pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736850018__py3-none-any.whl

pulumi_vault/aws/secret_backend_role.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['SecretBackendRoleArgs', 'SecretBackendRole']
@@ -17,7 +22,9 @@ class SecretBackendRoleArgs:
                  backend: pulumi.Input[str],
                  credential_type: pulumi.Input[str],
                  default_sts_ttl: Optional[pulumi.Input[int]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
                  iam_groups: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 iam_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  max_sts_ttl: Optional[pulumi.Input[int]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
@@ -25,6 +32,7 @@ class SecretBackendRoleArgs:
                  policy_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  policy_document: Optional[pulumi.Input[str]] = None,
                  role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 session_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  user_path: Optional[pulumi.Input[str]] = None):
         """
         The set of arguments for constructing a SecretBackendRole resource.
@@ -38,12 +46,16 @@ class SecretBackendRoleArgs:
                and a default TTL is specified on the role,
                then this default TTL will be used. Valid only when `credential_type` is one of
                `assumed_role` or `federation_token`.
+        :param pulumi.Input[str] external_id: External ID to set for assume role creds. 
+               Valid only when `credential_type` is set to `assumed_role`.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] iam_groups: A list of IAM group names. IAM users generated
                against this vault role will be added to these IAM Groups. For a credential
                type of `assumed_role` or `federation_token`, the policies sent to the
                corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the
                policies from each group in `iam_groups` combined with the `policy_document`
                and `policy_arns` parameters.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] iam_tags: A map of strings representing key/value pairs
+               to be used as tags for any IAM user that is created by this role.
         :param pulumi.Input[int] max_sts_ttl: The max allowed TTL in seconds for STS credentials
                (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is
                one of `assumed_role` or `federation_token`.
@@ -51,7 +63,7 @@ class SecretBackendRoleArgs:
                Must be unique within the backend.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] permissions_boundary_arn: The ARN of the AWS Permissions 
                Boundary to attach to IAM users created in the role. Valid only when
@@ -72,6 +84,9 @@ class SecretBackendRoleArgs:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] role_arns: Specifies the ARNs of the AWS roles this Vault role
                is allowed to assume. Required when `credential_type` is `assumed_role` and
                prohibited otherwise.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] session_tags: A map of strings representing key/value pairs to be set
+               during assume role creds creation. Valid only when `credential_type` is set to
+               `assumed_role`.
         :param pulumi.Input[str] user_path: The path for the user name. Valid only when 
                `credential_type` is `iam_user`. Default is `/`.
         """
@@ -79,8 +94,12 @@ class SecretBackendRoleArgs:
         pulumi.set(__self__, "credential_type", credential_type)
         if default_sts_ttl is not None:
             pulumi.set(__self__, "default_sts_ttl", default_sts_ttl)
+        if external_id is not None:
+            pulumi.set(__self__, "external_id", external_id)
         if iam_groups is not None:
             pulumi.set(__self__, "iam_groups", iam_groups)
+        if iam_tags is not None:
+            pulumi.set(__self__, "iam_tags", iam_tags)
         if max_sts_ttl is not None:
             pulumi.set(__self__, "max_sts_ttl", max_sts_ttl)
         if name is not None:
@@ -95,6 +114,8 @@ class SecretBackendRoleArgs:
             pulumi.set(__self__, "policy_document", policy_document)
         if role_arns is not None:
             pulumi.set(__self__, "role_arns", role_arns)
+        if session_tags is not None:
+            pulumi.set(__self__, "session_tags", session_tags)
         if user_path is not None:
             pulumi.set(__self__, "user_path", user_path)
 
@@ -141,6 +162,19 @@ class SecretBackendRoleArgs:
     def default_sts_ttl(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "default_sts_ttl", value)
 
+    @property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        External ID to set for assume role creds. 
+        Valid only when `credential_type` is set to `assumed_role`.
+        """
+        return pulumi.get(self, "external_id")
+
+    @external_id.setter
+    def external_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "external_id", value)
+
     @property
     @pulumi.getter(name="iamGroups")
     def iam_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
@@ -158,6 +192,19 @@ class SecretBackendRoleArgs:
     def iam_groups(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "iam_groups", value)
 
