PyPI - pulumi-vault - Versions diffs - 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl - Mend

pulumi-vault 5.21.0a1710160723py3-none-any.whl → 6.5.0a1736836139py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (229) hide show

pulumi_vault/__init__.py +52 -0
pulumi_vault/_inputs.py +560 -0
pulumi_vault/_utilities.py +41 -5
pulumi_vault/ad/get_access_credentials.py +22 -7
pulumi_vault/ad/secret_backend.py +14 -144
pulumi_vault/ad/secret_library.py +14 -11
pulumi_vault/ad/secret_role.py +12 -11
pulumi_vault/alicloud/auth_backend_role.py +74 -192
pulumi_vault/approle/auth_backend_login.py +12 -11
pulumi_vault/approle/auth_backend_role.py +75 -193
pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
pulumi_vault/audit.py +24 -27
pulumi_vault/audit_request_header.py +11 -6
pulumi_vault/auth_backend.py +64 -12
pulumi_vault/aws/auth_backend_cert.py +12 -7
pulumi_vault/aws/auth_backend_client.py +265 -24
pulumi_vault/aws/auth_backend_config_identity.py +12 -11
pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
pulumi_vault/aws/auth_backend_login.py +19 -22
pulumi_vault/aws/auth_backend_role.py +75 -193
pulumi_vault/aws/auth_backend_role_tag.py +12 -7
pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
pulumi_vault/aws/auth_backend_sts_role.py +12 -11
pulumi_vault/aws/get_access_credentials.py +34 -7
pulumi_vault/aws/get_static_access_credentials.py +19 -5
pulumi_vault/aws/secret_backend.py +75 -7
pulumi_vault/aws/secret_backend_role.py +183 -11
pulumi_vault/aws/secret_backend_static_role.py +14 -11
pulumi_vault/azure/_inputs.py +24 -0
pulumi_vault/azure/auth_backend_config.py +151 -17
pulumi_vault/azure/auth_backend_role.py +75 -193
pulumi_vault/azure/backend.py +223 -29
pulumi_vault/azure/backend_role.py +42 -41
pulumi_vault/azure/get_access_credentials.py +39 -11
pulumi_vault/azure/outputs.py +5 -0
pulumi_vault/cert_auth_backend_role.py +87 -271
pulumi_vault/config/__init__.pyi +5 -0
pulumi_vault/config/_inputs.py +73 -0
pulumi_vault/config/outputs.py +35 -0
pulumi_vault/config/ui_custom_message.py +529 -0
pulumi_vault/config/vars.py +5 -0
pulumi_vault/consul/secret_backend.py +22 -25
pulumi_vault/consul/secret_backend_role.py +14 -80
pulumi_vault/database/_inputs.py +2770 -881
pulumi_vault/database/outputs.py +721 -838
pulumi_vault/database/secret_backend_connection.py +117 -114
pulumi_vault/database/secret_backend_role.py +29 -24
pulumi_vault/database/secret_backend_static_role.py +85 -15
pulumi_vault/database/secrets_mount.py +425 -138
pulumi_vault/egp_policy.py +16 -15
pulumi_vault/gcp/_inputs.py +111 -0
pulumi_vault/gcp/auth_backend.py +248 -35
pulumi_vault/gcp/auth_backend_role.py +75 -271
pulumi_vault/gcp/get_auth_backend_role.py +43 -9
pulumi_vault/gcp/outputs.py +5 -0
pulumi_vault/gcp/secret_backend.py +287 -16
pulumi_vault/gcp/secret_impersonated_account.py +74 -17
pulumi_vault/gcp/secret_roleset.py +29 -26
pulumi_vault/gcp/secret_static_account.py +37 -34
pulumi_vault/generic/endpoint.py +22 -21
pulumi_vault/generic/get_secret.py +68 -12
pulumi_vault/generic/secret.py +19 -14
pulumi_vault/get_auth_backend.py +24 -11
pulumi_vault/get_auth_backends.py +33 -11
pulumi_vault/get_namespace.py +226 -0
pulumi_vault/get_namespaces.py +153 -0
pulumi_vault/get_nomad_access_token.py +31 -15
pulumi_vault/get_policy_document.py +34 -23
pulumi_vault/get_raft_autopilot_state.py +29 -14
pulumi_vault/github/_inputs.py +55 -0
pulumi_vault/github/auth_backend.py +17 -16
pulumi_vault/github/outputs.py +5 -0
pulumi_vault/github/team.py +14 -13
pulumi_vault/github/user.py +14 -13
