pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

Files changed (229)
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +22 -7
  5. pulumi_vault/ad/secret_backend.py +14 -144
  6. pulumi_vault/ad/secret_library.py +14 -11
  7. pulumi_vault/ad/secret_role.py +12 -11
  8. pulumi_vault/alicloud/auth_backend_role.py +74 -192
  9. pulumi_vault/approle/auth_backend_login.py +12 -11
  10. pulumi_vault/approle/auth_backend_role.py +75 -193
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
  13. pulumi_vault/audit.py +24 -27
  14. pulumi_vault/audit_request_header.py +11 -6
  15. pulumi_vault/auth_backend.py +64 -12
  16. pulumi_vault/aws/auth_backend_cert.py +12 -7
  17. pulumi_vault/aws/auth_backend_client.py +265 -24
  18. pulumi_vault/aws/auth_backend_config_identity.py +12 -11
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +75 -193
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
  24. pulumi_vault/aws/auth_backend_sts_role.py +12 -11
  25. pulumi_vault/aws/get_access_credentials.py +34 -7
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +75 -7
  28. pulumi_vault/aws/secret_backend_role.py +183 -11
  29. pulumi_vault/aws/secret_backend_static_role.py +14 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +151 -17
  32. pulumi_vault/azure/auth_backend_role.py +75 -193
  33. pulumi_vault/azure/backend.py +223 -29
  34. pulumi_vault/azure/backend_role.py +42 -41
  35. pulumi_vault/azure/get_access_credentials.py +39 -11
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -271
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +22 -25
  44. pulumi_vault/consul/secret_backend_role.py +14 -80
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +117 -114
  48. pulumi_vault/database/secret_backend_role.py +29 -24
  49. pulumi_vault/database/secret_backend_static_role.py +85 -15
  50. pulumi_vault/database/secrets_mount.py +425 -138
  51. pulumi_vault/egp_policy.py +16 -15
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +248 -35
  54. pulumi_vault/gcp/auth_backend_role.py +75 -271
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -9
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -16
  58. pulumi_vault/gcp/secret_impersonated_account.py +74 -17
  59. pulumi_vault/gcp/secret_roleset.py +29 -26
  60. pulumi_vault/gcp/secret_static_account.py +37 -34
  61. pulumi_vault/generic/endpoint.py +22 -21
  62. pulumi_vault/generic/get_secret.py +68 -12
  63. pulumi_vault/generic/secret.py +19 -14
  64. pulumi_vault/get_auth_backend.py +24 -11
  65. pulumi_vault/get_auth_backends.py +33 -11
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -15
  69. pulumi_vault/get_policy_document.py +34 -23
  70. pulumi_vault/get_raft_autopilot_state.py +29 -14
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +17 -16
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +14 -13
  75. pulumi_vault/github/user.py +14 -13
  76. pulumi_vault/identity/entity.py +18 -15
  77. pulumi_vault/identity/entity_alias.py +18 -15
  78. pulumi_vault/identity/entity_policies.py +24 -19
  79. pulumi_vault/identity/get_entity.py +40 -14
  80. pulumi_vault/identity/get_group.py +45 -13
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -11
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -13
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -14
  84. pulumi_vault/identity/group.py +50 -49
  85. pulumi_vault/identity/group_alias.py +14 -11
  86. pulumi_vault/identity/group_member_entity_ids.py +24 -74
  87. pulumi_vault/identity/group_member_group_ids.py +36 -27
  88. pulumi_vault/identity/group_policies.py +16 -15
  89. pulumi_vault/identity/mfa_duo.py +9 -8
  90. pulumi_vault/identity/mfa_login_enforcement.py +13 -8
  91. pulumi_vault/identity/mfa_okta.py +9 -8
  92. pulumi_vault/identity/mfa_pingid.py +5 -4
  93. pulumi_vault/identity/mfa_totp.py +5 -4
  94. pulumi_vault/identity/oidc.py +12 -11
  95. pulumi_vault/identity/oidc_assignment.py +22 -13
  96. pulumi_vault/identity/oidc_client.py +34 -25
  97. pulumi_vault/identity/oidc_key.py +28 -19
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
  99. pulumi_vault/identity/oidc_provider.py +34 -23
  100. pulumi_vault/identity/oidc_role.py +40 -27
  101. pulumi_vault/identity/oidc_scope.py +18 -15
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +39 -46
  105. pulumi_vault/jwt/auth_backend_role.py +131 -260
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +22 -21
  108. pulumi_vault/kmip/secret_role.py +12 -11
  109. pulumi_vault/kmip/secret_scope.py +12 -11
  110. pulumi_vault/kubernetes/auth_backend_config.py +55 -7
  111. pulumi_vault/kubernetes/auth_backend_role.py +68 -179
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -15
  115. pulumi_vault/kubernetes/secret_backend.py +314 -29
  116. pulumi_vault/kubernetes/secret_backend_role.py +135 -56
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +23 -12
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
  120. pulumi_vault/kv/get_secret_v2.py +89 -9
  121. pulumi_vault/kv/get_secrets_list.py +22 -15
  122. pulumi_vault/kv/get_secrets_list_v2.py +35 -19
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +19 -18
  125. pulumi_vault/kv/secret_backend_v2.py +12 -11
  126. pulumi_vault/kv/secret_v2.py +55 -52
  127. pulumi_vault/ldap/auth_backend.py +125 -168
  128. pulumi_vault/ldap/auth_backend_group.py +12 -11
  129. pulumi_vault/ldap/auth_backend_user.py +12 -11