+    @property
+    @pulumi.getter(name="iamTags")
+    def iam_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+        """
+        A map of strings representing key/value pairs
+        to be used as tags for any IAM user that is created by this role.
+        """
+        return pulumi.get(self, "iam_tags")
+
+    @iam_tags.setter
+    def iam_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
+        pulumi.set(self, "iam_tags", value)
+
     @property
     @pulumi.getter(name="maxStsTtl")
     def max_sts_ttl(self) -> Optional[pulumi.Input[int]]:
@@ -191,7 +238,7 @@ class SecretBackendRoleArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -263,6 +310,20 @@ class SecretBackendRoleArgs:
     def role_arns(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "role_arns", value)
 
+    @property
+    @pulumi.getter(name="sessionTags")
+    def session_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+        """
+        A map of strings representing key/value pairs to be set
+        during assume role creds creation. Valid only when `credential_type` is set to
+        `assumed_role`.
+        """
+        return pulumi.get(self, "session_tags")
+
+    @session_tags.setter
+    def session_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
+        pulumi.set(self, "session_tags", value)
+
     @property
     @pulumi.getter(name="userPath")
     def user_path(self) -> Optional[pulumi.Input[str]]:
@@ -283,7 +344,9 @@ class _SecretBackendRoleState:
                  backend: Optional[pulumi.Input[str]] = None,
                  credential_type: Optional[pulumi.Input[str]] = None,
                  default_sts_ttl: Optional[pulumi.Input[int]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
                  iam_groups: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 iam_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  max_sts_ttl: Optional[pulumi.Input[int]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
@@ -291,6 +354,7 @@ class _SecretBackendRoleState:
                  policy_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  policy_document: Optional[pulumi.Input[str]] = None,
                  role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 session_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  user_path: Optional[pulumi.Input[str]] = None):
         """
         Input properties used for looking up and filtering SecretBackendRole resources.
@@ -304,12 +368,16 @@ class _SecretBackendRoleState:
                and a default TTL is specified on the role,
                then this default TTL will be used. Valid only when `credential_type` is one of
                `assumed_role` or `federation_token`.
+        :param pulumi.Input[str] external_id: External ID to set for assume role creds. 
+               Valid only when `credential_type` is set to `assumed_role`.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] iam_groups: A list of IAM group names. IAM users generated
                against this vault role will be added to these IAM Groups. For a credential
                type of `assumed_role` or `federation_token`, the policies sent to the
                corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the
                policies from each group in `iam_groups` combined with the `policy_document`
                and `policy_arns` parameters.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] iam_tags: A map of strings representing key/value pairs
+               to be used as tags for any IAM user that is created by this role.
         :param pulumi.Input[int] max_sts_ttl: The max allowed TTL in seconds for STS credentials
                (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is
                one of `assumed_role` or `federation_token`.
@@ -317,7 +385,7 @@ class _SecretBackendRoleState:
                Must be unique within the backend.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] permissions_boundary_arn: The ARN of the AWS Permissions 
                Boundary to attach to IAM users created in the role. Valid only when
@@ -338,6 +406,9 @@ class _SecretBackendRoleState:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] role_arns: Specifies the ARNs of the AWS roles this Vault role
                is allowed to assume. Required when `credential_type` is `assumed_role` and
                prohibited otherwise.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] session_tags: A map of strings representing key/value pairs to be set
+               during assume role creds creation. Valid only when `credential_type` is set to
+               `assumed_role`.
         :param pulumi.Input[str] user_path: The path for the user name. Valid only when 
                `credential_type` is `iam_user`. Default is `/`.
         """
@@ -347,8 +418,12 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "credential_type", credential_type)
         if default_sts_ttl is not None:
             pulumi.set(__self__, "default_sts_ttl", default_sts_ttl)
+        if external_id is not None:
+            pulumi.set(__self__, "external_id", external_id)
         if iam_groups is not None:
             pulumi.set(__self__, "iam_groups", iam_groups)
+        if iam_tags is not None:
+            pulumi.set(__self__, "iam_tags", iam_tags)
         if max_sts_ttl is not None:
             pulumi.set(__self__, "max_sts_ttl", max_sts_ttl)
         if name is not None:
@@ -363,6 +438,8 @@ class _SecretBackendRoleState:
             pulumi.set(__self__, "policy_document", policy_document)
         if role_arns is not None:
             pulumi.set(__self__, "role_arns", role_arns)
+        if session_tags is not None:
+            pulumi.set(__self__, "session_tags", session_tags)
         if user_path is not None:
             pulumi.set(__self__, "user_path", user_path)
 