pulumi_vault/identity/entity.py +18 -15
pulumi_vault/identity/entity_alias.py +18 -15
pulumi_vault/identity/entity_policies.py +24 -19
pulumi_vault/identity/get_entity.py +40 -14
pulumi_vault/identity/get_group.py +45 -13
pulumi_vault/identity/get_oidc_client_creds.py +21 -11
pulumi_vault/identity/get_oidc_openid_config.py +39 -13
pulumi_vault/identity/get_oidc_public_keys.py +29 -14
pulumi_vault/identity/group.py +50 -49
pulumi_vault/identity/group_alias.py +14 -11
pulumi_vault/identity/group_member_entity_ids.py +24 -74
pulumi_vault/identity/group_member_group_ids.py +36 -27
pulumi_vault/identity/group_policies.py +16 -15
pulumi_vault/identity/mfa_duo.py +9 -8
pulumi_vault/identity/mfa_login_enforcement.py +13 -8
pulumi_vault/identity/mfa_okta.py +9 -8
pulumi_vault/identity/mfa_pingid.py +5 -4
pulumi_vault/identity/mfa_totp.py +5 -4
pulumi_vault/identity/oidc.py +12 -11
pulumi_vault/identity/oidc_assignment.py +22 -13
pulumi_vault/identity/oidc_client.py +34 -25
pulumi_vault/identity/oidc_key.py +28 -19
pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
pulumi_vault/identity/oidc_provider.py +34 -23
pulumi_vault/identity/oidc_role.py +40 -27
pulumi_vault/identity/oidc_scope.py +18 -15
pulumi_vault/identity/outputs.py +8 -3
pulumi_vault/jwt/_inputs.py +55 -0
pulumi_vault/jwt/auth_backend.py +39 -46
pulumi_vault/jwt/auth_backend_role.py +131 -260
pulumi_vault/jwt/outputs.py +5 -0
pulumi_vault/kmip/secret_backend.py +22 -21
pulumi_vault/kmip/secret_role.py +12 -11
pulumi_vault/kmip/secret_scope.py +12 -11
pulumi_vault/kubernetes/auth_backend_config.py +55 -7
pulumi_vault/kubernetes/auth_backend_role.py +68 -179
pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
pulumi_vault/kubernetes/get_service_account_token.py +39 -15
pulumi_vault/kubernetes/secret_backend.py +314 -29
pulumi_vault/kubernetes/secret_backend_role.py +135 -56
pulumi_vault/kv/_inputs.py +36 -4
pulumi_vault/kv/get_secret.py +23 -12
pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
pulumi_vault/kv/get_secret_v2.py +89 -9
pulumi_vault/kv/get_secrets_list.py +22 -15
pulumi_vault/kv/get_secrets_list_v2.py +35 -19
pulumi_vault/kv/outputs.py +8 -3
pulumi_vault/kv/secret.py +19 -18
pulumi_vault/kv/secret_backend_v2.py +12 -11
pulumi_vault/kv/secret_v2.py +55 -52
pulumi_vault/ldap/auth_backend.py +125 -168
pulumi_vault/ldap/auth_backend_group.py +12 -11
pulumi_vault/ldap/auth_backend_user.py +12 -11
pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
pulumi_vault/ldap/get_static_credentials.py +24 -5
pulumi_vault/ldap/secret_backend.py +352 -84
pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
pulumi_vault/ldap/secret_backend_library_set.py +14 -11
pulumi_vault/ldap/secret_backend_static_role.py +67 -12
pulumi_vault/managed/_inputs.py +289 -132
pulumi_vault/managed/keys.py +27 -43
pulumi_vault/managed/outputs.py +89 -132
pulumi_vault/mfa_duo.py +16 -13
pulumi_vault/mfa_okta.py +16 -13
pulumi_vault/mfa_pingid.py +16 -13
pulumi_vault/mfa_totp.py +22 -19
pulumi_vault/mongodbatlas/secret_backend.py +18 -17
pulumi_vault/mongodbatlas/secret_role.py +41 -38
pulumi_vault/mount.py +389 -65
pulumi_vault/namespace.py +26 -21
pulumi_vault/nomad_secret_backend.py +16 -15
pulumi_vault/nomad_secret_role.py +12 -11
pulumi_vault/okta/_inputs.py +47 -8
pulumi_vault/okta/auth_backend.py +483 -41
pulumi_vault/okta/auth_backend_group.py +12 -11
pulumi_vault/okta/auth_backend_user.py +12 -11
pulumi_vault/okta/outputs.py +13 -8
pulumi_vault/outputs.py +5 -0
pulumi_vault/password_policy.py +18 -15
pulumi_vault/pkisecret/__init__.py +3 -0