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +352 -84
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +14 -11
  135. pulumi_vault/ldap/secret_backend_static_role.py +67 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +27 -43
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +16 -13
  140. pulumi_vault/mfa_okta.py +16 -13
  141. pulumi_vault/mfa_pingid.py +16 -13
  142. pulumi_vault/mfa_totp.py +22 -19
  143. pulumi_vault/mongodbatlas/secret_backend.py +18 -17
  144. pulumi_vault/mongodbatlas/secret_role.py +41 -38
  145. pulumi_vault/mount.py +389 -65
  146. pulumi_vault/namespace.py +26 -21
  147. pulumi_vault/nomad_secret_backend.py +16 -15
  148. pulumi_vault/nomad_secret_role.py +12 -11
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +483 -41
  151. pulumi_vault/okta/auth_backend_group.py +12 -11
  152. pulumi_vault/okta/auth_backend_user.py +12 -11
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +18 -15
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -13
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -12
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
  174. pulumi_vault/pkisecret/secret_backend_key.py +12 -7
  175. pulumi_vault/pkisecret/secret_backend_role.py +19 -16
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +12 -7
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +58 -8
  185. pulumi_vault/quota_rate_limit.py +54 -4
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +16 -15
  189. pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
  190. pulumi_vault/raft_autopilot.py +12 -11
  191. pulumi_vault/raft_snapshot_agent_config.py +121 -311
  192. pulumi_vault/rgp_policy.py +14 -13
  193. pulumi_vault/saml/auth_backend.py +20 -19
  194. pulumi_vault/saml/auth_backend_role.py +90 -199
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -75
  199. pulumi_vault/secrets/sync_aws_destination.py +240 -29
  200. pulumi_vault/secrets/sync_azure_destination.py +90 -33
  201. pulumi_vault/secrets/sync_config.py +7 -6
  202. pulumi_vault/secrets/sync_gcp_destination.py +156 -27
  203. pulumi_vault/secrets/sync_gh_destination.py +187 -15
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +72 -15
  206. pulumi_vault/ssh/_inputs.py +28 -32
  207. pulumi_vault/ssh/outputs.py +11 -32
  208. pulumi_vault/ssh/secret_backend_ca.py +106 -11
  209. pulumi_vault/ssh/secret_backend_role.py +83 -120
  210. pulumi_vault/terraformcloud/secret_backend.py +5 -56
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -24
  212. pulumi_vault/terraformcloud/secret_role.py +14 -76
  213. pulumi_vault/token.py +26 -25
  214. pulumi_vault/tokenauth/auth_backend_role.py +76 -201
  215. pulumi_vault/transform/alphabet.py +16 -13
  216. pulumi_vault/transform/get_decode.py +45 -21
  217. pulumi_vault/transform/get_encode.py +45 -21
  218. pulumi_vault/transform/role.py +16 -13
  219. pulumi_vault/transform/template.py +30 -25
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -25
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +25 -97
  224. pulumi_vault/transit/secret_cache_config.py +12 -11
  225. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
  from . import outputs
12
17
  from ._inputs import *
@@ -22,11 +27,15 @@ class AuthBackendArgs:
22
27
  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
23
28
  description: Optional[pulumi.Input[str]] = None,
24
29
  disable_remount: Optional[pulumi.Input[bool]] = None,
30
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
31
+ identity_token_key: Optional[pulumi.Input[str]] = None,
32
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
25
33
  local: Optional[pulumi.Input[bool]] = None,
26
34
  namespace: Optional[pulumi.Input[str]] = None,
27
35
  path: Optional[pulumi.Input[str]] = None,
28
36
  private_key_id: Optional[pulumi.Input[str]] = None,
29
37
  project_id: Optional[pulumi.Input[str]] = None,
38
+ service_account_email: Optional[pulumi.Input[str]] = None,
30
39
  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
31
40
  """
32
41
  The set of arguments for constructing a AuthBackend resource.
@@ -43,14 +52,22 @@ class AuthBackendArgs:
43
52
  :param pulumi.Input[str] description: A description of the auth method.
44
53
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
45
54
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
55
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
56
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
57
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
58
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
59
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
60
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
46
61
  :param pulumi.Input[bool] local: Specifies if the auth method is local only.
47
62
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
48
63
  The value should not contain leading or trailing forward slashes.
49
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
64
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
50
65
  *Available only for Vault Enterprise*.
51
66
  :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
52
67
  :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
53
68
  :param pulumi.Input[str] project_id: The GCP Project ID
69
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
70
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
54
71
  :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
55
72
 
