively authenticated with the OIDC provider.
|
1275
1207
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1276
1208
|
The value should not contain leading or trailing forward slashes.
|
1277
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1209
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1278
1210
|
*Available only for Vault Enterprise*.
|
1279
1211
|
:param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
1280
|
-
clock skew, in seconds. Defaults to `
|
1212
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1281
1213
|
Only applicable with "jwt" roles.
|
1282
1214
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
1283
1215
|
The standard scope "openid" is automatically included and need not be specified.
|
1284
1216
|
:param pulumi.Input[str] role_name: The name of the role.
|
1285
1217
|
:param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
|
1286
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
1287
|
-
|
1288
|
-
|
1289
|
-
:param pulumi.Input[
|
1290
|
-
|
1291
|
-
|
1292
|
-
|
1293
|
-
:param pulumi.Input[int]
|
1294
|
-
|
1295
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
1296
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1297
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
|
1298
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1299
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
1300
|
-
token generated using this role should never expire. The token should be renewed within the
|
1301
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1302
|
-
value of this field. Specified in seconds.
|
1303
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
1304
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1305
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
1306
|
-
Its current value will be referenced at renewal time.
|
1307
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
1308
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1309
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1310
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1311
|
-
requests a different type at generation time.
|
1218
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
1219
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
1220
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
1221
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
1222
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
1223
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
1224
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
1225
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
1226
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
1312
1227
|
:param pulumi.Input[str] user_claim: The claim to use to uniquely identify
|
1313
1228
|
the user; this will be used as the name for the Identity entity alias created
|
1314
1229
|
due to a successful login.
|
@@ -1383,7 +1298,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1383
1298
|
JWT authentication backend roles can be imported using the `path`, e.g.
|
1384
1299
|
|
1385
1300
|
```sh
|
1386
|
-
|
1301
|
+
$ pulumi import vault:jwt/authBackendRole:AuthBackendRole example auth/jwt/role/test-role
|
1387
1302
|
```
|
1388
1303
|
|
1389
1304
|
:param str resource_name: The name of the resource.
|
@@ -1404,10 +1319,10 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1404
1319
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1405
1320
|
backend: Optional[pulumi.Input[str]] = None,
|
1406
1321
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1407
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
1322
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1408
1323
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
1409
1324
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
1410
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
1325
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1411
1326
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
1412
1327
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
1413
1328
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -1485,10 +1400,10 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1485
1400
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1486
1401
|
backend: Optional[pulumi.Input[str]] = None,
|
1487
1402
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1488
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
1403
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1489
1404
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
1490
1405
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
1491
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
1406
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1492
1407
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
1493
1408
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
1494
1409
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -1522,10 +1437,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1522
1437
|
Required for OIDC roles
|
1523
1438
|
:param pulumi.Input[str] backend: The unique name of the auth backend to configure.
|
1524
1439
|
Defaults to `jwt`.
|
1525
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (
|
1526
|
-
|
1527
|
-
|
1528
|
-
:param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
|
1440
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
1441
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
1442
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
|
1529
1443
|
A claim's value must be a string, which may contain one value or multiple
|
1530
1444
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
1531
1445
|
:param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
|
@@ -1533,14 +1447,14 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1533
1447
|
match). Requires Vault 1.4.0 or above.
|
1534
1448
|
:param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
|
1535
1449
|
this value.
|
1536
|
-
:param pulumi.Input[Mapping[str,
|
1450
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
1537
1451
|
to specified metadata fields (values).
|
1538
1452
|
:param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
1539
1453
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
1540
1454
|
Only applicable with "jwt" roles.
|
1541
1455
|
:param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
1542
1456
|
:param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
1543
|
-
clock skew, in seconds. Defaults to `
|
1457
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1544
1458
|
Only applicable with "jwt" roles.
|
1545
1459
|
:param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
|
1546
1460
|
the set of groups to which the user belongs; this will be used as the names
|
@@ -1550,41 +1464,24 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1550
1464
|
the user was actively authenticated with the OIDC provider.
|
1551
1465
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1552
1466
|
The value should not contain leading or trailing forward slashes.