pulumi_vault/pkisecret/_inputs.py +81 -0
pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
pulumi_vault/pkisecret/backend_config_est.py +619 -0
pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
pulumi_vault/pkisecret/get_backend_key.py +24 -13
pulumi_vault/pkisecret/get_backend_keys.py +21 -12
pulumi_vault/pkisecret/outputs.py +69 -0
pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
pulumi_vault/pkisecret/secret_backend_key.py +12 -7
pulumi_vault/pkisecret/secret_backend_role.py +19 -16
pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
pulumi_vault/plugin.py +595 -0
pulumi_vault/plugin_pinned_version.py +298 -0
pulumi_vault/policy.py +12 -7
pulumi_vault/provider.py +48 -53
pulumi_vault/pulumi-plugin.json +2 -1
pulumi_vault/quota_lease_count.py +58 -8
pulumi_vault/quota_rate_limit.py +54 -4
pulumi_vault/rabbitmq/_inputs.py +61 -0
pulumi_vault/rabbitmq/outputs.py +5 -0
pulumi_vault/rabbitmq/secret_backend.py +16 -15
pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
pulumi_vault/raft_autopilot.py +12 -11
pulumi_vault/raft_snapshot_agent_config.py +121 -311
pulumi_vault/rgp_policy.py +14 -13
pulumi_vault/saml/auth_backend.py +20 -19
pulumi_vault/saml/auth_backend_role.py +90 -199
pulumi_vault/secrets/__init__.py +3 -0
pulumi_vault/secrets/_inputs.py +110 -0
pulumi_vault/secrets/outputs.py +94 -0
pulumi_vault/secrets/sync_association.py +56 -75
pulumi_vault/secrets/sync_aws_destination.py +240 -29
pulumi_vault/secrets/sync_azure_destination.py +90 -33
pulumi_vault/secrets/sync_config.py +7 -6
pulumi_vault/secrets/sync_gcp_destination.py +156 -27
pulumi_vault/secrets/sync_gh_destination.py +187 -15
pulumi_vault/secrets/sync_github_apps.py +375 -0
pulumi_vault/secrets/sync_vercel_destination.py +72 -15
pulumi_vault/ssh/_inputs.py +28 -32
pulumi_vault/ssh/outputs.py +11 -32
pulumi_vault/ssh/secret_backend_ca.py +106 -11
pulumi_vault/ssh/secret_backend_role.py +83 -120
pulumi_vault/terraformcloud/secret_backend.py +5 -56
pulumi_vault/terraformcloud/secret_creds.py +14 -24
pulumi_vault/terraformcloud/secret_role.py +14 -76
pulumi_vault/token.py +26 -25
pulumi_vault/tokenauth/auth_backend_role.py +76 -201
pulumi_vault/transform/alphabet.py +16 -13
pulumi_vault/transform/get_decode.py +45 -21
pulumi_vault/transform/get_encode.py +45 -21
pulumi_vault/transform/role.py +16 -13
pulumi_vault/transform/template.py +30 -25
pulumi_vault/transform/transformation.py +12 -7
pulumi_vault/transit/get_decrypt.py +26 -25
pulumi_vault/transit/get_encrypt.py +24 -19
pulumi_vault/transit/secret_backend_key.py +25 -97
pulumi_vault/transit/secret_cache_config.py +12 -11
{pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
{pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
{pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0

pulumi_vault/gcp/auth_backend.py CHANGED Viewed

@@ -4,9 +4,14 @@
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 from . import outputs
 from ._inputs import *
@@ -22,11 +27,15 @@ class AuthBackendArgs:
                  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
                  private_key_id: Optional[pulumi.Input[str]] = None,
                  project_id: Optional[pulumi.Input[str]] = None,
+                 service_account_email: Optional[pulumi.Input[str]] = None,
                  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
         """
         The set of arguments for constructing a AuthBackend resource.
@@ -43,14 +52,22 @@ class AuthBackendArgs:
