pulumi-vault 5.21.0a1709368526__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +26 -9
- pulumi_vault/ad/secret_backend.py +16 -142
- pulumi_vault/ad/secret_library.py +16 -9
- pulumi_vault/ad/secret_role.py +14 -9
- pulumi_vault/alicloud/auth_backend_role.py +76 -190
- pulumi_vault/approle/auth_backend_login.py +12 -7
- pulumi_vault/approle/auth_backend_role.py +77 -191
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -7
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -5
- pulumi_vault/audit.py +30 -21
- pulumi_vault/audit_request_header.py +11 -2
- pulumi_vault/auth_backend.py +66 -14
- pulumi_vault/aws/auth_backend_cert.py +18 -9
- pulumi_vault/aws/auth_backend_client.py +267 -22
- pulumi_vault/aws/auth_backend_config_identity.py +14 -9
- pulumi_vault/aws/auth_backend_identity_whitelist.py +20 -15
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +77 -191
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -13
- pulumi_vault/aws/auth_backend_sts_role.py +14 -9
- pulumi_vault/aws/get_access_credentials.py +38 -9
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +77 -9
- pulumi_vault/aws/secret_backend_role.py +185 -9
- pulumi_vault/aws/secret_backend_static_role.py +20 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +153 -15
- pulumi_vault/azure/auth_backend_role.py +77 -191
- pulumi_vault/azure/backend.py +227 -21
- pulumi_vault/azure/backend_role.py +42 -37
- pulumi_vault/azure/get_access_credentials.py +41 -7
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -267
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +28 -19
- pulumi_vault/consul/secret_backend_role.py +18 -78
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +119 -112
- pulumi_vault/database/secret_backend_role.py +31 -22
- pulumi_vault/database/secret_backend_static_role.py +87 -13
- pulumi_vault/database/secrets_mount.py +427 -136
- pulumi_vault/egp_policy.py +16 -11
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +250 -33
- pulumi_vault/gcp/auth_backend_role.py +77 -269
- pulumi_vault/gcp/get_auth_backend_role.py +43 -5
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -12
- pulumi_vault/gcp/secret_impersonated_account.py +76 -15
- pulumi_vault/gcp/secret_roleset.py +31 -24
- pulumi_vault/gcp/secret_static_account.py +39 -32
- pulumi_vault/generic/endpoint.py +24 -17
- pulumi_vault/generic/get_secret.py +64 -8
- pulumi_vault/generic/secret.py +21 -16
- pulumi_vault/get_auth_backend.py +24 -7
- pulumi_vault/get_auth_backends.py +51 -9
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -11
- pulumi_vault/get_policy_document.py +34 -19
- pulumi_vault/get_raft_autopilot_state.py +29 -10
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +19 -14
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +16 -11
- pulumi_vault/github/user.py +16 -11
- pulumi_vault/identity/entity.py +20 -13
- pulumi_vault/identity/entity_alias.py +20 -13
- pulumi_vault/identity/entity_policies.py +28 -11
- pulumi_vault/identity/get_entity.py +42 -10
- pulumi_vault/identity/get_group.py +47 -9
- pulumi_vault/identity/get_oidc_client_creds.py +21 -7
- pulumi_vault/identity/get_oidc_openid_config.py +39 -9
- pulumi_vault/identity/get_oidc_public_keys.py +29 -10
- pulumi_vault/identity/group.py +58 -39
- pulumi_vault/identity/group_alias.py +16 -9
- pulumi_vault/identity/group_member_entity_ids.py +28 -66
- pulumi_vault/identity/group_member_group_ids.py +40 -19
- pulumi_vault/identity/group_policies.py +20 -7
- pulumi_vault/identity/mfa_duo.py +11 -6
- pulumi_vault/identity/mfa_login_enforcement.py +15 -6
- pulumi_vault/identity/mfa_okta.py +11 -6
- pulumi_vault/identity/mfa_pingid.py +7 -2
- pulumi_vault/identity/mfa_totp.py +7 -2
- pulumi_vault/identity/oidc.py +12 -7
- pulumi_vault/identity/oidc_assignment.py +24 -11
- pulumi_vault/identity/oidc_client.py +36 -23
- pulumi_vault/identity/oidc_key.py +30 -17
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -15
- pulumi_vault/identity/oidc_provider.py +36 -21
- pulumi_vault/identity/oidc_role.py +42 -21
- pulumi_vault/identity/oidc_scope.py +20 -13
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +45 -40
- pulumi_vault/jwt/auth_backend_role.py +133 -254
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +24 -19
- pulumi_vault/kmip/secret_role.py +14 -9
- pulumi_vault/kmip/secret_scope.py +14 -9
- pulumi_vault/kubernetes/auth_backend_config.py +57 -5
- pulumi_vault/kubernetes/auth_backend_role.py +70 -177
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -11
- pulumi_vault/kubernetes/secret_backend.py +316 -27
- pulumi_vault/kubernetes/secret_backend_role.py +137 -46
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +25 -8
- pulumi_vault/kv/get_secret_subkeys_v2.py +33 -10
- pulumi_vault/kv/get_secret_v2.py +85 -9
- pulumi_vault/kv/get_secrets_list.py +24 -11
- pulumi_vault/kv/get_secrets_list_v2.py +37 -15
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +23 -16
- pulumi_vault/kv/secret_backend_v2.py +20 -11
- pulumi_vault/kv/secret_v2.py +59 -50
- pulumi_vault/ldap/auth_backend.py +127 -166
- pulumi_vault/ldap/auth_backend_group.py +14 -9
- pulumi_vault/ldap/auth_backend_user.py +14 -9
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +354 -82
- pulumi_vault/ldap/secret_backend_dynamic_role.py +18 -11
- pulumi_vault/ldap/secret_backend_library_set.py +16 -9
- pulumi_vault/ldap/secret_backend_static_role.py +73 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +29 -57
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +18 -11
- pulumi_vault/mfa_okta.py +18 -11
- pulumi_vault/mfa_pingid.py +18 -11
- pulumi_vault/mfa_totp.py +24 -17
- pulumi_vault/mongodbatlas/secret_backend.py +20 -15
- pulumi_vault/mongodbatlas/secret_role.py +47 -38
- pulumi_vault/mount.py +391 -51
- pulumi_vault/namespace.py +68 -83
- pulumi_vault/nomad_secret_backend.py +18 -13
- pulumi_vault/nomad_secret_role.py +14 -9
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +485 -39
- pulumi_vault/okta/auth_backend_group.py +14 -9
- pulumi_vault/okta/auth_backend_user.py +14 -9
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +20 -13
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +67 -9
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -8
- pulumi_vault/pkisecret/get_backend_key.py +24 -9
- pulumi_vault/pkisecret/get_backend_keys.py +21 -8
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -11
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -11
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +14 -9
- pulumi_vault/pkisecret/secret_backend_config_urls.py +67 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -9
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -11
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -17
- pulumi_vault/pkisecret/secret_backend_issuer.py +14 -9
- pulumi_vault/pkisecret/secret_backend_key.py +14 -9
- pulumi_vault/pkisecret/secret_backend_role.py +21 -14
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -48
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -56
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -54
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +14 -9
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +60 -6
- pulumi_vault/quota_rate_limit.py +56 -2
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +18 -13
- pulumi_vault/rabbitmq/secret_backend_role.py +54 -47
- pulumi_vault/raft_autopilot.py +14 -9
- pulumi_vault/raft_snapshot_agent_config.py +129 -224
- pulumi_vault/rgp_policy.py +14 -9
- pulumi_vault/saml/auth_backend.py +22 -17
- pulumi_vault/saml/auth_backend_role.py +92 -197
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -71
- pulumi_vault/secrets/sync_aws_destination.py +242 -27
- pulumi_vault/secrets/sync_azure_destination.py +92 -31
- pulumi_vault/secrets/sync_config.py +9 -4
- pulumi_vault/secrets/sync_gcp_destination.py +158 -25
- pulumi_vault/secrets/sync_gh_destination.py +189 -13
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +74 -13
- pulumi_vault/ssh/_inputs.py +28 -28
- pulumi_vault/ssh/outputs.py +11 -28
- pulumi_vault/ssh/secret_backend_ca.py +108 -9
- pulumi_vault/ssh/secret_backend_role.py +85 -118
- pulumi_vault/terraformcloud/secret_backend.py +7 -54
- pulumi_vault/terraformcloud/secret_creds.py +14 -20
- pulumi_vault/terraformcloud/secret_role.py +16 -74
- pulumi_vault/token.py +28 -23
- pulumi_vault/tokenauth/auth_backend_role.py +78 -199
- pulumi_vault/transform/alphabet.py +16 -9
- pulumi_vault/transform/get_decode.py +45 -17
- pulumi_vault/transform/get_encode.py +45 -17
- pulumi_vault/transform/role.py +16 -9
- pulumi_vault/transform/template.py +30 -21
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -21
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +27 -93
- pulumi_vault/transit/secret_cache_config.py +12 -7
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1709368526.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1709368526.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = [
|
@@ -21,7 +26,7 @@ class GetAuthBackendConfigResult:
|
|
21
26
|
"""
|
22
27
|
A collection of values returned by getAuthBackendConfig.
|
23
28
|
"""
|
24
|
-
def __init__(__self__, backend=None, disable_iss_validation=None, disable_local_ca_jwt=None, id=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, namespace=None, pem_keys=None):
|
29
|
+
def __init__(__self__, backend=None, disable_iss_validation=None, disable_local_ca_jwt=None, id=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, namespace=None, pem_keys=None, use_annotations_as_alias_metadata=None):
|
25
30
|
if backend and not isinstance(backend, str):
|
26
31
|
raise TypeError("Expected argument 'backend' to be a str")
|
27
32
|
pulumi.set(__self__, "backend", backend)
|
@@ -49,6 +54,9 @@ class GetAuthBackendConfigResult:
|
|
49
54
|
if pem_keys and not isinstance(pem_keys, list):
|
50
55
|
raise TypeError("Expected argument 'pem_keys' to be a list")
|
51
56
|
pulumi.set(__self__, "pem_keys", pem_keys)
|
57
|
+
if use_annotations_as_alias_metadata and not isinstance(use_annotations_as_alias_metadata, bool):
|
58
|
+
raise TypeError("Expected argument 'use_annotations_as_alias_metadata' to be a bool")
|
59
|
+
pulumi.set(__self__, "use_annotations_as_alias_metadata", use_annotations_as_alias_metadata)
|
52
60
|
|
53
61
|
@property
|
54
62
|
@pulumi.getter
|
@@ -58,11 +66,17 @@ class GetAuthBackendConfigResult:
|
|
58
66
|
@property
|
59
67
|
@pulumi.getter(name="disableIssValidation")
|
60
68
|
def disable_iss_validation(self) -> bool:
|
69
|
+
"""
|
70
|
+
(Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
71
|
+
"""
|
61
72
|
return pulumi.get(self, "disable_iss_validation")
|
62
73
|
|
63
74
|
@property
|
64
75
|
@pulumi.getter(name="disableLocalCaJwt")
|
65
76
|
def disable_local_ca_jwt(self) -> bool:
|
77
|
+
"""
|
78
|
+
(Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
79
|
+
"""
|
66
80
|
return pulumi.get(self, "disable_local_ca_jwt")
|
67
81
|
|
68
82
|
@property
|
@@ -110,6 +124,14 @@ class GetAuthBackendConfigResult:
|
|
110
124
|
"""
|
111
125
|
return pulumi.get(self, "pem_keys")
|
112
126
|
|
127
|
+
@property
|
128
|
+
@pulumi.getter(name="useAnnotationsAsAliasMetadata")
|
129
|
+
def use_annotations_as_alias_metadata(self) -> bool:
|
130
|
+
"""
|
131
|
+
(Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
|
132
|
+
"""
|
133
|
+
return pulumi.get(self, "use_annotations_as_alias_metadata")
|
134
|
+
|
113
135
|
|
114
136
|
class AwaitableGetAuthBackendConfigResult(GetAuthBackendConfigResult):
|
115
137
|
# pylint: disable=using-constant-test
|
@@ -125,7 +147,8 @@ class AwaitableGetAuthBackendConfigResult(GetAuthBackendConfigResult):
|
|
125
147
|
kubernetes_ca_cert=self.kubernetes_ca_cert,
|
126
148
|
kubernetes_host=self.kubernetes_host,
|
127
149
|
namespace=self.namespace,
|
128
|
-
pem_keys=self.pem_keys
|
150
|
+
pem_keys=self.pem_keys,
|
151
|
+
use_annotations_as_alias_metadata=self.use_annotations_as_alias_metadata)
|
129
152
|
|
130
153
|
|
131
154
|
def get_auth_backend_config(backend: Optional[str] = None,
|
@@ -136,6 +159,7 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
136
159
|
kubernetes_host: Optional[str] = None,
|
137
160
|
namespace: Optional[str] = None,
|
138
161
|
pem_keys: Optional[Sequence[str]] = None,
|
162
|
+
use_annotations_as_alias_metadata: Optional[bool] = None,
|
139
163
|
opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetAuthBackendConfigResult:
|
140
164
|
"""
|
141
165
|
Reads the Role of an Kubernetes from a Vault server. See the [Vault
|
@@ -145,6 +169,8 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
145
169
|
|
146
170
|
:param str backend: The unique name for the Kubernetes backend the config to
|
147
171
|
retrieve Role attributes for resides in. Defaults to "kubernetes".
|
172
|
+
:param bool disable_iss_validation: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
173
|
+
:param bool disable_local_ca_jwt: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
148
174
|
:param str issuer: Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
|
149
175
|
:param str kubernetes_ca_cert: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
|
150
176
|
:param str kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
|
@@ -153,6 +179,7 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
153
179
|
The `namespace` is always relative to the provider's configured namespace.
|
154
180
|
*Available only for Vault Enterprise*.
|
155
181
|
:param Sequence[str] pem_keys: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
|
182
|
+
:param bool use_annotations_as_alias_metadata: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
|
156
183
|
"""
|
157
184
|
__args__ = dict()
|
158
185
|
__args__['backend'] = backend
|
@@ -163,6 +190,7 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
163
190
|
__args__['kubernetesHost'] = kubernetes_host
|
164
191
|
__args__['namespace'] = namespace
|
165
192
|
__args__['pemKeys'] = pem_keys
|
193
|
+
__args__['useAnnotationsAsAliasMetadata'] = use_annotations_as_alias_metadata
|
166
194
|
opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
|
167
195
|
__ret__ = pulumi.runtime.invoke('vault:kubernetes/getAuthBackendConfig:getAuthBackendConfig', __args__, opts=opts, typ=GetAuthBackendConfigResult).value
|
168
196
|
|
@@ -175,10 +203,8 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
175
203
|
kubernetes_ca_cert=pulumi.get(__ret__, 'kubernetes_ca_cert'),
|
176
204
|
kubernetes_host=pulumi.get(__ret__, 'kubernetes_host'),
|
177
205
|
namespace=pulumi.get(__ret__, 'namespace'),
|
178
|
-
pem_keys=pulumi.get(__ret__, 'pem_keys')
|
179
|
-
|
180
|
-
|
181
|
-
@_utilities.lift_output_func(get_auth_backend_config)
|
206
|
+
pem_keys=pulumi.get(__ret__, 'pem_keys'),
|
207
|
+
use_annotations_as_alias_metadata=pulumi.get(__ret__, 'use_annotations_as_alias_metadata'))
|
182
208
|
def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]]] = None,
|
183
209
|
disable_iss_validation: Optional[pulumi.Input[Optional[bool]]] = None,
|
184
210
|
disable_local_ca_jwt: Optional[pulumi.Input[Optional[bool]]] = None,
|
@@ -187,7 +213,8 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]]
|
|
187
213
|
kubernetes_host: Optional[pulumi.Input[Optional[str]]] = None,
|
188
214
|
namespace: Optional[pulumi.Input[Optional[str]]] = None,
|
189
215
|
pem_keys: Optional[pulumi.Input[Optional[Sequence[str]]]] = None,
|
190
|
-
|
216
|
+
use_annotations_as_alias_metadata: Optional[pulumi.Input[Optional[bool]]] = None,
|
217
|
+
opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetAuthBackendConfigResult]:
|
191
218
|
"""
|
192
219
|
Reads the Role of an Kubernetes from a Vault server. See the [Vault
|
193
220
|
documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-config) for more
|
@@ -196,6 +223,8 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]]
|
|
196
223
|
|
197
224
|
:param str backend: The unique name for the Kubernetes backend the config to
|
198
225
|
retrieve Role attributes for resides in. Defaults to "kubernetes".
|
226
|
+
:param bool disable_iss_validation: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
227
|
+
:param bool disable_local_ca_jwt: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
199
228
|
:param str issuer: Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
|
200
229
|
:param str kubernetes_ca_cert: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
|
201
230
|
:param str kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
|
@@ -204,5 +233,28 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]]
|
|
204
233
|
The `namespace` is always relative to the provider's configured namespace.
|
205
234
|
*Available only for Vault Enterprise*.
|
206
235
|
:param Sequence[str] pem_keys: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
|
236
|
+
:param bool use_annotations_as_alias_metadata: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
|
207
237
|
"""
|
208
|
-
|
238
|
+
__args__ = dict()
|
239
|
+
__args__['backend'] = backend
|
240
|
+
__args__['disableIssValidation'] = disable_iss_validation
|
241
|
+
__args__['disableLocalCaJwt'] = disable_local_ca_jwt
|
242
|
+
__args__['issuer'] = issuer
|
243
|
+
__args__['kubernetesCaCert'] = kubernetes_ca_cert
|
244
|
+
__args__['kubernetesHost'] = kubernetes_host
|
245
|
+
__args__['namespace'] = namespace
|
246
|
+
__args__['pemKeys'] = pem_keys
|
247
|
+
__args__['useAnnotationsAsAliasMetadata'] = use_annotations_as_alias_metadata
|
248
|
+
opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
|
249
|
+
__ret__ = pulumi.runtime.invoke_output('vault:kubernetes/getAuthBackendConfig:getAuthBackendConfig', __args__, opts=opts, typ=GetAuthBackendConfigResult)
|
250
|
+
return __ret__.apply(lambda __response__: GetAuthBackendConfigResult(
|
251
|
+
backend=pulumi.get(__response__, 'backend'),
|
252
|
+
disable_iss_validation=pulumi.get(__response__, 'disable_iss_validation'),
|
253
|
+
disable_local_ca_jwt=pulumi.get(__response__, 'disable_local_ca_jwt'),
|
254
|
+
id=pulumi.get(__response__, 'id'),
|
255
|
+
issuer=pulumi.get(__response__, 'issuer'),
|
256
|
+
kubernetes_ca_cert=pulumi.get(__response__, 'kubernetes_ca_cert'),
|
257
|
+
kubernetes_host=pulumi.get(__response__, 'kubernetes_host'),
|
258
|
+
namespace=pulumi.get(__response__, 'namespace'),
|
259
|
+
pem_keys=pulumi.get(__response__, 'pem_keys'),
|
260
|
+
use_annotations_as_alias_metadata=pulumi.get(__response__, 'use_annotations_as_alias_metadata')))
|
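Review bot: The docstrings added to the `disable_iss_validation` and `disable_local_ca_jwt` getters (new lines 69-71 and 77-79) reuse the argument wording, "(Optional) Disable ...", on read-only result properties, so someone auditing a backend cannot tell from them what a returned `True` means. Because `disable_iss_validation` relaxes a token check, its getter should describe the state that was read, for example `Whether JWT issuer validation is disabled on this backend; when true the token's issuer claim is not checked.` The same applies to the new `use_annotations_as_alias_metadata` getter and to the matching `:param` lines in both function docstrings. If this file is generated from the provider schema, the wording belongs in the schema description upstream rather than in this file.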
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = [
|
@@ -336,9 +341,6 @@ def get_auth_backend_role(audience: Optional[str] = None,
|
|
336
341
|
token_policies=pulumi.get(__ret__, 'token_policies'),
|
337
342
|
token_ttl=pulumi.get(__ret__, 'token_ttl'),
|
338
343
|
token_type=pulumi.get(__ret__, 'token_type'))
|
339
|
-
|
340
|
-
|
341
|
-
@_utilities.lift_output_func(get_auth_backend_role)
|
342
344
|
def get_auth_backend_role_output(audience: Optional[pulumi.Input[Optional[str]]] = None,
|
343
345
|
backend: Optional[pulumi.Input[Optional[str]]] = None,
|
344
346
|
namespace: Optional[pulumi.Input[Optional[str]]] = None,
|
@@ -352,7 +354,7 @@ def get_auth_backend_role_output(audience: Optional[pulumi.Input[Optional[str]]]
|
|
352
354
|
token_policies: Optional[pulumi.Input[Optional[Sequence[str]]]] = None,
|
353
355
|
token_ttl: Optional[pulumi.Input[Optional[int]]] = None,
|
354
356
|
token_type: Optional[pulumi.Input[Optional[str]]] = None,
|
355
|
-
opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetAuthBackendRoleResult]:
|
357
|
+
opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetAuthBackendRoleResult]:
|
356
358
|
"""
|
357
359
|
Reads the Role of an Kubernetes from a Vault server. See the [Vault
|
358
360
|
documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-role) for more
|
@@ -395,4 +397,37 @@ def get_auth_backend_role_output(audience: Optional[pulumi.Input[Optional[str]]]
|
|
395
397
|
`default-service` and `default-batch` which specify the type to return unless the client
|
396
398
|
requests a different type at generation time.
|
397
399
|
"""
|
398
|
-
|
400
|
+
__args__ = dict()
|
401
|
+
__args__['audience'] = audience
|
402
|
+
__args__['backend'] = backend
|
403
|
+
__args__['namespace'] = namespace
|
404
|
+
__args__['roleName'] = role_name
|
405
|
+
__args__['tokenBoundCidrs'] = token_bound_cidrs
|
406
|
+
__args__['tokenExplicitMaxTtl'] = token_explicit_max_ttl
|
407
|
+
__args__['tokenMaxTtl'] = token_max_ttl
|
408
|
+
__args__['tokenNoDefaultPolicy'] = token_no_default_policy
|
409
|
+
__args__['tokenNumUses'] = token_num_uses
|
410
|
+
__args__['tokenPeriod'] = token_period
|
411
|
+
__args__['tokenPolicies'] = token_policies
|
412
|
+
__args__['tokenTtl'] = token_ttl
|
413
|
+
__args__['tokenType'] = token_type
|
414
|
+
opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
|
415
|
+
__ret__ = pulumi.runtime.invoke_output('vault:kubernetes/getAuthBackendRole:getAuthBackendRole', __args__, opts=opts, typ=GetAuthBackendRoleResult)
|
416
|
+
return __ret__.apply(lambda __response__: GetAuthBackendRoleResult(
|
417
|
+
alias_name_source=pulumi.get(__response__, 'alias_name_source'),
|
418
|
+
audience=pulumi.get(__response__, 'audience'),
|
419
|
+
backend=pulumi.get(__response__, 'backend'),
|
420
|
+
bound_service_account_names=pulumi.get(__response__, 'bound_service_account_names'),
|
421
|
+
bound_service_account_namespaces=pulumi.get(__response__, 'bound_service_account_namespaces'),
|
422
|
+
id=pulumi.get(__response__, 'id'),
|
423
|
+
namespace=pulumi.get(__response__, 'namespace'),
|
424
|
+
role_name=pulumi.get(__response__, 'role_name'),
|
425
|
+
token_bound_cidrs=pulumi.get(__response__, 'token_bound_cidrs'),
|
426
|
+
token_explicit_max_ttl=pulumi.get(__response__, 'token_explicit_max_ttl'),
|
427
|
+
token_max_ttl=pulumi.get(__response__, 'token_max_ttl'),
|
428
|
+
token_no_default_policy=pulumi.get(__response__, 'token_no_default_policy'),
|
429
|
+
token_num_uses=pulumi.get(__response__, 'token_num_uses'),
|
430
|
+
token_period=pulumi.get(__response__, 'token_period'),
|
431
|
+
token_policies=pulumi.get(__response__, 'token_policies'),
|
432
|
+
token_ttl=pulumi.get(__response__, 'token_ttl'),
|
433
|
+
token_type=pulumi.get(__response__, 'token_type')))
|
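Review bot: `get_auth_backend_role_output` now depends on `pulumi.InvokeOutputOptions` and `pulumi.runtime.invoke_output` (new lines 357, 414 and 415), and nothing visible in this section guards against a core `pulumi` SDK that predates them. On such an install the module would presumably fail at import or call time rather than at install time. The package METADATA is listed as changed, but its contents are not shown here, so confirm that its `pulumi` requirement was raised to a release that ships both names. The same dependency is introduced in `get_auth_backend_config_output` and `get_service_account_token_output` in the other two sections.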
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = [
|
@@ -182,17 +187,19 @@ def get_service_account_token(backend: Optional[str] = None,
|
|
182
187
|
|
183
188
|
```python
|
184
189
|
import pulumi
|
190
|
+
import pulumi_std as std
|
185
191
|
import pulumi_vault as vault
|
186
192
|
|
187
193
|
config = vault.kubernetes.SecretBackend("config",
|
188
194
|
path="kubernetes",
|
189
195
|
description="kubernetes secrets engine description",
|
190
196
|
kubernetes_host="https://127.0.0.1:61233",
|
191
|
-
kubernetes_ca_cert=
|
192
|
-
service_account_jwt=
|
197
|
+
kubernetes_ca_cert=std.file(input="/path/to/cert").result,
|
198
|
+
service_account_jwt=std.file(input="/path/to/token").result,
|
193
199
|
disable_local_ca_jwt=False)
|
194
200
|
role = vault.kubernetes.SecretBackendRole("role",
|
195
201
|
backend=config.path,
|
202
|
+
name="service-account-name-role",
|
196
203
|
allowed_kubernetes_namespaces=["*"],
|
197
204
|
token_max_ttl=43200,
|
198
205
|
token_default_ttl=21600,
|
@@ -221,7 +228,7 @@ def get_service_account_token(backend: Optional[str] = None,
|
|
221
228
|
generate the credentials.
|
222
229
|
:param str namespace: The namespace of the target resource.
|
223
230
|
The value should not contain leading or trailing forward slashes.
|
224
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
231
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
225
232
|
*Available only for Vault Enterprise*.
|
226
233
|
:param str role: The name of the Kubernetes secret backend role to generate service
|
227
234
|
account tokens from.
|
@@ -252,32 +259,31 @@ def get_service_account_token(backend: Optional[str] = None,
|
|
252
259
|
service_account_namespace=pulumi.get(__ret__, 'service_account_namespace'),
|
253
260
|
service_account_token=pulumi.get(__ret__, 'service_account_token'),
|
254
261
|
ttl=pulumi.get(__ret__, 'ttl'))
|
255
|
-
|
256
|
-
|
257
|
-
@_utilities.lift_output_func(get_service_account_token)
|
258
262
|
def get_service_account_token_output(backend: Optional[pulumi.Input[str]] = None,
|
259
263
|
cluster_role_binding: Optional[pulumi.Input[Optional[bool]]] = None,
|
260
264
|
kubernetes_namespace: Optional[pulumi.Input[str]] = None,
|
261
265
|
namespace: Optional[pulumi.Input[Optional[str]]] = None,
|
262
266
|
role: Optional[pulumi.Input[str]] = None,
|
263
267
|
ttl: Optional[pulumi.Input[Optional[str]]] = None,
|
264
|
-
opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetServiceAccountTokenResult]:
|
268
|
+
opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetServiceAccountTokenResult]:
|
265
269
|
"""
|
266
270
|
## Example Usage
|
267
271
|
|
268
272
|
```python
|
269
273
|
import pulumi
|
274
|
+
import pulumi_std as std
|
270
275
|
import pulumi_vault as vault
|
271
276
|
|
272
277
|
config = vault.kubernetes.SecretBackend("config",
|
273
278
|
path="kubernetes",
|
274
279
|
description="kubernetes secrets engine description",
|
275
280
|
kubernetes_host="https://127.0.0.1:61233",
|
276
|
-
kubernetes_ca_cert=
|
277
|
-
service_account_jwt=
|
281
|
+
kubernetes_ca_cert=std.file(input="/path/to/cert").result,
|
282
|
+
service_account_jwt=std.file(input="/path/to/token").result,
|
278
283
|
disable_local_ca_jwt=False)
|
279
284
|
role = vault.kubernetes.SecretBackendRole("role",
|
280
285
|
backend=config.path,
|
286
|
+
name="service-account-name-role",
|
281
287
|
allowed_kubernetes_namespaces=["*"],
|
282
288
|
token_max_ttl=43200,
|
283
289
|
token_default_ttl=21600,
|
@@ -306,11 +312,33 @@ def get_service_account_token_output(backend: Optional[pulumi.Input[str]] = None
|
|
306
312
|
generate the credentials.
|
307
313
|
:param str namespace: The namespace of the target resource.
|
308
314
|
The value should not contain leading or trailing forward slashes.
|
309
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
315
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
310
316
|
*Available only for Vault Enterprise*.
|
311
317
|
:param str role: The name of the Kubernetes secret backend role to generate service
|
312
318
|
account tokens from.
|
313
319
|
:param str ttl: The TTL of the generated Kubernetes service account token, specified in
|
314
320
|
seconds or as a Go duration format string.
|
315
321
|
"""
|
316
|
-
|
322
|
+
__args__ = dict()
|
323
|
+
__args__['backend'] = backend
|
324
|
+
__args__['clusterRoleBinding'] = cluster_role_binding
|
325
|
+
__args__['kubernetesNamespace'] = kubernetes_namespace
|
326
|
+
__args__['namespace'] = namespace
|
327
|
+
__args__['role'] = role
|
328
|
+
__args__['ttl'] = ttl
|
329
|
+
opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
|
330
|
+
__ret__ = pulumi.runtime.invoke_output('vault:kubernetes/getServiceAccountToken:getServiceAccountToken', __args__, opts=opts, typ=GetServiceAccountTokenResult)
|
331
|
+
return __ret__.apply(lambda __response__: GetServiceAccountTokenResult(
|
332
|
+
backend=pulumi.get(__response__, 'backend'),
|
333
|
+
cluster_role_binding=pulumi.get(__response__, 'cluster_role_binding'),
|
334
|
+
id=pulumi.get(__response__, 'id'),
|
335
|
+
kubernetes_namespace=pulumi.get(__response__, 'kubernetes_namespace'),
|
336
|
+
lease_duration=pulumi.get(__response__, 'lease_duration'),
|
337
|
+
lease_id=pulumi.get(__response__, 'lease_id'),
|
338
|
+
lease_renewable=pulumi.get(__response__, 'lease_renewable'),
|
339
|
+
namespace=pulumi.get(__response__, 'namespace'),
|
340
|
+
role=pulumi.get(__response__, 'role'),
|
341
|
+
service_account_name=pulumi.get(__response__, 'service_account_name'),
|
342
|
+
service_account_namespace=pulumi.get(__response__, 'service_account_namespace'),
|
343
|
+
service_account_token=pulumi.get(__response__, 'service_account_token'),
|
344
|
+
ttl=pulumi.get(__response__, 'ttl')))
|
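Review bot: The `service_account_token` value returned at the end of `get_service_account_token_output` (new line 343) is a usable Kubernetes credential, and neither the visible docstring nor the new body says whether it reaches the caller marked as a secret. Whether `invoke_output` carries secretness through depends on the provider schema, which is not visible here, so this should be confirmed rather than assumed. I would add one line to the docstring of both `get_service_account_token` and `get_service_account_token_output`: `The returned service_account_token is a live credential; keep it out of stack outputs and logs unless it is wrapped with pulumi.Output.secret.` The middle of each docstring lies outside the visible hunks, so its existing text may already cover this.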