pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +22 -7
- pulumi_vault/ad/secret_backend.py +14 -144
- pulumi_vault/ad/secret_library.py +14 -11
- pulumi_vault/ad/secret_role.py +12 -11
- pulumi_vault/alicloud/auth_backend_role.py +74 -192
- pulumi_vault/approle/auth_backend_login.py +12 -11
- pulumi_vault/approle/auth_backend_role.py +75 -193
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
- pulumi_vault/audit.py +24 -27
- pulumi_vault/audit_request_header.py +11 -6
- pulumi_vault/auth_backend.py +64 -12
- pulumi_vault/aws/auth_backend_cert.py +12 -7
- pulumi_vault/aws/auth_backend_client.py +265 -24
- pulumi_vault/aws/auth_backend_config_identity.py +12 -11
- pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +75 -193
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
- pulumi_vault/aws/auth_backend_sts_role.py +12 -11
- pulumi_vault/aws/get_access_credentials.py +34 -7
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +75 -7
- pulumi_vault/aws/secret_backend_role.py +183 -11
- pulumi_vault/aws/secret_backend_static_role.py +14 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +151 -17
- pulumi_vault/azure/auth_backend_role.py +75 -193
- pulumi_vault/azure/backend.py +223 -29
- pulumi_vault/azure/backend_role.py +42 -41
- pulumi_vault/azure/get_access_credentials.py +39 -11
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -271
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +22 -25
- pulumi_vault/consul/secret_backend_role.py +14 -80
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +117 -114
- pulumi_vault/database/secret_backend_role.py +29 -24
- pulumi_vault/database/secret_backend_static_role.py +85 -15
- pulumi_vault/database/secrets_mount.py +425 -138
- pulumi_vault/egp_policy.py +16 -15
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +248 -35
- pulumi_vault/gcp/auth_backend_role.py +75 -271
- pulumi_vault/gcp/get_auth_backend_role.py +43 -9
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -16
- pulumi_vault/gcp/secret_impersonated_account.py +74 -17
- pulumi_vault/gcp/secret_roleset.py +29 -26
- pulumi_vault/gcp/secret_static_account.py +37 -34
- pulumi_vault/generic/endpoint.py +22 -21
- pulumi_vault/generic/get_secret.py +68 -12
- pulumi_vault/generic/secret.py +19 -14
- pulumi_vault/get_auth_backend.py +24 -11
- pulumi_vault/get_auth_backends.py +33 -11
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -15
- pulumi_vault/get_policy_document.py +34 -23
- pulumi_vault/get_raft_autopilot_state.py +29 -14
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +17 -16
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +14 -13
- pulumi_vault/github/user.py +14 -13
- pulumi_vault/identity/entity.py +18 -15
- pulumi_vault/identity/entity_alias.py +18 -15
- pulumi_vault/identity/entity_policies.py +24 -19
- pulumi_vault/identity/get_entity.py +40 -14
- pulumi_vault/identity/get_group.py +45 -13
- pulumi_vault/identity/get_oidc_client_creds.py +21 -11
- pulumi_vault/identity/get_oidc_openid_config.py +39 -13
- pulumi_vault/identity/get_oidc_public_keys.py +29 -14
- pulumi_vault/identity/group.py +50 -49
- pulumi_vault/identity/group_alias.py +14 -11
- pulumi_vault/identity/group_member_entity_ids.py +24 -74
- pulumi_vault/identity/group_member_group_ids.py +36 -27
- pulumi_vault/identity/group_policies.py +16 -15
- pulumi_vault/identity/mfa_duo.py +9 -8
- pulumi_vault/identity/mfa_login_enforcement.py +13 -8
- pulumi_vault/identity/mfa_okta.py +9 -8
- pulumi_vault/identity/mfa_pingid.py +5 -4
- pulumi_vault/identity/mfa_totp.py +5 -4
- pulumi_vault/identity/oidc.py +12 -11
- pulumi_vault/identity/oidc_assignment.py +22 -13
- pulumi_vault/identity/oidc_client.py +34 -25
- pulumi_vault/identity/oidc_key.py +28 -19
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
- pulumi_vault/identity/oidc_provider.py +34 -23
- pulumi_vault/identity/oidc_role.py +40 -27
- pulumi_vault/identity/oidc_scope.py +18 -15
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +39 -46
- pulumi_vault/jwt/auth_backend_role.py +131 -260
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +22 -21
- pulumi_vault/kmip/secret_role.py +12 -11
- pulumi_vault/kmip/secret_scope.py +12 -11
- pulumi_vault/kubernetes/auth_backend_config.py +55 -7
- pulumi_vault/kubernetes/auth_backend_role.py +68 -179
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -15
- pulumi_vault/kubernetes/secret_backend.py +314 -29
- pulumi_vault/kubernetes/secret_backend_role.py +135 -56
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +23 -12
- pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
- pulumi_vault/kv/get_secret_v2.py +89 -9
- pulumi_vault/kv/get_secrets_list.py +22 -15
- pulumi_vault/kv/get_secrets_list_v2.py +35 -19
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +19 -18
- pulumi_vault/kv/secret_backend_v2.py +12 -11
- pulumi_vault/kv/secret_v2.py +55 -52
- pulumi_vault/ldap/auth_backend.py +125 -168
- pulumi_vault/ldap/auth_backend_group.py +12 -11
- pulumi_vault/ldap/auth_backend_user.py +12 -11
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +352 -84
- pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
- pulumi_vault/ldap/secret_backend_library_set.py +14 -11
- pulumi_vault/ldap/secret_backend_static_role.py +67 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +27 -43
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +16 -13
- pulumi_vault/mfa_okta.py +16 -13
- pulumi_vault/mfa_pingid.py +16 -13
- pulumi_vault/mfa_totp.py +22 -19
- pulumi_vault/mongodbatlas/secret_backend.py +18 -17
- pulumi_vault/mongodbatlas/secret_role.py +41 -38
- pulumi_vault/mount.py +389 -65
- pulumi_vault/namespace.py +26 -21
- pulumi_vault/nomad_secret_backend.py +16 -15
- pulumi_vault/nomad_secret_role.py +12 -11
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +483 -41
- pulumi_vault/okta/auth_backend_group.py +12 -11
- pulumi_vault/okta/auth_backend_user.py +12 -11
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +18 -15
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
- pulumi_vault/pkisecret/get_backend_key.py +24 -13
- pulumi_vault/pkisecret/get_backend_keys.py +21 -12
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
- pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
- pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
- pulumi_vault/pkisecret/secret_backend_key.py +12 -7
- pulumi_vault/pkisecret/secret_backend_role.py +19 -16
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +12 -7
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +58 -8
- pulumi_vault/quota_rate_limit.py +54 -4
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +16 -15
- pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
- pulumi_vault/raft_autopilot.py +12 -11
- pulumi_vault/raft_snapshot_agent_config.py +121 -311
- pulumi_vault/rgp_policy.py +14 -13
- pulumi_vault/saml/auth_backend.py +20 -19
- pulumi_vault/saml/auth_backend_role.py +90 -199
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -75
- pulumi_vault/secrets/sync_aws_destination.py +240 -29
- pulumi_vault/secrets/sync_azure_destination.py +90 -33
- pulumi_vault/secrets/sync_config.py +7 -6
- pulumi_vault/secrets/sync_gcp_destination.py +156 -27
- pulumi_vault/secrets/sync_gh_destination.py +187 -15
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +72 -15
- pulumi_vault/ssh/_inputs.py +28 -32
- pulumi_vault/ssh/outputs.py +11 -32
- pulumi_vault/ssh/secret_backend_ca.py +106 -11
- pulumi_vault/ssh/secret_backend_role.py +83 -120
- pulumi_vault/terraformcloud/secret_backend.py +5 -56
- pulumi_vault/terraformcloud/secret_creds.py +14 -24
- pulumi_vault/terraformcloud/secret_role.py +14 -76
- pulumi_vault/token.py +26 -25
- pulumi_vault/tokenauth/auth_backend_role.py +76 -201
- pulumi_vault/transform/alphabet.py +16 -13
- pulumi_vault/transform/get_decode.py +45 -21
- pulumi_vault/transform/get_encode.py +45 -21
- pulumi_vault/transform/role.py +16 -13
- pulumi_vault/transform/template.py +30 -25
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -25
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +25 -97
- pulumi_vault/transit/secret_cache_config.py +12 -11
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
|
@@ -40,45 +45,22 @@ class AuthBackendRoleArgs:
|
|
40
45
|
The set of arguments for constructing a AuthBackendRole resource.
|
41
46
|
:param pulumi.Input[str] role: Name of the GCP role
|
42
47
|
:param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
|
43
|
-
:param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
|
44
48
|
:param pulumi.Input[str] backend: Path to the mounted GCP auth backend
|
45
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
|
46
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
|
47
49
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
|
48
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
|
49
50
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
|
50
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
|
51
|
-
:param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
|
52
51
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
53
52
|
The value should not contain leading or trailing forward slashes.