56
73
  The `tune` block is used to tune the auth backend:
@@ -67,6 +84,12 @@ class AuthBackendArgs:
67
84
  pulumi.set(__self__, "description", description)
68
85
  if disable_remount is not None:
69
86
  pulumi.set(__self__, "disable_remount", disable_remount)
87
+ if identity_token_audience is not None:
88
+ pulumi.set(__self__, "identity_token_audience", identity_token_audience)
89
+ if identity_token_key is not None:
90
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
91
+ if identity_token_ttl is not None:
92
+ pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
70
93
  if local is not None:
71
94
  pulumi.set(__self__, "local", local)
72
95
  if namespace is not None:
@@ -77,6 +100,8 @@ class AuthBackendArgs:
77
100
  pulumi.set(__self__, "private_key_id", private_key_id)
78
101
  if project_id is not None:
79
102
  pulumi.set(__self__, "project_id", project_id)
103
+ if service_account_email is not None:
104
+ pulumi.set(__self__, "service_account_email", service_account_email)
80
105
  if tune is not None:
81
106
  pulumi.set(__self__, "tune", tune)
82
107
 
@@ -159,6 +184,45 @@ class AuthBackendArgs:
159
184
  def disable_remount(self, value: Optional[pulumi.Input[bool]]):
160
185
  pulumi.set(self, "disable_remount", value)
161
186
 
