pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736850018__py3-none-any.whl

Files changed (229) hide show
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +22 -7
  5. pulumi_vault/ad/secret_backend.py +14 -144
  6. pulumi_vault/ad/secret_library.py +14 -11
  7. pulumi_vault/ad/secret_role.py +12 -11
  8. pulumi_vault/alicloud/auth_backend_role.py +74 -192
  9. pulumi_vault/approle/auth_backend_login.py +12 -11
  10. pulumi_vault/approle/auth_backend_role.py +75 -193
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
  13. pulumi_vault/audit.py +24 -27
  14. pulumi_vault/audit_request_header.py +11 -6
  15. pulumi_vault/auth_backend.py +64 -12
  16. pulumi_vault/aws/auth_backend_cert.py +12 -7
  17. pulumi_vault/aws/auth_backend_client.py +265 -24
  18. pulumi_vault/aws/auth_backend_config_identity.py +12 -11
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +75 -193
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
  24. pulumi_vault/aws/auth_backend_sts_role.py +12 -11
  25. pulumi_vault/aws/get_access_credentials.py +34 -7
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +75 -7
  28. pulumi_vault/aws/secret_backend_role.py +183 -11
  29. pulumi_vault/aws/secret_backend_static_role.py +14 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +151 -17
  32. pulumi_vault/azure/auth_backend_role.py +75 -193
  33. pulumi_vault/azure/backend.py +223 -29
  34. pulumi_vault/azure/backend_role.py +42 -41
  35. pulumi_vault/azure/get_access_credentials.py +39 -11
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -271
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +22 -25
  44. pulumi_vault/consul/secret_backend_role.py +14 -80
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +117 -114
  48. pulumi_vault/database/secret_backend_role.py +29 -24
  49. pulumi_vault/database/secret_backend_static_role.py +85 -15
  50. pulumi_vault/database/secrets_mount.py +425 -138
  51. pulumi_vault/egp_policy.py +16 -15
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +248 -35
  54. pulumi_vault/gcp/auth_backend_role.py +75 -271
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -9
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -16
  58. pulumi_vault/gcp/secret_impersonated_account.py +74 -17
  59. pulumi_vault/gcp/secret_roleset.py +29 -26
  60. pulumi_vault/gcp/secret_static_account.py +37 -34
  61. pulumi_vault/generic/endpoint.py +22 -21
  62. pulumi_vault/generic/get_secret.py +68 -12
  63. pulumi_vault/generic/secret.py +19 -14
  64. pulumi_vault/get_auth_backend.py +24 -11
  65. pulumi_vault/get_auth_backends.py +33 -11
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -15
  69. pulumi_vault/get_policy_document.py +34 -23
  70. pulumi_vault/get_raft_autopilot_state.py +29 -14
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +17 -16
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +14 -13
  75. pulumi_vault/github/user.py +14 -13
  76. pulumi_vault/identity/entity.py +18 -15
  77. pulumi_vault/identity/entity_alias.py +18 -15
  78. pulumi_vault/identity/entity_policies.py +24 -19
  79. pulumi_vault/identity/get_entity.py +40 -14
  80. pulumi_vault/identity/get_group.py +45 -13
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -11
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -13
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -14
  84. pulumi_vault/identity/group.py +50 -49
  85. pulumi_vault/identity/group_alias.py +14 -11
  86. pulumi_vault/identity/group_member_entity_ids.py +24 -74
  87. pulumi_vault/identity/group_member_group_ids.py +36 -27
  88. pulumi_vault/identity/group_policies.py +16 -15
  89. pulumi_vault/identity/mfa_duo.py +9 -8
  90. pulumi_vault/identity/mfa_login_enforcement.py +13 -8
  91. pulumi_vault/identity/mfa_okta.py +9 -8
  92. pulumi_vault/identity/mfa_pingid.py +5 -4
  93. pulumi_vault/identity/mfa_totp.py +5 -4
  94. pulumi_vault/identity/oidc.py +12 -11
  95. pulumi_vault/identity/oidc_assignment.py +22 -13
  96. pulumi_vault/identity/oidc_client.py +34 -25
  97. pulumi_vault/identity/oidc_key.py +28 -19
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
  99. pulumi_vault/identity/oidc_provider.py +34 -23
  100. pulumi_vault/identity/oidc_role.py +40 -27
  101. pulumi_vault/identity/oidc_scope.py +18 -15
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +39 -46
  105. pulumi_vault/jwt/auth_backend_role.py +131 -260
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +22 -21
  108. pulumi_vault/kmip/secret_role.py +12 -11
  109. pulumi_vault/kmip/secret_scope.py +12 -11
  110. pulumi_vault/kubernetes/auth_backend_config.py +55 -7
  111. pulumi_vault/kubernetes/auth_backend_role.py +68 -179
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -15
  115. pulumi_vault/kubernetes/secret_backend.py +314 -29
  116. pulumi_vault/kubernetes/secret_backend_role.py +135 -56
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +23 -12
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
  120. pulumi_vault/kv/get_secret_v2.py +89 -9
  121. pulumi_vault/kv/get_secrets_list.py +22 -15
  122. pulumi_vault/kv/get_secrets_list_v2.py +35 -19
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +19 -18
  125. pulumi_vault/kv/secret_backend_v2.py +12 -11
  126. pulumi_vault/kv/secret_v2.py +55 -52
  127. pulumi_vault/ldap/auth_backend.py +125 -168
  128. pulumi_vault/ldap/auth_backend_group.py +12 -11
  129. pulumi_vault/ldap/auth_backend_user.py +12 -11
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +352 -84
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +14 -11
  135. pulumi_vault/ldap/secret_backend_static_role.py +67 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +27 -43
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +16 -13
  140. pulumi_vault/mfa_okta.py +16 -13
  141. pulumi_vault/mfa_pingid.py +16 -13
  142. pulumi_vault/mfa_totp.py +22 -19
  143. pulumi_vault/mongodbatlas/secret_backend.py +18 -17
  144. pulumi_vault/mongodbatlas/secret_role.py +41 -38
  145. pulumi_vault/mount.py +389 -65
  146. pulumi_vault/namespace.py +26 -21
  147. pulumi_vault/nomad_secret_backend.py +16 -15
  148. pulumi_vault/nomad_secret_role.py +12 -11
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +483 -41
  151. pulumi_vault/okta/auth_backend_group.py +12 -11
  152. pulumi_vault/okta/auth_backend_user.py +12 -11
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +18 -15
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -13
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -12
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
  174. pulumi_vault/pkisecret/secret_backend_key.py +12 -7
  175. pulumi_vault/pkisecret/secret_backend_role.py +19 -16
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +12 -7
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +58 -8
  185. pulumi_vault/quota_rate_limit.py +54 -4
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +16 -15
  189. pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
  190. pulumi_vault/raft_autopilot.py +12 -11
  191. pulumi_vault/raft_snapshot_agent_config.py +121 -311
  192. pulumi_vault/rgp_policy.py +14 -13
  193. pulumi_vault/saml/auth_backend.py +20 -19
  194. pulumi_vault/saml/auth_backend_role.py +90 -199
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -75
  199. pulumi_vault/secrets/sync_aws_destination.py +240 -29
  200. pulumi_vault/secrets/sync_azure_destination.py +90 -33
  201. pulumi_vault/secrets/sync_config.py +7 -6
  202. pulumi_vault/secrets/sync_gcp_destination.py +156 -27
  203. pulumi_vault/secrets/sync_gh_destination.py +187 -15
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +72 -15
  206. pulumi_vault/ssh/_inputs.py +28 -32
  207. pulumi_vault/ssh/outputs.py +11 -32
  208. pulumi_vault/ssh/secret_backend_ca.py +106 -11
  209. pulumi_vault/ssh/secret_backend_role.py +83 -120
  210. pulumi_vault/terraformcloud/secret_backend.py +5 -56
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -24
  212. pulumi_vault/terraformcloud/secret_role.py +14 -76
  213. pulumi_vault/token.py +26 -25
  214. pulumi_vault/tokenauth/auth_backend_role.py +76 -201
  215. pulumi_vault/transform/alphabet.py +16 -13
  216. pulumi_vault/transform/get_decode.py +45 -21
  217. pulumi_vault/transform/get_encode.py +45 -21
  218. pulumi_vault/transform/role.py +16 -13
  219. pulumi_vault/transform/template.py +30 -25
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -25
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +25 -97
  224. pulumi_vault/transit/secret_cache_config.py +12 -11
  225. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736850018.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
 
12
17
  __all__ = ['SecretBackendArgs', 'SecretBackend']
@@ -18,10 +23,14 @@ class SecretBackendArgs:
18
23
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
19
24
  description: Optional[pulumi.Input[str]] = None,
20
25
  disable_remount: Optional[pulumi.Input[bool]] = None,
26
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
27
+ identity_token_key: Optional[pulumi.Input[str]] = None,
28
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
21
29
  local: Optional[pulumi.Input[bool]] = None,
22
30
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
23
31
  namespace: Optional[pulumi.Input[str]] = None,
24
- path: Optional[pulumi.Input[str]] = None):
32
+ path: Optional[pulumi.Input[str]] = None,
33
+ service_account_email: Optional[pulumi.Input[str]] = None):
25
34
  """
26
35
  The set of arguments for constructing a SecretBackend resource.
27
36
  :param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
@@ -30,15 +39,23 @@ class SecretBackendArgs:
30
39
  :param pulumi.Input[str] description: A human-friendly description for this backend.
31
40
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
32
41
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
42
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
43
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
44
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
45
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
46
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
47
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
33
48
  :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
34
49
  :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
35
50
  for credentials issued by this backend. Defaults to '0'.
36
51
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
37
52
  The value should not contain leading or trailing forward slashes.
38
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
53
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
39
54
  *Available only for Vault Enterprise*.
40
55
  :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
41
56
  not begin or end with a `/`. Defaults to `gcp`.
57
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
58
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
42
59
  """
43
60
  if credentials is not None:
44
61
  pulumi.set(__self__, "credentials", credentials)
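Review bot: The new `identity_token_ttl` parameter is documented only as "The TTL of generated tokens.", with no unit, although it is an `int` and the neighbouring `default_lease_ttl_seconds` and `max_lease_ttl_seconds` carry the unit in their names. A reader who guesses the unit wrong ends up with identity tokens valid for much longer or shorter than intended. I would write `:param pulumi.Input[int] identity_token_ttl: The TTL of generated identity tokens, in seconds.`; seconds is presumed from the `1800` passed in the usage example further down, so confirm it against the provider schema. The same wording recurs in the property docstrings and in the `_SecretBackendState` and `SecretBackend` parameter lists in later hunks. The docstring and `__init__` start above this hunk.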
@@ -48,6 +65,12 @@ class SecretBackendArgs:
48
65
  pulumi.set(__self__, "description", description)
49
66
  if disable_remount is not None:
50
67
  pulumi.set(__self__, "disable_remount", disable_remount)
68
+ if identity_token_audience is not None:
69
+ pulumi.set(__self__, "identity_token_audience", identity_token_audience)
70
+ if identity_token_key is not None:
71
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
72
+ if identity_token_ttl is not None:
73
+ pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
51
74
  if local is not None:
52
75
  pulumi.set(__self__, "local", local)
53
76
  if max_lease_ttl_seconds is not None:
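Review bot: The added assignments store `identity_token_audience` whenever it is not None, without reference to `credentials`, although the parameter docs call the two mutually exclusive. The `@@ -56,6 +79,8 @@` hunk does the same for `service_account_email`, which is documented as required with `identity_token_audience`. If those constraints are enforced only by the provider or by Vault (not visible on this page), a configuration carrying a static key alongside the federation settings is accepted here and rejected, at best, later. A comment above the new block would make that explicit, e.g. `# credentials / identity_token_audience exclusivity is validated by the provider, not in this constructor`. `__init__` begins before this hunk and continues past it.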
@@ -56,6 +79,8 @@ class SecretBackendArgs:
56
79
  pulumi.set(__self__, "namespace", namespace)
57
80
  if path is not None:
58
81
  pulumi.set(__self__, "path", path)
82
+ if service_account_email is not None:
83
+ pulumi.set(__self__, "service_account_email", service_account_email)
59
84
 
60
85
  @property
61
86
  @pulumi.getter
@@ -107,6 +132,45 @@ class SecretBackendArgs:
107
132
  def disable_remount(self, value: Optional[pulumi.Input[bool]]):
108
133
  pulumi.set(self, "disable_remount", value)
109
134
 
135
+ @property
136
+ @pulumi.getter(name="identityTokenAudience")
137
+ def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
138
+ """
139
+ The audience claim value for plugin identity
140
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
141
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
142
+ """
143
+ return pulumi.get(self, "identity_token_audience")
144
+
145
+ @identity_token_audience.setter
146
+ def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
147
+ pulumi.set(self, "identity_token_audience", value)
148
+
149
+ @property
150
+ @pulumi.getter(name="identityTokenKey")
151
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
152
+ """
153
+ The key to use for signing plugin identity
154
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
155
+ """
156
+ return pulumi.get(self, "identity_token_key")
157
+
158
+ @identity_token_key.setter
159
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
160
+ pulumi.set(self, "identity_token_key", value)
161
+
162
+ @property
163
+ @pulumi.getter(name="identityTokenTtl")
164
+ def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
165
+ """
166
+ The TTL of generated tokens.
167
+ """
168
+ return pulumi.get(self, "identity_token_ttl")
169
+
170
+ @identity_token_ttl.setter
171
+ def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
172
+ pulumi.set(self, "identity_token_ttl", value)
173
+
110
174
  @property
111
175
  @pulumi.getter
112
176
  def local(self) -> Optional[pulumi.Input[bool]]:
@@ -138,7 +202,7 @@ class SecretBackendArgs:
138
202
  """
139
203
  The namespace to provision the resource in.
140
204
  The value should not contain leading or trailing forward slashes.
141
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
205
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
142
206
  *Available only for Vault Enterprise*.
143
207
  """
144
208
  return pulumi.get(self, "namespace")
@@ -160,36 +224,65 @@ class SecretBackendArgs:
160
224
  def path(self, value: Optional[pulumi.Input[str]]):
161
225
  pulumi.set(self, "path", value)
162
226
 
227
+ @property
228
+ @pulumi.getter(name="serviceAccountEmail")
229
+ def service_account_email(self) -> Optional[pulumi.Input[str]]:
230
+ """
231
+ Service Account to impersonate for plugin workload identity federation.
232
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
233
+ """
234
+ return pulumi.get(self, "service_account_email")
235
+
236
+ @service_account_email.setter
237
+ def service_account_email(self, value: Optional[pulumi.Input[str]]):
238
+ pulumi.set(self, "service_account_email", value)
239
+
163
240
 
164
241
  @pulumi.input_type
165
242
  class _SecretBackendState:
166
243
  def __init__(__self__, *,
244
+ accessor: Optional[pulumi.Input[str]] = None,
167
245
  credentials: Optional[pulumi.Input[str]] = None,
168
246
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
169
247
  description: Optional[pulumi.Input[str]] = None,
170
248
  disable_remount: Optional[pulumi.Input[bool]] = None,
249
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
250
+ identity_token_key: Optional[pulumi.Input[str]] = None,
251
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
171
252
  local: Optional[pulumi.Input[bool]] = None,
172
253
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
173
254
  namespace: Optional[pulumi.Input[str]] = None,
174
- path: Optional[pulumi.Input[str]] = None):
255
+ path: Optional[pulumi.Input[str]] = None,
256
+ service_account_email: Optional[pulumi.Input[str]] = None):
175
257
  """
176
258
  Input properties used for looking up and filtering SecretBackend resources.
259
+ :param pulumi.Input[str] accessor: The accessor of the created GCP mount.
177
260
  :param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
178
261
  :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
179
262
  issued by this backend. Defaults to '0'.
180
263
  :param pulumi.Input[str] description: A human-friendly description for this backend.
181
264
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
182
265
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
266
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
267
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
268
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
269
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
270
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
271
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
183
272
  :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
184
273
  :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
185
274
  for credentials issued by this backend. Defaults to '0'.
186
275
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
187
276
  The value should not contain leading or trailing forward slashes.
188
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
277
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
189
278
  *Available only for Vault Enterprise*.
190
279
  :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
191
280
  not begin or end with a `/`. Defaults to `gcp`.
281
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
282
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
192
283
  """
284
+ if accessor is not None:
285
+ pulumi.set(__self__, "accessor", accessor)
193
286
  if credentials is not None:
194
287
  pulumi.set(__self__, "credentials", credentials)
195
288
  if default_lease_ttl_seconds is not None:
@@ -198,6 +291,12 @@ class _SecretBackendState:
198
291
  pulumi.set(__self__, "description", description)
199
292
  if disable_remount is not None:
200
293
  pulumi.set(__self__, "disable_remount", disable_remount)
294
+ if identity_token_audience is not None:
295
+ pulumi.set(__self__, "identity_token_audience", identity_token_audience)
296
+ if identity_token_key is not None:
297
+ pulumi.set(__self__, "identity_token_key", identity_token_key)
298
+ if identity_token_ttl is not None:
299
+ pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
201
300
  if local is not None:
202
301
  pulumi.set(__self__, "local", local)
203
302
  if max_lease_ttl_seconds is not None:
@@ -206,6 +305,20 @@ class _SecretBackendState:
206
305
  pulumi.set(__self__, "namespace", namespace)
207
306
  if path is not None:
208
307
  pulumi.set(__self__, "path", path)
308
+ if service_account_email is not None:
309
+ pulumi.set(__self__, "service_account_email", service_account_email)
310
+
311
+ @property
312
+ @pulumi.getter
313
+ def accessor(self) -> Optional[pulumi.Input[str]]:
314
+ """
315
+ The accessor of the created GCP mount.
316
+ """
317
+ return pulumi.get(self, "accessor")
318
+
319
+ @accessor.setter
320
+ def accessor(self, value: Optional[pulumi.Input[str]]):
321
+ pulumi.set(self, "accessor", value)
209
322
 
210
323
  @property
211
324
  @pulumi.getter
@@ -257,6 +370,45 @@ class _SecretBackendState:
257
370
  def disable_remount(self, value: Optional[pulumi.Input[bool]]):
258
371
  pulumi.set(self, "disable_remount", value)
259
372
 
373
+ @property
374
+ @pulumi.getter(name="identityTokenAudience")
375
+ def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
376
+ """
377
+ The audience claim value for plugin identity
378
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
379
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
380
+ """
381
+ return pulumi.get(self, "identity_token_audience")
382
+
383
+ @identity_token_audience.setter
384
+ def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
385
+ pulumi.set(self, "identity_token_audience", value)
386
+
387
+ @property
388
+ @pulumi.getter(name="identityTokenKey")
389
+ def identity_token_key(self) -> Optional[pulumi.Input[str]]:
390
+ """
391
+ The key to use for signing plugin identity
392
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
393
+ """
394
+ return pulumi.get(self, "identity_token_key")
395
+
396
+ @identity_token_key.setter
397
+ def identity_token_key(self, value: Optional[pulumi.Input[str]]):
398
+ pulumi.set(self, "identity_token_key", value)
399
+
400
+ @property
401
+ @pulumi.getter(name="identityTokenTtl")
402
+ def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
403
+ """
404
+ The TTL of generated tokens.
405
+ """
406
+ return pulumi.get(self, "identity_token_ttl")
407
+
408
+ @identity_token_ttl.setter
409
+ def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
410
+ pulumi.set(self, "identity_token_ttl", value)
411
+
260
412
  @property
261
413
  @pulumi.getter
262
414
  def local(self) -> Optional[pulumi.Input[bool]]:
@@ -288,7 +440,7 @@ class _SecretBackendState:
288
440
  """
289
441
  The namespace to provision the resource in.
290
442
  The value should not contain leading or trailing forward slashes.
291
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
443
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
292
444
  *Available only for Vault Enterprise*.
293
445
  """
294
446
  return pulumi.get(self, "namespace")
@@ -310,6 +462,19 @@ class _SecretBackendState:
310
462
  def path(self, value: Optional[pulumi.Input[str]]):
311
463
  pulumi.set(self, "path", value)
312
464
 
465
+ @property
466
+ @pulumi.getter(name="serviceAccountEmail")
467
+ def service_account_email(self) -> Optional[pulumi.Input[str]]:
468
+ """
469
+ Service Account to impersonate for plugin workload identity federation.
470
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
471
+ """
472
+ return pulumi.get(self, "service_account_email")
473
+
474
+ @service_account_email.setter
475
+ def service_account_email(self, value: Optional[pulumi.Input[str]]):
476
+ pulumi.set(self, "service_account_email", value)
477
+
313
478
 
314
479
  class SecretBackend(pulumi.CustomResource):
315
480
  @overload
@@ -320,22 +485,37 @@ class SecretBackend(pulumi.CustomResource):
320
485
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
321
486
  description: Optional[pulumi.Input[str]] = None,
322
487
  disable_remount: Optional[pulumi.Input[bool]] = None,
488
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
489
+ identity_token_key: Optional[pulumi.Input[str]] = None,
490
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
323
491
  local: Optional[pulumi.Input[bool]] = None,
324
492
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
325
493
  namespace: Optional[pulumi.Input[str]] = None,
326
494
  path: Optional[pulumi.Input[str]] = None,
495
+ service_account_email: Optional[pulumi.Input[str]] = None,
327
496
  __props__=None):
328
497
  """
329
498
  ## Example Usage
330
499
 
331
- <!--Start PulumiCodeChooser -->
500
+ You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
501
+ ```python
502
+ import pulumi
503
+ import pulumi_vault as vault
504
+
505
+ gcp = vault.gcp.SecretBackend("gcp",
506
+ identity_token_key="example-key",
507
+ identity_token_ttl=1800,
508
+ identity_token_audience="<TOKEN_AUDIENCE>",
509
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>")
510
+ ```
511
+
332
512
  ```python
333
513
  import pulumi
514
+ import pulumi_std as std
334
515
  import pulumi_vault as vault
335
516
 
336
- gcp = vault.gcp.SecretBackend("gcp", credentials=(lambda path: open(path).read())("credentials.json"))
517
+ gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
337
518
  ```
338
- <!--End PulumiCodeChooser -->
339
519
 
340
520
  :param str resource_name: The name of the resource.
341
521
  :param pulumi.ResourceOptions opts: Options for the resource.
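Review bot: The second example in the docstring has no lead-in sentence, so after the Workload Identity Federation example the `credentials=std.file(...)` variant reads as a continuation rather than an alternative. The parameter docs describe `credentials` and `identity_token_audience` as mutually exclusive, so the two examples cannot be combined. I would add a line before the second fence such as `Or, with a static service account key read from a file:`. That example passes the whole key JSON as a resource input, and whether the value is treated as a secret in state is not visible in this hunk, so a sentence stating it would help readers choose between the two forms. The docstring continues past this hunk.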
@@ -345,15 +525,23 @@ class SecretBackend(pulumi.CustomResource):
345
525
  :param pulumi.Input[str] description: A human-friendly description for this backend.
346
526
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
347
527
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
528
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
529
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
530
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
531
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
532
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
533
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
348
534
  :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
349
535
  :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
350
536
  for credentials issued by this backend. Defaults to '0'.
351
537
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
352
538
  The value should not contain leading or trailing forward slashes.
353
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
539
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
354
540
  *Available only for Vault Enterprise*.
355
541
  :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
356
542
  not begin or end with a `/`. Defaults to `gcp`.
543
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
544
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
357
545
  """
358
546
  ...
359
547
  @overload
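Review bot: The added `identity_token_ttl` entry reads only `The TTL of generated tokens.` and gives no unit, unlike the neighbouring `default_lease_ttl_seconds` and `max_lease_ttl_seconds`, which carry it in the name. The WIF example earlier in this docstring passes `identity_token_ttl=1800`, which suggests seconds, but that is an inference; once confirmed against the provider schema I would write `The TTL of generated identity tokens, in seconds.`. A token lifetime with an unstated unit is easy to misconfigure by a large factor. The same sentence recurs in the `get()` docstring and on the `identity_token_ttl` property getter.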
@@ -364,14 +552,25 @@ class SecretBackend(pulumi.CustomResource):
364
552
  """
365
553
  ## Example Usage
366
554
 
367
- <!--Start PulumiCodeChooser -->
555
+ You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
556
+ ```python
557
+ import pulumi
558
+ import pulumi_vault as vault
559
+
560
+ gcp = vault.gcp.SecretBackend("gcp",
561
+ identity_token_key="example-key",
562
+ identity_token_ttl=1800,
563
+ identity_token_audience="<TOKEN_AUDIENCE>",
564
+ service_account_email="<SERVICE_ACCOUNT_EMAIL>")
565
+ ```
566
+
368
567
  ```python
369
568
  import pulumi
569
+ import pulumi_std as std
370
570
  import pulumi_vault as vault
371
571
 
372
- gcp = vault.gcp.SecretBackend("gcp", credentials=(lambda path: open(path).read())("credentials.json"))
572
+ gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
373
573
  ```
374
- <!--End PulumiCodeChooser -->
375
574
 
376
575
  :param str resource_name: The name of the resource.
377
576
  :param SecretBackendArgs args: The arguments to use to populate this resource's properties.
@@ -392,10 +591,14 @@ class SecretBackend(pulumi.CustomResource):
392
591
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
393
592
  description: Optional[pulumi.Input[str]] = None,
394
593
  disable_remount: Optional[pulumi.Input[bool]] = None,
594
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
595
+ identity_token_key: Optional[pulumi.Input[str]] = None,
596
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
395
597
  local: Optional[pulumi.Input[bool]] = None,
396
598
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
397
599
  namespace: Optional[pulumi.Input[str]] = None,
398
600
  path: Optional[pulumi.Input[str]] = None,
601
+ service_account_email: Optional[pulumi.Input[str]] = None,
399
602
  __props__=None):
400
603
  opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
401
604
  if not isinstance(opts, pulumi.ResourceOptions):
@@ -409,10 +612,15 @@ class SecretBackend(pulumi.CustomResource):
409
612
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
410
613
  __props__.__dict__["description"] = description
411
614
  __props__.__dict__["disable_remount"] = disable_remount
615
+ __props__.__dict__["identity_token_audience"] = identity_token_audience
616
+ __props__.__dict__["identity_token_key"] = identity_token_key
617
+ __props__.__dict__["identity_token_ttl"] = identity_token_ttl
412
618
  __props__.__dict__["local"] = local
413
619
  __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
414
620
  __props__.__dict__["namespace"] = namespace
415
621
  __props__.__dict__["path"] = path
622
+ __props__.__dict__["service_account_email"] = service_account_email
623
+ __props__.__dict__["accessor"] = None
416
624
  secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
417
625
  opts = pulumi.ResourceOptions.merge(opts, secret_opts)
418
626
  super(SecretBackend, __self__).__init__(
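Review bot: The four new inputs are copied into `__props__` without any check in the visible lines, so this constructor does not enforce the constraints stated in the docstrings (`identity_token_audience` mutually exclusive with `credentials`; `service_account_email` required with `identity_token_audience`). They are presumably left to the provider or Vault at apply time. Since the inputs may be unresolved `pulumi.Input` values, a client-side check is probably not practical, so I would document it instead, e.g. `# Exclusivity of credentials and identity_token_audience is not validated here; the provider is expected to reject the combination.` above the new assignments. The function starts before this hunk and its `super().__init__` call continues past it, so a check outside the visible lines cannot be ruled out.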
@@ -425,14 +633,19 @@ class SecretBackend(pulumi.CustomResource):
425
633
  def get(resource_name: str,
426
634
  id: pulumi.Input[str],
427
635
  opts: Optional[pulumi.ResourceOptions] = None,
636
+ accessor: Optional[pulumi.Input[str]] = None,
428
637
  credentials: Optional[pulumi.Input[str]] = None,
429
638
  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
430
639
  description: Optional[pulumi.Input[str]] = None,
431
640
  disable_remount: Optional[pulumi.Input[bool]] = None,
641
+ identity_token_audience: Optional[pulumi.Input[str]] = None,
642
+ identity_token_key: Optional[pulumi.Input[str]] = None,
643
+ identity_token_ttl: Optional[pulumi.Input[int]] = None,
432
644
  local: Optional[pulumi.Input[bool]] = None,
433
645
  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
434
646
  namespace: Optional[pulumi.Input[str]] = None,
435
- path: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
647
+ path: Optional[pulumi.Input[str]] = None,
648
+ service_account_email: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
436
649
  """
437
650
  Get an existing SecretBackend resource's state with the given name, id, and optional extra
438
651
  properties used to qualify the lookup.
@@ -440,36 +653,58 @@ class SecretBackend(pulumi.CustomResource):
440
653
  :param str resource_name: The unique name of the resulting resource.
441
654
  :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
442
655
  :param pulumi.ResourceOptions opts: Options for the resource.
656
+ :param pulumi.Input[str] accessor: The accessor of the created GCP mount.
443
657
  :param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
444
658
  :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
445
659
  issued by this backend. Defaults to '0'.
446
660
  :param pulumi.Input[str] description: A human-friendly description for this backend.
447
661
  :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
448
662
  See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
663
+ :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
664
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
665
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
666
+ :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
667
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
668
+ :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
449
669
  :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
450
670
  :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
451
671
  for credentials issued by this backend. Defaults to '0'.
452
672
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
453
673
  The value should not contain leading or trailing forward slashes.
454
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
674
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
455
675
  *Available only for Vault Enterprise*.
456
676
  :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
457
677
  not begin or end with a `/`. Defaults to `gcp`.
678
+ :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
679
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
458
680
  """
459
681
  opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
460
682
 
461
683
  __props__ = _SecretBackendState.__new__(_SecretBackendState)
462
684
 
685
+ __props__.__dict__["accessor"] = accessor
463
686
  __props__.__dict__["credentials"] = credentials
464
687
  __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
465
688
  __props__.__dict__["description"] = description
466
689
  __props__.__dict__["disable_remount"] = disable_remount
690
+ __props__.__dict__["identity_token_audience"] = identity_token_audience
691
+ __props__.__dict__["identity_token_key"] = identity_token_key
692
+ __props__.__dict__["identity_token_ttl"] = identity_token_ttl
467
693
  __props__.__dict__["local"] = local
468
694
  __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
469
695
  __props__.__dict__["namespace"] = namespace
470
696
  __props__.__dict__["path"] = path
697
+ __props__.__dict__["service_account_email"] = service_account_email
471
698
  return SecretBackend(resource_name, opts=opts, __props__=__props__)
472
699
 
700
+ @property
701
+ @pulumi.getter
702
+ def accessor(self) -> pulumi.Output[str]:
703
+ """
704
+ The accessor of the created GCP mount.
705
+ """
706
+ return pulumi.get(self, "accessor")
707
+
473
708
  @property
474
709
  @pulumi.getter
475
710
  def credentials(self) -> pulumi.Output[Optional[str]]:
@@ -504,6 +739,33 @@ class SecretBackend(pulumi.CustomResource):
504
739
  """
505
740
  return pulumi.get(self, "disable_remount")
506
741
 
742
+ @property
743
+ @pulumi.getter(name="identityTokenAudience")
744
+ def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
745
+ """
746
+ The audience claim value for plugin identity
747
+ tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
748
+ Mutually exclusive with `credentials`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
749
+ """
750
+ return pulumi.get(self, "identity_token_audience")
751
+
752
+ @property
753
+ @pulumi.getter(name="identityTokenKey")
754
+ def identity_token_key(self) -> pulumi.Output[Optional[str]]:
755
+ """
756
+ The key to use for signing plugin identity
757
+ tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
758
+ """
759
+ return pulumi.get(self, "identity_token_key")
760
+
761
+ @property
762
+ @pulumi.getter(name="identityTokenTtl")
763
+ def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
764
+ """
765
+ The TTL of generated tokens.
766
+ """
767
+ return pulumi.get(self, "identity_token_ttl")
768
+
507
769
  @property
508
770
  @pulumi.getter
509
771
  def local(self) -> pulumi.Output[Optional[bool]]:
@@ -527,7 +789,7 @@ class SecretBackend(pulumi.CustomResource):
527
789
  """
528
790
  The namespace to provision the resource in.
529
791
  The value should not contain leading or trailing forward slashes.
530
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
792
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
531
793
  *Available only for Vault Enterprise*.
532
794
  """
533
795
  return pulumi.get(self, "namespace")
@@ -541,3 +803,12 @@ class SecretBackend(pulumi.CustomResource):
541
803
  """
542
804
  return pulumi.get(self, "path")
543
805
 
806
+ @property
807
+ @pulumi.getter(name="serviceAccountEmail")
808
+ def service_account_email(self) -> pulumi.Output[Optional[str]]:
809
+ """
810
+ Service Account to impersonate for plugin workload identity federation.
811
+ Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
812
+ """
813
+ return pulumi.get(self, "service_account_email")
814
+