|
54
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
53
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
55
54
|
*Available only for Vault Enterprise*.
|
56
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
57
|
-
|
58
|
-
|
59
|
-
:param pulumi.Input[
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
:param pulumi.Input[int]
|
64
|
-
|
65
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
66
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
67
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
|
68
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
69
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
70
|
-
token generated using this role should never expire. The token should be renewed within the
|
71
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
72
|
-
value of this field. Specified in seconds.
|
73
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
74
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
75
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
76
|
-
Its current value will be referenced at renewal time.
|
77
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
78
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
79
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
80
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
81
|
-
requests a different type at generation time.
|
55
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
56
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
57
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
58
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
59
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
60
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
61
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
62
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
63
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
82
64
|
"""
|
83
65
|
pulumi.set(__self__, "role", role)
|
84
66
|
pulumi.set(__self__, "type", type)
|
@@ -159,9 +141,6 @@ class AuthBackendRoleArgs:
|
|
159
141
|
@property
|
160
142
|
@pulumi.getter(name="allowGceInference")
|
161
143
|
def allow_gce_inference(self) -> Optional[pulumi.Input[bool]]:
|
162
|
-
"""
|
163
|
-
A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
|
164
|
-
"""
|
165
144
|
return pulumi.get(self, "allow_gce_inference")
|
166
145
|
|
167
146
|
@allow_gce_inference.setter
|
@@ -183,9 +162,6 @@ class AuthBackendRoleArgs:
|
|
183
162
|
@property
|
184
163
|
@pulumi.getter(name="boundInstanceGroups")
|
185
164
|
def bound_instance_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
186
|
-
"""
|
187
|
-
The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
|
188
|
-
"""
|
189
165
|
return pulumi.get(self, "bound_instance_groups")
|
190
166
|
|
191
167
|
@bound_instance_groups.setter
|
@@ -195,9 +171,6 @@ class AuthBackendRoleArgs:
|
|
195
171
|
@property
|
196
172
|
@pulumi.getter(name="boundLabels")
|
197
173
|
def bound_labels(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
198
|
-
"""
|
199
|
-
A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
|
200
|
-
"""
|
201
174
|
return pulumi.get(self, "bound_labels")
|
202
175
|
|
203
176
|
@bound_labels.setter
|
@@ -219,9 +192,6 @@ class AuthBackendRoleArgs:
|
|
219
192
|
@property
|
220
193
|
@pulumi.getter(name="boundRegions")
|
221
194
|
def bound_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
222
|
-
"""
|
223
|
-
The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
|
224
|
-
"""
|
225
195
|
return pulumi.get(self, "bound_regions")
|
226
196
|
|
227
197
|
@bound_regions.setter
|
@@ -243,9 +213,6 @@ class AuthBackendRoleArgs:
|
|
243
213
|
@property
|
244
214
|
@pulumi.getter(name="boundZones")
|
245
215
|
def bound_zones(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
246
|
-
"""
|
247
|
-
The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
|
248
|
-
"""
|
249
216
|
return pulumi.get(self, "bound_zones")
|
250
217
|
|
251
218
|
@bound_zones.setter
|
@@ -255,9 +222,6 @@ class AuthBackendRoleArgs:
|
|
255
222
|
@property
|
256
223
|
@pulumi.getter(name="maxJwtExp")
|
257
224
|
def max_jwt_exp(self) -> Optional[pulumi.Input[str]]:
|
258
|
-
"""
|
259
|
-
The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
|
260
|
-
"""
|
261
225
|
return pulumi.get(self, "max_jwt_exp")
|
262
226
|
|
263
227
|
@max_jwt_exp.setter
|
@@ -270,7 +234,7 @@ class AuthBackendRoleArgs:
|
|
270
234
|
"""
|
271
235
|
The namespace to provision the resource in.
|
272
236
|
The value should not contain leading or trailing forward slashes.
|
273
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
237
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
274
238
|
*Available only for Vault Enterprise*.
|
275
239
|
"""
|
276
240
|
return pulumi.get(self, "namespace")
|
@@ -283,9 +247,7 @@ class AuthBackendRoleArgs:
|
|
283
247
|
@pulumi.getter(name="tokenBoundCidrs")
|
284
248
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
285
249
|
"""
|
286
|
-
|
287
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
288
|
-
as well.
|
250
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
289
251
|
"""
|
290
252
|
return pulumi.get(self, "token_bound_cidrs")
|
291
253
|
|
@@ -297,10 +259,7 @@ class AuthBackendRoleArgs:
|
|
297
259
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
298
260
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
299
261
|
"""
|
300
|
-
|
301
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
302
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
303
|
-
`token_max_ttl` would otherwise allow a renewal.
|
262
|
+
Generated Token's Explicit Maximum TTL in seconds
|
304
263
|
"""
|
305
264
|
return pulumi.get(self, "token_explicit_max_ttl")
|
306
265
|
|
@@ -312,8 +271,7 @@ class AuthBackendRoleArgs:
|
|
312
271
|
@pulumi.getter(name="tokenMaxTtl")
|
313
272
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
314
273
|
"""
|
315
|
-
The maximum lifetime
|
316
|
-
Its current value will be referenced at renewal time.
|
274
|
+
The maximum lifetime of the generated token
|
317
275
|
"""
|
318
276
|
return pulumi.get(self, "token_max_ttl")
|
319
277
|
|
@@ -325,8 +283,7 @@ class AuthBackendRoleArgs:
|
|
325
283
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
326
284
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
327
285
|
"""
|
328
|
-
If
|
329
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
286
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
330
287
|
"""
|
331
288
|
return pulumi.get(self, "token_no_default_policy")
|
332
289
|
|
@@ -338,8 +295,7 @@ class AuthBackendRoleArgs:
|
|
338
295
|
@pulumi.getter(name="tokenNumUses")
|
339
296
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
340
297
|
"""
|
341
|
-
The
|
342
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
298
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
343
299
|
"""
|
344
300
|
return pulumi.get(self, "token_num_uses")
|
345
301
|
|
@@ -351,10 +307,7 @@ class AuthBackendRoleArgs:
|
|
351
307
|
@pulumi.getter(name="tokenPeriod")
|
352
308
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
353
309
|
"""
|
354
|
-
|
355
|
-
token generated using this role should never expire. The token should be renewed within the
|
356
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
357
|
-
value of this field. Specified in seconds.
|
310
|
+
Generated Token's Period
|
358
311
|
"""
|
359
312
|
return pulumi.get(self, "token_period")
|
360
313
|
|
@@ -366,8 +319,7 @@ class AuthBackendRoleArgs:
|
|
366
319
|
@pulumi.getter(name="tokenPolicies")
|
367
320
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
368
321
|
"""
|
369
|
-
|
370
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
322
|
+
Generated Token's Policies
|
371
323
|
"""
|
372
324
|
return pulumi.get(self, "token_policies")
|
373
325
|
|
@@ -379,8 +331,7 @@ class AuthBackendRoleArgs:
|
|
379
331
|
@pulumi.getter(name="tokenTtl")
|
380
332
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
381
333
|
"""
|
382
|
-
The
|
383
|
-
Its current value will be referenced at renewal time.
|
334
|
+
The initial ttl of the token to generate in seconds
|
384
335
|
"""
|
385
336
|
return pulumi.get(self, "token_ttl")
|
386
337
|
|
@@ -392,11 +343,7 @@ class AuthBackendRoleArgs:
|
|
392
343
|
@pulumi.getter(name="tokenType")
|
393
344
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
394
345
|
"""
|
395
|
-
The type of token
|
396
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
397
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
398
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
399
|
-
requests a different type at generation time.
|
346
|
+
The type of token to generate, service or batch
|
400
347
|
"""
|
401
348
|
return pulumi.get(self, "token_type")
|
402
349
|
|
@@ -432,46 +379,23 @@ class _AuthBackendRoleState:
|
|
432
379
|
type: Optional[pulumi.Input[str]] = None):
|
433
380
|
"""
|
434
381
|
Input properties used for looking up and filtering AuthBackendRole resources.
|
435
|
-
:param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
|
436
382
|
:param pulumi.Input[str] backend: Path to the mounted GCP auth backend
|
437
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
|
438
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
|
439
383
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
|
440
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
|
441
384
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
|
442
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
|
443
|
-
:param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
|
444
385
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
445
386
|
The value should not contain leading or trailing forward slashes.
|
446
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
387
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
447
388
|
*Available only for Vault Enterprise*.
|
448
389
|
:param pulumi.Input[str] role: Name of the GCP role
|
449
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
450
|
-
|
451
|
-
|
452
|
-
:param pulumi.Input[
|
453
|
-
|
454
|
-
|
455
|
-
|
456
|
-
:param pulumi.Input[int]
|
457
|
-
|
458
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
459
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
460
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
|
461
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
462
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
463
|
-
token generated using this role should never expire. The token should be renewed within the
|
464
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
465
|
-
value of this field. Specified in seconds.
|
466
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
467
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
468
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
469
|
-
Its current value will be referenced at renewal time.