187
+ @property
188
+ @pulumi.getter(name="identityTokenAudience")
189
+ def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
190
+ """
191
+ The audience claim value for plugin identity
192
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
193
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
194
+ """
195
+ return pulumi.get(self, "identity_token_audience")
196
+
197
+ @identity_token_audience.setter
198
+ def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
199
+ pulumi.set(self, "identity_token_audience", value)
200
+
201
+ @property
202
+ @pulumi.getter(name="identityTokenKey")
203
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
204
+ """
205
+ The key to use for signing plugin identity
206
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
207
+ """
208
+ return pulumi.get(self, "identity_token_key")
209
+
210
+ @identity_token_key.setter
211
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
212
+ pulumi.set(self, "identity_token_key", value)
213
+
214
+ @property
215
+ @pulumi.getter(name="identityTokenTtl")
216
+ def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
217
+ """
218
+ The TTL of generated tokens.
219
+ """
220
+ return pulumi.get(self, "identity_token_ttl")
221
+
222
+ @identity_token_ttl.setter
223
+ def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
224
+ pulumi.set(self, "identity_token_ttl", value)
225
+
162
226
  @property
163
227
  @pulumi.getter
164
228
  def local(self) -> Optional[pulumi.Input[bool]]:
@@ -177,7 +241,7 @@ class AuthBackendArgs:
177
241
  """
178
242
  The namespace to provision the resource in.
179
243
  The value should not contain leading or trailing forward slashes.
180
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
244
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
181
245
  *Available only for Vault Enterprise*.
182
246
  """
183
247
  return pulumi.get(self, "namespace")
@@ -222,6 +286,19 @@ class AuthBackendArgs:
222
286
  def project_id(self, value: Optional[pulumi.Input[str]]):
223
287
  pulumi.set(self, "project_id", value)
224
288
 
289
+ @property
290
+ @pulumi.getter(name="serviceAccountEmail")
291
+ def service_account_email(self) -> Optional[pulumi.Input[str]]:
292
+ """
293
+ Service Account to impersonate for plugin workload identity federation.
294
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
295
+ """
296
+ return pulumi.get(self, "service_account_email")
297
+
298
+ @service_account_email.setter
299
+ def service_account_email(self, value: Optional[pulumi.Input[str]]):
300
+ pulumi.set(self, "service_account_email", value)
301
+
225
302
  @property
226
303
  @pulumi.getter
227
304
  def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
@@ -247,11 +324,15 @@ class _AuthBackendState:
247
324
  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
248
325
  description: Optional[pulumi.Input[str]] = None,
249
326
  disable_remount: Optional[pulumi.Input[bool]] = None,
327
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
328
+ identity_token_key: Optional[pulumi.Input[str]] = None,
329
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
250
330
  local: Optional[pulumi.Input[bool]] = None,
251
331
  namespace: Optional[pulumi.Input[str]] = None,
252
332
  path: Optional[pulumi.Input[str]] = None,
253
333
  private_key_id: Optional[pulumi.Input[str]] = None,
254
334
  project_id: Optional[pulumi.Input[str]] = None,
335
+ service_account_email: Optional[pulumi.Input[str]] = None,
255
336
  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
256
337
  """
257
338
  Input properties used for looking up and filtering AuthBackend resources.
@@ -269,14 +350,22 @@ class _AuthBackendState:
269
350
  :param pulumi.Input[str] description: A description of the auth method.
270
351
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
271
352
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
353
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
354
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
355
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
356
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
357
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
358
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
272
359
  :param pulumi.Input[bool] local: Specifies if the auth method is local only.
273
360
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
274
361
  The value should not contain leading or trailing forward slashes.
275
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
362
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
276
363
  *Available only for Vault Enterprise*.
277
364
  :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
278
365
  :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
279
366
  :param pulumi.Input[str] project_id: The GCP Project ID
367
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
368
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
280
369
  :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
281
370
 