|
1553
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1467
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1554
1468
|
*Available only for Vault Enterprise*.
|
1555
1469
|
:param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
1556
|
-
clock skew, in seconds. Defaults to `
|
1470
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1557
1471
|
Only applicable with "jwt" roles.
|
1558
1472
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
1559
1473
|
The standard scope "openid" is automatically included and need not be specified.
|
1560
1474
|
:param pulumi.Input[str] role_name: The name of the role.
|
1561
1475
|
:param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
|
1562
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
1563
|
-
|
1564
|
-
|
1565
|
-
:param pulumi.Input[
|
1566
|
-
|
1567
|
-
|
1568
|
-
|
1569
|
-
:param pulumi.Input[int]
|
1570
|
-
|
1571
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
1572
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1573
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
|
1574
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1575
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
1576
|
-
token generated using this role should never expire. The token should be renewed within the
|
1577
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1578
|
-
value of this field. Specified in seconds.
|
1579
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
1580
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1581
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
1582
|
-
Its current value will be referenced at renewal time.
|
1583
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
1584
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1585
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1586
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1587
|
-
requests a different type at generation time.
|
1476
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
1477
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
1478
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
1479
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
1480
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
1481
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
1482
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
1483
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
1484
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
1588
1485
|
:param pulumi.Input[str] user_claim: The claim to use to uniquely identify
|
1589
1486
|
the user; this will be used as the name for the Identity entity alias created
|
1590
1487
|
due to a successful login.
|
@@ -1653,15 +1550,14 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1653
1550
|
@pulumi.getter(name="boundAudiences")
|
1654
1551
|
def bound_audiences(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1655
1552
|
"""
|
1656
|
-
(
|
1657
|
-
|
1658
|
-
Any match is sufficient.
|
1553
|
+
(Required for roles of type `jwt`, optional for roles of
|
1554
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
1659
1555
|
"""
|
1660
1556
|
return pulumi.get(self, "bound_audiences")
|
1661
1557
|
|
1662
1558
|
@property
|
1663
1559
|
@pulumi.getter(name="boundClaims")
|
1664
|
-
def bound_claims(self) -> pulumi.Output[Optional[Mapping[str,
|
1560
|
+
def bound_claims(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
|
1665
1561
|
"""
|
1666
1562
|
If set, a map of claims to values to match against.
|
1667
1563
|
A claim's value must be a string, which may contain one value or multiple
|
@@ -1690,7 +1586,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1690
1586
|
|
1691
1587
|
@property
|
1692
1588
|
@pulumi.getter(name="claimMappings")
|
1693
|
-
def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str,
|
1589
|
+
def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
|
1694
1590
|
"""
|
1695
1591
|
If set, a map of claims (keys) to be copied
|
1696
1592
|
to specified metadata fields (values).
|
@@ -1720,7 +1616,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1720
1616
|
def expiration_leeway(self) -> pulumi.Output[Optional[int]]:
|
1721
1617
|
"""
|
1722
1618
|
The amount of leeway to add to expiration (`exp`) claims to account for
|
1723
|
-
clock skew, in seconds. Defaults to `
|
1619
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1724
1620
|
Only applicable with "jwt" roles.
|
1725
1621
|
"""
|
1726
1622
|
return pulumi.get(self, "expiration_leeway")
|
@@ -1751,7 +1647,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1751
1647
|
"""
|
1752
1648
|
The namespace to provision the resource in.
|
1753
1649
|
The value should not contain leading or trailing forward slashes.
|
1754
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1650
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1755
1651
|
*Available only for Vault Enterprise*.
|
1756
1652
|
"""
|
1757
1653
|
return pulumi.get(self, "namespace")
|
@@ -1761,7 +1657,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1761
1657
|
def not_before_leeway(self) -> pulumi.Output[Optional[int]]:
|
1762
1658
|
"""
|
1763
1659
|
The amount of leeway to add to not before (`nbf`) claims to account for
|
1764
|
-
clock skew, in seconds. Defaults to `
|
1660
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1765
1661
|
Only applicable with "jwt" roles.
|
1766
1662
|
"""
|
1767
1663
|
return pulumi.get(self, "not_before_leeway")
|
@@ -1795,9 +1691,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1795
1691
|
@pulumi.getter(name="tokenBoundCidrs")
|
1796
1692
|
def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1797
1693
|
"""
|
1798
|
-
|
1799
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
1800
|
-
as well.
|
1694
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
1801
1695
|
"""
|
1802
1696
|
return pulumi.get(self, "token_bound_cidrs")
|
1803
1697
|
|
@@ -1805,10 +1699,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1805
1699
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
1806
1700
|
def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1807
1701
|
"""
|
1808
|
-
|
1809
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
1810
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
1811
|
-
`token_max_ttl` would otherwise allow a renewal.
|
1702
|
+
Generated Token's Explicit Maximum TTL in seconds
|
1812
1703
|
"""
|
1813
1704
|
return pulumi.get(self, "token_explicit_max_ttl")
|
1814
1705
|
|
@@ -1816,8 +1707,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1816
1707
|
@pulumi.getter(name="tokenMaxTtl")
|
1817
1708
|
def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1818
1709
|
"""
|
1819
|
-
The maximum lifetime
|
1820
|
-
Its current value will be referenced at renewal time.
|
1710
|
+
The maximum lifetime of the generated token
|
1821
1711
|
"""
|
1822
1712
|
return pulumi.get(self, "token_max_ttl")
|
1823
1713
|
|
@@ -1825,8 +1715,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1825
1715
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
1826
1716
|
def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
|
1827
1717
|
"""
|
1828
|
-
If
|
1829
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1718
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
1830
1719
|
"""
|
1831
1720
|
return pulumi.get(self, "token_no_default_policy")
|
1832
1721
|
|
@@ -1834,8 +1723,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1834
1723
|
@pulumi.getter(name="tokenNumUses")
|
1835
1724
|
def token_num_uses(self) -> pulumi.Output[Optional[int]]:
|
1836
1725
|
"""
|
1837
|
-
The
|
1838
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1726
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
1839
1727
|
"""
|
1840
1728
|
return pulumi.get(self, "token_num_uses")
|
1841
1729
|
|
@@ -1843,10 +1731,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1843
1731
|
@pulumi.getter(name="tokenPeriod")
|
1844
1732
|
def token_period(self) -> pulumi.Output[Optional[int]]:
|
1845
1733
|
"""
|
1846
|
-
|
1847
|
-
token generated using this role should never expire. The token should be renewed within the
|
1848
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1849
|
-
value of this field. Specified in seconds.
|
1734
|
+
Generated Token's Period
|
1850
1735
|
"""
|
1851
1736
|
return pulumi.get(self, "token_period")
|
1852
1737
|
|
@@ -1854,8 +1739,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1854
1739
|
@pulumi.getter(name="tokenPolicies")
|
1855
1740
|
def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1856
1741
|
"""
|
1857
|
-
|
1858
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1742
|
+
Generated Token's Policies
|
1859
1743
|
"""
|
1860
1744
|
return pulumi.get(self, "token_policies")
|
1861
1745
|
|
@@ -1863,8 +1747,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1863
1747
|
@pulumi.getter(name="tokenTtl")
|
1864
1748
|
def token_ttl(self) -> pulumi.Output[Optional[int]]:
|
1865
1749
|
"""
|
1866
|
-
The
|
1867
|
-
Its current value will be referenced at renewal time.
|
1750
|
+
The initial ttl of the token to generate in seconds
|
1868
1751
|
"""
|
1869
1752
|
return pulumi.get(self, "token_ttl")
|
1870
1753
|
|
@@ -1872,11 +1755,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1872
1755
|
@pulumi.getter(name="tokenType")
|
1873
1756
|
def token_type(self) -> pulumi.Output[Optional[str]]:
|
1874
1757
|
"""
|
1875
|
-
The type of token
|
1876
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1877
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1878
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1879
|
-
requests a different type at generation time.
|
1758
|
+
The type of token to generate, service or batch
|
1880
1759
|
"""
|
1881
1760
|
return pulumi.get(self, "token_type")
|
1882
1761
|
|