|
470
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
471
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
472
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
473
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
474
|
-
requests a different type at generation time.
|
390
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
391
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
392
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
393
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
394
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
395
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
396
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
397
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
398
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
475
399
|
:param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
|
476
400
|
"""
|
477
401
|
if add_group_aliases is not None:
|
@@ -531,9 +455,6 @@ class _AuthBackendRoleState:
|
|
531
455
|
@property
|
532
456
|
@pulumi.getter(name="allowGceInference")
|
533
457
|
def allow_gce_inference(self) -> Optional[pulumi.Input[bool]]:
|
534
|
-
"""
|
535
|
-
A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
|
536
|
-
"""
|
537
458
|
return pulumi.get(self, "allow_gce_inference")
|
538
459
|
|
539
460
|
@allow_gce_inference.setter
|
@@ -555,9 +476,6 @@ class _AuthBackendRoleState:
|
|
555
476
|
@property
|
556
477
|
@pulumi.getter(name="boundInstanceGroups")
|
557
478
|
def bound_instance_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
558
|
-
"""
|
559
|
-
The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
|
560
|
-
"""
|
561
479
|
return pulumi.get(self, "bound_instance_groups")
|
562
480
|
|
563
481
|
@bound_instance_groups.setter
|
@@ -567,9 +485,6 @@ class _AuthBackendRoleState:
|
|
567
485
|
@property
|
568
486
|
@pulumi.getter(name="boundLabels")
|
569
487
|
def bound_labels(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
570
|
-
"""
|
571
|
-
A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
|
572
|
-
"""
|
573
488
|
return pulumi.get(self, "bound_labels")
|
574
489
|
|
575
490
|
@bound_labels.setter
|
@@ -591,9 +506,6 @@ class _AuthBackendRoleState:
|
|
591
506
|
@property
|
592
507
|
@pulumi.getter(name="boundRegions")
|
593
508
|
def bound_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
594
|
-
"""
|
595
|
-
The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
|
596
|
-
"""
|
597
509
|
return pulumi.get(self, "bound_regions")
|
598
510
|
|
599
511
|
@bound_regions.setter
|
@@ -615,9 +527,6 @@ class _AuthBackendRoleState:
|
|
615
527
|
@property
|
616
528
|
@pulumi.getter(name="boundZones")
|
617
529
|
def bound_zones(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
618
|
-
"""
|
619
|
-
The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
|
620
|
-
"""
|
621
530
|
return pulumi.get(self, "bound_zones")
|
622
531
|
|
623
532
|
@bound_zones.setter
|
@@ -627,9 +536,6 @@ class _AuthBackendRoleState:
|
|
627
536
|
@property
|
628
537
|
@pulumi.getter(name="maxJwtExp")
|
629
538
|
def max_jwt_exp(self) -> Optional[pulumi.Input[str]]:
|
630
|
-
"""
|
631
|
-
The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
|
632
|
-
"""
|
633
539
|
return pulumi.get(self, "max_jwt_exp")
|
634
540
|
|
635
541
|
@max_jwt_exp.setter
|
@@ -642,7 +548,7 @@ class _AuthBackendRoleState:
|
|
642
548
|
"""
|
643
549
|
The namespace to provision the resource in.
|
644
550
|
The value should not contain leading or trailing forward slashes.
|
645
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
551
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
646
552
|
*Available only for Vault Enterprise*.
|
647
553
|
"""
|
648
554
|
return pulumi.get(self, "namespace")
|
@@ -667,9 +573,7 @@ class _AuthBackendRoleState:
|
|
667
573
|
@pulumi.getter(name="tokenBoundCidrs")
|
668
574
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
669
575
|
"""
|
670
|
-
|
671
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
672
|
-
as well.
|
576
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
673
577
|
"""
|
674
578
|
return pulumi.get(self, "token_bound_cidrs")
|
675
579
|
|
@@ -681,10 +585,7 @@ class _AuthBackendRoleState:
|
|
681
585
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
682
586
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
683
587
|
"""
|
684
|
-
|
685
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
686
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
687
|
-
`token_max_ttl` would otherwise allow a renewal.
|
588
|
+
Generated Token's Explicit Maximum TTL in seconds
|
688
589
|
"""
|
689
590
|
return pulumi.get(self, "token_explicit_max_ttl")
|
690
591
|
|
@@ -696,8 +597,7 @@ class _AuthBackendRoleState:
|
|
696
597
|
@pulumi.getter(name="tokenMaxTtl")
|
697
598
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
698
599
|
"""
|
699
|
-
The maximum lifetime
|
700
|
-
Its current value will be referenced at renewal time.
|
600
|
+
The maximum lifetime of the generated token
|
701
601
|
"""
|
702
602
|
return pulumi.get(self, "token_max_ttl")
|
703
603
|
|
@@ -709,8 +609,7 @@ class _AuthBackendRoleState:
|
|
709
609
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
710
610
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
711
611
|
"""
|
712
|
-
If
|
713
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
612
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
714
613
|
"""
|
715
614
|
return pulumi.get(self, "token_no_default_policy")
|
716
615
|
|
@@ -722,8 +621,7 @@ class _AuthBackendRoleState:
|
|
722
621
|
@pulumi.getter(name="tokenNumUses")
|
723
622
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
724
623
|
"""
|
725
|
-
The
|
726
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
624
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
727
625
|
"""
|
728
626
|
return pulumi.get(self, "token_num_uses")
|
729
627
|
|
@@ -735,10 +633,7 @@ class _AuthBackendRoleState:
|
|
735
633
|
@pulumi.getter(name="tokenPeriod")
|
736
634
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
737
635
|
"""
|
738
|
-
|
739
|
-
token generated using this role should never expire. The token should be renewed within the
|
740
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
741
|
-
value of this field. Specified in seconds.
|
636
|
+
Generated Token's Period
|
742
637
|
"""
|
743
638
|
return pulumi.get(self, "token_period")
|
744
639
|
|
@@ -750,8 +645,7 @@ class _AuthBackendRoleState:
|
|
750
645
|
@pulumi.getter(name="tokenPolicies")
|
751
646
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
752
647
|
"""
|
753
|
-
|
754
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
648
|
+
Generated Token's Policies
|
755
649
|
"""
|
756
650
|
return pulumi.get(self, "token_policies")
|
757
651
|
|
@@ -763,8 +657,7 @@ class _AuthBackendRoleState:
|
|
763
657
|
@pulumi.getter(name="tokenTtl")
|
764
658
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
765
659
|
"""
|
766
|
-
The
|
767
|
-
Its current value will be referenced at renewal time.
|
660
|
+
The initial ttl of the token to generate in seconds
|
768
661
|
"""
|
769
662
|
return pulumi.get(self, "token_ttl")
|
770
663
|
|
@@ -776,11 +669,7 @@ class _AuthBackendRoleState:
|
|
776
669
|
@pulumi.getter(name="tokenType")
|
777
670
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
778
671
|
"""
|
779
|
-
The type of token
|
780
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
781
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
782
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
783
|
-
requests a different type at generation time.
|
672
|
+
The type of token to generate, service or batch
|
784
673
|
"""
|
785
674
|
return pulumi.get(self, "token_type")
|
786
675
|
|
@@ -834,7 +723,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
834
723
|
|
835
724
|
## Example Usage
|
836
725
|
|
837
|
-
<!--Start PulumiCodeChooser -->
|
838
726
|
```python
|
839
727
|
import pulumi
|
840
728
|
import pulumi_vault as vault
|
@@ -856,7 +744,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
856
744
|
],
|
857
745
|
add_group_aliases=True)
|
858
746
|
```
|
859
|
-
<!--End PulumiCodeChooser -->
|
860
747
|
|
861
748
|
## Import
|
862
749
|
|
@@ -868,46 +755,23 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
868
755
|
|
869
756
|
:param str resource_name: The name of the resource.
|
870
757
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
871
|
-
:param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
|
872
758
|
:param pulumi.Input[str] backend: Path to the mounted GCP auth backend
|
873
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
|
874
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
|
875
759
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
|
876
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
|
877
760
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
|
878
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
|
879
|
-
:param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
|
880
761
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
881
762
|
The value should not contain leading or trailing forward slashes.
|
882
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
763
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
883
764
|
*Available only for Vault Enterprise*.
|
884
765
|
:param pulumi.Input[str] role: Name of the GCP role
|
885
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
886
|
-
|
887
|
-
|
888
|
-
:param pulumi.Input[
|
889
|
-
|
890
|
-
|
891
|
-
|
892
|
-
:param pulumi.Input[int]
|
893
|
-
|
894
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
895
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
896
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
|
897
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
898
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
899
|
-
token generated using this role should never expire. The token should be renewed within the
|
900
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
901
|
-
value of this field. Specified in seconds.
|
902
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
903
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
904
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
905
|
-
Its current value will be referenced at renewal time.
|
906
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
907
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
908
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
909
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
910
|
-
requests a different type at generation time.
|
766
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
767
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
768
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
769
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
770
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
771
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
772
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
773
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
774
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
911
775
|
:param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
|
912
776
|
"""
|
913
777
|
...