282
371
  The `tune` block is used to tune the auth backend:
@@ -295,6 +384,12 @@ class _AuthBackendState:
295
384
  pulumi.set(__self__, "description", description)
296
385
  if disable_remount is not None:
297
386
  pulumi.set(__self__, "disable_remount", disable_remount)
387
+ if identity_token_audience is not None:
388
+ pulumi.set(__self__, "identity_token_audience", identity_token_audience)
389
+ if identity_token_key is not None:
390
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
391
+ if identity_token_ttl is not None:
392
+ pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
298
393
  if local is not None:
299
394
  pulumi.set(__self__, "local", local)
300
395
  if namespace is not None:
@@ -305,6 +400,8 @@ class _AuthBackendState:
305
400
  pulumi.set(__self__, "private_key_id", private_key_id)
306
401
  if project_id is not None:
307
402
  pulumi.set(__self__, "project_id", project_id)
403
+ if service_account_email is not None:
404
+ pulumi.set(__self__, "service_account_email", service_account_email)
308
405
  if tune is not None:
309
406
  pulumi.set(__self__, "tune", tune)
310
407
 
@@ -399,6 +496,45 @@ class _AuthBackendState:
399
496
  def disable_remount(self, value: Optional[pulumi.Input[bool]]):
400
497
  pulumi.set(self, "disable_remount", value)
401
498
 
499
+ @property
500
+ @pulumi.getter(name="identityTokenAudience")
501
+ def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
502
+ """
503
+ The audience claim value for plugin identity
504
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
505
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
506
+ """
507
+ return pulumi.get(self, "identity_token_audience")
508
+
509
+ @identity_token_audience.setter
510
+ def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
511
+ pulumi.set(self, "identity_token_audience", value)
512
+
513
+ @property
514
+ @pulumi.getter(name="identityTokenKey")
515
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
516
+ """
517
+ The key to use for signing plugin identity
518
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
519
+ """
520
+ return pulumi.get(self, "identity_token_key")
521
+
522
+ @identity_token_key.setter
523
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
524
+ pulumi.set(self, "identity_token_key", value)
525
+
526
+ @property
527
+ @pulumi.getter(name="identityTokenTtl")
528
+ def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
529
+ """
530
+ The TTL of generated tokens.
531
+ """
532
+ return pulumi.get(self, "identity_token_ttl")
533
+
534
+ @identity_token_ttl.setter
535
+ def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
536
+ pulumi.set(self, "identity_token_ttl", value)
537
+
402
538
  @property
403
539
  @pulumi.getter
404
540
  def local(self) -> Optional[pulumi.Input[bool]]:
@@ -417,7 +553,7 @@ class _AuthBackendState:
417
553
  """
418
554
  The namespace to provision the resource in.
419
555
  The value should not contain leading or trailing forward slashes.
420
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
556
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
421
557
  *Available only for Vault Enterprise*.
422
558
  """
423
559
  return pulumi.get(self, "namespace")
@@ -462,6 +598,19 @@ class _AuthBackendState:
462
598
  def project_id(self, value: Optional[pulumi.Input[str]]):
463
599
  pulumi.set(self, "project_id", value)
464
600
 
601
+ @property
602
+ @pulumi.getter(name="serviceAccountEmail")
603
+ def service_account_email(self) -> Optional[pulumi.Input[str]]:
604
+ """
605
+ Service Account to impersonate for plugin workload identity federation.
606
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
607
+ """
608
+ return pulumi.get(self, "service_account_email")
609
+
610
+ @service_account_email.setter
611
+ def service_account_email(self, value: Optional[pulumi.Input[str]]):
612
+ pulumi.set(self, "service_account_email", value)
613
+
465
614
  @property
466
615
  @pulumi.getter
467
616
  def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
@@ -485,36 +634,36 @@ class AuthBackend(pulumi.CustomResource):
485
634
  client_email: Optional[pulumi.Input[str]] = None,
486
635
  client_id: Optional[pulumi.Input[str]] = None,
487
636
  credentials: Optional[pulumi.Input[str]] = None,
488
- custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
637
+ custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
489
638
  description: Optional[pulumi.Input[str]] = None,
490
639
  disable_remount: Optional[pulumi.Input[bool]] = None,
640
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
641
+ identity_token_key: Optional[pulumi.Input[str]] = None,
642
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
491
643
  local: Optional[pulumi.Input[bool]] = None,
492
644
  namespace: Optional[pulumi.Input[str]] = None,
493
645
  path: Optional[pulumi.Input[str]] = None,
494
646
  private_key_id: Optional[pulumi.Input[str]] = None,
495
647
  project_id: Optional[pulumi.Input[str]] = None,
496
- tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None,
648
+ service_account_email: Optional[pulumi.Input[str]] = None,
649
+ tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
497
650
  __props__=None):
498
651
  """
499
652
  Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).
500
653
 