         :param pulumi.Input[str] description: A description of the auth method.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
+               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
+               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Specifies if the auth method is local only.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
         :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
         :param pulumi.Input[str] project_id: The GCP Project ID
+        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
+               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
                The `tune` block is used to tune the auth backend:
@@ -67,6 +84,12 @@ class AuthBackendArgs:
             pulumi.set(__self__, "description", description)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
+        if identity_token_audience is not None:
+            pulumi.set(__self__, "identity_token_audience", identity_token_audience)
+        if identity_token_key is not None:
+            pulumi.set(__self__, "identity_token_key", identity_token_key)
+        if identity_token_ttl is not None:
+            pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
         if local is not None:
             pulumi.set(__self__, "local", local)
         if namespace is not None:
@@ -77,6 +100,8 @@ class AuthBackendArgs:
             pulumi.set(__self__, "private_key_id", private_key_id)
         if project_id is not None:
             pulumi.set(__self__, "project_id", project_id)
+        if service_account_email is not None:
+            pulumi.set(__self__, "service_account_email", service_account_email)
         if tune is not None:
             pulumi.set(__self__, "tune", tune)
@@ -159,6 +184,45 @@ class AuthBackendArgs:
     def disable_remount(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "disable_remount", value)
+    @property
+    @pulumi.getter(name="identityTokenAudience")
+    def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
+        """
+        The audience claim value for plugin identity
+        tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+        Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_audience")
+    @identity_token_audience.setter
+    def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_audience", value)
+    @property
+    @pulumi.getter(name="identityTokenKey")
+    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        The key to use for signing plugin identity
+        tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_key")
+    @identity_token_key.setter
+    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_key", value)
+    @property
+    @pulumi.getter(name="identityTokenTtl")
+    def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
+        """
+        The TTL of generated tokens.
+        """
+        return pulumi.get(self, "identity_token_ttl")
+    @identity_token_ttl.setter
+    def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "identity_token_ttl", value)
     @property
     @pulumi.getter
     def local(self) -> Optional[pulumi.Input[bool]]:
@@ -177,7 +241,7 @@ class AuthBackendArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -222,6 +286,19 @@ class AuthBackendArgs:
     def project_id(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "project_id", value)
+    @property
+    @pulumi.getter(name="serviceAccountEmail")
+    def service_account_email(self) -> Optional[pulumi.Input[str]]:
+        """
+        Service Account to impersonate for plugin workload identity federation.