@@ -409,6 +486,19 @@ class _SecretBackendRoleState:
     def default_sts_ttl(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "default_sts_ttl", value)
 
+    @property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        External ID to set for assume role creds. 
+        Valid only when `credential_type` is set to `assumed_role`.
+        """
+        return pulumi.get(self, "external_id")
+
+    @external_id.setter
+    def external_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "external_id", value)
+
     @property
     @pulumi.getter(name="iamGroups")
     def iam_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
@@ -426,6 +516,19 @@ class _SecretBackendRoleState:
     def iam_groups(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "iam_groups", value)
 
+    @property
+    @pulumi.getter(name="iamTags")
+    def iam_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+        """
+        A map of strings representing key/value pairs
+        to be used as tags for any IAM user that is created by this role.
+        """
+        return pulumi.get(self, "iam_tags")
+
+    @iam_tags.setter
+    def iam_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
+        pulumi.set(self, "iam_tags", value)
+
     @property
     @pulumi.getter(name="maxStsTtl")
     def max_sts_ttl(self) -> Optional[pulumi.Input[int]]:
@@ -459,7 +562,7 @@ class _SecretBackendRoleState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -531,6 +634,20 @@ class _SecretBackendRoleState:
     def role_arns(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "role_arns", value)
 
+    @property
+    @pulumi.getter(name="sessionTags")
+    def session_tags(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
+        """
+        A map of strings representing key/value pairs to be set
+        during assume role creds creation. Valid only when `credential_type` is set to
+        `assumed_role`.
+        """
+        return pulumi.get(self, "session_tags")
+
+    @session_tags.setter
+    def session_tags(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
+        pulumi.set(self, "session_tags", value)
+
     @property
     @pulumi.getter(name="userPath")
     def user_path(self) -> Optional[pulumi.Input[str]]:
@@ -553,7 +670,9 @@ class SecretBackendRole(pulumi.CustomResource):
                  backend: Optional[pulumi.Input[str]] = None,
                  credential_type: Optional[pulumi.Input[str]] = None,
                  default_sts_ttl: Optional[pulumi.Input[int]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
                  iam_groups: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 iam_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  max_sts_ttl: Optional[pulumi.Input[int]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
@@ -561,12 +680,12 @@ class SecretBackendRole(pulumi.CustomResource):
                  policy_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  policy_document: Optional[pulumi.Input[str]] = None,
                  role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 session_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  user_path: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         """
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -576,6 +695,7 @@ class SecretBackendRole(pulumi.CustomResource):
             secret_key="AWS secret key")
         role = vault.aws.SecretBackendRole("role",
             backend=aws.path,
+            name="deploy",
             credential_type="iam_user",
             policy_document=\"\"\"{
           "Version": "2012-10-17",
@@ -589,7 +709,6 @@ class SecretBackendRole(pulumi.CustomResource):
         }
         \"\"\")
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -611,12 +730,16 @@ class SecretBackendRole(pulumi.CustomResource):
                and a default TTL is specified on the role,
                then this default TTL will be used. Valid only when `credential_type` is one of
                `assumed_role` or `federation_token`.
+        :param pulumi.Input[str] external_id: External ID to set for assume role creds. 
+               Valid only when `credential_type` is set to `assumed_role`.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] iam_groups: A list of IAM group names. IAM users generated
                against this vault role will be added to these IAM Groups. For a credential
                type of `assumed_role` or `federation_token`, the policies sent to the
                corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the
                policies from each group in `iam_groups` combined with the `policy_document`
                and `policy_arns` parameters.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] iam_tags: A map of strings representing key/value pairs
+               to be used as tags for any IAM user that is created by this role.
         :param pulumi.Input[int] max_sts_ttl: The max allowed TTL in seconds for STS credentials
                (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is
                one of `assumed_role` or `federation_token`.
@@ -624,7 +747,7 @@ class SecretBackendRole(pulumi.CustomResource):
                Must be unique within the backend.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] permissions_boundary_arn: The ARN of the AWS Permissions 
                Boundary to attach to IAM users created in the role. Valid only when
@@ -645,6 +768,9 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] role_arns: Specifies the ARNs of the AWS roles this Vault role
                is allowed to assume. Required when `credential_type` is `assumed_role` and
                prohibited otherwise.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] session_tags: A map of strings representing key/value pairs to be set
+               during assume role creds creation. Valid only when `credential_type` is set to
+               `assumed_role`.
         :param pulumi.Input[str] user_path: The path for the user name. Valid only when 
                `credential_type` is `iam_user`. Default is `/`.
         """
@@ -657,7 +783,6 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         ## Example Usage
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -667,6 +792,7 @@ class SecretBackendRole(pulumi.CustomResource):
             secret_key="AWS secret key")
         role = vault.aws.SecretBackendRole("role",
             backend=aws.path,
+            name="deploy",
             credential_type="iam_user",
             policy_document=\"\"\"{
           "Version": "2012-10-17",
@@ -680,7 +806,6 @@ class SecretBackendRole(pulumi.CustomResource):
         }
         \"\"\")