501
654
  ## Example Usage
502
655
 
503
- <!--Start PulumiCodeChooser -->
656
+ You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
504
657
  ```python
505
658
  import pulumi
506
659
  import pulumi_vault as vault
507
660
 
508
661
  gcp = vault.gcp.AuthBackend("gcp",
509
- credentials=(lambda path: open(path).read())("vault-gcp-credentials.json"),
510
- custom_endpoint=vault.gcp.AuthBackendCustomEndpointArgs(
511
- api="www.googleapis.com",
512
- iam="iam.googleapis.com",
513
- crm="cloudresourcemanager.googleapis.com",
514
- compute="compute.googleapis.com",
515
- ))
662
+ identity_token_key="example-key",
663
+ identity_token_ttl=1800,
664
+ identity_token_audience="<TOKEN_AUDIENCE>",
665
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>")
516
666
  ```
517
- <!--End PulumiCodeChooser -->
518
667
 
519
668
  ## Import
520
669
 
@@ -529,7 +678,7 @@ class AuthBackend(pulumi.CustomResource):
529
678
  :param pulumi.Input[str] client_email: The clients email associated with the credentials
530
679
  :param pulumi.Input[str] client_id: The Client ID of the credentials
531
680
  :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
532
- :param pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']] custom_endpoint: Specifies overrides to
681
+ :param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
533
682
  [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
534
683
  used when making API requests. This allows specific requests made during authentication
535
684
  to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
@@ -539,15 +688,23 @@ class AuthBackend(pulumi.CustomResource):
539
688
  :param pulumi.Input[str] description: A description of the auth method.
540
689
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
541
690
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
691
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
692
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
693
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
694
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
695
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
696
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
542
697
  :param pulumi.Input[bool] local: Specifies if the auth method is local only.
543
698
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
544
699
  The value should not contain leading or trailing forward slashes.
545
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
700
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
546
701
  *Available only for Vault Enterprise*.
547
702
  :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
548
703
  :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
549
704
  :param pulumi.Input[str] project_id: The GCP Project ID
550
- :param pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']] tune: Extra configuration block. Structure is documented below.
705
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
706
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
707
+ :param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
551
708
 
552
709
  The `tune` block is used to tune the auth backend:
553
710
  """
@@ -562,21 +719,17 @@ class AuthBackend(pulumi.CustomResource):
562
719
 
563
720
  ## Example Usage
564
721
 
565
- <!--Start PulumiCodeChooser -->
722
+ You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
566
723
  ```python
567
724
  import pulumi
568
725
  import pulumi_vault as vault
569
726
 
570
727
  gcp = vault.gcp.AuthBackend("gcp",
571
- credentials=(lambda path: open(path).read())("vault-gcp-credentials.json"),
572
- custom_endpoint=vault.gcp.AuthBackendCustomEndpointArgs(
573
- api="www.googleapis.com",
574
- iam="iam.googleapis.com",
575
- crm="cloudresourcemanager.googleapis.com",
576
- compute="compute.googleapis.com",
577
- ))
728
+ identity_token_key="example-key",
729
+ identity_token_ttl=1800,
730
+ identity_token_audience="<TOKEN_AUDIENCE>",
731
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>")
578
732
  ```
579
- <!--End PulumiCodeChooser -->
580
733
 