+        Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "service_account_email")
+    @service_account_email.setter
+    def service_account_email(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "service_account_email", value)
     @property
     @pulumi.getter
     def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
@@ -247,11 +324,15 @@ class _AuthBackendState:
                  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
                  private_key_id: Optional[pulumi.Input[str]] = None,
                  project_id: Optional[pulumi.Input[str]] = None,
+                 service_account_email: Optional[pulumi.Input[str]] = None,
                  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
         """
         Input properties used for looking up and filtering AuthBackend resources.
@@ -269,14 +350,22 @@ class _AuthBackendState:
         :param pulumi.Input[str] description: A description of the auth method.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
+               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
+               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Specifies if the auth method is local only.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
         :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
         :param pulumi.Input[str] project_id: The GCP Project ID
+        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
+               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
                The `tune` block is used to tune the auth backend:
@@ -295,6 +384,12 @@ class _AuthBackendState:
             pulumi.set(__self__, "description", description)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
+        if identity_token_audience is not None:
+            pulumi.set(__self__, "identity_token_audience", identity_token_audience)
+        if identity_token_key is not None:
+            pulumi.set(__self__, "identity_token_key", identity_token_key)
+        if identity_token_ttl is not None:
+            pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
         if local is not None:
             pulumi.set(__self__, "local", local)
         if namespace is not None:
@@ -305,6 +400,8 @@ class _AuthBackendState:
             pulumi.set(__self__, "private_key_id", private_key_id)
         if project_id is not None:
             pulumi.set(__self__, "project_id", project_id)
+        if service_account_email is not None:
+            pulumi.set(__self__, "service_account_email", service_account_email)
         if tune is not None:
             pulumi.set(__self__, "tune", tune)
@@ -399,6 +496,45 @@ class _AuthBackendState:
     def disable_remount(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "disable_remount", value)
+    @property
+    @pulumi.getter(name="identityTokenAudience")
+    def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
+        """
+        The audience claim value for plugin identity
+        tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+        Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_audience")
+    @identity_token_audience.setter
+    def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_audience", value)
+    @property
+    @pulumi.getter(name="identityTokenKey")
+    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        The key to use for signing plugin identity
+        tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_key")
+    @identity_token_key.setter
+    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_key", value)
+    @property
+    @pulumi.getter(name="identityTokenTtl")
+    def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
+        """
+        The TTL of generated tokens.
+        """
+        return pulumi.get(self, "identity_token_ttl")
+    @identity_token_ttl.setter
+    def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "identity_token_ttl", value)
     @property
     @pulumi.getter
     def local(self) -> Optional[pulumi.Input[bool]]:
@@ -417,7 +553,7 @@ class _AuthBackendState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -462,6 +598,19 @@ class _AuthBackendState:
     def project_id(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "project_id", value)
+    @property
+    @pulumi.getter(name="serviceAccountEmail")
+    def service_account_email(self) -> Optional[pulumi.Input[str]]:
+        """
+        Service Account to impersonate for plugin workload identity federation.
+        Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "service_account_email")
+    @service_account_email.setter
+    def service_account_email(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "service_account_email", value)
     @property
     @pulumi.getter
     def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
@@ -485,36 +634,36 @@ class AuthBackend(pulumi.CustomResource):
                  client_email: Optional[pulumi.Input[str]] = None,
                  client_id: Optional[pulumi.Input[str]] = None,
                  credentials: Optional[pulumi.Input[str]] = None,
-                 custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
+                 custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
                  private_key_id: Optional[pulumi.Input[str]] = None,
                  project_id: Optional[pulumi.Input[str]] = None,
-                 tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None,
+                 service_account_email: Optional[pulumi.Input[str]] = None,
+                 tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
                  __props__=None):
         """
         Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).
