pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

Files changed (229)
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +22 -7
  5. pulumi_vault/ad/secret_backend.py +14 -144
  6. pulumi_vault/ad/secret_library.py +14 -11
  7. pulumi_vault/ad/secret_role.py +12 -11
  8. pulumi_vault/alicloud/auth_backend_role.py +74 -192
  9. pulumi_vault/approle/auth_backend_login.py +12 -11
  10. pulumi_vault/approle/auth_backend_role.py +75 -193
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
  13. pulumi_vault/audit.py +24 -27
  14. pulumi_vault/audit_request_header.py +11 -6
  15. pulumi_vault/auth_backend.py +64 -12
  16. pulumi_vault/aws/auth_backend_cert.py +12 -7
  17. pulumi_vault/aws/auth_backend_client.py +265 -24
  18. pulumi_vault/aws/auth_backend_config_identity.py +12 -11
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +75 -193
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
  24. pulumi_vault/aws/auth_backend_sts_role.py +12 -11
  25. pulumi_vault/aws/get_access_credentials.py +34 -7
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +75 -7
  28. pulumi_vault/aws/secret_backend_role.py +183 -11
  29. pulumi_vault/aws/secret_backend_static_role.py +14 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +151 -17
  32. pulumi_vault/azure/auth_backend_role.py +75 -193
  33. pulumi_vault/azure/backend.py +223 -29
  34. pulumi_vault/azure/backend_role.py +42 -41
  35. pulumi_vault/azure/get_access_credentials.py +39 -11
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -271
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +22 -25
  44. pulumi_vault/consul/secret_backend_role.py +14 -80
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +117 -114
  48. pulumi_vault/database/secret_backend_role.py +29 -24
  49. pulumi_vault/database/secret_backend_static_role.py +85 -15
  50. pulumi_vault/database/secrets_mount.py +425 -138
  51. pulumi_vault/egp_policy.py +16 -15
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +248 -35
  54. pulumi_vault/gcp/auth_backend_role.py +75 -271
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -9
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -16
  58. pulumi_vault/gcp/secret_impersonated_account.py +74 -17
  59. pulumi_vault/gcp/secret_roleset.py +29 -26
  60. pulumi_vault/gcp/secret_static_account.py +37 -34
  61. pulumi_vault/generic/endpoint.py +22 -21
  62. pulumi_vault/generic/get_secret.py +68 -12
  63. pulumi_vault/generic/secret.py +19 -14
  64. pulumi_vault/get_auth_backend.py +24 -11
  65. pulumi_vault/get_auth_backends.py +33 -11
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -15
  69. pulumi_vault/get_policy_document.py +34 -23
  70. pulumi_vault/get_raft_autopilot_state.py +29 -14
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +17 -16
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +14 -13
  75. pulumi_vault/github/user.py +14 -13
  76. pulumi_vault/identity/entity.py +18 -15
  77. pulumi_vault/identity/entity_alias.py +18 -15
  78. pulumi_vault/identity/entity_policies.py +24 -19
  79. pulumi_vault/identity/get_entity.py +40 -14
  80. pulumi_vault/identity/get_group.py +45 -13
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -11
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -13
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -14
  84. pulumi_vault/identity/group.py +50 -49
  85. pulumi_vault/identity/group_alias.py +14 -11
  86. pulumi_vault/identity/group_member_entity_ids.py +24 -74
  87. pulumi_vault/identity/group_member_group_ids.py +36 -27
  88. pulumi_vault/identity/group_policies.py +16 -15
  89. pulumi_vault/identity/mfa_duo.py +9 -8
  90. pulumi_vault/identity/mfa_login_enforcement.py +13 -8
  91. pulumi_vault/identity/mfa_okta.py +9 -8
  92. pulumi_vault/identity/mfa_pingid.py +5 -4
  93. pulumi_vault/identity/mfa_totp.py +5 -4
  94. pulumi_vault/identity/oidc.py +12 -11
  95. pulumi_vault/identity/oidc_assignment.py +22 -13
  96. pulumi_vault/identity/oidc_client.py +34 -25
  97. pulumi_vault/identity/oidc_key.py +28 -19
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
  99. pulumi_vault/identity/oidc_provider.py +34 -23
  100. pulumi_vault/identity/oidc_role.py +40 -27
  101. pulumi_vault/identity/oidc_scope.py +18 -15
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +39 -46
  105. pulumi_vault/jwt/auth_backend_role.py +131 -260
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +22 -21
  108. pulumi_vault/kmip/secret_role.py +12 -11
  109. pulumi_vault/kmip/secret_scope.py +12 -11
  110. pulumi_vault/kubernetes/auth_backend_config.py +55 -7
  111. pulumi_vault/kubernetes/auth_backend_role.py +68 -179
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -15
  115. pulumi_vault/kubernetes/secret_backend.py +314 -29
  116. pulumi_vault/kubernetes/secret_backend_role.py +135 -56
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +23 -12
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
  120. pulumi_vault/kv/get_secret_v2.py +89 -9
  121. pulumi_vault/kv/get_secrets_list.py +22 -15
  122. pulumi_vault/kv/get_secrets_list_v2.py +35 -19
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +19 -18
  125. pulumi_vault/kv/secret_backend_v2.py +12 -11
  126. pulumi_vault/kv/secret_v2.py +55 -52
  127. pulumi_vault/ldap/auth_backend.py +125 -168
  128. pulumi_vault/ldap/auth_backend_group.py +12 -11
  129. pulumi_vault/ldap/auth_backend_user.py +12 -11
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +352 -84
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +14 -11
  135. pulumi_vault/ldap/secret_backend_static_role.py +67 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +27 -43
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +16 -13
  140. pulumi_vault/mfa_okta.py +16 -13
  141. pulumi_vault/mfa_pingid.py +16 -13
  142. pulumi_vault/mfa_totp.py +22 -19
  143. pulumi_vault/mongodbatlas/secret_backend.py +18 -17
  144. pulumi_vault/mongodbatlas/secret_role.py +41 -38
  145. pulumi_vault/mount.py +389 -65
  146. pulumi_vault/namespace.py +26 -21
  147. pulumi_vault/nomad_secret_backend.py +16 -15
  148. pulumi_vault/nomad_secret_role.py +12 -11
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +483 -41
  151. pulumi_vault/okta/auth_backend_group.py +12 -11
  152. pulumi_vault/okta/auth_backend_user.py +12 -11
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +18 -15
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -13
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -12
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
  174. pulumi_vault/pkisecret/secret_backend_key.py +12 -7
  175. pulumi_vault/pkisecret/secret_backend_role.py +19 -16
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +12 -7
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +58 -8
  185. pulumi_vault/quota_rate_limit.py +54 -4
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +16 -15
  189. pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
  190. pulumi_vault/raft_autopilot.py +12 -11
  191. pulumi_vault/raft_snapshot_agent_config.py +121 -311
  192. pulumi_vault/rgp_policy.py +14 -13
  193. pulumi_vault/saml/auth_backend.py +20 -19
  194. pulumi_vault/saml/auth_backend_role.py +90 -199
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -75
  199. pulumi_vault/secrets/sync_aws_destination.py +240 -29
  200. pulumi_vault/secrets/sync_azure_destination.py +90 -33
  201. pulumi_vault/secrets/sync_config.py +7 -6
  202. pulumi_vault/secrets/sync_gcp_destination.py +156 -27
  203. pulumi_vault/secrets/sync_gh_destination.py +187 -15
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +72 -15
  206. pulumi_vault/ssh/_inputs.py +28 -32
  207. pulumi_vault/ssh/outputs.py +11 -32
  208. pulumi_vault/ssh/secret_backend_ca.py +106 -11
  209. pulumi_vault/ssh/secret_backend_role.py +83 -120
  210. pulumi_vault/terraformcloud/secret_backend.py +5 -56
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -24
  212. pulumi_vault/terraformcloud/secret_role.py +14 -76
  213. pulumi_vault/token.py +26 -25
  214. pulumi_vault/tokenauth/auth_backend_role.py +76 -201
  215. pulumi_vault/transform/alphabet.py +16 -13
  216. pulumi_vault/transform/get_decode.py +45 -21
  217. pulumi_vault/transform/get_encode.py +45 -21
  218. pulumi_vault/transform/role.py +16 -13
  219. pulumi_vault/transform/template.py +30 -25
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -25
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +25 -97
  224. pulumi_vault/transit/secret_cache_config.py +12 -11
  225. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
 
12
17
  __all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
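Review bot: The `else` branch at new line 14 makes `typing_extensions` an import-time requirement on interpreters older than 3.11, and nothing in this hunk shows that the wheel declares it. The file list records a METADATA change, but its contents are not visible here, so confirm that a `Requires-Dist` entry for `typing_extensions` ships with this version; without it, importing the module fails on 3.10 and earlier. A short comment above the gate would also help, e.g. `# NotRequired is in typing only from 3.11; older interpreters use the typing_extensions backport`.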
@@ -40,45 +45,22 @@ class AuthBackendRoleArgs:
40
45
  The set of arguments for constructing a AuthBackendRole resource.
41
46
  :param pulumi.Input[str] role: Name of the GCP role
42
47
  :param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
43
- :param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
44
48
  :param pulumi.Input[str] backend: Path to the mounted GCP auth backend
45
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
46
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
47
49
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
48
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
49
50
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
50
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
51
- :param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
52
51
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
53
52
  The value should not contain leading or trailing forward slashes.
54
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
53
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
55
54
  *Available only for Vault Enterprise*.
56
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
57
- addresses which can authenticate successfully, and ties the resulting token to these blocks
58
- as well.
59
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
60
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
61
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
62
- `token_max_ttl` would otherwise allow a renewal.
63
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
64
- Its current value will be referenced at renewal time.
65
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
66
- generated tokens; otherwise it will be added to the policies set in token_policies.
67
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
68
- of times a generated token may be used (within its lifetime); 0 means unlimited.
69
- :param pulumi.Input[int] token_period: If set, indicates that the
70
- token generated using this role should never expire. The token should be renewed within the
71
- duration specified by this value. At each renewal, the token's TTL will be set to the
72
- value of this field. Specified in seconds.
73
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
74
- on the auth method, this list may be supplemented by user/group/other values.
75
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
76
- Its current value will be referenced at renewal time.
77
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
78
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
79
- `service` tokens). For token store roles, there are two additional possibilities:
80
- `default-service` and `default-batch` which specify the type to return unless the client
81
- requests a different type at generation time.
55
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
56
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
57
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
58
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
59
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
60
+ :param pulumi.Input[int] token_period: Generated Token's Period
61
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
62
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
63
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
82
64
  """
83
65
  pulumi.set(__self__, "role", role)
84
66
  pulumi.set(__self__, "type", type)
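Review bot: The replacement `token_*` descriptions at new lines 55–63 drop the security-relevant semantics the removed text carried. `token_period` no longer says that the token does not expire while it is renewed, nor that the value is in seconds; `token_type` lists only service and batch although the removed text also named `default`, `default-service` and `default-batch`; and `token_bound_cidrs` no longer says the CIDR list also restricts which addresses can authenticate (whether the accepted values themselves changed is not visible here). I would keep at least the unit and the lifetime effect, for example `:param pulumi.Input[int] token_period: Renewal period in seconds; a token issued with a period does not expire while it is renewed within it`. The same shortened text recurs in the getter hunks from `@@ -283,9 +247,7 @@` through `@@ -392,11 +343,7 @@` and in the `_AuthBackendRoleState` docstring at `@@ -432,46 +379,23 @@`. The docstring opens outside this hunk.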
@@ -159,9 +141,6 @@ class AuthBackendRoleArgs:
159
141
  @property
160
142
  @pulumi.getter(name="allowGceInference")
161
143
  def allow_gce_inference(self) -> Optional[pulumi.Input[bool]]:
162
- """
163
- A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
164
- """
165
144
  return pulumi.get(self, "allow_gce_inference")
166
145
 
167
146
  @allow_gce_inference.setter
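Review bot: `allow_gce_inference` is left with no docstring at all at new lines 141–144, while the property and its setter stay on the class, so the option is still accepted but undocumented. The getter hunks for `bound_instance_groups`, `bound_labels`, `bound_regions`, `bound_zones` and `max_jwt_exp` have the same gap (`@@ -183,9 +162,6 @@` through `@@ -255,9 +222,6 @@`, repeated for `_AuthBackendRoleState` from `@@ -531,9 +455,6 @@`), as do the matching `:param` lines removed from both constructor docstrings. For `bound_labels` the removed text also carried the warning that GCP labels are not ACL'd and should be combined with other restrictions, which is the line most worth keeping. I would restore a one-line docstring on each getter, e.g. `"""Whether GCE instances may authenticate by inferring service accounts from the GCE identity metadata token."""`, or state the deprecation explicitly if that is why the text was dropped. The setter body lies outside the hunk.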
@@ -183,9 +162,6 @@ class AuthBackendRoleArgs:
183
162
  @property
184
163
  @pulumi.getter(name="boundInstanceGroups")
185
164
  def bound_instance_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
186
- """
187
- The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
188
- """
189
165
  return pulumi.get(self, "bound_instance_groups")
190
166
 
191
167
  @bound_instance_groups.setter
@@ -195,9 +171,6 @@ class AuthBackendRoleArgs:
195
171
  @property
196
172
  @pulumi.getter(name="boundLabels")
197
173
  def bound_labels(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
198
- """
199
- A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
200
- """
201
174
  return pulumi.get(self, "bound_labels")
202
175
 
203
176
  @bound_labels.setter
@@ -219,9 +192,6 @@ class AuthBackendRoleArgs:
219
192
  @property
220
193
  @pulumi.getter(name="boundRegions")
221
194
  def bound_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
222
- """
223
- The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
224
- """
225
195
  return pulumi.get(self, "bound_regions")
226
196
 
227
197
  @bound_regions.setter
@@ -243,9 +213,6 @@ class AuthBackendRoleArgs:
243
213
  @property
244
214
  @pulumi.getter(name="boundZones")
245
215
  def bound_zones(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
246
- """
247
- The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
248
- """
249
216
  return pulumi.get(self, "bound_zones")
250
217
 
251
218
  @bound_zones.setter
@@ -255,9 +222,6 @@ class AuthBackendRoleArgs:
255
222
  @property
256
223
  @pulumi.getter(name="maxJwtExp")
257
224
  def max_jwt_exp(self) -> Optional[pulumi.Input[str]]:
258
- """
259
- The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
260
- """
261
225
  return pulumi.get(self, "max_jwt_exp")
262
226
 
263
227
  @max_jwt_exp.setter
@@ -270,7 +234,7 @@ class AuthBackendRoleArgs:
270
234
  """
271
235
  The namespace to provision the resource in.
272
236
  The value should not contain leading or trailing forward slashes.
273
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
237
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
274
238
  *Available only for Vault Enterprise*.
275
239
  """
276
240
  return pulumi.get(self, "namespace")
@@ -283,9 +247,7 @@ class AuthBackendRoleArgs:
283
247
  @pulumi.getter(name="tokenBoundCidrs")
284
248
  def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
285
249
  """
286
- List of CIDR blocks; if set, specifies blocks of IP
287
- addresses which can authenticate successfully, and ties the resulting token to these blocks
288
- as well.
250
+ Specifies the blocks of IP addresses which are allowed to use the generated token
289
251
  """
290
252
  return pulumi.get(self, "token_bound_cidrs")
291
253
 
@@ -297,10 +259,7 @@ class AuthBackendRoleArgs:
297
259
  @pulumi.getter(name="tokenExplicitMaxTtl")
298
260
  def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
299
261
  """
300
- If set, will encode an
301
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
302
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
303
- `token_max_ttl` would otherwise allow a renewal.
262
+ Generated Token's Explicit Maximum TTL in seconds
304
263
  """
305
264
  return pulumi.get(self, "token_explicit_max_ttl")
306
265
 
@@ -312,8 +271,7 @@ class AuthBackendRoleArgs:
312
271
  @pulumi.getter(name="tokenMaxTtl")
313
272
  def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
314
273
  """
315
- The maximum lifetime for generated tokens in number of seconds.
316
- Its current value will be referenced at renewal time.
274
+ The maximum lifetime of the generated token
317
275
  """
318
276
  return pulumi.get(self, "token_max_ttl")
319
277
 
@@ -325,8 +283,7 @@ class AuthBackendRoleArgs:
325
283
  @pulumi.getter(name="tokenNoDefaultPolicy")
326
284
  def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
327
285
  """
328
- If set, the default policy will not be set on
329
- generated tokens; otherwise it will be added to the policies set in token_policies.
286
+ If true, the 'default' policy will not automatically be added to generated tokens
330
287
  """
331
288
  return pulumi.get(self, "token_no_default_policy")
332
289
 
@@ -338,8 +295,7 @@ class AuthBackendRoleArgs:
338
295
  @pulumi.getter(name="tokenNumUses")
339
296
  def token_num_uses(self) -> Optional[pulumi.Input[int]]:
340
297
  """
341
- The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
342
- of times a generated token may be used (within its lifetime); 0 means unlimited.
298
+ The maximum number of times a token may be used, a value of zero means unlimited
343
299
  """
344
300
  return pulumi.get(self, "token_num_uses")
345
301
 
@@ -351,10 +307,7 @@ class AuthBackendRoleArgs:
351
307
  @pulumi.getter(name="tokenPeriod")
352
308
  def token_period(self) -> Optional[pulumi.Input[int]]:
353
309
  """
354
- If set, indicates that the
355
- token generated using this role should never expire. The token should be renewed within the
356
- duration specified by this value. At each renewal, the token's TTL will be set to the
357
- value of this field. Specified in seconds.
310
+ Generated Token's Period
358
311
  """
359
312
  return pulumi.get(self, "token_period")
360
313
 
@@ -366,8 +319,7 @@ class AuthBackendRoleArgs:
366
319
  @pulumi.getter(name="tokenPolicies")
367
320
  def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
368
321
  """
369
- List of policies to encode onto generated tokens. Depending
370
- on the auth method, this list may be supplemented by user/group/other values.
322
+ Generated Token's Policies
371
323
  """
372
324
  return pulumi.get(self, "token_policies")
373
325
 
@@ -379,8 +331,7 @@ class AuthBackendRoleArgs:
379
331
  @pulumi.getter(name="tokenTtl")
380
332
  def token_ttl(self) -> Optional[pulumi.Input[int]]:
381
333
  """
382
- The incremental lifetime for generated tokens in number of seconds.
383
- Its current value will be referenced at renewal time.
334
+ The initial ttl of the token to generate in seconds
384
335
  """
385
336
  return pulumi.get(self, "token_ttl")
386
337
 
@@ -392,11 +343,7 @@ class AuthBackendRoleArgs:
392
343
  @pulumi.getter(name="tokenType")
393
344
  def token_type(self) -> Optional[pulumi.Input[str]]:
394
345
  """
395
- The type of token that should be generated. Can be `service`,
396
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
397
- `service` tokens). For token store roles, there are two additional possibilities:
398
- `default-service` and `default-batch` which specify the type to return unless the client
399
- requests a different type at generation time.
346
+ The type of token to generate, service or batch
400
347
  """
401
348
  return pulumi.get(self, "token_type")
402
349
 
@@ -432,46 +379,23 @@ class _AuthBackendRoleState:
432
379
  type: Optional[pulumi.Input[str]] = None):
433
380
  """
434
381
  Input properties used for looking up and filtering AuthBackendRole resources.
435
- :param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
436
382
  :param pulumi.Input[str] backend: Path to the mounted GCP auth backend
437
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
438
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
439
383
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
440
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
441
384
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
442
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
443
- :param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
444
385
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
445
386
  The value should not contain leading or trailing forward slashes.
446
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
387
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
447
388
  *Available only for Vault Enterprise*.
448
389
  :param pulumi.Input[str] role: Name of the GCP role
449
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
450
- addresses which can authenticate successfully, and ties the resulting token to these blocks
451
- as well.
452
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
453
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
454
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
455
- `token_max_ttl` would otherwise allow a renewal.
456
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
457
- Its current value will be referenced at renewal time.
458
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
459
- generated tokens; otherwise it will be added to the policies set in token_policies.
460
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
461
- of times a generated token may be used (within its lifetime); 0 means unlimited.
462
- :param pulumi.Input[int] token_period: If set, indicates that the
463
- token generated using this role should never expire. The token should be renewed within the
464
- duration specified by this value. At each renewal, the token's TTL will be set to the
465
- value of this field. Specified in seconds.
466
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
467
- on the auth method, this list may be supplemented by user/group/other values.
468
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
469
- Its current value will be referenced at renewal time.
470
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
471
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
472
- `service` tokens). For token store roles, there are two additional possibilities:
473
- `default-service` and `default-batch` which specify the type to return unless the client
474
- requests a different type at generation time.
390
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
391
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
392
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
393
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
394
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
395
+ :param pulumi.Input[int] token_period: Generated Token's Period
396
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
397
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
398
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
475
399
  :param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
476
400
  """
477
401
  if add_group_aliases is not None:
@@ -531,9 +455,6 @@ class _AuthBackendRoleState:
531
455
  @property
532
456
  @pulumi.getter(name="allowGceInference")
533
457
  def allow_gce_inference(self) -> Optional[pulumi.Input[bool]]:
534
- """
535
- A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
536
- """
537
458
  return pulumi.get(self, "allow_gce_inference")
538
459
 
539
460
  @allow_gce_inference.setter
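Review bot: The `allow_gce_inference` getter on `_AuthBackendRoleState` is left with no docstring at all in this hunk, and the following hunks do the same to `bound_instance_groups`, `bound_labels`, `bound_regions`, `bound_zones` and `max_jwt_exp` (repeated further down on `AuthBackendRole`), so the fields that constrain which GCE instances may log in are now undocumented. Assuming the fields keep their previous meaning, I would keep a one-line docstring on each, e.g. `"""Whether GCE instances may authenticate by inferring service accounts from the GCE identity metadata token."""`. For `bound_labels` the removed text also carried the caveat that GCP labels are not ACL'd and should be combined with other restrictions; that sentence is worth retaining because it tells the reader labels alone are not a sufficient binding. The setter that follows the getter, and the enclosing class, continue outside the hunk.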
@@ -555,9 +476,6 @@ class _AuthBackendRoleState:
555
476
  @property
556
477
  @pulumi.getter(name="boundInstanceGroups")
557
478
  def bound_instance_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
558
- """
559
- The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
560
- """
561
479
  return pulumi.get(self, "bound_instance_groups")
562
480
 
563
481
  @bound_instance_groups.setter
@@ -567,9 +485,6 @@ class _AuthBackendRoleState:
567
485
  @property
568
486
  @pulumi.getter(name="boundLabels")
569
487
  def bound_labels(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
570
- """
571
- A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
572
- """
573
488
  return pulumi.get(self, "bound_labels")
574
489
 
575
490
  @bound_labels.setter
@@ -591,9 +506,6 @@ class _AuthBackendRoleState:
591
506
  @property
592
507
  @pulumi.getter(name="boundRegions")
593
508
  def bound_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
594
- """
595
- The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
596
- """
597
509
  return pulumi.get(self, "bound_regions")
598
510
 
599
511
  @bound_regions.setter
@@ -615,9 +527,6 @@ class _AuthBackendRoleState:
615
527
  @property
616
528
  @pulumi.getter(name="boundZones")
617
529
  def bound_zones(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
618
- """
619
- The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
620
- """
621
530
  return pulumi.get(self, "bound_zones")
622
531
 
623
532
  @bound_zones.setter
@@ -627,9 +536,6 @@ class _AuthBackendRoleState:
627
536
  @property
628
537
  @pulumi.getter(name="maxJwtExp")
629
538
  def max_jwt_exp(self) -> Optional[pulumi.Input[str]]:
630
- """
631
- The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
632
- """
633
539
  return pulumi.get(self, "max_jwt_exp")
634
540
 
635
541
  @max_jwt_exp.setter
@@ -642,7 +548,7 @@ class _AuthBackendRoleState:
642
548
  """
643
549
  The namespace to provision the resource in.
644
550
  The value should not contain leading or trailing forward slashes.
645
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
551
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
646
552
  *Available only for Vault Enterprise*.
647
553
  """
648
554
  return pulumi.get(self, "namespace")
@@ -667,9 +573,7 @@ class _AuthBackendRoleState:
667
573
  @pulumi.getter(name="tokenBoundCidrs")
668
574
  def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
669
575
  """
670
- List of CIDR blocks; if set, specifies blocks of IP
671
- addresses which can authenticate successfully, and ties the resulting token to these blocks
672
- as well.
576
+ Specifies the blocks of IP addresses which are allowed to use the generated token
673
577
  """
674
578
  return pulumi.get(self, "token_bound_cidrs")
675
579
 
@@ -681,10 +585,7 @@ class _AuthBackendRoleState:
681
585
  @pulumi.getter(name="tokenExplicitMaxTtl")
682
586
  def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
683
587
  """
684
- If set, will encode an
685
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
686
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
687
- `token_max_ttl` would otherwise allow a renewal.
588
+ Generated Token's Explicit Maximum TTL in seconds
688
589
  """
689
590
  return pulumi.get(self, "token_explicit_max_ttl")
690
591
 
@@ -696,8 +597,7 @@ class _AuthBackendRoleState:
696
597
  @pulumi.getter(name="tokenMaxTtl")
697
598
  def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
698
599
  """
699
- The maximum lifetime for generated tokens in number of seconds.
700
- Its current value will be referenced at renewal time.
600
+ The maximum lifetime of the generated token
701
601
  """
702
602
  return pulumi.get(self, "token_max_ttl")
703
603
 
@@ -709,8 +609,7 @@ class _AuthBackendRoleState:
709
609
  @pulumi.getter(name="tokenNoDefaultPolicy")
710
610
  def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
711
611
  """
712
- If set, the default policy will not be set on
713
- generated tokens; otherwise it will be added to the policies set in token_policies.
612
+ If true, the 'default' policy will not automatically be added to generated tokens
714
613
  """
715
614
  return pulumi.get(self, "token_no_default_policy")
716
615
 
@@ -722,8 +621,7 @@ class _AuthBackendRoleState:
722
621
  @pulumi.getter(name="tokenNumUses")
723
622
  def token_num_uses(self) -> Optional[pulumi.Input[int]]:
724
623
  """
725
- The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
726
- of times a generated token may be used (within its lifetime); 0 means unlimited.
624
+ The maximum number of times a token may be used, a value of zero means unlimited
727
625
  """
728
626
  return pulumi.get(self, "token_num_uses")
729
627
 
@@ -735,10 +633,7 @@ class _AuthBackendRoleState:
735
633
  @pulumi.getter(name="tokenPeriod")
736
634
  def token_period(self) -> Optional[pulumi.Input[int]]:
737
635
  """
738
- If set, indicates that the
739
- token generated using this role should never expire. The token should be renewed within the
740
- duration specified by this value. At each renewal, the token's TTL will be set to the
741
- value of this field. Specified in seconds.
636
+ Generated Token's Period
742
637
  """
743
638
  return pulumi.get(self, "token_period")
744
639
 
@@ -750,8 +645,7 @@ class _AuthBackendRoleState:
750
645
  @pulumi.getter(name="tokenPolicies")
751
646
  def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
752
647
  """
753
- List of policies to encode onto generated tokens. Depending
754
- on the auth method, this list may be supplemented by user/group/other values.
648
+ Generated Token's Policies
755
649
  """
756
650
  return pulumi.get(self, "token_policies")
757
651
 
@@ -763,8 +657,7 @@ class _AuthBackendRoleState:
763
657
  @pulumi.getter(name="tokenTtl")
764
658
  def token_ttl(self) -> Optional[pulumi.Input[int]]:
765
659
  """
766
- The incremental lifetime for generated tokens in number of seconds.
767
- Its current value will be referenced at renewal time.
660
+ The initial ttl of the token to generate in seconds
768
661
  """
769
662
  return pulumi.get(self, "token_ttl")
770
663
 
@@ -776,11 +669,7 @@ class _AuthBackendRoleState:
776
669
  @pulumi.getter(name="tokenType")
777
670
  def token_type(self) -> Optional[pulumi.Input[str]]:
778
671
  """
779
- The type of token that should be generated. Can be `service`,
780
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
781
- `service` tokens). For token store roles, there are two additional possibilities:
782
- `default-service` and `default-batch` which specify the type to return unless the client
783
- requests a different type at generation time.
672
+ The type of token to generate, service or batch
784
673
  """
785
674
  return pulumi.get(self, "token_type")
786
675
 
@@ -834,7 +723,6 @@ class AuthBackendRole(pulumi.CustomResource):
834
723
 
835
724
  ## Example Usage
836
725
 
837
- <!--Start PulumiCodeChooser -->
838
726
  ```python
839
727
  import pulumi
840
728
  import pulumi_vault as vault
@@ -856,7 +744,6 @@ class AuthBackendRole(pulumi.CustomResource):
856
744
  ],
857
745
  add_group_aliases=True)
858
746
  ```
859
- <!--End PulumiCodeChooser -->
860
747
 
861
748
  ## Import
862
749
 
@@ -868,46 +755,23 @@ class AuthBackendRole(pulumi.CustomResource):
868
755
 
869
756
  :param str resource_name: The name of the resource.
870
757
  :param pulumi.ResourceOptions opts: Options for the resource.
871
- :param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
872
758
  :param pulumi.Input[str] backend: Path to the mounted GCP auth backend
873
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
874
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
875
759
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
876
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
877
760
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
878
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
879
- :param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
880
761
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
881
762
  The value should not contain leading or trailing forward slashes.
882
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
763
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
883
764
  *Available only for Vault Enterprise*.
884
765
  :param pulumi.Input[str] role: Name of the GCP role
885
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
886
- addresses which can authenticate successfully, and ties the resulting token to these blocks
887
- as well.
888
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
889
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
890
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
891
- `token_max_ttl` would otherwise allow a renewal.
892
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
893
- Its current value will be referenced at renewal time.
894
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
895
- generated tokens; otherwise it will be added to the policies set in token_policies.
896
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
897
- of times a generated token may be used (within its lifetime); 0 means unlimited.
898
- :param pulumi.Input[int] token_period: If set, indicates that the
899
- token generated using this role should never expire. The token should be renewed within the
900
- duration specified by this value. At each renewal, the token's TTL will be set to the
901
- value of this field. Specified in seconds.
902
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
903
- on the auth method, this list may be supplemented by user/group/other values.
904
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
905
- Its current value will be referenced at renewal time.
906
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
907
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
908
- `service` tokens). For token store roles, there are two additional possibilities:
909
- `default-service` and `default-batch` which specify the type to return unless the client
910
- requests a different type at generation time.
766
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
767
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
768
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
769
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
770
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
771
+ :param pulumi.Input[int] token_period: Generated Token's Period
772
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
773
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
774
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
911
775
  :param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
912
776
  """
913
777
  ...
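Review bot: The shortened `:param` descriptions for the token fields in this docstring drop limits a reader relies on when bounding token lifetime: `token_period` is now only "Generated Token's Period", with no unit and no mention that such a token never expires while it keeps being renewed, and `token_max_ttl` no longer says the value is in seconds. `token_type` now lists only service or batch although the removed text also accepted `default`, `token_explicit_max_ttl` no longer says it is a hard cap over `token_ttl` and `token_max_ttl`, and `token_bound_cidrs` no longer says the list also restricts which addresses can authenticate. If the behaviour is unchanged, I would restore at least the unit and the renewal semantics, e.g. `:param pulumi.Input[int] token_period: Period in seconds; if set, generated tokens never expire as long as they are renewed within this period`. The same shortening appears in the later lookup docstring hunk and in the per-property getter hunks of `_AuthBackendRoleState` and `AuthBackendRole`; the docstring itself starts outside this hunk.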
@@ -921,7 +785,6 @@ class AuthBackendRole(pulumi.CustomResource):
921
785
 
922
786
  ## Example Usage
923
787
 
924
- <!--Start PulumiCodeChooser -->
925
788
  ```python
926
789
  import pulumi
927
790
  import pulumi_vault as vault
@@ -943,7 +806,6 @@ class AuthBackendRole(pulumi.CustomResource):
943
806
  ],
944
807
  add_group_aliases=True)
945
808
  ```
946
- <!--End PulumiCodeChooser -->
947
809
 
948
810
  ## Import
949
811
 
@@ -1064,46 +926,23 @@ class AuthBackendRole(pulumi.CustomResource):
1064
926
  :param str resource_name: The unique name of the resulting resource.
1065
927
  :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
1066
928
  :param pulumi.ResourceOptions opts: Options for the resource.
1067
- :param pulumi.Input[bool] allow_gce_inference: A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
1068
929
  :param pulumi.Input[str] backend: Path to the mounted GCP auth backend
1069
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_instance_groups: The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
1070
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_labels: A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
1071
930
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_projects: An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
1072
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_regions: The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
1073
931
  :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_service_accounts: GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
1074
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_zones: The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
1075
- :param pulumi.Input[str] max_jwt_exp: The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
1076
932
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
1077
933
  The value should not contain leading or trailing forward slashes.
1078
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
934
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1079
935
  *Available only for Vault Enterprise*.
1080
936
  :param pulumi.Input[str] role: Name of the GCP role
1081
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
1082
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1083
- as well.
1084
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
1085
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1086
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1087
- `token_max_ttl` would otherwise allow a renewal.
1088
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
1089
- Its current value will be referenced at renewal time.
1090
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
1091
- generated tokens; otherwise it will be added to the policies set in token_policies.
1092
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
1093
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1094
- :param pulumi.Input[int] token_period: If set, indicates that the
1095
- token generated using this role should never expire. The token should be renewed within the
1096
- duration specified by this value. At each renewal, the token's TTL will be set to the
1097
- value of this field. Specified in seconds.
1098
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
1099
- on the auth method, this list may be supplemented by user/group/other values.
1100
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
1101
- Its current value will be referenced at renewal time.
1102
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
1103
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1104
- `service` tokens). For token store roles, there are two additional possibilities:
1105
- `default-service` and `default-batch` which specify the type to return unless the client
1106
- requests a different type at generation time.
937
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
938
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
939
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
940
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
941
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
942
+ :param pulumi.Input[int] token_period: Generated Token's Period
943
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
944
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
945
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
1107
946
  :param pulumi.Input[str] type: Type of GCP authentication role (either `gce` or `iam`)
1108
947
  """
1109
948
  opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -1142,9 +981,6 @@ class AuthBackendRole(pulumi.CustomResource):
1142
981
  @property
1143
982
  @pulumi.getter(name="allowGceInference")
1144
983
  def allow_gce_inference(self) -> pulumi.Output[bool]:
1145
- """
1146
- A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
1147
- """
1148
984
  return pulumi.get(self, "allow_gce_inference")
1149
985
 
1150
986
  @property
@@ -1158,17 +994,11 @@ class AuthBackendRole(pulumi.CustomResource):
1158
994
  @property
1159
995
  @pulumi.getter(name="boundInstanceGroups")
1160
996
  def bound_instance_groups(self) -> pulumi.Output[Sequence[str]]:
1161
- """
1162
- The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `bound_zones` or `bound_regions` must be set too.
1163
- """
1164
997
  return pulumi.get(self, "bound_instance_groups")
1165
998
 
1166
999
  @property
1167
1000
  @pulumi.getter(name="boundLabels")
1168
1001
  def bound_labels(self) -> pulumi.Output[Sequence[str]]:
1169
- """
1170
- A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
1171
- """
1172
1002
  return pulumi.get(self, "bound_labels")
1173
1003
 
1174
1004
  @property
@@ -1182,9 +1012,6 @@ class AuthBackendRole(pulumi.CustomResource):
1182
1012
  @property
1183
1013
  @pulumi.getter(name="boundRegions")
1184
1014
  def bound_regions(self) -> pulumi.Output[Sequence[str]]:
1185
- """
1186
- The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.
1187
- """
1188
1015
  return pulumi.get(self, "bound_regions")
1189
1016
 
1190
1017
  @property
@@ -1198,17 +1025,11 @@ class AuthBackendRole(pulumi.CustomResource):
1198
1025
  @property
1199
1026
  @pulumi.getter(name="boundZones")
1200
1027
  def bound_zones(self) -> pulumi.Output[Sequence[str]]:
1201
- """
1202
- The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.
1203
- """
1204
1028
  return pulumi.get(self, "bound_zones")
1205
1029
 
1206
1030
  @property
1207
1031
  @pulumi.getter(name="maxJwtExp")
1208
1032
  def max_jwt_exp(self) -> pulumi.Output[str]:
1209
- """
1210
- The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
1211
- """
1212
1033
  return pulumi.get(self, "max_jwt_exp")
1213
1034
 
1214
1035
  @property
@@ -1217,7 +1038,7 @@ class AuthBackendRole(pulumi.CustomResource):
1217
1038
  """
1218
1039
  The namespace to provision the resource in.
1219
1040
  The value should not contain leading or trailing forward slashes.
1220
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1041
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1221
1042
  *Available only for Vault Enterprise*.
1222
1043
  """
1223
1044
  return pulumi.get(self, "namespace")
@@ -1234,9 +1055,7 @@ class AuthBackendRole(pulumi.CustomResource):
1234
1055
  @pulumi.getter(name="tokenBoundCidrs")
1235
1056
  def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
1236
1057
  """
1237
- List of CIDR blocks; if set, specifies blocks of IP
1238
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1239
- as well.
1058
+ Specifies the blocks of IP addresses which are allowed to use the generated token
1240
1059
  """
1241
1060
  return pulumi.get(self, "token_bound_cidrs")
1242
1061
 
@@ -1244,10 +1063,7 @@ class AuthBackendRole(pulumi.CustomResource):
1244
1063
  @pulumi.getter(name="tokenExplicitMaxTtl")
1245
1064
  def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
1246
1065
  """
1247
- If set, will encode an
1248
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1249
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1250
- `token_max_ttl` would otherwise allow a renewal.
1066
+ Generated Token's Explicit Maximum TTL in seconds
1251
1067
  """
1252
1068
  return pulumi.get(self, "token_explicit_max_ttl")
1253
1069
 
@@ -1255,8 +1071,7 @@ class AuthBackendRole(pulumi.CustomResource):
1255
1071
  @pulumi.getter(name="tokenMaxTtl")
1256
1072
  def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
1257
1073
  """
1258
- The maximum lifetime for generated tokens in number of seconds.
1259
- Its current value will be referenced at renewal time.
1074
+ The maximum lifetime of the generated token
1260
1075
  """
1261
1076
  return pulumi.get(self, "token_max_ttl")
1262
1077
 
@@ -1264,8 +1079,7 @@ class AuthBackendRole(pulumi.CustomResource):
1264
1079
  @pulumi.getter(name="tokenNoDefaultPolicy")
1265
1080
  def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
1266
1081
  """
1267
- If set, the default policy will not be set on
1268
- generated tokens; otherwise it will be added to the policies set in token_policies.
1082
+ If true, the 'default' policy will not automatically be added to generated tokens
1269
1083
  """
1270
1084
  return pulumi.get(self, "token_no_default_policy")
1271
1085
 
@@ -1273,8 +1087,7 @@ class AuthBackendRole(pulumi.CustomResource):
1273
1087
  @pulumi.getter(name="tokenNumUses")
1274
1088
  def token_num_uses(self) -> pulumi.Output[Optional[int]]:
1275
1089
  """
1276
- The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
1277
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1090
+ The maximum number of times a token may be used, a value of zero means unlimited
1278
1091
  """
1279
1092
  return pulumi.get(self, "token_num_uses")
1280
1093
 
@@ -1282,10 +1095,7 @@ class AuthBackendRole(pulumi.CustomResource):
1282
1095
  @pulumi.getter(name="tokenPeriod")
1283
1096
  def token_period(self) -> pulumi.Output[Optional[int]]:
1284
1097
  """
1285
- If set, indicates that the
1286
- token generated using this role should never expire. The token should be renewed within the
1287
- duration specified by this value. At each renewal, the token's TTL will be set to the
1288
- value of this field. Specified in seconds.
1098
+ Generated Token's Period
1289
1099
  """
1290
1100
  return pulumi.get(self, "token_period")
1291
1101
 
@@ -1293,8 +1103,7 @@ class AuthBackendRole(pulumi.CustomResource):
1293
1103
  @pulumi.getter(name="tokenPolicies")
1294
1104
  def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
1295
1105
  """
1296
- List of policies to encode onto generated tokens. Depending
1297
- on the auth method, this list may be supplemented by user/group/other values.
1106
+ Generated Token's Policies
1298
1107
  """
1299
1108
  return pulumi.get(self, "token_policies")
1300
1109
 
@@ -1302,8 +1111,7 @@ class AuthBackendRole(pulumi.CustomResource):
1302
1111
  @pulumi.getter(name="tokenTtl")
1303
1112
  def token_ttl(self) -> pulumi.Output[Optional[int]]:
1304
1113
  """
1305
- The incremental lifetime for generated tokens in number of seconds.
1306
- Its current value will be referenced at renewal time.
1114
+ The initial ttl of the token to generate in seconds
1307
1115
  """
1308
1116
  return pulumi.get(self, "token_ttl")
1309
1117
 
@@ -1311,11 +1119,7 @@ class AuthBackendRole(pulumi.CustomResource):
1311
1119
  @pulumi.getter(name="tokenType")
1312
1120
  def token_type(self) -> pulumi.Output[Optional[str]]:
1313
1121
  """
1314
- The type of token that should be generated. Can be `service`,
1315
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1316
- `service` tokens). For token store roles, there are two additional possibilities:
1317
- `default-service` and `default-batch` which specify the type to return unless the client
1318
- requests a different type at generation time.
1122
+ The type of token to generate, service or batch
1319
1123
  """
1320
1124
  return pulumi.get(self, "token_type")
1321
1125