pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736836139__py3-none-any.whl

pulumi_vault/jwt/outputs.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = [

pulumi_vault/kmip/secret_backend.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretBackendArgs', 'SecretBackend']
@@ -40,7 +45,7 @@ class SecretBackendArgs:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] listen_addrs: Addresses the KMIP server should listen on (`host:port`).
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] server_hostnames: Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN).
         :param pulumi.Input[Sequence[pulumi.Input[str]]] server_ips: IPs to include in the server's TLS certificate as SAN IP addresses.
@@ -166,7 +171,7 @@ class SecretBackendArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -263,7 +268,7 @@ class _SecretBackendState:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] listen_addrs: Addresses the KMIP server should listen on (`host:port`).
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -379,7 +384,7 @@ class _SecretBackendState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -488,25 +493,23 @@ class SecretBackend(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
 
         default = vault.kmip.SecretBackend("default",
-            default_tls_client_key_bits=4096,
-            default_tls_client_key_type="rsa",
-            default_tls_client_ttl=86400,
+            path="kmip",
             description="Vault KMIP backend",
             listen_addrs=[
                 "127.0.0.1:5696",
                 "127.0.0.1:8080",
             ],
-            path="kmip",
+            tls_ca_key_type="rsa",
             tls_ca_key_bits=4096,
-            tls_ca_key_type="rsa")
+            default_tls_client_key_type="rsa",
+            default_tls_client_key_bits=4096,
+            default_tls_client_ttl=86400)
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -527,7 +530,7 @@ class SecretBackend(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] listen_addrs: Addresses the KMIP server should listen on (`host:port`).
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -550,25 +553,23 @@ class SecretBackend(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
 
         default = vault.kmip.SecretBackend("default",
-            default_tls_client_key_bits=4096,
-            default_tls_client_key_type="rsa",
-            default_tls_client_ttl=86400,
+            path="kmip",
             description="Vault KMIP backend",
             listen_addrs=[
                 "127.0.0.1:5696",
                 "127.0.0.1:8080",
             ],
-            path="kmip",
+            tls_ca_key_type="rsa",
             tls_ca_key_bits=4096,
-            tls_ca_key_type="rsa")
+            default_tls_client_key_type="rsa",
+            default_tls_client_key_bits=4096,
+            default_tls_client_ttl=86400)
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -669,7 +670,7 @@ class SecretBackend(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] listen_addrs: Addresses the KMIP server should listen on (`host:port`).
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -753,7 +754,7 @@ class SecretBackend(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")

pulumi_vault/kmip/secret_role.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretRoleArgs', 'SecretRole']
@@ -43,7 +48,7 @@ class SecretRoleArgs:
         :param pulumi.Input[str] scope: Name of the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[bool] operation_activate: Grant permission to use the KMIP Activate operation.
         :param pulumi.Input[bool] operation_add_attribute: Grant permission to use the KMIP Add Attribute operation.
@@ -146,7 +151,7 @@ class SecretRoleArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -388,7 +393,7 @@ class _SecretRoleState:
         Input properties used for looking up and filtering SecretRole resources.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[bool] operation_activate: Grant permission to use the KMIP Activate operation.
         :param pulumi.Input[bool] operation_add_attribute: Grant permission to use the KMIP Add Attribute operation.
@@ -461,7 +466,7 @@ class _SecretRoleState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -746,7 +751,6 @@ class SecretRole(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -770,7 +774,6 @@ class SecretRole(pulumi.CustomResource):
             operation_create=True,
             operation_destroy=True)
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -784,7 +787,7 @@ class SecretRole(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[bool] operation_activate: Grant permission to use the KMIP Activate operation.
         :param pulumi.Input[bool] operation_add_attribute: Grant permission to use the KMIP Add Attribute operation.
@@ -821,7 +824,6 @@ class SecretRole(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -845,7 +847,6 @@ class SecretRole(pulumi.CustomResource):
             operation_create=True,
             operation_destroy=True)
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -967,7 +968,7 @@ class SecretRole(pulumi.CustomResource):
         :param pulumi.ResourceOptions opts: Options for the resource.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[bool] operation_activate: Grant permission to use the KMIP Activate operation.
         :param pulumi.Input[bool] operation_add_attribute: Grant permission to use the KMIP Add Attribute operation.
@@ -1024,7 +1025,7 @@ class SecretRole(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")

pulumi_vault/kmip/secret_scope.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretScopeArgs', 'SecretScope']
@@ -26,7 +31,7 @@ class SecretScopeArgs:
         :param pulumi.Input[bool] force: Boolean field to force deletion even if there are managed objects in the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         """
         pulumi.set(__self__, "path", path)
@@ -79,7 +84,7 @@ class SecretScopeArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -101,7 +106,7 @@ class _SecretScopeState:
         :param pulumi.Input[bool] force: Boolean field to force deletion even if there are managed objects in the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -134,7 +139,7 @@ class _SecretScopeState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -186,7 +191,6 @@ class SecretScope(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -199,7 +203,6 @@ class SecretScope(pulumi.CustomResource):
             scope="dev",
             force=True)
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -214,7 +217,7 @@ class SecretScope(pulumi.CustomResource):
         :param pulumi.Input[bool] force: Boolean field to force deletion even if there are managed objects in the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -233,7 +236,6 @@ class SecretScope(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -246,7 +248,6 @@ class SecretScope(pulumi.CustomResource):
             scope="dev",
             force=True)
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -316,7 +317,7 @@ class SecretScope(pulumi.CustomResource):
         :param pulumi.Input[bool] force: Boolean field to force deletion even if there are managed objects in the scope.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `kmip`.
@@ -346,7 +347,7 @@ class SecretScope(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")

pulumi_vault/kubernetes/auth_backend_config.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['AuthBackendConfigArgs', 'AuthBackendConfig']
@@ -22,7 +27,8 @@ class AuthBackendConfigArgs:
                  kubernetes_ca_cert: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 token_reviewer_jwt: Optional[pulumi.Input[str]] = None):
+                 token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+                 use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None):
         """
         The set of arguments for constructing a AuthBackendConfig resource.
         :param pulumi.Input[str] kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
@@ -37,6 +43,7 @@ class AuthBackendConfigArgs:
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
         :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
+        :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
         """
         pulumi.set(__self__, "kubernetes_host", kubernetes_host)
         if backend is not None:
@@ -55,6 +62,8 @@ class AuthBackendConfigArgs:
             pulumi.set(__self__, "pem_keys", pem_keys)
         if token_reviewer_jwt is not None:
             pulumi.set(__self__, "token_reviewer_jwt", token_reviewer_jwt)
+        if use_annotations_as_alias_metadata is not None:
+            pulumi.set(__self__, "use_annotations_as_alias_metadata", use_annotations_as_alias_metadata)
 
     @property
     @pulumi.getter(name="kubernetesHost")
@@ -167,6 +176,18 @@ class AuthBackendConfigArgs:
     def token_reviewer_jwt(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "token_reviewer_jwt", value)
 
+    @property
+    @pulumi.getter(name="useAnnotationsAsAliasMetadata")
+    def use_annotations_as_alias_metadata(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+        """
+        return pulumi.get(self, "use_annotations_as_alias_metadata")
+
+    @use_annotations_as_alias_metadata.setter
+    def use_annotations_as_alias_metadata(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "use_annotations_as_alias_metadata", value)
+
 
 @pulumi.input_type
 class _AuthBackendConfigState:
@@ -179,7 +200,8 @@ class _AuthBackendConfigState:
                  kubernetes_host: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 token_reviewer_jwt: Optional[pulumi.Input[str]] = None):
+                 token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+                 use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None):
         """
         Input properties used for looking up and filtering AuthBackendConfig resources.
         :param pulumi.Input[str] backend: Unique name of the kubernetes backend to configure.
@@ -194,6 +216,7 @@ class _AuthBackendConfigState:
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
         :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
+        :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
         """
         if backend is not None:
             pulumi.set(__self__, "backend", backend)
@@ -213,6 +236,8 @@ class _AuthBackendConfigState:
             pulumi.set(__self__, "pem_keys", pem_keys)
         if token_reviewer_jwt is not None:
             pulumi.set(__self__, "token_reviewer_jwt", token_reviewer_jwt)
+        if use_annotations_as_alias_metadata is not None:
+            pulumi.set(__self__, "use_annotations_as_alias_metadata", use_annotations_as_alias_metadata)
 
     @property
     @pulumi.getter
@@ -325,6 +350,18 @@ class _AuthBackendConfigState:
     def token_reviewer_jwt(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "token_reviewer_jwt", value)
 
+    @property
+    @pulumi.getter(name="useAnnotationsAsAliasMetadata")
+    def use_annotations_as_alias_metadata(self) -> Optional[pulumi.Input[bool]]:
+        """
+        Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+        """
+        return pulumi.get(self, "use_annotations_as_alias_metadata")
+
+    @use_annotations_as_alias_metadata.setter
+    def use_annotations_as_alias_metadata(self, value: Optional[pulumi.Input[bool]]):
+        pulumi.set(self, "use_annotations_as_alias_metadata", value)
+
 
 class AuthBackendConfig(pulumi.CustomResource):
     @overload
@@ -340,6 +377,7 @@ class AuthBackendConfig(pulumi.CustomResource):
                  namespace: Optional[pulumi.Input[str]] = None,
                  pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+                 use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None,
                  __props__=None):
         """
         Manages an Kubernetes auth backend config in a Vault server. See the [Vault
@@ -348,7 +386,6 @@ class AuthBackendConfig(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -364,7 +401,6 @@ class AuthBackendConfig(pulumi.CustomResource):
             issuer="api",
             disable_iss_validation=True)
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -388,6 +424,7 @@ class AuthBackendConfig(pulumi.CustomResource):
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
         :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
+        :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
         """
         ...
     @overload
@@ -402,7 +439,6 @@ class AuthBackendConfig(pulumi.CustomResource):
 
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -418,7 +454,6 @@ class AuthBackendConfig(pulumi.CustomResource):
             issuer="api",
             disable_iss_validation=True)
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -452,6 +487,7 @@ class AuthBackendConfig(pulumi.CustomResource):
                  namespace: Optional[pulumi.Input[str]] = None,
                  pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+                 use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -472,6 +508,7 @@ class AuthBackendConfig(pulumi.CustomResource):
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["pem_keys"] = pem_keys
             __props__.__dict__["token_reviewer_jwt"] = None if token_reviewer_jwt is None else pulumi.Output.secret(token_reviewer_jwt)
+            __props__.__dict__["use_annotations_as_alias_metadata"] = use_annotations_as_alias_metadata
         secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["tokenReviewerJwt"])
         opts = pulumi.ResourceOptions.merge(opts, secret_opts)
         super(AuthBackendConfig, __self__).__init__(
@@ -492,7 +529,8 @@ class AuthBackendConfig(pulumi.CustomResource):
             kubernetes_host: Optional[pulumi.Input[str]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
             pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            token_reviewer_jwt: Optional[pulumi.Input[str]] = None) -> 'AuthBackendConfig':
+            token_reviewer_jwt: Optional[pulumi.Input[str]] = None,
+            use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None) -> 'AuthBackendConfig':
         """
         Get an existing AuthBackendConfig resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -512,6 +550,7 @@ class AuthBackendConfig(pulumi.CustomResource):
                *Available only for Vault Enterprise*.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] pem_keys: List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
         :param pulumi.Input[str] token_reviewer_jwt: A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
+        :param pulumi.Input[bool] use_annotations_as_alias_metadata: Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -526,6 +565,7 @@ class AuthBackendConfig(pulumi.CustomResource):
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["pem_keys"] = pem_keys
         __props__.__dict__["token_reviewer_jwt"] = token_reviewer_jwt
+        __props__.__dict__["use_annotations_as_alias_metadata"] = use_annotations_as_alias_metadata
         return AuthBackendConfig(resource_name, opts=opts, __props__=__props__)
 
     @property
@@ -603,3 +643,11 @@ class AuthBackendConfig(pulumi.CustomResource):
         """
         return pulumi.get(self, "token_reviewer_jwt")
 
+    @property
+    @pulumi.getter(name="useAnnotationsAsAliasMetadata")
+    def use_annotations_as_alias_metadata(self) -> pulumi.Output[bool]:
+        """
+        Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
+        """
+        return pulumi.get(self, "use_annotations_as_alias_metadata")
+