|
@@ -921,7 +785,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
921
785
|
|
922
786
|
## Example Usage
|
923
787
|
|
924
|
-
<!--Start PulumiCodeChooser -->
|
925
788
|
```python
|
926
789
|
import pulumi
|
927
790
|
import pulumi_vault as vault
|
@@ -943,7 +806,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
943
806
|
],
|
944
807
|
add_group_aliases=True)
|
945
808
|
```
|
946
|
-
<!--End PulumiCodeChooser -->
|
947
809
|
|
948
810
|
## Import
|
949
811
|
|
@@ -1064,46 +926,23 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1064
926
|
:param str resource_name: The unique name of the resulting resource.
|
1065
927
|
:param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
|
1066
928
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
1067
|
-
:param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
|
1068
929
|
:param pulumi.Input[str] backend: Path to the mounted GCP auth backend
|
1069
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
|
1070
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
|
1071
930
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
|
1072
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
|
1073
931
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
|
1074
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
|
1075
|
-
:param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
|
1076
932
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1077
933
|
The value should not contain leading or trailing forward slashes.
|
1078
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
934
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1079
935
|
*Available only for Vault Enterprise*.
|
1080
936
|
:param pulumi.Input[str] role: Name of the GCP role
|
1081
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
1082
|
-
|
1083
|
-
|
1084
|
-
:param pulumi.Input[
|
1085
|
-
|
1086
|
-
|
1087
|
-
|
1088
|
-
:param pulumi.Input[int]
|
1089
|
-
|
1090
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
1091
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1092
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
|
1093
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1094
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
1095
|
-
token generated using this role should never expire. The token should be renewed within the
|
1096
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1097
|
-
value of this field. Specified in seconds.
|
1098
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
1099
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1100
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
1101
|
-
Its current value will be referenced at renewal time.
|
1102
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
1103
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1104
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1105
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1106
|
-
requests a different type at generation time.
|
937
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
938
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
939
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
940
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
941
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
942
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
943
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
944
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
945
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
1107
946
|
:param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
|
1108
947
|
"""
|
1109
948
|
opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
|
@@ -1142,9 +981,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1142
981
|
@property
|
1143
982
|
@pulumi.getter(name="allowGceInference")
|
1144
983
|
def allow_gce_inference(self) -> pulumi.Output[bool]:
|
1145
|
-
"""
|
1146
|
-
A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
|
1147
|
-
"""
|
1148
984
|
return pulumi.get(self, "allow_gce_inference")
|
1149
985
|
|
1150
986
|
@property
|
@@ -1158,17 +994,11 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1158
994
|
@property
|
1159
995
|
@pulumi.getter(name="boundInstanceGroups")
|
1160
996
|
def bound_instance_groups(self) -> pulumi.Output[Sequence[str]]:
|
1161
|
-
"""
|
1162
|
-
The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
|
1163
|
-
"""
|
1164
997
|
return pulumi.get(self, "bound_instance_groups")
|
1165
998
|
|
1166
999
|
@property
|
1167
1000
|
@pulumi.getter(name="boundLabels")
|
1168
1001
|
def bound_labels(self) -> pulumi.Output[Sequence[str]]:
|
1169
|
-
"""
|
1170
|
-
A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
|
1171
|
-
"""
|
1172
1002
|
return pulumi.get(self, "bound_labels")
|
1173
1003
|
|
1174
1004
|
@property
|
@@ -1182,9 +1012,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1182
1012
|
@property
|
1183
1013
|
@pulumi.getter(name="boundRegions")
|
1184
1014
|
def bound_regions(self) -> pulumi.Output[Sequence[str]]:
|
1185
|
-
"""
|
1186
|
-
The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
|
1187
|
-
"""
|
1188
1015
|
return pulumi.get(self, "bound_regions")
|
1189
1016
|
|
1190
1017
|
@property
|
@@ -1198,17 +1025,11 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1198
1025
|
@property
|
1199
1026
|
@pulumi.getter(name="boundZones")
|
1200
1027
|
def bound_zones(self) -> pulumi.Output[Sequence[str]]:
|
1201
|
-
"""
|
1202
|
-
The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
|
1203
|
-
"""
|
1204
1028
|
return pulumi.get(self, "bound_zones")
|
1205
1029
|
|
1206
1030
|
@property
|
1207
1031
|
@pulumi.getter(name="maxJwtExp")
|
1208
1032
|
def max_jwt_exp(self) -> pulumi.Output[str]:
|
1209
|
-
"""
|
1210
|
-
The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
|
1211
|
-
"""
|
1212
1033
|
return pulumi.get(self, "max_jwt_exp")
|
1213
1034
|
|
1214
1035
|
@property
|
@@ -1217,7 +1038,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1217
1038
|
"""
|
1218
1039
|
The namespace to provision the resource in.
|
1219
1040
|
The value should not contain leading or trailing forward slashes.
|
1220
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1041
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1221
1042
|
*Available only for Vault Enterprise*.
|
1222
1043
|
"""
|
1223
1044
|
return pulumi.get(self, "namespace")
|
@@ -1234,9 +1055,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1234
1055
|
@pulumi.getter(name="tokenBoundCidrs")
|
1235
1056
|
def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1236
1057
|
"""
|
1237
|
-
|
1238
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
1239
|
-
as well.
|
1058
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
1240
1059
|
"""
|
1241
1060
|
return pulumi.get(self, "token_bound_cidrs")
|
1242
1061
|
|
@@ -1244,10 +1063,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1244
1063
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
1245
1064
|
def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1246
1065
|
"""
|
1247
|
-
|
1248
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
1249
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
1250
|
-
`token_max_ttl` would otherwise allow a renewal.
|
1066
|
+
Generated Token's Explicit Maximum TTL in seconds
|
1251
1067
|
"""
|
1252
1068
|
return pulumi.get(self, "token_explicit_max_ttl")
|
1253
1069
|
|
@@ -1255,8 +1071,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1255
1071
|
@pulumi.getter(name="tokenMaxTtl")
|
1256
1072
|
def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1257
1073
|
"""
|
1258
|
-
The maximum lifetime
|
1259
|
-
Its current value will be referenced at renewal time.
|
1074
|
+
The maximum lifetime of the generated token
|
1260
1075
|
"""
|
1261
1076
|
return pulumi.get(self, "token_max_ttl")
|
1262
1077
|
|
@@ -1264,8 +1079,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1264
1079
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
1265
1080
|
def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
|
1266
1081
|
"""
|
1267
|
-
If
|
1268
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1082
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
1269
1083
|
"""
|
1270
1084
|
return pulumi.get(self, "token_no_default_policy")
|
1271
1085
|
|
@@ -1273,8 +1087,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1273
1087
|
@pulumi.getter(name="tokenNumUses")
|
1274
1088
|
def token_num_uses(self) -> pulumi.Output[Optional[int]]:
|
1275
1089
|
"""
|
1276
|
-
The
|
1277
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1090
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
1278
1091
|
"""
|
1279
1092
|
return pulumi.get(self, "token_num_uses")
|
1280
1093
|
|
@@ -1282,10 +1095,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1282
1095
|
@pulumi.getter(name="tokenPeriod")
|
1283
1096
|
def token_period(self) -> pulumi.Output[Optional[int]]:
|
1284
1097
|
"""
|
1285
|
-
|
1286
|
-
token generated using this role should never expire. The token should be renewed within the
|
1287
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1288
|
-
value of this field. Specified in seconds.
|
1098
|
+
Generated Token's Period
|
1289
1099
|
"""
|
1290
1100
|
return pulumi.get(self, "token_period")
|
1291
1101
|
|
@@ -1293,8 +1103,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1293
1103
|
@pulumi.getter(name="tokenPolicies")
|
1294
1104
|
def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1295
1105
|
"""
|
1296
|
-
|
1297
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1106
|
+
Generated Token's Policies
|
1298
1107
|
"""
|
1299
1108
|
return pulumi.get(self, "token_policies")
|
1300
1109
|
|
@@ -1302,8 +1111,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1302
1111
|
@pulumi.getter(name="tokenTtl")
|
1303
1112
|
def token_ttl(self) -> pulumi.Output[Optional[int]]:
|
1304
1113
|
"""
|
1305
|
-
The
|
1306
|
-
Its current value will be referenced at renewal time.
|
1114
|
+
The initial ttl of the token to generate in seconds
|
1307
1115
|
"""
|
1308
1116
|
return pulumi.get(self, "token_ttl")
|
1309
1117
|
|
@@ -1311,11 +1119,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1311
1119
|
@pulumi.getter(name="tokenType")
|
1312
1120
|
def token_type(self) -> pulumi.Output[Optional[str]]:
|
1313
1121
|
"""
|
1314
|
-
The type of token
|
1315
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1316
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1317
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1318
|
-
requests a different type at generation time.
|
1122
|
+
The type of token to generate, service or batch
|
1319
1123
|
"""
|
1320
1124
|
return pulumi.get(self, "token_type")
|
1321
1125
|
|