581
734
  ## Import
582
735
 
@@ -604,15 +757,19 @@ class AuthBackend(pulumi.CustomResource):
604
757
  client_email: Optional[pulumi.Input[str]] = None,
605
758
  client_id: Optional[pulumi.Input[str]] = None,
606
759
  credentials: Optional[pulumi.Input[str]] = None,
607
- custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
760
+ custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
608
761
  description: Optional[pulumi.Input[str]] = None,
609
762
  disable_remount: Optional[pulumi.Input[bool]] = None,
763
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
764
+ identity_token_key: Optional[pulumi.Input[str]] = None,
765
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
610
766
  local: Optional[pulumi.Input[bool]] = None,
611
767
  namespace: Optional[pulumi.Input[str]] = None,
612
768
  path: Optional[pulumi.Input[str]] = None,
613
769
  private_key_id: Optional[pulumi.Input[str]] = None,
614
770
  project_id: Optional[pulumi.Input[str]] = None,
615
- tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None,
771
+ service_account_email: Optional[pulumi.Input[str]] = None,
772
+ tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
616
773
  __props__=None):
617
774
  opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
618
775
  if not isinstance(opts, pulumi.ResourceOptions):
@@ -628,11 +785,15 @@ class AuthBackend(pulumi.CustomResource):
628
785
  __props__.__dict__["custom_endpoint"] = custom_endpoint
629
786
  __props__.__dict__["description"] = description
630
787
  __props__.__dict__["disable_remount"] = disable_remount
788
+ __props__.__dict__["identity_token_audience"] = identity_token_audience
789
+ __props__.__dict__["identity_token_key"] = identity_token_key
790
+ __props__.__dict__["identity_token_ttl"] = identity_token_ttl
631
791
  __props__.__dict__["local"] = local
632
792
  __props__.__dict__["namespace"] = namespace
633
793
  __props__.__dict__["path"] = path
634
794
  __props__.__dict__["private_key_id"] = private_key_id
635
795
  __props__.__dict__["project_id"] = project_id
796
+ __props__.__dict__["service_account_email"] = service_account_email
636
797
  __props__.__dict__["tune"] = tune
637
798
  __props__.__dict__["accessor"] = None
638
799
  secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
@@ -651,15 +812,19 @@ class AuthBackend(pulumi.CustomResource):
651
812
  client_email: Optional[pulumi.Input[str]] = None,
652
813
  client_id: Optional[pulumi.Input[str]] = None,
653
814
  credentials: Optional[pulumi.Input[str]] = None,
654
- custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
815
+ custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
655
816
  description: Optional[pulumi.Input[str]] = None,
656
817
  disable_remount: Optional[pulumi.Input[bool]] = None,
818
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
819
+ identity_token_key: Optional[pulumi.Input[str]] = None,
820
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
657
821
  local: Optional[pulumi.Input[bool]] = None,
658
822
  namespace: Optional[pulumi.Input[str]] = None,
659
823
  path: Optional[pulumi.Input[str]] = None,
660
824
  private_key_id: Optional[pulumi.Input[str]] = None,
661
825
  project_id: Optional[pulumi.Input[str]] = None,
662
- tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None) -> 'AuthBackend':
826
+ service_account_email: Optional[pulumi.Input[str]] = None,
827
+ tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None) -> 'AuthBackend':
663
828
  """
664
829
  Get an existing AuthBackend resource's state with the given name, id, and optional extra
665
830
  properties used to qualify the lookup.
@@ -671,7 +836,7 @@ class AuthBackend(pulumi.CustomResource):
671
836
  :param pulumi.Input[str] client_email: The clients email associated with the credentials
672
837
  :param pulumi.Input[str] client_id: The Client ID of the credentials
673
838
  :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
674
- :param pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']] custom_endpoint: Specifies overrides to
839
+ :param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
675
840
  [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
676
841
  used when making API requests. This allows specific requests made during authentication
677
842
  to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
@@ -681,15 +846,23 @@ class AuthBackend(pulumi.CustomResource):
681
846
  :param pulumi.Input[str] description: A description of the auth method.
682
847
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
683
848
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
849
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
850
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
851
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
852
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
853
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
854
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
684
855
  :param pulumi.Input[bool] local: Specifies if the auth method is local only.
685
856
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
686
857
  The value should not contain leading or trailing forward slashes.
687
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
858
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
688
859
  *Available only for Vault Enterprise*.
689
860
  :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
690
861
  :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
691
862
  :param pulumi.Input[str] project_id: The GCP Project ID
692
- :param pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']] tune: Extra configuration block. Structure is documented below.
863
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
864
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
865
+ :param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
693
866
 
694
867
  The `tune` block is used to tune the auth backend:
695
868
  """
@@ -704,11 +877,15 @@ class AuthBackend(pulumi.CustomResource):
704
877
  __props__.__dict__["custom_endpoint"] = custom_endpoint
705
878
  __props__.__dict__["description"] = description
706
879
  __props__.__dict__["disable_remount"] = disable_remount
880
+ __props__.__dict__["identity_token_audience"] = identity_token_audience
881
+ __props__.__dict__["identity_token_key"] = identity_token_key
882
+ __props__.__dict__["identity_token_ttl"] = identity_token_ttl
707
883
  __props__.__dict__["local"] = local
708
884
  __props__.__dict__["namespace"] = namespace
709
885
  __props__.__dict__["path"] = path
710
886
  __props__.__dict__["private_key_id"] = private_key_id
711
887
  __props__.__dict__["project_id"] = project_id
888
+ __props__.__dict__["service_account_email"] = service_account_email
712
889
  __props__.__dict__["tune"] = tune
713
890
  return AuthBackend(resource_name, opts=opts, __props__=__props__)
714
891
 
@@ -775,6 +952,33 @@ class AuthBackend(pulumi.CustomResource):
775
952
  """
776
953
  return pulumi.get(self, "disable_remount")
777
954
 
955
+ @property
956
+ @pulumi.getter(name="identityTokenAudience")
957
+ def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
958
+ """
959
+ The audience claim value for plugin identity
960
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
961
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
962
+ """
963
+ return pulumi.get(self, "identity_token_audience")
964
+
965
+ @property
966
+ @pulumi.getter(name="identityTokenKey")
967
+ def identity_token_key(self) -> pulumi.Output[Optional[str]]:
968
+ """
969
+ The key to use for signing plugin identity
970
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
971
+ """
972
+ return pulumi.get(self, "identity_token_key")
973
+
974
+ @property
975
+ @pulumi.getter(name="identityTokenTtl")
976
+ def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
977
+ """
978
+ The TTL of generated tokens.
979
+ """
980
+ return pulumi.get(self, "identity_token_ttl")
981
+
778
982
  @property
779
983
  @pulumi.getter
780
984
  def local(self) -> pulumi.Output[Optional[bool]]:
@@ -789,7 +993,7 @@ class AuthBackend(pulumi.CustomResource):
789
993
  """
790
994
  The namespace to provision the resource in.
791
995
  The value should not contain leading or trailing forward slashes.
792
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
996
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
793
997
  *Available only for Vault Enterprise*.
794
998
  """
795
999
  return pulumi.get(self, "namespace")
@@ -818,6 +1022,15 @@ class AuthBackend(pulumi.CustomResource):
818
1022
  """
819
1023
  return pulumi.get(self, "project_id")
820
1024
 
1025
+ @property
1026
+ @pulumi.getter(name="serviceAccountEmail")
1027
+ def service_account_email(self) -> pulumi.Output[Optional[str]]:
1028
+ """
1029
+ Service Account to impersonate for plugin workload identity federation.
1030
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
1031
+ """
1032
+ return pulumi.get(self, "service_account_email")
1033
+
821
1034
  @property
822
1035
  @pulumi.getter
823
1036
  def tune(self) -> pulumi.Output['outputs.AuthBackendTune']: