pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +22 -7
- pulumi_vault/ad/secret_backend.py +14 -144
- pulumi_vault/ad/secret_library.py +14 -11
- pulumi_vault/ad/secret_role.py +12 -11
- pulumi_vault/alicloud/auth_backend_role.py +74 -192
- pulumi_vault/approle/auth_backend_login.py +12 -11
- pulumi_vault/approle/auth_backend_role.py +75 -193
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
- pulumi_vault/audit.py +24 -27
- pulumi_vault/audit_request_header.py +11 -6
- pulumi_vault/auth_backend.py +64 -12
- pulumi_vault/aws/auth_backend_cert.py +12 -7
- pulumi_vault/aws/auth_backend_client.py +265 -24
- pulumi_vault/aws/auth_backend_config_identity.py +12 -11
- pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +75 -193
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
- pulumi_vault/aws/auth_backend_sts_role.py +12 -11
- pulumi_vault/aws/get_access_credentials.py +34 -7
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +75 -7
- pulumi_vault/aws/secret_backend_role.py +183 -11
- pulumi_vault/aws/secret_backend_static_role.py +14 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +151 -17
- pulumi_vault/azure/auth_backend_role.py +75 -193
- pulumi_vault/azure/backend.py +223 -29
- pulumi_vault/azure/backend_role.py +42 -41
- pulumi_vault/azure/get_access_credentials.py +39 -11
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -271
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +22 -25
- pulumi_vault/consul/secret_backend_role.py +14 -80
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +117 -114
- pulumi_vault/database/secret_backend_role.py +29 -24
- pulumi_vault/database/secret_backend_static_role.py +85 -15
- pulumi_vault/database/secrets_mount.py +425 -138
- pulumi_vault/egp_policy.py +16 -15
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +248 -35
- pulumi_vault/gcp/auth_backend_role.py +75 -271
- pulumi_vault/gcp/get_auth_backend_role.py +43 -9
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -16
- pulumi_vault/gcp/secret_impersonated_account.py +74 -17
- pulumi_vault/gcp/secret_roleset.py +29 -26
- pulumi_vault/gcp/secret_static_account.py +37 -34
- pulumi_vault/generic/endpoint.py +22 -21
- pulumi_vault/generic/get_secret.py +68 -12
- pulumi_vault/generic/secret.py +19 -14
- pulumi_vault/get_auth_backend.py +24 -11
- pulumi_vault/get_auth_backends.py +33 -11
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -15
- pulumi_vault/get_policy_document.py +34 -23
- pulumi_vault/get_raft_autopilot_state.py +29 -14
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +17 -16
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +14 -13
- pulumi_vault/github/user.py +14 -13
- pulumi_vault/identity/entity.py +18 -15
- pulumi_vault/identity/entity_alias.py +18 -15
- pulumi_vault/identity/entity_policies.py +24 -19
- pulumi_vault/identity/get_entity.py +40 -14
- pulumi_vault/identity/get_group.py +45 -13
- pulumi_vault/identity/get_oidc_client_creds.py +21 -11
- pulumi_vault/identity/get_oidc_openid_config.py +39 -13
- pulumi_vault/identity/get_oidc_public_keys.py +29 -14
- pulumi_vault/identity/group.py +50 -49
- pulumi_vault/identity/group_alias.py +14 -11
- pulumi_vault/identity/group_member_entity_ids.py +24 -74
- pulumi_vault/identity/group_member_group_ids.py +36 -27
- pulumi_vault/identity/group_policies.py +16 -15
- pulumi_vault/identity/mfa_duo.py +9 -8
- pulumi_vault/identity/mfa_login_enforcement.py +13 -8
- pulumi_vault/identity/mfa_okta.py +9 -8
- pulumi_vault/identity/mfa_pingid.py +5 -4
- pulumi_vault/identity/mfa_totp.py +5 -4
- pulumi_vault/identity/oidc.py +12 -11
- pulumi_vault/identity/oidc_assignment.py +22 -13
- pulumi_vault/identity/oidc_client.py +34 -25
- pulumi_vault/identity/oidc_key.py +28 -19
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
- pulumi_vault/identity/oidc_provider.py +34 -23
- pulumi_vault/identity/oidc_role.py +40 -27
- pulumi_vault/identity/oidc_scope.py +18 -15
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +39 -46
- pulumi_vault/jwt/auth_backend_role.py +131 -260
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +22 -21
- pulumi_vault/kmip/secret_role.py +12 -11
- pulumi_vault/kmip/secret_scope.py +12 -11
- pulumi_vault/kubernetes/auth_backend_config.py +55 -7
- pulumi_vault/kubernetes/auth_backend_role.py +68 -179
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -15
- pulumi_vault/kubernetes/secret_backend.py +314 -29
- pulumi_vault/kubernetes/secret_backend_role.py +135 -56
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +23 -12
- pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
- pulumi_vault/kv/get_secret_v2.py +89 -9
- pulumi_vault/kv/get_secrets_list.py +22 -15
- pulumi_vault/kv/get_secrets_list_v2.py +35 -19
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +19 -18
- pulumi_vault/kv/secret_backend_v2.py +12 -11
- pulumi_vault/kv/secret_v2.py +55 -52
- pulumi_vault/ldap/auth_backend.py +125 -168
- pulumi_vault/ldap/auth_backend_group.py +12 -11
- pulumi_vault/ldap/auth_backend_user.py +12 -11
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +352 -84
- pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
- pulumi_vault/ldap/secret_backend_library_set.py +14 -11
- pulumi_vault/ldap/secret_backend_static_role.py +67 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +27 -43
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +16 -13
- pulumi_vault/mfa_okta.py +16 -13
- pulumi_vault/mfa_pingid.py +16 -13
- pulumi_vault/mfa_totp.py +22 -19
- pulumi_vault/mongodbatlas/secret_backend.py +18 -17
- pulumi_vault/mongodbatlas/secret_role.py +41 -38
- pulumi_vault/mount.py +389 -65
- pulumi_vault/namespace.py +26 -21
- pulumi_vault/nomad_secret_backend.py +16 -15
- pulumi_vault/nomad_secret_role.py +12 -11
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +483 -41
- pulumi_vault/okta/auth_backend_group.py +12 -11
- pulumi_vault/okta/auth_backend_user.py +12 -11
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +18 -15
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
- pulumi_vault/pkisecret/get_backend_key.py +24 -13
- pulumi_vault/pkisecret/get_backend_keys.py +21 -12
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
- pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
- pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
- pulumi_vault/pkisecret/secret_backend_key.py +12 -7
- pulumi_vault/pkisecret/secret_backend_role.py +19 -16
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +12 -7
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +58 -8
- pulumi_vault/quota_rate_limit.py +54 -4
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +16 -15
- pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
- pulumi_vault/raft_autopilot.py +12 -11
- pulumi_vault/raft_snapshot_agent_config.py +121 -311
- pulumi_vault/rgp_policy.py +14 -13
- pulumi_vault/saml/auth_backend.py +20 -19
- pulumi_vault/saml/auth_backend_role.py +90 -199
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -75
- pulumi_vault/secrets/sync_aws_destination.py +240 -29
- pulumi_vault/secrets/sync_azure_destination.py +90 -33
- pulumi_vault/secrets/sync_config.py +7 -6
- pulumi_vault/secrets/sync_gcp_destination.py +156 -27
- pulumi_vault/secrets/sync_gh_destination.py +187 -15
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +72 -15
- pulumi_vault/ssh/_inputs.py +28 -32
- pulumi_vault/ssh/outputs.py +11 -32
- pulumi_vault/ssh/secret_backend_ca.py +106 -11
- pulumi_vault/ssh/secret_backend_role.py +83 -120
- pulumi_vault/terraformcloud/secret_backend.py +5 -56
- pulumi_vault/terraformcloud/secret_creds.py +14 -24
- pulumi_vault/terraformcloud/secret_role.py +14 -76
- pulumi_vault/token.py +26 -25
- pulumi_vault/tokenauth/auth_backend_role.py +76 -201
- pulumi_vault/transform/alphabet.py +16 -13
- pulumi_vault/transform/get_decode.py +45 -21
- pulumi_vault/transform/get_encode.py +45 -21
- pulumi_vault/transform/role.py +16 -13
- pulumi_vault/transform/template.py +30 -25
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -25
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +25 -97
- pulumi_vault/transit/secret_cache_config.py +12 -11
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736836139.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736836139.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
|
@@ -19,10 +24,10 @@ class AuthBackendRoleArgs:
|
|
19
24
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
20
25
|
backend: Optional[pulumi.Input[str]] = None,
|
21
26
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
22
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
27
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
23
28
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
24
29
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
25
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
30
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
26
31
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
27
32
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
28
33
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -53,10 +58,9 @@ class AuthBackendRoleArgs:
|
|
53
58
|
Required for OIDC roles
|
54
59
|
:param pulumi.Input[str] backend: The unique name of the auth backend to configure.
|
55
60
|
Defaults to `jwt`.
|
56
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (
|
57
|
-
|
58
|
-
|
59
|
-
:param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
|
61
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
62
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
63
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
|
60
64
|
A claim's value must be a string, which may contain one value or multiple
|
61
65
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
62
66
|
:param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
|
@@ -64,14 +68,14 @@ class AuthBackendRoleArgs:
|
|
64
68
|
match). Requires Vault 1.4.0 or above.
|
65
69
|
:param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
|
66
70
|
this value.
|
67
|
-
:param pulumi.Input[Mapping[str,
|
71
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
68
72
|
to specified metadata fields (values).
|
69
73
|
:param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
70
74
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
71
75
|
Only applicable with "jwt" roles.
|
72
76
|
:param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
73
77
|
:param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
74
|
-
clock skew, in seconds. Defaults to `
|
78
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
75
79
|
Only applicable with "jwt" roles.
|
76
80
|
:param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
|
77
81
|
the set of groups to which the user belongs; this will be used as the names
|
@@ -81,40 +85,23 @@ class AuthBackendRoleArgs:
|
|
81
85
|
the user was actively authenticated with the OIDC provider.
|
82
86
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
83
87
|
The value should not contain leading or trailing forward slashes.
|
84
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
88
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
85
89
|
*Available only for Vault Enterprise*.
|
86
90
|
:param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
87
|
-
clock skew, in seconds. Defaults to `
|
91
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
88
92
|
Only applicable with "jwt" roles.
|
89
93
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
90
94
|
The standard scope "openid" is automatically included and need not be specified.
|
91
95
|
:param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
|
92
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
93
|
-
|
94
|
-
|
95
|
-
:param pulumi.Input[
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
:param pulumi.Input[int]
|
100
|
-
|
101
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
102
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
103
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
|
104
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
105
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
106
|
-
token generated using this role should never expire. The token should be renewed within the
|
107
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
108
|
-
value of this field. Specified in seconds.
|
109
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
110
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
111
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
112
|
-
Its current value will be referenced at renewal time.
|
113
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
114
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
115
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
116
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
117
|
-
requests a different type at generation time.
|
96
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
97
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
98
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
99
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
100
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
101
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
102
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
103
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
104
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
118
105
|
:param pulumi.Input[bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
|
119
106
|
[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
|
120
107
|
syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
|
@@ -236,9 +223,8 @@ class AuthBackendRoleArgs:
|
|
236
223
|
@pulumi.getter(name="boundAudiences")
|
237
224
|
def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
238
225
|
"""
|
239
|
-
(
|
240
|
-
|
241
|
-
Any match is sufficient.
|
226
|
+
(Required for roles of type `jwt`, optional for roles of
|
227
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
242
228
|
"""
|
243
229
|
return pulumi.get(self, "bound_audiences")
|
244
230
|
|
@@ -248,7 +234,7 @@ class AuthBackendRoleArgs:
|
|
248
234
|
|
249
235
|
@property
|
250
236
|
@pulumi.getter(name="boundClaims")
|
251
|
-
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str,
|
237
|
+
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
252
238
|
"""
|
253
239
|
If set, a map of claims to values to match against.
|
254
240
|
A claim's value must be a string, which may contain one value or multiple
|
@@ -257,7 +243,7 @@ class AuthBackendRoleArgs:
|
|
257
243
|
return pulumi.get(self, "bound_claims")
|
258
244
|
|
259
245
|
@bound_claims.setter
|
260
|
-
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str,
|
246
|
+
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
261
247
|
pulumi.set(self, "bound_claims", value)
|
262
248
|
|
263
249
|
@property
|
@@ -289,7 +275,7 @@ class AuthBackendRoleArgs:
|
|
289
275
|
|
290
276
|
@property
|
291
277
|
@pulumi.getter(name="claimMappings")
|
292
|
-
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str,
|
278
|
+
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
293
279
|
"""
|
294
280
|
If set, a map of claims (keys) to be copied
|
295
281
|
to specified metadata fields (values).
|
@@ -297,7 +283,7 @@ class AuthBackendRoleArgs:
|
|
297
283
|
return pulumi.get(self, "claim_mappings")
|
298
284
|
|
299
285
|
@claim_mappings.setter
|
300
|
-
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str,
|
286
|
+
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
301
287
|
pulumi.set(self, "claim_mappings", value)
|
302
288
|
|
303
289
|
@property
|
@@ -331,7 +317,7 @@ class AuthBackendRoleArgs:
|
|
331
317
|
def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
|
332
318
|
"""
|
333
319
|
The amount of leeway to add to expiration (`exp`) claims to account for
|
334
|
-
clock skew, in seconds. Defaults to `
|
320
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
335
321
|
Only applicable with "jwt" roles.
|
336
322
|
"""
|
337
323
|
return pulumi.get(self, "expiration_leeway")
|
@@ -374,7 +360,7 @@ class AuthBackendRoleArgs:
|
|
374
360
|
"""
|
375
361
|
The namespace to provision the resource in.
|
376
362
|
The value should not contain leading or trailing forward slashes.
|
377
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
363
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
378
364
|
*Available only for Vault Enterprise*.
|
379
365
|
"""
|
380
366
|
return pulumi.get(self, "namespace")
|
@@ -388,7 +374,7 @@ class AuthBackendRoleArgs:
|
|
388
374
|
def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
|
389
375
|
"""
|
390
376
|
The amount of leeway to add to not before (`nbf`) claims to account for
|
391
|
-
clock skew, in seconds. Defaults to `
|
377
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
392
378
|
Only applicable with "jwt" roles.
|
393
379
|
"""
|
394
380
|
return pulumi.get(self, "not_before_leeway")
|
@@ -426,9 +412,7 @@ class AuthBackendRoleArgs:
|
|
426
412
|
@pulumi.getter(name="tokenBoundCidrs")
|
427
413
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
428
414
|
"""
|
429
|
-
|
430
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
431
|
-
as well.
|
415
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
432
416
|
"""
|
433
417
|
return pulumi.get(self, "token_bound_cidrs")
|
434
418
|
|
@@ -440,10 +424,7 @@ class AuthBackendRoleArgs:
|
|
440
424
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
441
425
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
442
426
|
"""
|
443
|
-
|
444
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
445
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
446
|
-
`token_max_ttl` would otherwise allow a renewal.
|
427
|
+
Generated Token's Explicit Maximum TTL in seconds
|
447
428
|
"""
|
448
429
|
return pulumi.get(self, "token_explicit_max_ttl")
|
449
430
|
|
@@ -455,8 +436,7 @@ class AuthBackendRoleArgs:
|
|
455
436
|
@pulumi.getter(name="tokenMaxTtl")
|
456
437
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
457
438
|
"""
|
458
|
-
The maximum lifetime
|
459
|
-
Its current value will be referenced at renewal time.
|
439
|
+
The maximum lifetime of the generated token
|
460
440
|
"""
|
461
441
|
return pulumi.get(self, "token_max_ttl")
|
462
442
|
|
@@ -468,8 +448,7 @@ class AuthBackendRoleArgs:
|
|
468
448
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
469
449
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
470
450
|
"""
|
471
|
-
If
|
472
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
451
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
473
452
|
"""
|
474
453
|
return pulumi.get(self, "token_no_default_policy")
|
475
454
|
|
@@ -481,8 +460,7 @@ class AuthBackendRoleArgs:
|
|
481
460
|
@pulumi.getter(name="tokenNumUses")
|
482
461
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
483
462
|
"""
|
484
|
-
The
|
485
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
463
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
486
464
|
"""
|
487
465
|
return pulumi.get(self, "token_num_uses")
|
488
466
|
|
@@ -494,10 +472,7 @@ class AuthBackendRoleArgs:
|
|
494
472
|
@pulumi.getter(name="tokenPeriod")
|
495
473
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
496
474
|
"""
|
497
|
-
|
498
|
-
token generated using this role should never expire. The token should be renewed within the
|
499
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
500
|
-
value of this field. Specified in seconds.
|
475
|
+
Generated Token's Period
|
501
476
|
"""
|
502
477
|
return pulumi.get(self, "token_period")
|
503
478
|
|
@@ -509,8 +484,7 @@ class AuthBackendRoleArgs:
|
|
509
484
|
@pulumi.getter(name="tokenPolicies")
|
510
485
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
511
486
|
"""
|
512
|
-
|
513
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
487
|
+
Generated Token's Policies
|
514
488
|
"""
|
515
489
|
return pulumi.get(self, "token_policies")
|
516
490
|
|
@@ -522,8 +496,7 @@ class AuthBackendRoleArgs:
|
|
522
496
|
@pulumi.getter(name="tokenTtl")
|
523
497
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
524
498
|
"""
|
525
|
-
The
|
526
|
-
Its current value will be referenced at renewal time.
|
499
|
+
The initial ttl of the token to generate in seconds
|
527
500
|
"""
|
528
501
|
return pulumi.get(self, "token_ttl")
|
529
502
|
|
@@ -535,11 +508,7 @@ class AuthBackendRoleArgs:
|
|
535
508
|
@pulumi.getter(name="tokenType")
|
536
509
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
537
510
|
"""
|
538
|
-
The type of token
|
539
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
540
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
541
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
542
|
-
requests a different type at generation time.
|
511
|
+
The type of token to generate, service or batch
|
543
512
|
"""
|
544
513
|
return pulumi.get(self, "token_type")
|
545
514
|
|
@@ -583,10 +552,10 @@ class _AuthBackendRoleState:
|
|
583
552
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
584
553
|
backend: Optional[pulumi.Input[str]] = None,
|
585
554
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
586
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
555
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
587
556
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
588
557
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
589
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
558
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
590
559
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
591
560
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
592
561
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -615,10 +584,9 @@ class _AuthBackendRoleState:
|
|
615
584
|
Required for OIDC roles
|
616
585
|
:param pulumi.Input[str] backend: The unique name of the auth backend to configure.
|
617
586
|
Defaults to `jwt`.
|
618
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (
|
619
|
-
|
620
|
-
|
621
|
-
:param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
|
587
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
588
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
589
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
|
622
590
|
A claim's value must be a string, which may contain one value or multiple
|
623
591
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
624
592
|
:param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
|
@@ -626,14 +594,14 @@ class _AuthBackendRoleState:
|
|
626
594
|
match). Requires Vault 1.4.0 or above.
|
627
595
|
:param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
|
628
596
|
this value.
|
629
|
-
:param pulumi.Input[Mapping[str,
|
597
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
630
598
|
to specified metadata fields (values).
|
631
599
|
:param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
632
600
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
633
601
|
Only applicable with "jwt" roles.
|
634
602
|
:param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
635
603
|
:param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
636
|
-
clock skew, in seconds. Defaults to `
|
604
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
637
605
|
Only applicable with "jwt" roles.
|
638
606
|
:param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
|
639
607
|
the set of groups to which the user belongs; this will be used as the names
|
@@ -643,41 +611,24 @@ class _AuthBackendRoleState:
|
|
643
611
|
the user was actively authenticated with the OIDC provider.
|
644
612
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
645
613
|
The value should not contain leading or trailing forward slashes.
|
646
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
614
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
647
615
|
*Available only for Vault Enterprise*.
|
648
616
|
:param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
649
|
-
clock skew, in seconds. Defaults to `
|
617
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
650
618
|
Only applicable with "jwt" roles.
|
651
619
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
652
620
|
The standard scope "openid" is automatically included and need not be specified.
|
653
621
|
:param pulumi.Input[str] role_name: The name of the role.
|
654
622
|
:param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
|
655
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
656
|
-
|
657
|
-
|
658
|
-
:param pulumi.Input[
|
659
|
-
|
660
|
-
|
661
|
-
|
662
|
-
:param pulumi.Input[int]
|
663
|
-
|
664
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
665
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
666
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
|
667
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
668
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
669
|
-
token generated using this role should never expire. The token should be renewed within the
|
670
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
671
|
-
value of this field. Specified in seconds.
|
672
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
673
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
674
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
675
|
-
Its current value will be referenced at renewal time.
|
676
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
677
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
678
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
679
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
680
|
-
requests a different type at generation time.
|
623
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
624
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
625
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
626
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
627
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
628
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
629
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
630
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
631
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
681
632
|
:param pulumi.Input[str] user_claim: The claim to use to uniquely identify
|
682
633
|
the user; this will be used as the name for the Identity entity alias created
|
683
634
|
due to a successful login.
|
@@ -778,9 +729,8 @@ class _AuthBackendRoleState:
|
|
778
729
|
@pulumi.getter(name="boundAudiences")
|
779
730
|
def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
780
731
|
"""
|
781
|
-
(
|
782
|
-
|
783
|
-
Any match is sufficient.
|
732
|
+
(Required for roles of type `jwt`, optional for roles of
|
733
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
784
734
|
"""
|
785
735
|
return pulumi.get(self, "bound_audiences")
|
786
736
|
|
@@ -790,7 +740,7 @@ class _AuthBackendRoleState:
|
|
790
740
|
|
791
741
|
@property
|
792
742
|
@pulumi.getter(name="boundClaims")
|
793
|
-
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str,
|
743
|
+
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
794
744
|
"""
|
795
745
|
If set, a map of claims to values to match against.
|
796
746
|
A claim's value must be a string, which may contain one value or multiple
|
@@ -799,7 +749,7 @@ class _AuthBackendRoleState:
|
|
799
749
|
return pulumi.get(self, "bound_claims")
|
800
750
|
|
801
751
|
@bound_claims.setter
|
802
|
-
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str,
|
752
|
+
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
803
753
|
pulumi.set(self, "bound_claims", value)
|
804
754
|
|
805
755
|
@property
|
@@ -831,7 +781,7 @@ class _AuthBackendRoleState:
|
|
831
781
|
|
832
782
|
@property
|
833
783
|
@pulumi.getter(name="claimMappings")
|
834
|
-
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str,
|
784
|
+
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
|
835
785
|
"""
|
836
786
|
If set, a map of claims (keys) to be copied
|
837
787
|
to specified metadata fields (values).
|
@@ -839,7 +789,7 @@ class _AuthBackendRoleState:
|
|
839
789
|
return pulumi.get(self, "claim_mappings")
|
840
790
|
|
841
791
|
@claim_mappings.setter
|
842
|
-
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str,
|
792
|
+
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
|
843
793
|
pulumi.set(self, "claim_mappings", value)
|
844
794
|
|
845
795
|
@property
|
@@ -873,7 +823,7 @@ class _AuthBackendRoleState:
|
|
873
823
|
def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
|
874
824
|
"""
|
875
825
|
The amount of leeway to add to expiration (`exp`) claims to account for
|
876
|
-
clock skew, in seconds. Defaults to `
|
826
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
877
827
|
Only applicable with "jwt" roles.
|
878
828
|
"""
|
879
829
|
return pulumi.get(self, "expiration_leeway")
|
@@ -916,7 +866,7 @@ class _AuthBackendRoleState:
|
|
916
866
|
"""
|
917
867
|
The namespace to provision the resource in.
|
918
868
|
The value should not contain leading or trailing forward slashes.
|
919
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
869
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
920
870
|
*Available only for Vault Enterprise*.
|
921
871
|
"""
|
922
872
|
return pulumi.get(self, "namespace")
|
@@ -930,7 +880,7 @@ class _AuthBackendRoleState:
|
|
930
880
|
def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
|
931
881
|
"""
|
932
882
|
The amount of leeway to add to not before (`nbf`) claims to account for
|
933
|
-
clock skew, in seconds. Defaults to `
|
883
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
934
884
|
Only applicable with "jwt" roles.
|
935
885
|
"""
|
936
886
|
return pulumi.get(self, "not_before_leeway")
|
@@ -980,9 +930,7 @@ class _AuthBackendRoleState:
|
|
980
930
|
@pulumi.getter(name="tokenBoundCidrs")
|
981
931
|
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
982
932
|
"""
|
983
|
-
|
984
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
985
|
-
as well.
|
933
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
986
934
|
"""
|
987
935
|
return pulumi.get(self, "token_bound_cidrs")
|
988
936
|
|
@@ -994,10 +942,7 @@ class _AuthBackendRoleState:
|
|
994
942
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
995
943
|
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
996
944
|
"""
|
997
|
-
|
998
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
999
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
1000
|
-
`token_max_ttl` would otherwise allow a renewal.
|
945
|
+
Generated Token's Explicit Maximum TTL in seconds
|
1001
946
|
"""
|
1002
947
|
return pulumi.get(self, "token_explicit_max_ttl")
|
1003
948
|
|
@@ -1009,8 +954,7 @@ class _AuthBackendRoleState:
|
|
1009
954
|
@pulumi.getter(name="tokenMaxTtl")
|
1010
955
|
def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
|
1011
956
|
"""
|
1012
|
-
The maximum lifetime
|
1013
|
-
Its current value will be referenced at renewal time.
|
957
|
+
The maximum lifetime of the generated token
|
1014
958
|
"""
|
1015
959
|
return pulumi.get(self, "token_max_ttl")
|
1016
960
|
|
@@ -1022,8 +966,7 @@ class _AuthBackendRoleState:
|
|
1022
966
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
1023
967
|
def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
|
1024
968
|
"""
|
1025
|
-
If
|
1026
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
969
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
1027
970
|
"""
|
1028
971
|
return pulumi.get(self, "token_no_default_policy")
|
1029
972
|
|
@@ -1035,8 +978,7 @@ class _AuthBackendRoleState:
|
|
1035
978
|
@pulumi.getter(name="tokenNumUses")
|
1036
979
|
def token_num_uses(self) -> Optional[pulumi.Input[int]]:
|
1037
980
|
"""
|
1038
|
-
The
|
1039
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
981
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
1040
982
|
"""
|
1041
983
|
return pulumi.get(self, "token_num_uses")
|
1042
984
|
|
@@ -1048,10 +990,7 @@ class _AuthBackendRoleState:
|
|
1048
990
|
@pulumi.getter(name="tokenPeriod")
|
1049
991
|
def token_period(self) -> Optional[pulumi.Input[int]]:
|
1050
992
|
"""
|
1051
|
-
|
1052
|
-
token generated using this role should never expire. The token should be renewed within the
|
1053
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1054
|
-
value of this field. Specified in seconds.
|
993
|
+
Generated Token's Period
|
1055
994
|
"""
|
1056
995
|
return pulumi.get(self, "token_period")
|
1057
996
|
|
@@ -1063,8 +1002,7 @@ class _AuthBackendRoleState:
|
|
1063
1002
|
@pulumi.getter(name="tokenPolicies")
|
1064
1003
|
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
|
1065
1004
|
"""
|
1066
|
-
|
1067
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1005
|
+
Generated Token's Policies
|
1068
1006
|
"""
|
1069
1007
|
return pulumi.get(self, "token_policies")
|
1070
1008
|
|
@@ -1076,8 +1014,7 @@ class _AuthBackendRoleState:
|
|
1076
1014
|
@pulumi.getter(name="tokenTtl")
|
1077
1015
|
def token_ttl(self) -> Optional[pulumi.Input[int]]:
|
1078
1016
|
"""
|
1079
|
-
The
|
1080
|
-
Its current value will be referenced at renewal time.
|
1017
|
+
The initial ttl of the token to generate in seconds
|
1081
1018
|
"""
|
1082
1019
|
return pulumi.get(self, "token_ttl")
|
1083
1020
|
|
@@ -1089,11 +1026,7 @@ class _AuthBackendRoleState:
|
|
1089
1026
|
@pulumi.getter(name="tokenType")
|
1090
1027
|
def token_type(self) -> Optional[pulumi.Input[str]]:
|
1091
1028
|
"""
|
1092
|
-
The type of token
|
1093
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1094
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1095
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1096
|
-
requests a different type at generation time.
|
1029
|
+
The type of token to generate, service or batch
|
1097
1030
|
"""
|
1098
1031
|
return pulumi.get(self, "token_type")
|
1099
1032
|
|
@@ -1153,10 +1086,10 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1153
1086
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1154
1087
|
backend: Optional[pulumi.Input[str]] = None,
|
1155
1088
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1156
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
1089
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1157
1090
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
1158
1091
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
1159
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
1092
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1160
1093
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
1161
1094
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
1162
1095
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -1189,7 +1122,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1189
1122
|
|
1190
1123
|
Role for JWT backend:
|
1191
1124
|
|
1192
|
-
<!--Start PulumiCodeChooser -->
|
1193
1125
|
```python
|
1194
1126
|
import pulumi
|
1195
1127
|
import pulumi_vault as vault
|
@@ -1210,11 +1142,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1210
1142
|
user_claim="https://vault/user",
|
1211
1143
|
role_type="jwt")
|
1212
1144
|
```
|
1213
|
-
<!--End PulumiCodeChooser -->
|
1214
1145
|
|
1215
1146
|
Role for OIDC backend:
|
1216
1147
|
|
1217
|
-
<!--Start PulumiCodeChooser -->
|
1218
1148
|
```python
|
1219
1149
|
import pulumi
|
1220
1150
|
import pulumi_vault as vault
|
@@ -1234,7 +1164,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1234
1164
|
role_type="oidc",
|
1235
1165
|
allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])
|
1236
1166
|
```
|
1237
|
-
<!--End PulumiCodeChooser -->
|
1238
1167
|
|
1239
1168
|
## Import
|
1240
1169
|
|
@@ -1250,10 +1179,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1250
1179
|
Required for OIDC roles
|
1251
1180
|
:param pulumi.Input[str] backend: The unique name of the auth backend to configure.
|
1252
1181
|
Defaults to `jwt`.
|
1253
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (
|
1254
|
-
|
1255
|
-
|
1256
|
-
:param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
|
1182
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
1183
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
1184
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
|
1257
1185
|
A claim's value must be a string, which may contain one value or multiple
|
1258
1186
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
1259
1187
|
:param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
|
@@ -1261,14 +1189,14 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1261
1189
|
match). Requires Vault 1.4.0 or above.
|
1262
1190
|
:param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
|
1263
1191
|
this value.
|
1264
|
-
:param pulumi.Input[Mapping[str,
|
1192
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
1265
1193
|
to specified metadata fields (values).
|
1266
1194
|
:param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
1267
1195
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
1268
1196
|
Only applicable with "jwt" roles.
|
1269
1197
|
:param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
1270
1198
|
:param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
1271
|
-
clock skew, in seconds. Defaults to `
|
1199
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1272
1200
|
Only applicable with "jwt" roles.
|
1273
1201
|
:param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
|
1274
1202
|
the set of groups to which the user belongs; this will be used as the names
|
@@ -1278,41 +1206,24 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1278
1206
|
the user was actively authenticated with the OIDC provider.
|
1279
1207
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1280
1208
|
The value should not contain leading or trailing forward slashes.
|
1281
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1209
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1282
1210
|
*Available only for Vault Enterprise*.
|
1283
1211
|
:param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
1284
|
-
clock skew, in seconds. Defaults to `
|
1212
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1285
1213
|
Only applicable with "jwt" roles.
|
1286
1214
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
1287
1215
|
The standard scope "openid" is automatically included and need not be specified.
|
1288
1216
|
:param pulumi.Input[str] role_name: The name of the role.
|
1289
1217
|
:param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
|
1290
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
1291
|
-
|
1292
|
-
|
1293
|
-
:param pulumi.Input[
|
1294
|
-
|
1295
|
-
|
1296
|
-
|
1297
|
-
:param pulumi.Input[int]
|
1298
|
-
|
1299
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
1300
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1301
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
|
1302
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1303
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
1304
|
-
token generated using this role should never expire. The token should be renewed within the
|
1305
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1306
|
-
value of this field. Specified in seconds.
|
1307
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
1308
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1309
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
1310
|
-
Its current value will be referenced at renewal time.
|
1311
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
1312
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1313
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1314
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1315
|
-
requests a different type at generation time.
|
1218
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
1219
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
1220
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
1221
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
1222
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
1223
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
1224
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
1225
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
1226
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
1316
1227
|
:param pulumi.Input[str] user_claim: The claim to use to uniquely identify
|
1317
1228
|
the user; this will be used as the name for the Identity entity alias created
|
1318
1229
|
due to a successful login.
|
@@ -1339,7 +1250,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1339
1250
|
|
1340
1251
|
Role for JWT backend:
|
1341
1252
|
|
1342
|
-
<!--Start PulumiCodeChooser -->
|
1343
1253
|
```python
|
1344
1254
|
import pulumi
|
1345
1255
|
import pulumi_vault as vault
|
@@ -1360,11 +1270,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1360
1270
|
user_claim="https://vault/user",
|
1361
1271
|
role_type="jwt")
|
1362
1272
|
```
|
1363
|
-
<!--End PulumiCodeChooser -->
|
1364
1273
|
|
1365
1274
|
Role for OIDC backend:
|
1366
1275
|
|
1367
|
-
<!--Start PulumiCodeChooser -->
|
1368
1276
|
```python
|
1369
1277
|
import pulumi
|
1370
1278
|
import pulumi_vault as vault
|
@@ -1384,7 +1292,6 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1384
1292
|
role_type="oidc",
|
1385
1293
|
allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])
|
1386
1294
|
```
|
1387
|
-
<!--End PulumiCodeChooser -->
|
1388
1295
|
|
1389
1296
|
## Import
|
1390
1297
|
|
@@ -1412,10 +1319,10 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1412
1319
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1413
1320
|
backend: Optional[pulumi.Input[str]] = None,
|
1414
1321
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1415
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
1322
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1416
1323
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
1417
1324
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
1418
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
1325
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1419
1326
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
1420
1327
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
1421
1328
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -1493,10 +1400,10 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1493
1400
|
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1494
1401
|
backend: Optional[pulumi.Input[str]] = None,
|
1495
1402
|
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
|
1496
|
-
bound_claims: Optional[pulumi.Input[Mapping[str,
|
1403
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1497
1404
|
bound_claims_type: Optional[pulumi.Input[str]] = None,
|
1498
1405
|
bound_subject: Optional[pulumi.Input[str]] = None,
|
1499
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str,
|
1406
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
|
1500
1407
|
clock_skew_leeway: Optional[pulumi.Input[int]] = None,
|
1501
1408
|
disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
|
1502
1409
|
expiration_leeway: Optional[pulumi.Input[int]] = None,
|
@@ -1530,10 +1437,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1530
1437
|
Required for OIDC roles
|
1531
1438
|
:param pulumi.Input[str] backend: The unique name of the auth backend to configure.
|
1532
1439
|
Defaults to `jwt`.
|
1533
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (
|
1534
|
-
|
1535
|
-
|
1536
|
-
:param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
|
1440
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
1441
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
1442
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
|
1537
1443
|
A claim's value must be a string, which may contain one value or multiple
|
1538
1444
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
1539
1445
|
:param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
|
@@ -1541,14 +1447,14 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1541
1447
|
match). Requires Vault 1.4.0 or above.
|
1542
1448
|
:param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
|
1543
1449
|
this value.
|
1544
|
-
:param pulumi.Input[Mapping[str,
|
1450
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
1545
1451
|
to specified metadata fields (values).
|
1546
1452
|
:param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
1547
1453
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
1548
1454
|
Only applicable with "jwt" roles.
|
1549
1455
|
:param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
1550
1456
|
:param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
1551
|
-
clock skew, in seconds. Defaults to `
|
1457
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1552
1458
|
Only applicable with "jwt" roles.
|
1553
1459
|
:param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
|
1554
1460
|
the set of groups to which the user belongs; this will be used as the names
|
@@ -1558,41 +1464,24 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1558
1464
|
the user was actively authenticated with the OIDC provider.
|
1559
1465
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
1560
1466
|
The value should not contain leading or trailing forward slashes.
|
1561
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1467
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1562
1468
|
*Available only for Vault Enterprise*.
|
1563
1469
|
:param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
1564
|
-
clock skew, in seconds. Defaults to `
|
1470
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1565
1471
|
Only applicable with "jwt" roles.
|
1566
1472
|
:param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
1567
1473
|
The standard scope "openid" is automatically included and need not be specified.
|
1568
1474
|
:param pulumi.Input[str] role_name: The name of the role.
|
1569
1475
|
:param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
|
1570
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs:
|
1571
|
-
|
1572
|
-
|
1573
|
-
:param pulumi.Input[
|
1574
|
-
|
1575
|
-
|
1576
|
-
|
1577
|
-
:param pulumi.Input[int]
|
1578
|
-
|
1579
|
-
:param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
|
1580
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1581
|
-
:param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
|
1582
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1583
|
-
:param pulumi.Input[int] token_period: If set, indicates that the
|
1584
|
-
token generated using this role should never expire. The token should be renewed within the
|
1585
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1586
|
-
value of this field. Specified in seconds.
|
1587
|
-
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
|
1588
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1589
|
-
:param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
|
1590
|
-
Its current value will be referenced at renewal time.
|
1591
|
-
:param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
|
1592
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1593
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1594
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1595
|
-
requests a different type at generation time.
|
1476
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
1477
|
+
:param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
1478
|
+
:param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
|
1479
|
+
:param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
1480
|
+
:param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
1481
|
+
:param pulumi.Input[int] token_period: Generated Token's Period
|
1482
|
+
:param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
|
1483
|
+
:param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
|
1484
|
+
:param pulumi.Input[str] token_type: The type of token to generate, service or batch
|
1596
1485
|
:param pulumi.Input[str] user_claim: The claim to use to uniquely identify
|
1597
1486
|
the user; this will be used as the name for the Identity entity alias created
|
1598
1487
|
due to a successful login.
|
@@ -1661,15 +1550,14 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1661
1550
|
@pulumi.getter(name="boundAudiences")
|
1662
1551
|
def bound_audiences(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1663
1552
|
"""
|
1664
|
-
(
|
1665
|
-
|
1666
|
-
Any match is sufficient.
|
1553
|
+
(Required for roles of type `jwt`, optional for roles of
|
1554
|
+
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
1667
1555
|
"""
|
1668
1556
|
return pulumi.get(self, "bound_audiences")
|
1669
1557
|
|
1670
1558
|
@property
|
1671
1559
|
@pulumi.getter(name="boundClaims")
|
1672
|
-
def bound_claims(self) -> pulumi.Output[Optional[Mapping[str,
|
1560
|
+
def bound_claims(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
|
1673
1561
|
"""
|
1674
1562
|
If set, a map of claims to values to match against.
|
1675
1563
|
A claim's value must be a string, which may contain one value or multiple
|
@@ -1698,7 +1586,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1698
1586
|
|
1699
1587
|
@property
|
1700
1588
|
@pulumi.getter(name="claimMappings")
|
1701
|
-
def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str,
|
1589
|
+
def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
|
1702
1590
|
"""
|
1703
1591
|
If set, a map of claims (keys) to be copied
|
1704
1592
|
to specified metadata fields (values).
|
@@ -1728,7 +1616,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1728
1616
|
def expiration_leeway(self) -> pulumi.Output[Optional[int]]:
|
1729
1617
|
"""
|
1730
1618
|
The amount of leeway to add to expiration (`exp`) claims to account for
|
1731
|
-
clock skew, in seconds. Defaults to `
|
1619
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1732
1620
|
Only applicable with "jwt" roles.
|
1733
1621
|
"""
|
1734
1622
|
return pulumi.get(self, "expiration_leeway")
|
@@ -1759,7 +1647,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1759
1647
|
"""
|
1760
1648
|
The namespace to provision the resource in.
|
1761
1649
|
The value should not contain leading or trailing forward slashes.
|
1762
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
1650
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
1763
1651
|
*Available only for Vault Enterprise*.
|
1764
1652
|
"""
|
1765
1653
|
return pulumi.get(self, "namespace")
|
@@ -1769,7 +1657,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1769
1657
|
def not_before_leeway(self) -> pulumi.Output[Optional[int]]:
|
1770
1658
|
"""
|
1771
1659
|
The amount of leeway to add to not before (`nbf`) claims to account for
|
1772
|
-
clock skew, in seconds. Defaults to `
|
1660
|
+
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
1773
1661
|
Only applicable with "jwt" roles.
|
1774
1662
|
"""
|
1775
1663
|
return pulumi.get(self, "not_before_leeway")
|
@@ -1803,9 +1691,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1803
1691
|
@pulumi.getter(name="tokenBoundCidrs")
|
1804
1692
|
def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1805
1693
|
"""
|
1806
|
-
|
1807
|
-
addresses which can authenticate successfully, and ties the resulting token to these blocks
|
1808
|
-
as well.
|
1694
|
+
Specifies the blocks of IP addresses which are allowed to use the generated token
|
1809
1695
|
"""
|
1810
1696
|
return pulumi.get(self, "token_bound_cidrs")
|
1811
1697
|
|
@@ -1813,10 +1699,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1813
1699
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
1814
1700
|
def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1815
1701
|
"""
|
1816
|
-
|
1817
|
-
[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
|
1818
|
-
onto the token in number of seconds. This is a hard cap even if `token_ttl` and
|
1819
|
-
`token_max_ttl` would otherwise allow a renewal.
|
1702
|
+
Generated Token's Explicit Maximum TTL in seconds
|
1820
1703
|
"""
|
1821
1704
|
return pulumi.get(self, "token_explicit_max_ttl")
|
1822
1705
|
|
@@ -1824,8 +1707,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1824
1707
|
@pulumi.getter(name="tokenMaxTtl")
|
1825
1708
|
def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
|
1826
1709
|
"""
|
1827
|
-
The maximum lifetime
|
1828
|
-
Its current value will be referenced at renewal time.
|
1710
|
+
The maximum lifetime of the generated token
|
1829
1711
|
"""
|
1830
1712
|
return pulumi.get(self, "token_max_ttl")
|
1831
1713
|
|
@@ -1833,8 +1715,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1833
1715
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
1834
1716
|
def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
|
1835
1717
|
"""
|
1836
|
-
If
|
1837
|
-
generated tokens; otherwise it will be added to the policies set in token_policies.
|
1718
|
+
If true, the 'default' policy will not automatically be added to generated tokens
|
1838
1719
|
"""
|
1839
1720
|
return pulumi.get(self, "token_no_default_policy")
|
1840
1721
|
|
@@ -1842,8 +1723,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1842
1723
|
@pulumi.getter(name="tokenNumUses")
|
1843
1724
|
def token_num_uses(self) -> pulumi.Output[Optional[int]]:
|
1844
1725
|
"""
|
1845
|
-
The
|
1846
|
-
of times a generated token may be used (within its lifetime); 0 means unlimited.
|
1726
|
+
The maximum number of times a token may be used, a value of zero means unlimited
|
1847
1727
|
"""
|
1848
1728
|
return pulumi.get(self, "token_num_uses")
|
1849
1729
|
|
@@ -1851,10 +1731,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1851
1731
|
@pulumi.getter(name="tokenPeriod")
|
1852
1732
|
def token_period(self) -> pulumi.Output[Optional[int]]:
|
1853
1733
|
"""
|
1854
|
-
|
1855
|
-
token generated using this role should never expire. The token should be renewed within the
|
1856
|
-
duration specified by this value. At each renewal, the token's TTL will be set to the
|
1857
|
-
value of this field. Specified in seconds.
|
1734
|
+
Generated Token's Period
|
1858
1735
|
"""
|
1859
1736
|
return pulumi.get(self, "token_period")
|
1860
1737
|
|
@@ -1862,8 +1739,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1862
1739
|
@pulumi.getter(name="tokenPolicies")
|
1863
1740
|
def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
|
1864
1741
|
"""
|
1865
|
-
|
1866
|
-
on the auth method, this list may be supplemented by user/group/other values.
|
1742
|
+
Generated Token's Policies
|
1867
1743
|
"""
|
1868
1744
|
return pulumi.get(self, "token_policies")
|
1869
1745
|
|
@@ -1871,8 +1747,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1871
1747
|
@pulumi.getter(name="tokenTtl")
|
1872
1748
|
def token_ttl(self) -> pulumi.Output[Optional[int]]:
|
1873
1749
|
"""
|
1874
|
-
The
|
1875
|
-
Its current value will be referenced at renewal time.
|
1750
|
+
The initial ttl of the token to generate in seconds
|
1876
1751
|
"""
|
1877
1752
|
return pulumi.get(self, "token_ttl")
|
1878
1753
|
|
@@ -1880,11 +1755,7 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
1880
1755
|
@pulumi.getter(name="tokenType")
|
1881
1756
|
def token_type(self) -> pulumi.Output[Optional[str]]:
|
1882
1757
|
"""
|
1883
|
-
The type of token
|
1884
|
-
`batch`, or `default` to use the mount's tuned default (which unless changed will be
|
1885
|
-
`service` tokens). For token store roles, there are two additional possibilities:
|
1886
|
-
`default-service` and `default-batch` which specify the type to return unless the client
|
1887
|
-
requests a different type at generation time.
|
1758
|
+
The type of token to generate, service or batch
|
1888
1759
|
"""
|
1889
1760
|
return pulumi.get(self, "token_type")
|
1890
1761
|
|