pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736850018__py3-none-any.whl
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +22 -7
- pulumi_vault/ad/secret_backend.py +14 -144
- pulumi_vault/ad/secret_library.py +14 -11
- pulumi_vault/ad/secret_role.py +12 -11
- pulumi_vault/alicloud/auth_backend_role.py +74 -192
- pulumi_vault/approle/auth_backend_login.py +12 -11
- pulumi_vault/approle/auth_backend_role.py +75 -193
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
- pulumi_vault/audit.py +24 -27
- pulumi_vault/audit_request_header.py +11 -6
- pulumi_vault/auth_backend.py +64 -12
- pulumi_vault/aws/auth_backend_cert.py +12 -7
- pulumi_vault/aws/auth_backend_client.py +265 -24
- pulumi_vault/aws/auth_backend_config_identity.py +12 -11
- pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +75 -193
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
- pulumi_vault/aws/auth_backend_sts_role.py +12 -11
- pulumi_vault/aws/get_access_credentials.py +34 -7
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +75 -7
- pulumi_vault/aws/secret_backend_role.py +183 -11
- pulumi_vault/aws/secret_backend_static_role.py +14 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +151 -17
- pulumi_vault/azure/auth_backend_role.py +75 -193
- pulumi_vault/azure/backend.py +223 -29
- pulumi_vault/azure/backend_role.py +42 -41
- pulumi_vault/azure/get_access_credentials.py +39 -11
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -271
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +22 -25
- pulumi_vault/consul/secret_backend_role.py +14 -80
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +117 -114
- pulumi_vault/database/secret_backend_role.py +29 -24
- pulumi_vault/database/secret_backend_static_role.py +85 -15
- pulumi_vault/database/secrets_mount.py +425 -138
- pulumi_vault/egp_policy.py +16 -15
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +248 -35
- pulumi_vault/gcp/auth_backend_role.py +75 -271
- pulumi_vault/gcp/get_auth_backend_role.py +43 -9
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -16
- pulumi_vault/gcp/secret_impersonated_account.py +74 -17
- pulumi_vault/gcp/secret_roleset.py +29 -26
- pulumi_vault/gcp/secret_static_account.py +37 -34
- pulumi_vault/generic/endpoint.py +22 -21
- pulumi_vault/generic/get_secret.py +68 -12
- pulumi_vault/generic/secret.py +19 -14
- pulumi_vault/get_auth_backend.py +24 -11
- pulumi_vault/get_auth_backends.py +33 -11
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -15
- pulumi_vault/get_policy_document.py +34 -23
- pulumi_vault/get_raft_autopilot_state.py +29 -14
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +17 -16
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +14 -13
- pulumi_vault/github/user.py +14 -13
- pulumi_vault/identity/entity.py +18 -15
- pulumi_vault/identity/entity_alias.py +18 -15
- pulumi_vault/identity/entity_policies.py +24 -19
- pulumi_vault/identity/get_entity.py +40 -14
- pulumi_vault/identity/get_group.py +45 -13
- pulumi_vault/identity/get_oidc_client_creds.py +21 -11
- pulumi_vault/identity/get_oidc_openid_config.py +39 -13
- pulumi_vault/identity/get_oidc_public_keys.py +29 -14
- pulumi_vault/identity/group.py +50 -49
- pulumi_vault/identity/group_alias.py +14 -11
- pulumi_vault/identity/group_member_entity_ids.py +24 -74
- pulumi_vault/identity/group_member_group_ids.py +36 -27
- pulumi_vault/identity/group_policies.py +16 -15
- pulumi_vault/identity/mfa_duo.py +9 -8
- pulumi_vault/identity/mfa_login_enforcement.py +13 -8
- pulumi_vault/identity/mfa_okta.py +9 -8
- pulumi_vault/identity/mfa_pingid.py +5 -4
- pulumi_vault/identity/mfa_totp.py +5 -4
- pulumi_vault/identity/oidc.py +12 -11
- pulumi_vault/identity/oidc_assignment.py +22 -13
- pulumi_vault/identity/oidc_client.py +34 -25
- pulumi_vault/identity/oidc_key.py +28 -19
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
- pulumi_vault/identity/oidc_provider.py +34 -23
- pulumi_vault/identity/oidc_role.py +40 -27
- pulumi_vault/identity/oidc_scope.py +18 -15
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +39 -46
- pulumi_vault/jwt/auth_backend_role.py +131 -260
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +22 -21
- pulumi_vault/kmip/secret_role.py +12 -11
- pulumi_vault/kmip/secret_scope.py +12 -11
- pulumi_vault/kubernetes/auth_backend_config.py +55 -7
- pulumi_vault/kubernetes/auth_backend_role.py +68 -179
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -15
- pulumi_vault/kubernetes/secret_backend.py +314 -29
- pulumi_vault/kubernetes/secret_backend_role.py +135 -56
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +23 -12
- pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
- pulumi_vault/kv/get_secret_v2.py +89 -9
- pulumi_vault/kv/get_secrets_list.py +22 -15
- pulumi_vault/kv/get_secrets_list_v2.py +35 -19
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +19 -18
- pulumi_vault/kv/secret_backend_v2.py +12 -11
- pulumi_vault/kv/secret_v2.py +55 -52
- pulumi_vault/ldap/auth_backend.py +125 -168
- pulumi_vault/ldap/auth_backend_group.py +12 -11
- pulumi_vault/ldap/auth_backend_user.py +12 -11
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +352 -84
- pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
- pulumi_vault/ldap/secret_backend_library_set.py +14 -11
- pulumi_vault/ldap/secret_backend_static_role.py +67 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +27 -43
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +16 -13
- pulumi_vault/mfa_okta.py +16 -13
- pulumi_vault/mfa_pingid.py +16 -13
- pulumi_vault/mfa_totp.py +22 -19
- pulumi_vault/mongodbatlas/secret_backend.py +18 -17
- pulumi_vault/mongodbatlas/secret_role.py +41 -38
- pulumi_vault/mount.py +389 -65
- pulumi_vault/namespace.py +26 -21
- pulumi_vault/nomad_secret_backend.py +16 -15
- pulumi_vault/nomad_secret_role.py +12 -11
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +483 -41
- pulumi_vault/okta/auth_backend_group.py +12 -11
- pulumi_vault/okta/auth_backend_user.py +12 -11
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +18 -15
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
- pulumi_vault/pkisecret/get_backend_key.py +24 -13
- pulumi_vault/pkisecret/get_backend_keys.py +21 -12
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
- pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
- pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
- pulumi_vault/pkisecret/secret_backend_key.py +12 -7
- pulumi_vault/pkisecret/secret_backend_role.py +19 -16
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +12 -7
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +58 -8
- pulumi_vault/quota_rate_limit.py +54 -4
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +16 -15
- pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
- pulumi_vault/raft_autopilot.py +12 -11
- pulumi_vault/raft_snapshot_agent_config.py +121 -311
- pulumi_vault/rgp_policy.py +14 -13
- pulumi_vault/saml/auth_backend.py +20 -19
- pulumi_vault/saml/auth_backend_role.py +90 -199
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -75
- pulumi_vault/secrets/sync_aws_destination.py +240 -29
- pulumi_vault/secrets/sync_azure_destination.py +90 -33
- pulumi_vault/secrets/sync_config.py +7 -6
- pulumi_vault/secrets/sync_gcp_destination.py +156 -27
- pulumi_vault/secrets/sync_gh_destination.py +187 -15
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +72 -15
- pulumi_vault/ssh/_inputs.py +28 -32
- pulumi_vault/ssh/outputs.py +11 -32
- pulumi_vault/ssh/secret_backend_ca.py +106 -11
- pulumi_vault/ssh/secret_backend_role.py +83 -120
- pulumi_vault/terraformcloud/secret_backend.py +5 -56
- pulumi_vault/terraformcloud/secret_creds.py +14 -24
- pulumi_vault/terraformcloud/secret_role.py +14 -76
- pulumi_vault/token.py +26 -25
- pulumi_vault/tokenauth/auth_backend_role.py +76 -201
- pulumi_vault/transform/alphabet.py +16 -13
- pulumi_vault/transform/get_decode.py +45 -21
- pulumi_vault/transform/get_encode.py +45 -21
- pulumi_vault/transform/role.py +16 -13
- pulumi_vault/transform/template.py +30 -25
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -25
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +25 -97
- pulumi_vault/transit/secret_cache_config.py +12 -11
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736850018.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/top_level.txt +0 -0
pulumi_vault/gcp/auth_backend.py
CHANGED
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
from . import outputs
|
12
17
|
from ._inputs import *
|
@@ -22,11 +27,15 @@ class AuthBackendArgs:
|
|
22
27
|
custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
|
23
28
|
description: Optional[pulumi.Input[str]] = None,
|
24
29
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
30
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
31
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
32
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
25
33
|
local: Optional[pulumi.Input[bool]] = None,
|
26
34
|
namespace: Optional[pulumi.Input[str]] = None,
|
27
35
|
path: Optional[pulumi.Input[str]] = None,
|
28
36
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
29
37
|
project_id: Optional[pulumi.Input[str]] = None,
|
38
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
30
39
|
tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
|
31
40
|
"""
|
32
41
|
The set of arguments for constructing a AuthBackend resource.
|
@@ -43,14 +52,22 @@ class AuthBackendArgs:
|
|
43
52
|
:param pulumi.Input[str] description: A description of the auth method.
|
44
53
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
45
54
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
55
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
56
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
57
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
58
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
59
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
60
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
46
61
|
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
47
62
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
48
63
|
The value should not contain leading or trailing forward slashes.
|
49
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
64
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
50
65
|
*Available only for Vault Enterprise*.
|
51
66
|
:param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
|
52
67
|
:param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
|
53
68
|
:param pulumi.Input[str] project_id: The GCP Project ID
|
69
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
70
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
54
71
|
:param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
|
55
72
|
|
56
73
|
The `tune` block is used to tune the auth backend:
|
@@ -67,6 +84,12 @@ class AuthBackendArgs:
|
|
67
84
|
pulumi.set(__self__, "description", description)
|
68
85
|
if disable_remount is not None:
|
69
86
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
87
|
+
if identity_token_audience is not None:
|
88
|
+
pulumi.set(__self__, "identity_token_audience", identity_token_audience)
|
89
|
+
if identity_token_key is not None:
|
90
|
+
pulumi.set(__self__, "identity_token_key", identity_token_key)
|
91
|
+
if identity_token_ttl is not None:
|
92
|
+
pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
|
70
93
|
if local is not None:
|
71
94
|
pulumi.set(__self__, "local", local)
|
72
95
|
if namespace is not None:
|
@@ -77,6 +100,8 @@ class AuthBackendArgs:
|
|
77
100
|
pulumi.set(__self__, "private_key_id", private_key_id)
|
78
101
|
if project_id is not None:
|
79
102
|
pulumi.set(__self__, "project_id", project_id)
|
103
|
+
if service_account_email is not None:
|
104
|
+
pulumi.set(__self__, "service_account_email", service_account_email)
|
80
105
|
if tune is not None:
|
81
106
|
pulumi.set(__self__, "tune", tune)
|
82
107
|
|
@@ -159,6 +184,45 @@ class AuthBackendArgs:
|
|
159
184
|
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
160
185
|
pulumi.set(self, "disable_remount", value)
|
161
186
|
|
187
|
+
@property
|
188
|
+
@pulumi.getter(name="identityTokenAudience")
|
189
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
190
|
+
"""
|
191
|
+
The audience claim value for plugin identity
|
192
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
193
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
194
|
+
"""
|
195
|
+
return pulumi.get(self, "identity_token_audience")
|
196
|
+
|
197
|
+
@identity_token_audience.setter
|
198
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
199
|
+
pulumi.set(self, "identity_token_audience", value)
|
200
|
+
|
201
|
+
@property
|
202
|
+
@pulumi.getter(name="identityTokenKey")
|
203
|
+
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
204
|
+
"""
|
205
|
+
The key to use for signing plugin identity
|
206
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
207
|
+
"""
|
208
|
+
return pulumi.get(self, "identity_token_key")
|
209
|
+
|
210
|
+
@identity_token_key.setter
|
211
|
+
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
212
|
+
pulumi.set(self, "identity_token_key", value)
|
213
|
+
|
214
|
+
@property
|
215
|
+
@pulumi.getter(name="identityTokenTtl")
|
216
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
217
|
+
"""
|
218
|
+
The TTL of generated tokens.
|
219
|
+
"""
|
220
|
+
return pulumi.get(self, "identity_token_ttl")
|
221
|
+
|
222
|
+
@identity_token_ttl.setter
|
223
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
224
|
+
pulumi.set(self, "identity_token_ttl", value)
|
225
|
+
|
162
226
|
@property
|
163
227
|
@pulumi.getter
|
164
228
|
def local(self) -> Optional[pulumi.Input[bool]]:
|
@@ -177,7 +241,7 @@ class AuthBackendArgs:
|
|
177
241
|
"""
|
178
242
|
The namespace to provision the resource in.
|
179
243
|
The value should not contain leading or trailing forward slashes.
|
180
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
244
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
181
245
|
*Available only for Vault Enterprise*.
|
182
246
|
"""
|
183
247
|
return pulumi.get(self, "namespace")
|
@@ -222,6 +286,19 @@ class AuthBackendArgs:
|
|
222
286
|
def project_id(self, value: Optional[pulumi.Input[str]]):
|
223
287
|
pulumi.set(self, "project_id", value)
|
224
288
|
|
289
|
+
@property
|
290
|
+
@pulumi.getter(name="serviceAccountEmail")
|
291
|
+
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
292
|
+
"""
|
293
|
+
Service Account to impersonate for plugin workload identity federation.
|
294
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
295
|
+
"""
|
296
|
+
return pulumi.get(self, "service_account_email")
|
297
|
+
|
298
|
+
@service_account_email.setter
|
299
|
+
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
300
|
+
pulumi.set(self, "service_account_email", value)
|
301
|
+
|
225
302
|
@property
|
226
303
|
@pulumi.getter
|
227
304
|
def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
|
@@ -247,11 +324,15 @@ class _AuthBackendState:
|
|
247
324
|
custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
|
248
325
|
description: Optional[pulumi.Input[str]] = None,
|
249
326
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
327
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
328
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
329
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
250
330
|
local: Optional[pulumi.Input[bool]] = None,
|
251
331
|
namespace: Optional[pulumi.Input[str]] = None,
|
252
332
|
path: Optional[pulumi.Input[str]] = None,
|
253
333
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
254
334
|
project_id: Optional[pulumi.Input[str]] = None,
|
335
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
255
336
|
tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
|
256
337
|
"""
|
257
338
|
Input properties used for looking up and filtering AuthBackend resources.
|
@@ -269,14 +350,22 @@ class _AuthBackendState:
|
|
269
350
|
:param pulumi.Input[str] description: A description of the auth method.
|
270
351
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
271
352
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
353
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
354
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
355
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
356
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
357
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
358
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
272
359
|
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
273
360
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
274
361
|
The value should not contain leading or trailing forward slashes.
|
275
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
362
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
276
363
|
*Available only for Vault Enterprise*.
|
277
364
|
:param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
|
278
365
|
:param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
|
279
366
|
:param pulumi.Input[str] project_id: The GCP Project ID
|
367
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
368
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
280
369
|
:param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
|
281
370
|
|
282
371
|
The `tune` block is used to tune the auth backend:
|
@@ -295,6 +384,12 @@ class _AuthBackendState:
|
|
295
384
|
pulumi.set(__self__, "description", description)
|
296
385
|
if disable_remount is not None:
|
297
386
|
pulumi.set(__self__, "disable_remount", disable_remount)
|
387
|
+
if identity_token_audience is not None:
|
388
|
+
pulumi.set(__self__, "identity_token_audience", identity_token_audience)
|
389
|
+
if identity_token_key is not None:
|
390
|
+
pulumi.set(__self__, "identity_token_key", identity_token_key)
|
391
|
+
if identity_token_ttl is not None:
|
392
|
+
pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
|
298
393
|
if local is not None:
|
299
394
|
pulumi.set(__self__, "local", local)
|
300
395
|
if namespace is not None:
|
@@ -305,6 +400,8 @@ class _AuthBackendState:
|
|
305
400
|
pulumi.set(__self__, "private_key_id", private_key_id)
|
306
401
|
if project_id is not None:
|
307
402
|
pulumi.set(__self__, "project_id", project_id)
|
403
|
+
if service_account_email is not None:
|
404
|
+
pulumi.set(__self__, "service_account_email", service_account_email)
|
308
405
|
if tune is not None:
|
309
406
|
pulumi.set(__self__, "tune", tune)
|
310
407
|
|
@@ -399,6 +496,45 @@ class _AuthBackendState:
|
|
399
496
|
def disable_remount(self, value: Optional[pulumi.Input[bool]]):
|
400
497
|
pulumi.set(self, "disable_remount", value)
|
401
498
|
|
499
|
+
@property
|
500
|
+
@pulumi.getter(name="identityTokenAudience")
|
501
|
+
def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
|
502
|
+
"""
|
503
|
+
The audience claim value for plugin identity
|
504
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
505
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
506
|
+
"""
|
507
|
+
return pulumi.get(self, "identity_token_audience")
|
508
|
+
|
509
|
+
@identity_token_audience.setter
|
510
|
+
def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
|
511
|
+
pulumi.set(self, "identity_token_audience", value)
|
512
|
+
|
513
|
+
@property
|
514
|
+
@pulumi.getter(name="identityTokenKey")
|
515
|
+
def identity_token_key(self) -> Optional[pulumi.Input[str]]:
|
516
|
+
"""
|
517
|
+
The key to use for signing plugin identity
|
518
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
519
|
+
"""
|
520
|
+
return pulumi.get(self, "identity_token_key")
|
521
|
+
|
522
|
+
@identity_token_key.setter
|
523
|
+
def identity_token_key(self, value: Optional[pulumi.Input[str]]):
|
524
|
+
pulumi.set(self, "identity_token_key", value)
|
525
|
+
|
526
|
+
@property
|
527
|
+
@pulumi.getter(name="identityTokenTtl")
|
528
|
+
def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
|
529
|
+
"""
|
530
|
+
The TTL of generated tokens.
|
531
|
+
"""
|
532
|
+
return pulumi.get(self, "identity_token_ttl")
|
533
|
+
|
534
|
+
@identity_token_ttl.setter
|
535
|
+
def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
|
536
|
+
pulumi.set(self, "identity_token_ttl", value)
|
537
|
+
|
402
538
|
@property
|
403
539
|
@pulumi.getter
|
404
540
|
def local(self) -> Optional[pulumi.Input[bool]]:
|
@@ -417,7 +553,7 @@ class _AuthBackendState:
|
|
417
553
|
"""
|
418
554
|
The namespace to provision the resource in.
|
419
555
|
The value should not contain leading or trailing forward slashes.
|
420
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
556
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
421
557
|
*Available only for Vault Enterprise*.
|
422
558
|
"""
|
423
559
|
return pulumi.get(self, "namespace")
|
@@ -462,6 +598,19 @@ class _AuthBackendState:
|
|
462
598
|
def project_id(self, value: Optional[pulumi.Input[str]]):
|
463
599
|
pulumi.set(self, "project_id", value)
|
464
600
|
|
601
|
+
@property
|
602
|
+
@pulumi.getter(name="serviceAccountEmail")
|
603
|
+
def service_account_email(self) -> Optional[pulumi.Input[str]]:
|
604
|
+
"""
|
605
|
+
Service Account to impersonate for plugin workload identity federation.
|
606
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
607
|
+
"""
|
608
|
+
return pulumi.get(self, "service_account_email")
|
609
|
+
|
610
|
+
@service_account_email.setter
|
611
|
+
def service_account_email(self, value: Optional[pulumi.Input[str]]):
|
612
|
+
pulumi.set(self, "service_account_email", value)
|
613
|
+
|
465
614
|
@property
|
466
615
|
@pulumi.getter
|
467
616
|
def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
|
@@ -485,36 +634,36 @@ class AuthBackend(pulumi.CustomResource):
|
|
485
634
|
client_email: Optional[pulumi.Input[str]] = None,
|
486
635
|
client_id: Optional[pulumi.Input[str]] = None,
|
487
636
|
credentials: Optional[pulumi.Input[str]] = None,
|
488
|
-
custom_endpoint: Optional[pulumi.Input[
|
637
|
+
custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
|
489
638
|
description: Optional[pulumi.Input[str]] = None,
|
490
639
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
640
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
641
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
642
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
491
643
|
local: Optional[pulumi.Input[bool]] = None,
|
492
644
|
namespace: Optional[pulumi.Input[str]] = None,
|
493
645
|
path: Optional[pulumi.Input[str]] = None,
|
494
646
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
495
647
|
project_id: Optional[pulumi.Input[str]] = None,
|
496
|
-
|
648
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
649
|
+
tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
|
497
650
|
__props__=None):
|
498
651
|
"""
|
499
652
|
Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).
|
500
653
|
|
501
654
|
## Example Usage
|
502
655
|
|
503
|
-
|
656
|
+
You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
|
504
657
|
```python
|
505
658
|
import pulumi
|
506
659
|
import pulumi_vault as vault
|
507
660
|
|
508
661
|
gcp = vault.gcp.AuthBackend("gcp",
|
509
|
-
|
510
|
-
|
511
|
-
|
512
|
-
|
513
|
-
crm="cloudresourcemanager.googleapis.com",
|
514
|
-
compute="compute.googleapis.com",
|
515
|
-
))
|
662
|
+
identity_token_key="example-key",
|
663
|
+
identity_token_ttl=1800,
|
664
|
+
identity_token_audience="<TOKEN_AUDIENCE>",
|
665
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>")
|
516
666
|
```
|
517
|
-
<!--End PulumiCodeChooser -->
|
518
667
|
|
519
668
|
## Import
|
520
669
|
|
@@ -529,7 +678,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
529
678
|
:param pulumi.Input[str] client_email: The clients email associated with the credentials
|
530
679
|
:param pulumi.Input[str] client_id: The Client ID of the credentials
|
531
680
|
:param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
|
532
|
-
:param pulumi.Input[
|
681
|
+
:param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
|
533
682
|
[service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
|
534
683
|
used when making API requests. This allows specific requests made during authentication
|
535
684
|
to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
|
@@ -539,15 +688,23 @@ class AuthBackend(pulumi.CustomResource):
|
|
539
688
|
:param pulumi.Input[str] description: A description of the auth method.
|
540
689
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
541
690
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
691
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
692
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
693
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
694
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
695
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
696
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
542
697
|
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
543
698
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
544
699
|
The value should not contain leading or trailing forward slashes.
|
545
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
700
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
546
701
|
*Available only for Vault Enterprise*.
|
547
702
|
:param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
|
548
703
|
:param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
|
549
704
|
:param pulumi.Input[str] project_id: The GCP Project ID
|
550
|
-
:param pulumi.Input[
|
705
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
706
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
707
|
+
:param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
|
551
708
|
|
552
709
|
The `tune` block is used to tune the auth backend:
|
553
710
|
"""
|
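Review bot: The new `identity_token_ttl` entry in this parameter list reads only "The TTL of generated tokens." and names no unit, although the example above it passes `identity_token_ttl=1800`. For a lifetime on signed identity tokens the unit should be explicit; if the integer is seconds, as the example suggests, the line could read `:param pulumi.Input[int] identity_token_ttl: The TTL of generated plugin identity tokens, in seconds.` The same one-line text is repeated in the `get()` docstring (`@@ -681,15 +846,23 @@`) and on the `identity_token_ttl` property added in `@@ -775,6 +952,33 @@`. The docstring opens outside this hunk.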
@@ -562,21 +719,17 @@ class AuthBackend(pulumi.CustomResource):
|
|
562
719
|
|
563
720
|
## Example Usage
|
564
721
|
|
565
|
-
|
722
|
+
You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
|
566
723
|
```python
|
567
724
|
import pulumi
|
568
725
|
import pulumi_vault as vault
|
569
726
|
|
570
727
|
gcp = vault.gcp.AuthBackend("gcp",
|
571
|
-
|
572
|
-
|
573
|
-
|
574
|
-
|
575
|
-
crm="cloudresourcemanager.googleapis.com",
|
576
|
-
compute="compute.googleapis.com",
|
577
|
-
))
|
728
|
+
identity_token_key="example-key",
|
729
|
+
identity_token_ttl=1800,
|
730
|
+
identity_token_audience="<TOKEN_AUDIENCE>",
|
731
|
+
service_account_email="<SERVICE_ACCOUNT_EMAIL>")
|
578
732
|
```
|
579
|
-
<!--End PulumiCodeChooser -->
|
580
733
|
|
581
734
|
## Import
|
582
735
|
|
@@ -604,15 +757,19 @@ class AuthBackend(pulumi.CustomResource):
|
|
604
757
|
client_email: Optional[pulumi.Input[str]] = None,
|
605
758
|
client_id: Optional[pulumi.Input[str]] = None,
|
606
759
|
credentials: Optional[pulumi.Input[str]] = None,
|
607
|
-
custom_endpoint: Optional[pulumi.Input[
|
760
|
+
custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
|
608
761
|
description: Optional[pulumi.Input[str]] = None,
|
609
762
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
763
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
764
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
765
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
610
766
|
local: Optional[pulumi.Input[bool]] = None,
|
611
767
|
namespace: Optional[pulumi.Input[str]] = None,
|
612
768
|
path: Optional[pulumi.Input[str]] = None,
|
613
769
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
614
770
|
project_id: Optional[pulumi.Input[str]] = None,
|
615
|
-
|
771
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
772
|
+
tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
|
616
773
|
__props__=None):
|
617
774
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
618
775
|
if not isinstance(opts, pulumi.ResourceOptions):
|
@@ -628,11 +785,15 @@ class AuthBackend(pulumi.CustomResource):
|
|
628
785
|
__props__.__dict__["custom_endpoint"] = custom_endpoint
|
629
786
|
__props__.__dict__["description"] = description
|
630
787
|
__props__.__dict__["disable_remount"] = disable_remount
|
788
|
+
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
789
|
+
__props__.__dict__["identity_token_key"] = identity_token_key
|
790
|
+
__props__.__dict__["identity_token_ttl"] = identity_token_ttl
|
631
791
|
__props__.__dict__["local"] = local
|
632
792
|
__props__.__dict__["namespace"] = namespace
|
633
793
|
__props__.__dict__["path"] = path
|
634
794
|
__props__.__dict__["private_key_id"] = private_key_id
|
635
795
|
__props__.__dict__["project_id"] = project_id
|
796
|
+
__props__.__dict__["service_account_email"] = service_account_email
|
636
797
|
__props__.__dict__["tune"] = tune
|
637
798
|
__props__.__dict__["accessor"] = None
|
638
799
|
secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
|
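Review bot: The added assignments for `identity_token_audience` and `service_account_email` store whatever the caller passed, and nothing visible in this hunk checks the two constraints the docstrings state ("Mutually exclusive with `credentials`", "Required with `identity_token_audience`"). Presumably the provider or Vault rejects a conflicting configuration, but the WIF fields exist for a secret-less setup, so a leftover `credentials` value should fail loudly rather than depend on behaviour not shown here. A comment above the new lines would make the contract visible, for example `# identity_token_audience conflicts with credentials and needs service_account_email; not validated here`. The method body starts and ends outside this hunk, so a check may exist in lines not shown; the matching assignments in `get()` are in `@@ -704,11 +877,15 @@`.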
@@ -651,15 +812,19 @@ class AuthBackend(pulumi.CustomResource):
|
|
651
812
|
client_email: Optional[pulumi.Input[str]] = None,
|
652
813
|
client_id: Optional[pulumi.Input[str]] = None,
|
653
814
|
credentials: Optional[pulumi.Input[str]] = None,
|
654
|
-
custom_endpoint: Optional[pulumi.Input[
|
815
|
+
custom_endpoint: Optional[pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']]] = None,
|
655
816
|
description: Optional[pulumi.Input[str]] = None,
|
656
817
|
disable_remount: Optional[pulumi.Input[bool]] = None,
|
818
|
+
identity_token_audience: Optional[pulumi.Input[str]] = None,
|
819
|
+
identity_token_key: Optional[pulumi.Input[str]] = None,
|
820
|
+
identity_token_ttl: Optional[pulumi.Input[int]] = None,
|
657
821
|
local: Optional[pulumi.Input[bool]] = None,
|
658
822
|
namespace: Optional[pulumi.Input[str]] = None,
|
659
823
|
path: Optional[pulumi.Input[str]] = None,
|
660
824
|
private_key_id: Optional[pulumi.Input[str]] = None,
|
661
825
|
project_id: Optional[pulumi.Input[str]] = None,
|
662
|
-
|
826
|
+
service_account_email: Optional[pulumi.Input[str]] = None,
|
827
|
+
tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None) -> 'AuthBackend':
|
663
828
|
"""
|
664
829
|
Get an existing AuthBackend resource's state with the given name, id, and optional extra
|
665
830
|
properties used to qualify the lookup.
|
@@ -671,7 +836,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
671
836
|
:param pulumi.Input[str] client_email: The clients email associated with the credentials
|
672
837
|
:param pulumi.Input[str] client_id: The Client ID of the credentials
|
673
838
|
:param pulumi.Input[str] credentials: A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
|
674
|
-
:param pulumi.Input[
|
839
|
+
:param pulumi.Input[Union['AuthBackendCustomEndpointArgs', 'AuthBackendCustomEndpointArgsDict']] custom_endpoint: Specifies overrides to
|
675
840
|
[service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
|
676
841
|
used when making API requests. This allows specific requests made during authentication
|
677
842
|
to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
|
@@ -681,15 +846,23 @@ class AuthBackend(pulumi.CustomResource):
|
|
681
846
|
:param pulumi.Input[str] description: A description of the auth method.
|
682
847
|
:param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
|
683
848
|
See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
|
849
|
+
:param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
|
850
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
851
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
852
|
+
:param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
|
853
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
854
|
+
:param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
|
684
855
|
:param pulumi.Input[bool] local: Specifies if the auth method is local only.
|
685
856
|
:param pulumi.Input[str] namespace: The namespace to provision the resource in.
|
686
857
|
The value should not contain leading or trailing forward slashes.
|
687
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
858
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
688
859
|
*Available only for Vault Enterprise*.
|
689
860
|
:param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
|
690
861
|
:param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
|
691
862
|
:param pulumi.Input[str] project_id: The GCP Project ID
|
692
|
-
:param pulumi.Input[
|
863
|
+
:param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
|
864
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
865
|
+
:param pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']] tune: Extra configuration block. Structure is documented below.
|
693
866
|
|
694
867
|
The `tune` block is used to tune the auth backend:
|
695
868
|
"""
|
@@ -704,11 +877,15 @@ class AuthBackend(pulumi.CustomResource):
|
|
704
877
|
__props__.__dict__["custom_endpoint"] = custom_endpoint
|
705
878
|
__props__.__dict__["description"] = description
|
706
879
|
__props__.__dict__["disable_remount"] = disable_remount
|
880
|
+
__props__.__dict__["identity_token_audience"] = identity_token_audience
|
881
|
+
__props__.__dict__["identity_token_key"] = identity_token_key
|
882
|
+
__props__.__dict__["identity_token_ttl"] = identity_token_ttl
|
707
883
|
__props__.__dict__["local"] = local
|
708
884
|
__props__.__dict__["namespace"] = namespace
|
709
885
|
__props__.__dict__["path"] = path
|
710
886
|
__props__.__dict__["private_key_id"] = private_key_id
|
711
887
|
__props__.__dict__["project_id"] = project_id
|
888
|
+
__props__.__dict__["service_account_email"] = service_account_email
|
712
889
|
__props__.__dict__["tune"] = tune
|
713
890
|
return AuthBackend(resource_name, opts=opts, __props__=__props__)
|
714
891
|
|
@@ -775,6 +952,33 @@ class AuthBackend(pulumi.CustomResource):
|
|
775
952
|
"""
|
776
953
|
return pulumi.get(self, "disable_remount")
|
777
954
|
|
955
|
+
@property
|
956
|
+
@pulumi.getter(name="identityTokenAudience")
|
957
|
+
def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
|
958
|
+
"""
|
959
|
+
The audience claim value for plugin identity
|
960
|
+
tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
|
961
|
+
Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
962
|
+
"""
|
963
|
+
return pulumi.get(self, "identity_token_audience")
|
964
|
+
|
965
|
+
@property
|
966
|
+
@pulumi.getter(name="identityTokenKey")
|
967
|
+
def identity_token_key(self) -> pulumi.Output[Optional[str]]:
|
968
|
+
"""
|
969
|
+
The key to use for signing plugin identity
|
970
|
+
tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
971
|
+
"""
|
972
|
+
return pulumi.get(self, "identity_token_key")
|
973
|
+
|
974
|
+
@property
|
975
|
+
@pulumi.getter(name="identityTokenTtl")
|
976
|
+
def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
|
977
|
+
"""
|
978
|
+
The TTL of generated tokens.
|
979
|
+
"""
|
980
|
+
return pulumi.get(self, "identity_token_ttl")
|
981
|
+
|
778
982
|
@property
|
779
983
|
@pulumi.getter
|
780
984
|
def local(self) -> pulumi.Output[Optional[bool]]:
|
@@ -789,7 +993,7 @@ class AuthBackend(pulumi.CustomResource):
|
|
789
993
|
"""
|
790
994
|
The namespace to provision the resource in.
|
791
995
|
The value should not contain leading or trailing forward slashes.
|
792
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
996
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
793
997
|
*Available only for Vault Enterprise*.
|
794
998
|
"""
|
795
999
|
return pulumi.get(self, "namespace")
|
@@ -818,6 +1022,15 @@ class AuthBackend(pulumi.CustomResource):
|
|
818
1022
|
"""
|
819
1023
|
return pulumi.get(self, "project_id")
|
820
1024
|
|
1025
|
+
@property
|
1026
|
+
@pulumi.getter(name="serviceAccountEmail")
|
1027
|
+
def service_account_email(self) -> pulumi.Output[Optional[str]]:
|
1028
|
+
"""
|
1029
|
+
Service Account to impersonate for plugin workload identity federation.
|
1030
|
+
Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
|
1031
|
+
"""
|
1032
|
+
return pulumi.get(self, "service_account_email")
|
1033
|
+
|
821
1034
|
@property
|
822
1035
|
@pulumi.getter
|
823
1036
|
def tune(self) -> pulumi.Output['outputs.AuthBackendTune']:
|