pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

pulumi_vault/jwt/outputs.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = [

pulumi_vault/kmip/secret_backend.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretBackendArgs', 'SecretBackend']
@@ -40,7 +45,7 @@ class SecretBackendArgs:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] listen_addrs: Addresses the KMIP server should listen on (`host:port`).
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] server_hostnames: Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN).
         :param pulumi.Input[Sequence[pulumi.Input[str]]] server_ips: IPs to include in the server's TLS certificate as SAN IP addresses.
@@ -166,7 +171,7 @@ class SecretBackendArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -263,7 +268,7 @@ class _SecretBackendState:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] listen_addrs: Addresses the KMIP server should listen on (`host:port`).
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -379,7 +384,7 @@ class _SecretBackendState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -493,17 +498,17 @@ class SecretBackend(pulumi.CustomResource):
         import pulumi_vault as vault
 
         default = vault.kmip.SecretBackend("default",
-            default_tls_client_key_bits=4096,
-            default_tls_client_key_type="rsa",
-            default_tls_client_ttl=86400,
+            path="kmip",
             description="Vault KMIP backend",
             listen_addrs=[
                 "127.0.0.1:5696",
                 "127.0.0.1:8080",
             ],
-            path="kmip",
+            tls_ca_key_type="rsa",
             tls_ca_key_bits=4096,
-            tls_ca_key_type="rsa")
+            default_tls_client_key_type="rsa",
+            default_tls_client_key_bits=4096,
+            default_tls_client_ttl=86400)
         ```
 
         ## Import
@@ -511,7 +516,7 @@ class SecretBackend(pulumi.CustomResource):
         KMIP Secret backend can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:kmip/secretBackend:SecretBackend default kmip
+        $ pulumi import vault:kmip/secretBackend:SecretBackend default kmip
         ```
 
         :param str resource_name: The name of the resource.
@@ -525,7 +530,7 @@ class SecretBackend(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] listen_addrs: Addresses the KMIP server should listen on (`host:port`).
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -553,17 +558,17 @@ class SecretBackend(pulumi.CustomResource):
         import pulumi_vault as vault
 
         default = vault.kmip.SecretBackend("default",
-            default_tls_client_key_bits=4096,
-            default_tls_client_key_type="rsa",
-            default_tls_client_ttl=86400,
+            path="kmip",
             description="Vault KMIP backend",
             listen_addrs=[
                 "127.0.0.1:5696",
                 "127.0.0.1:8080",
             ],
-            path="kmip",
+            tls_ca_key_type="rsa",
             tls_ca_key_bits=4096,
-            tls_ca_key_type="rsa")
+            default_tls_client_key_type="rsa",
+            default_tls_client_key_bits=4096,
+            default_tls_client_ttl=86400)
         ```
 
         ## Import
@@ -571,7 +576,7 @@ class SecretBackend(pulumi.CustomResource):
         KMIP Secret backend can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:kmip/secretBackend:SecretBackend default kmip
+        $ pulumi import vault:kmip/secretBackend:SecretBackend default kmip
         ```
 
         :param str resource_name: The name of the resource.
@@ -665,7 +670,7 @@ class SecretBackend(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] listen_addrs: Addresses the KMIP server should listen on (`host:port`).
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -749,7 +754,7 @@ class SecretBackend(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")

pulumi_vault/kmip/secret_role.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretRoleArgs', 'SecretRole']
@@ -43,7 +48,7 @@ class SecretRoleArgs:
         :param pulumi.Input[str] scope: Name of the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[bool] operation_activate: Grant permission to use the KMIP Activate operation.
         :param pulumi.Input[bool] operation_add_attribute: Grant permission to use the KMIP Add Attribute operation.
@@ -146,7 +151,7 @@ class SecretRoleArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -388,7 +393,7 @@ class _SecretRoleState:
         Input properties used for looking up and filtering SecretRole resources.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[bool] operation_activate: Grant permission to use the KMIP Activate operation.
         :param pulumi.Input[bool] operation_add_attribute: Grant permission to use the KMIP Add Attribute operation.
@@ -461,7 +466,7 @@ class _SecretRoleState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -775,14 +780,14 @@ class SecretRole(pulumi.CustomResource):
         KMIP Secret role can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:kmip/secretRole:SecretRole admin kmip
+        $ pulumi import vault:kmip/secretRole:SecretRole admin kmip
         ```
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[bool] operation_activate: Grant permission to use the KMIP Activate operation.
         :param pulumi.Input[bool] operation_add_attribute: Grant permission to use the KMIP Add Attribute operation.
@@ -848,7 +853,7 @@ class SecretRole(pulumi.CustomResource):
         KMIP Secret role can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:kmip/secretRole:SecretRole admin kmip
+        $ pulumi import vault:kmip/secretRole:SecretRole admin kmip
         ```
 