         ## Example Usage
-        <!--Start PulumiCodeChooser -->
+        You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
         ```python
         import pulumi
         import pulumi_vault as vault
         gcp = vault.gcp.AuthBackend("gcp",
-            credentials=(lambda path: open(path).read())("vault-gcp-credentials.json"),
-            custom_endpoint=vault.gcp.AuthBackendCustomEndpointArgs(
-                api="www.googleapis.com",
-                iam="iam.googleapis.com",
-                crm="cloudresourcemanager.googleapis.com",
-                compute="compute.googleapis.com",
-            ))
+            identity_token_key="example-key",
+            identity_token_ttl=1800,
+            identity_token_audience="<TOKEN_AUDIENCE>",
+            service_account_email="<SERVICE_ACCOUNT_EMAIL>")
         ```
-        <!--End PulumiCodeChooser -->
         ## Import
@@ -529,7 +678,7 @@ class AuthBackend(pulumi.CustomResource):
         :param pulumi.Input[str] client_email: The clients email associated with the credentials
         :param pulumi.Input[str] client_id: The Client ID of the credentials
         :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
-        :param pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']] custom_endpoint: Specifies overrides to
+        :param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
                [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
                used when making API requests. This allows specific requests made during authentication
                to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
@@ -539,15 +688,23 @@ class AuthBackend(pulumi.CustomResource):
         :param pulumi.Input[str] description: A description of the auth method.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
+               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
+               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Specifies if the auth method is local only.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
         :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
         :param pulumi.Input[str] project_id: The GCP Project ID
-        :param pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']] tune: Extra configuration block. Structure is documented below.
+        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
+               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
                The `tune` block is used to tune the auth backend:
         """
@@ -562,21 +719,17 @@ class AuthBackend(pulumi.CustomResource):
         ## Example Usage
-        <!--Start PulumiCodeChooser -->
+        You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
         ```python
         import pulumi
         import pulumi_vault as vault
         gcp = vault.gcp.AuthBackend("gcp",
-            credentials=(lambda path: open(path).read())("vault-gcp-credentials.json"),
-            custom_endpoint=vault.gcp.AuthBackendCustomEndpointArgs(
-                api="www.googleapis.com",
-                iam="iam.googleapis.com",
-                crm="cloudresourcemanager.googleapis.com",
-                compute="compute.googleapis.com",
-            ))
+            identity_token_key="example-key",
+            identity_token_ttl=1800,
+            identity_token_audience="<TOKEN_AUDIENCE>",
+            service_account_email="<SERVICE_ACCOUNT_EMAIL>")
         ```
-        <!--End PulumiCodeChooser -->
         ## Import
@@ -604,15 +757,19 @@ class AuthBackend(pulumi.CustomResource):
                  client_email: Optional[pulumi.Input[str]] = None,
                  client_id: Optional[pulumi.Input[str]] = None,
                  credentials: Optional[pulumi.Input[str]] = None,
-                 custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
+                 custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
                  private_key_id: Optional[pulumi.Input[str]] = None,
                  project_id: Optional[pulumi.Input[str]] = None,
-                 tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None,
+                 service_account_email: Optional[pulumi.Input[str]] = None,
+                 tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -628,11 +785,15 @@ class AuthBackend(pulumi.CustomResource):
             __props__.__dict__["custom_endpoint"] = custom_endpoint
             __props__.__dict__["description"] = description
             __props__.__dict__["disable_remount"] = disable_remount
+            __props__.__dict__["identity_token_audience"] = identity_token_audience
+            __props__.__dict__["identity_token_key"] = identity_token_key
+            __props__.__dict__["identity_token_ttl"] = identity_token_ttl
             __props__.__dict__["local"] = local
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["path"] = path
             __props__.__dict__["private_key_id"] = private_key_id
             __props__.__dict__["project_id"] = project_id
+            __props__.__dict__["service_account_email"] = service_account_email
             __props__.__dict__["tune"] = tune
             __props__.__dict__["accessor"] = None
         secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
@@ -651,15 +812,19 @@ class AuthBackend(pulumi.CustomResource):
             client_email: Optional[pulumi.Input[str]] = None,
             client_id: Optional[pulumi.Input[str]] = None,
             credentials: Optional[pulumi.Input[str]] = None,
-            custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
+            custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
             description: Optional[pulumi.Input[str]] = None,
             disable_remount: Optional[pulumi.Input[bool]] = None,
+            identity_token_audience: Optional[pulumi.Input[str]] = None,
+            identity_token_key: Optional[pulumi.Input[str]] = None,
+            identity_token_ttl: Optional[pulumi.Input[int]] = None,
             local: Optional[pulumi.Input[bool]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
             path: Optional[pulumi.Input[str]] = None,
             private_key_id: Optional[pulumi.Input[str]] = None,
             project_id: Optional[pulumi.Input[str]] = None,
-            tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None) -> 'AuthBackend':
+            service_account_email: Optional[pulumi.Input[str]] = None,
+            tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None) -> 'AuthBackend':
         """
         Get an existing AuthBackend resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -671,7 +836,7 @@ class AuthBackend(pulumi.CustomResource):
         :param pulumi.Input[str] client_email: The clients email associated with the credentials
         :param pulumi.Input[str] client_id: The Client ID of the credentials
         :param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
-        :param pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']] custom_endpoint: Specifies overrides to
+        :param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
                [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
                used when making API requests. This allows specific requests made during authentication
                to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
@@ -681,15 +846,23 @@ class AuthBackend(pulumi.CustomResource):
         :param pulumi.Input[str] description: A description of the auth method.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
+               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
+               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Specifies if the auth method is local only.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
         :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
         :param pulumi.Input[str] project_id: The GCP Project ID
-        :param pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']] tune: Extra configuration block. Structure is documented below.
+        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
+               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
                The `tune` block is used to tune the auth backend:
         """
@@ -704,11 +877,15 @@ class AuthBackend(pulumi.CustomResource):
         __props__.__dict__["custom_endpoint"] = custom_endpoint
         __props__.__dict__["description"] = description
         __props__.__dict__["disable_remount"] = disable_remount
+        __props__.__dict__["identity_token_audience"] = identity_token_audience
+        __props__.__dict__["identity_token_key"] = identity_token_key
+        __props__.__dict__["identity_token_ttl"] = identity_token_ttl
         __props__.__dict__["local"] = local
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["path"] = path
         __props__.__dict__["private_key_id"] = private_key_id
         __props__.__dict__["project_id"] = project_id
+        __props__.__dict__["service_account_email"] = service_account_email
         __props__.__dict__["tune"] = tune
         return AuthBackend(resource_name, opts=opts, __props__=__props__)
@@ -775,6 +952,33 @@ class AuthBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "disable_remount")
+    @property
+    @pulumi.getter(name="identityTokenAudience")
+    def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
+        """
+        The audience claim value for plugin identity
+        tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+        Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_audience")
+    @property
+    @pulumi.getter(name="identityTokenKey")
+    def identity_token_key(self) -> pulumi.Output[Optional[str]]:
+        """
+        The key to use for signing plugin identity
+        tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_key")
+    @property
+    @pulumi.getter(name="identityTokenTtl")
+    def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
+        """
+        The TTL of generated tokens.
+        """
+        return pulumi.get(self, "identity_token_ttl")
     @property
     @pulumi.getter
     def local(self) -> pulumi.Output[Optional[bool]]:
@@ -789,7 +993,7 @@ class AuthBackend(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -818,6 +1022,15 @@ class AuthBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "project_id")
+    @property
+    @pulumi.getter(name="serviceAccountEmail")
+    def service_account_email(self) -> pulumi.Output[Optional[str]]:
+        """
+        Service Account to impersonate for plugin workload identity federation.
+        Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "service_account_email")
     @property
     @pulumi.getter
     def tune(self) -> pulumi.Output['outputs.AuthBackendTune']:

pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

pulumi-vault 5.21.0a1710160723py3-none-any.whl → 6.5.0a1736836139py3-none-any.whl