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -708,7 +833,9 @@ class SecretBackendRole(pulumi.CustomResource):
                  backend: Optional[pulumi.Input[str]] = None,
                  credential_type: Optional[pulumi.Input[str]] = None,
                  default_sts_ttl: Optional[pulumi.Input[int]] = None,
+                 external_id: Optional[pulumi.Input[str]] = None,
                  iam_groups: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 iam_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  max_sts_ttl: Optional[pulumi.Input[int]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
@@ -716,6 +843,7 @@ class SecretBackendRole(pulumi.CustomResource):
                  policy_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  policy_document: Optional[pulumi.Input[str]] = None,
                  role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 session_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  user_path: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
@@ -733,7 +861,9 @@ class SecretBackendRole(pulumi.CustomResource):
                 raise TypeError("Missing required property 'credential_type'")
             __props__.__dict__["credential_type"] = credential_type
             __props__.__dict__["default_sts_ttl"] = default_sts_ttl
+            __props__.__dict__["external_id"] = external_id
             __props__.__dict__["iam_groups"] = iam_groups
+            __props__.__dict__["iam_tags"] = iam_tags
             __props__.__dict__["max_sts_ttl"] = max_sts_ttl
             __props__.__dict__["name"] = name
             __props__.__dict__["namespace"] = namespace
@@ -741,6 +871,7 @@ class SecretBackendRole(pulumi.CustomResource):
             __props__.__dict__["policy_arns"] = policy_arns
             __props__.__dict__["policy_document"] = policy_document
             __props__.__dict__["role_arns"] = role_arns
+            __props__.__dict__["session_tags"] = session_tags
             __props__.__dict__["user_path"] = user_path
         super(SecretBackendRole, __self__).__init__(
             'vault:aws/secretBackendRole:SecretBackendRole',
@@ -755,7 +886,9 @@ class SecretBackendRole(pulumi.CustomResource):
             backend: Optional[pulumi.Input[str]] = None,
             credential_type: Optional[pulumi.Input[str]] = None,
             default_sts_ttl: Optional[pulumi.Input[int]] = None,
+            external_id: Optional[pulumi.Input[str]] = None,
             iam_groups: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+            iam_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             max_sts_ttl: Optional[pulumi.Input[int]] = None,
             name: Optional[pulumi.Input[str]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
@@ -763,6 +896,7 @@ class SecretBackendRole(pulumi.CustomResource):
             policy_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             policy_document: Optional[pulumi.Input[str]] = None,
             role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+            session_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             user_path: Optional[pulumi.Input[str]] = None) -> 'SecretBackendRole':
         """
         Get an existing SecretBackendRole resource's state with the given name, id, and optional extra
@@ -781,12 +915,16 @@ class SecretBackendRole(pulumi.CustomResource):
                and a default TTL is specified on the role,
                then this default TTL will be used. Valid only when `credential_type` is one of
                `assumed_role` or `federation_token`.
+        :param pulumi.Input[str] external_id: External ID to set for assume role creds. 
+               Valid only when `credential_type` is set to `assumed_role`.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] iam_groups: A list of IAM group names. IAM users generated
                against this vault role will be added to these IAM Groups. For a credential
                type of `assumed_role` or `federation_token`, the policies sent to the
                corresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the
                policies from each group in `iam_groups` combined with the `policy_document`
                and `policy_arns` parameters.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] iam_tags: A map of strings representing key/value pairs
+               to be used as tags for any IAM user that is created by this role.
         :param pulumi.Input[int] max_sts_ttl: The max allowed TTL in seconds for STS credentials
                (credentials TTL are capped to `max_sts_ttl`). Valid only when `credential_type` is
                one of `assumed_role` or `federation_token`.
@@ -794,7 +932,7 @@ class SecretBackendRole(pulumi.CustomResource):
                Must be unique within the backend.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] permissions_boundary_arn: The ARN of the AWS Permissions 
                Boundary to attach to IAM users created in the role. Valid only when
@@ -815,6 +953,9 @@ class SecretBackendRole(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] role_arns: Specifies the ARNs of the AWS roles this Vault role
                is allowed to assume. Required when `credential_type` is `assumed_role` and
                prohibited otherwise.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] session_tags: A map of strings representing key/value pairs to be set
+               during assume role creds creation. Valid only when `credential_type` is set to
+               `assumed_role`.
         :param pulumi.Input[str] user_path: The path for the user name. Valid only when 
                `credential_type` is `iam_user`. Default is `/`.
         """
@@ -825,7 +966,9 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["backend"] = backend
         __props__.__dict__["credential_type"] = credential_type
         __props__.__dict__["default_sts_ttl"] = default_sts_ttl
+        __props__.__dict__["external_id"] = external_id
         __props__.__dict__["iam_groups"] = iam_groups
+        __props__.__dict__["iam_tags"] = iam_tags
         __props__.__dict__["max_sts_ttl"] = max_sts_ttl
         __props__.__dict__["name"] = name
         __props__.__dict__["namespace"] = namespace
@@ -833,6 +976,7 @@ class SecretBackendRole(pulumi.CustomResource):
         __props__.__dict__["policy_arns"] = policy_arns
         __props__.__dict__["policy_document"] = policy_document
         __props__.__dict__["role_arns"] = role_arns
+        __props__.__dict__["session_tags"] = session_tags
         __props__.__dict__["user_path"] = user_path
         return SecretBackendRole(resource_name, opts=opts, __props__=__props__)
 