         :param str resource_name: The name of the resource.
@@ -963,7 +968,7 @@ class SecretRole(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[bool] operation_activate: Grant permission to use the KMIP Activate operation.
         :param pulumi.Input[bool] operation_add_attribute: Grant permission to use the KMIP Add Attribute operation.
@@ -1020,7 +1025,7 @@ class SecretRole(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")

pulumi_vault/kmip/secret_scope.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretScopeArgs', 'SecretScope']
@@ -26,7 +31,7 @@ class SecretScopeArgs:
         :param pulumi.Input[bool] force: Boolean field to force deletion even if there are managed objects in the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         """
         pulumi.set(__self__, "path", path)
@@ -79,7 +84,7 @@ class SecretScopeArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -101,7 +106,7 @@ class _SecretScopeState:
         :param pulumi.Input[bool] force: Boolean field to force deletion even if there are managed objects in the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -134,7 +139,7 @@ class _SecretScopeState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -204,7 +209,7 @@ class SecretScope(pulumi.CustomResource):
         KMIP Secret scope can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:kmip/secretScope:SecretScope dev kmip
+        $ pulumi import vault:kmip/secretScope:SecretScope dev kmip
         ```
 
         :param str resource_name: The name of the resource.
@@ -212,7 +217,7 @@ class SecretScope(pulumi.CustomResource):
         :param pulumi.Input[bool] force: Boolean field to force deletion even if there are managed objects in the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -249,7 +254,7 @@ class SecretScope(pulumi.CustomResource):
         KMIP Secret scope can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:kmip/secretScope:SecretScope dev kmip
+        $ pulumi import vault:kmip/secretScope:SecretScope dev kmip
         ```
 
         :param str resource_name: The name of the resource.
@@ -312,7 +317,7 @@ class SecretScope(pulumi.CustomResource):
         :param pulumi.Input[bool] force: Boolean field to force deletion even if there are managed objects in the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -342,7 +347,7 @@ class SecretScope(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")

pulumi_vault/kubernetes/auth_backend_config.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['AuthBackendConfigArgs', 'AuthBackendConfig']
@@ -22,7 +27,8 @@ class AuthBackendConfigArgs:
                  kubernetes_ca_cert: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 token_reviewer_jwt: Optional[pulumi.Input[str]] = None):
+                 token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+                 use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None):
         """
         The set of arguments for constructing a AuthBackendConfig resource.
         :param pulumi.Input[str] kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
@@ -37,6 +43,7 @@ class AuthBackendConfigArgs:
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
         :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
+        :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
         """
         pulumi.set(__self__, "kubernetes_host", kubernetes_host)
         if backend is not None:
@@ -55,6 +62,8 @@ class AuthBackendConfigArgs:
             pulumi.set(__self__, "pem_keys", pem_keys)
         if token_reviewer_jwt is not None:
             pulumi.set(__self__, "token_reviewer_jwt", token_reviewer_jwt)
+        if use_annotations_as_alias_metadata is not None:
+            pulumi.set(__self__, "use_annotations_as_alias_metadata", use_annotations_as_alias_metadata)
 
     @property
     @pulumi.getter(name="kubernetesHost")
@@ -167,6 +176,18 @@ class AuthBackendConfigArgs:
     def token_reviewer_jwt(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "token_reviewer_jwt", value)
 
+    @property
+    @pulumi.getter(name="useAnnotationsAsAliasMetadata")
+    def use_annotations_as_alias_metadata(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+        """
+        return pulumi.get(self, "use_annotations_as_alias_metadata")
+
+    @use_annotations_as_alias_metadata.setter
+    def use_annotations_as_alias_metadata(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "use_annotations_as_alias_metadata", value)
+
 
 @pulumi.input_type
 class _AuthBackendConfigState:
@@ -179,7 +200,8 @@ class _AuthBackendConfigState:
                  kubernetes_host: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 token_reviewer_jwt: Optional[pulumi.Input[str]] = None):
+                 token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+                 use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None):
         """
         Input properties used for looking up and filtering AuthBackendConfig resources.
         :param pulumi.Input[str] backend: Unique name of the kubernetes backend to configure.
@@ -194,6 +216,7 @@ class _AuthBackendConfigState:
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
         :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
+        :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
         """
         if backend is not None:
             pulumi.set(__self__, "backend", backend)
@@ -213,6 +236,8 @@ class _AuthBackendConfigState:
             pulumi.set(__self__, "pem_keys", pem_keys)
         if token_reviewer_jwt is not None:
             pulumi.set(__self__, "token_reviewer_jwt", token_reviewer_jwt)
+        if use_annotations_as_alias_metadata is not None:
+            pulumi.set(__self__, "use_annotations_as_alias_metadata", use_annotations_as_alias_metadata)
 
     @property
     @pulumi.getter
@@ -325,6 +350,18 @@ class _AuthBackendConfigState:
     def token_reviewer_jwt(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "token_reviewer_jwt", value)
 
+    @property
+    @pulumi.getter(name="useAnnotationsAsAliasMetadata")
+    def use_annotations_as_alias_metadata(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+        """
+        return pulumi.get(self, "use_annotations_as_alias_metadata")
+
+    @use_annotations_as_alias_metadata.setter
+    def use_annotations_as_alias_metadata(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "use_annotations_as_alias_metadata", value)
+
 
 class AuthBackendConfig(pulumi.CustomResource):
     @overload
@@ -340,6 +377,7 @@ class AuthBackendConfig(pulumi.CustomResource):
                  namespace: Optional[pulumi.Input[str]] = None,
                  pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+                 use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None,
                  __props__=None):
         """
         Manages an Kubernetes auth backend config in a Vault server. See the [Vault
@@ -369,7 +407,7 @@ class AuthBackendConfig(pulumi.CustomResource):
         Kubernetes authentication backend can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:kubernetes/authBackendConfig:AuthBackendConfig config auth/kubernetes/config
+        $ pulumi import vault:kubernetes/authBackendConfig:AuthBackendConfig config auth/kubernetes/config
         ```
 
         :param str resource_name: The name of the resource.
@@ -386,6 +424,7 @@ class AuthBackendConfig(pulumi.CustomResource):
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
         :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
+        :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
         """
         ...
     @overload
@@ -421,7 +460,7 @@ class AuthBackendConfig(pulumi.CustomResource):
         Kubernetes authentication backend can be imported using the `path`, e.g.
 
         ```sh
-         $ pulumi import vault:kubernetes/authBackendConfig:AuthBackendConfig config auth/kubernetes/config
+        $ pulumi import vault:kubernetes/authBackendConfig:AuthBackendConfig config auth/kubernetes/config
         ```
 
         :param str resource_name: The name of the resource.
@@ -448,6 +487,7 @@ class AuthBackendConfig(pulumi.CustomResource):
                  namespace: Optional[pulumi.Input[str]] = None,
                  pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+                 use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -468,6 +508,7 @@ class AuthBackendConfig(pulumi.CustomResource):
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["pem_keys"] = pem_keys
             __props__.__dict__["token_reviewer_jwt"] = None if token_reviewer_jwt is None else pulumi.Output.secret(token_reviewer_jwt)
+            __props__.__dict__["use_annotations_as_alias_metadata"] = use_annotations_as_alias_metadata
         secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["tokenReviewerJwt"])
         opts = pulumi.ResourceOptions.merge(opts, secret_opts)
         super(AuthBackendConfig, __self__).__init__(
@@ -488,7 +529,8 @@ class AuthBackendConfig(pulumi.CustomResource):
             kubernetes_host: Optional[pulumi.Input[str]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
             pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            token_reviewer_jwt: Optional[pulumi.Input[str]] = None) -> 'AuthBackendConfig':
+            token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+            use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None) -> 'AuthBackendConfig':
         """
         Get an existing AuthBackendConfig resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -508,6 +550,7 @@ class AuthBackendConfig(pulumi.CustomResource):
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
         :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
+        :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -522,6 +565,7 @@ class AuthBackendConfig(pulumi.CustomResource):
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["pem_keys"] = pem_keys
         __props__.__dict__["token_reviewer_jwt"] = token_reviewer_jwt
+        __props__.__dict__["use_annotations_as_alias_metadata"] = use_annotations_as_alias_metadata
         return AuthBackendConfig(resource_name, opts=opts, __props__=__props__)
 
     @property
@@ -599,3 +643,11 @@ class AuthBackendConfig(pulumi.CustomResource):
         """
         return pulumi.get(self, "token_reviewer_jwt")
 
+    @property
+    @pulumi.getter(name="useAnnotationsAsAliasMetadata")
+    def use_annotations_as_alias_metadata(self) -> pulumi.Output[bool]:
+        """
+        Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+        """
+        return pulumi.get(self, "use_annotations_as_alias_metadata")
+