@@ -867,6 +1011,15 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "default_sts_ttl")
 
+    @property
+    @pulumi.getter(name="externalId")
+    def external_id(self) -> pulumi.Output[Optional[str]]:
+        """
+        External ID to set for assume role creds. 
+        Valid only when `credential_type` is set to `assumed_role`.
+        """
+        return pulumi.get(self, "external_id")
+
     @property
     @pulumi.getter(name="iamGroups")
     def iam_groups(self) -> pulumi.Output[Optional[Sequence[str]]]:
@@ -880,6 +1033,15 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "iam_groups")
 
+    @property
+    @pulumi.getter(name="iamTags")
+    def iam_tags(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
+        """
+        A map of strings representing key/value pairs
+        to be used as tags for any IAM user that is created by this role.
+        """
+        return pulumi.get(self, "iam_tags")
+
     @property
     @pulumi.getter(name="maxStsTtl")
     def max_sts_ttl(self) -> pulumi.Output[int]:
@@ -905,7 +1067,7 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -957,6 +1119,16 @@ class SecretBackendRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "role_arns")
 
+    @property
+    @pulumi.getter(name="sessionTags")
+    def session_tags(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
+        """
+        A map of strings representing key/value pairs to be set
+        during assume role creds creation. Valid only when `credential_type` is set to
+        `assumed_role`.
+        """
+        return pulumi.get(self, "session_tags")
+
     @property
     @pulumi.getter(name="userPath")
     def user_path(self) -> pulumi.Output[Optional[str]]: