pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736850018__py3-none-any.whl

pulumi_vault/jwt/auth_backend_role.py

@@ -4,9 +4,14 @@
 
 import copy
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from .. import _utilities
 
 __all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
@@ -19,10 +24,10 @@ class AuthBackendRoleArgs:
                  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  bound_claims_type: Optional[pulumi.Input[str]] = None,
                  bound_subject: Optional[pulumi.Input[str]] = None,
-                 claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
                  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
                  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -53,10 +58,9 @@ class AuthBackendRoleArgs:
                Required for OIDC roles
         :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
                Defaults to `jwt`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
-               or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
-               Any match is sufficient.
-        :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
+               type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
                A claim's value must be a string, which may contain one value or multiple
                comma-separated values, e.g. `"red"` or `"red,green,blue"`.
         :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -64,14 +68,14 @@ class AuthBackendRoleArgs:
                match). Requires Vault 1.4.0 or above.
         :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
                this value.
-        :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
                to specified metadata fields (values).
         :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
                seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
         :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
-               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
                the set of groups to which the user belongs; this will be used as the names
@@ -81,40 +85,23 @@ class AuthBackendRoleArgs:
                the user was actively authenticated with the OIDC provider.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
-               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
                The standard scope "openid" is automatically included and need not be specified.
         :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
-               addresses which can authenticate successfully, and ties the resulting token to these blocks
-               as well.
-        :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
-               [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
-               onto the token in number of seconds. This is a hard cap even if `token_ttl` and
-               `token_max_ttl` would otherwise allow a renewal.
-        :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
-               Its current value will be referenced at renewal time.
-        :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
-               generated tokens; otherwise it will be added to the policies set in token_policies.
-        :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
-               of times a generated token may be used (within its lifetime); 0 means unlimited.
-        :param pulumi.Input[int] token_period: If set, indicates that the
-               token generated using this role should never expire. The token should be renewed within the
-               duration specified by this value. At each renewal, the token's TTL will be set to the
-               value of this field. Specified in seconds.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
-               on the auth method, this list may be supplemented by user/group/other values.
-        :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
-               Its current value will be referenced at renewal time.
-        :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
-               `batch`, or `default` to use the mount's tuned default (which unless changed will be
-               `service` tokens). For token store roles, there are two additional possibilities:
-               `default-service` and `default-batch` which specify the type to return unless the client
-               requests a different type at generation time.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
+        :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
+        :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
+        :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
+        :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
+        :param pulumi.Input[int] token_period: Generated Token's Period
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
+        :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
+        :param pulumi.Input[str] token_type: The type of token to generate, service or batch
         :param pulumi.Input[bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
                [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
                syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
@@ -236,9 +223,8 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="boundAudiences")
     def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
-        or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
-        Any match is sufficient.
+        (Required for roles of type `jwt`, optional for roles of
+        type `oidc`) List of `aud` claims to match against. Any match is sufficient.
         """
         return pulumi.get(self, "bound_audiences")
 
@@ -248,7 +234,7 @@ class AuthBackendRoleArgs:
 
     @property
     @pulumi.getter(name="boundClaims")
-    def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         If set, a map of claims to values to match against.
         A claim's value must be a string, which may contain one value or multiple
@@ -257,7 +243,7 @@ class AuthBackendRoleArgs:
         return pulumi.get(self, "bound_claims")
 
     @bound_claims.setter
-    def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "bound_claims", value)
 
     @property
@@ -289,7 +275,7 @@ class AuthBackendRoleArgs:
 
     @property
     @pulumi.getter(name="claimMappings")
-    def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         If set, a map of claims (keys) to be copied
         to specified metadata fields (values).
@@ -297,7 +283,7 @@ class AuthBackendRoleArgs:
         return pulumi.get(self, "claim_mappings")
 
     @claim_mappings.setter
-    def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "claim_mappings", value)
 
     @property
@@ -331,7 +317,7 @@ class AuthBackendRoleArgs:
     def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
         """
         The amount of leeway to add to expiration (`exp`) claims to account for
-        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "expiration_leeway")
@@ -374,7 +360,7 @@ class AuthBackendRoleArgs:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -388,7 +374,7 @@ class AuthBackendRoleArgs:
     def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
         """
         The amount of leeway to add to not before (`nbf`) claims to account for
-        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "not_before_leeway")
@@ -426,9 +412,7 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenBoundCidrs")
     def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        List of CIDR blocks; if set, specifies blocks of IP
-        addresses which can authenticate successfully, and ties the resulting token to these blocks
-        as well.
+        Specifies the blocks of IP addresses which are allowed to use the generated token
         """
         return pulumi.get(self, "token_bound_cidrs")
 
@@ -440,10 +424,7 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenExplicitMaxTtl")
     def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        If set, will encode an
-        [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
-        onto the token in number of seconds. This is a hard cap even if `token_ttl` and
-        `token_max_ttl` would otherwise allow a renewal.
+        Generated Token's Explicit Maximum TTL in seconds
         """
         return pulumi.get(self, "token_explicit_max_ttl")
 
@@ -455,8 +436,7 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenMaxTtl")
     def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        The maximum lifetime for generated tokens in number of seconds.
-        Its current value will be referenced at renewal time.
+        The maximum lifetime of the generated token
         """
         return pulumi.get(self, "token_max_ttl")
 
@@ -468,8 +448,7 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenNoDefaultPolicy")
     def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
         """
-        If set, the default policy will not be set on
-        generated tokens; otherwise it will be added to the policies set in token_policies.
+        If true, the 'default' policy will not automatically be added to generated tokens
         """
         return pulumi.get(self, "token_no_default_policy")
 
@@ -481,8 +460,7 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenNumUses")
     def token_num_uses(self) -> Optional[pulumi.Input[int]]:
         """
-        The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
-        of times a generated token may be used (within its lifetime); 0 means unlimited.
+        The maximum number of times a token may be used, a value of zero means unlimited
         """
         return pulumi.get(self, "token_num_uses")
 
@@ -494,10 +472,7 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenPeriod")
     def token_period(self) -> Optional[pulumi.Input[int]]:
         """
-        If set, indicates that the
-        token generated using this role should never expire. The token should be renewed within the
-        duration specified by this value. At each renewal, the token's TTL will be set to the
-        value of this field. Specified in seconds.
+        Generated Token's Period
         """
         return pulumi.get(self, "token_period")
 
@@ -509,8 +484,7 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenPolicies")
     def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        List of policies to encode onto generated tokens. Depending
-        on the auth method, this list may be supplemented by user/group/other values.
+        Generated Token's Policies
         """
         return pulumi.get(self, "token_policies")
 
@@ -522,8 +496,7 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenTtl")
     def token_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        The incremental lifetime for generated tokens in number of seconds.
-        Its current value will be referenced at renewal time.
+        The initial ttl of the token to generate in seconds
         """
         return pulumi.get(self, "token_ttl")
 
@@ -535,11 +508,7 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenType")
     def token_type(self) -> Optional[pulumi.Input[str]]:
         """
-        The type of token that should be generated. Can be `service`,
-        `batch`, or `default` to use the mount's tuned default (which unless changed will be
-        `service` tokens). For token store roles, there are two additional possibilities:
-        `default-service` and `default-batch` which specify the type to return unless the client
-        requests a different type at generation time.
+        The type of token to generate, service or batch
         """
         return pulumi.get(self, "token_type")
 
@@ -583,10 +552,10 @@ class _AuthBackendRoleState:
                  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  bound_claims_type: Optional[pulumi.Input[str]] = None,
                  bound_subject: Optional[pulumi.Input[str]] = None,
-                 claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
                  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
                  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -615,10 +584,9 @@ class _AuthBackendRoleState:
                Required for OIDC roles
         :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
                Defaults to `jwt`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
-               or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
-               Any match is sufficient.
-        :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
+               type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
                A claim's value must be a string, which may contain one value or multiple
                comma-separated values, e.g. `"red"` or `"red,green,blue"`.
         :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -626,14 +594,14 @@ class _AuthBackendRoleState:
                match). Requires Vault 1.4.0 or above.
         :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
                this value.
-        :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
                to specified metadata fields (values).
         :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
                seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
         :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
-               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
                the set of groups to which the user belongs; this will be used as the names
@@ -643,41 +611,24 @@ class _AuthBackendRoleState:
                the user was actively authenticated with the OIDC provider.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
-               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
                The standard scope "openid" is automatically included and need not be specified.
         :param pulumi.Input[str] role_name: The name of the role.
         :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
-               addresses which can authenticate successfully, and ties the resulting token to these blocks
-               as well.
-        :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
-               [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
-               onto the token in number of seconds. This is a hard cap even if `token_ttl` and
-               `token_max_ttl` would otherwise allow a renewal.
-        :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
-               Its current value will be referenced at renewal time.
-        :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
-               generated tokens; otherwise it will be added to the policies set in token_policies.
-        :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
-               of times a generated token may be used (within its lifetime); 0 means unlimited.
-        :param pulumi.Input[int] token_period: If set, indicates that the
-               token generated using this role should never expire. The token should be renewed within the
-               duration specified by this value. At each renewal, the token's TTL will be set to the
-               value of this field. Specified in seconds.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
-               on the auth method, this list may be supplemented by user/group/other values.
-        :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
-               Its current value will be referenced at renewal time.
-        :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
-               `batch`, or `default` to use the mount's tuned default (which unless changed will be
-               `service` tokens). For token store roles, there are two additional possibilities:
-               `default-service` and `default-batch` which specify the type to return unless the client
-               requests a different type at generation time.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
+        :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
+        :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
+        :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
+        :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
+        :param pulumi.Input[int] token_period: Generated Token's Period
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
+        :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
+        :param pulumi.Input[str] token_type: The type of token to generate, service or batch
         :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
                the user; this will be used as the name for the Identity entity alias created
                due to a successful login.
@@ -778,9 +729,8 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="boundAudiences")
     def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
-        or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
-        Any match is sufficient.
+        (Required for roles of type `jwt`, optional for roles of
+        type `oidc`) List of `aud` claims to match against. Any match is sufficient.
         """
         return pulumi.get(self, "bound_audiences")
 
@@ -790,7 +740,7 @@ class _AuthBackendRoleState:
 
     @property
     @pulumi.getter(name="boundClaims")
-    def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         If set, a map of claims to values to match against.
         A claim's value must be a string, which may contain one value or multiple
@@ -799,7 +749,7 @@ class _AuthBackendRoleState:
         return pulumi.get(self, "bound_claims")
 
     @bound_claims.setter
-    def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "bound_claims", value)
 
     @property
@@ -831,7 +781,7 @@ class _AuthBackendRoleState:
 
     @property
     @pulumi.getter(name="claimMappings")
-    def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
+    def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
         """
         If set, a map of claims (keys) to be copied
         to specified metadata fields (values).
@@ -839,7 +789,7 @@ class _AuthBackendRoleState:
         return pulumi.get(self, "claim_mappings")
 
     @claim_mappings.setter
-    def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
+    def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
         pulumi.set(self, "claim_mappings", value)
 
     @property
@@ -873,7 +823,7 @@ class _AuthBackendRoleState:
     def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
         """
         The amount of leeway to add to expiration (`exp`) claims to account for
-        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "expiration_leeway")
@@ -916,7 +866,7 @@ class _AuthBackendRoleState:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -930,7 +880,7 @@ class _AuthBackendRoleState:
     def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
         """
         The amount of leeway to add to not before (`nbf`) claims to account for
-        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "not_before_leeway")
@@ -980,9 +930,7 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenBoundCidrs")
     def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        List of CIDR blocks; if set, specifies blocks of IP
-        addresses which can authenticate successfully, and ties the resulting token to these blocks
-        as well.
+        Specifies the blocks of IP addresses which are allowed to use the generated token
         """
         return pulumi.get(self, "token_bound_cidrs")
 
@@ -994,10 +942,7 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenExplicitMaxTtl")
     def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        If set, will encode an
-        [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
-        onto the token in number of seconds. This is a hard cap even if `token_ttl` and
-        `token_max_ttl` would otherwise allow a renewal.
+        Generated Token's Explicit Maximum TTL in seconds
         """
         return pulumi.get(self, "token_explicit_max_ttl")
 
@@ -1009,8 +954,7 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenMaxTtl")
     def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        The maximum lifetime for generated tokens in number of seconds.
-        Its current value will be referenced at renewal time.
+        The maximum lifetime of the generated token
         """
         return pulumi.get(self, "token_max_ttl")
 
@@ -1022,8 +966,7 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenNoDefaultPolicy")
     def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
         """
-        If set, the default policy will not be set on
-        generated tokens; otherwise it will be added to the policies set in token_policies.
+        If true, the 'default' policy will not automatically be added to generated tokens
         """
         return pulumi.get(self, "token_no_default_policy")
 
@@ -1035,8 +978,7 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenNumUses")
     def token_num_uses(self) -> Optional[pulumi.Input[int]]:
         """
-        The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
-        of times a generated token may be used (within its lifetime); 0 means unlimited.
+        The maximum number of times a token may be used, a value of zero means unlimited
         """
         return pulumi.get(self, "token_num_uses")
 
@@ -1048,10 +990,7 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenPeriod")
     def token_period(self) -> Optional[pulumi.Input[int]]:
         """
-        If set, indicates that the
-        token generated using this role should never expire. The token should be renewed within the
-        duration specified by this value. At each renewal, the token's TTL will be set to the
-        value of this field. Specified in seconds.
+        Generated Token's Period
         """
         return pulumi.get(self, "token_period")
 
@@ -1063,8 +1002,7 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenPolicies")
     def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        List of policies to encode onto generated tokens. Depending
-        on the auth method, this list may be supplemented by user/group/other values.
+        Generated Token's Policies
         """
         return pulumi.get(self, "token_policies")
 
@@ -1076,8 +1014,7 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenTtl")
     def token_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        The incremental lifetime for generated tokens in number of seconds.
-        Its current value will be referenced at renewal time.
+        The initial ttl of the token to generate in seconds
         """
         return pulumi.get(self, "token_ttl")
 
@@ -1089,11 +1026,7 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenType")
     def token_type(self) -> Optional[pulumi.Input[str]]:
         """
-        The type of token that should be generated. Can be `service`,
-        `batch`, or `default` to use the mount's tuned default (which unless changed will be
-        `service` tokens). For token store roles, there are two additional possibilities:
-        `default-service` and `default-batch` which specify the type to return unless the client
-        requests a different type at generation time.
+        The type of token to generate, service or batch
         """
         return pulumi.get(self, "token_type")
 
@@ -1153,10 +1086,10 @@ class AuthBackendRole(pulumi.CustomResource):
                  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  bound_claims_type: Optional[pulumi.Input[str]] = None,
                  bound_subject: Optional[pulumi.Input[str]] = None,
-                 claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
                  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
                  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -1189,7 +1122,6 @@ class AuthBackendRole(pulumi.CustomResource):
 
         Role for JWT backend:
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1210,11 +1142,9 @@ class AuthBackendRole(pulumi.CustomResource):
             user_claim="https://vault/user",
             role_type="jwt")
         ```
-        <!--End PulumiCodeChooser -->
 
         Role for OIDC backend:
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1234,7 +1164,6 @@ class AuthBackendRole(pulumi.CustomResource):
             role_type="oidc",
             allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -1250,10 +1179,9 @@ class AuthBackendRole(pulumi.CustomResource):
                Required for OIDC roles
         :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
                Defaults to `jwt`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
-               or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
-               Any match is sufficient.
-        :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
+               type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
                A claim's value must be a string, which may contain one value or multiple
                comma-separated values, e.g. `"red"` or `"red,green,blue"`.
         :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -1261,14 +1189,14 @@ class AuthBackendRole(pulumi.CustomResource):
                match). Requires Vault 1.4.0 or above.
         :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
                this value.
-        :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
                to specified metadata fields (values).
         :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
                seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
         :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
-               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
                the set of groups to which the user belongs; this will be used as the names
@@ -1278,41 +1206,24 @@ class AuthBackendRole(pulumi.CustomResource):
                the user was actively authenticated with the OIDC provider.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
-               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
                The standard scope "openid" is automatically included and need not be specified.
         :param pulumi.Input[str] role_name: The name of the role.
         :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
-               addresses which can authenticate successfully, and ties the resulting token to these blocks
-               as well.
-        :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
-               [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
-               onto the token in number of seconds. This is a hard cap even if `token_ttl` and
-               `token_max_ttl` would otherwise allow a renewal.
-        :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
-               Its current value will be referenced at renewal time.
-        :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
-               generated tokens; otherwise it will be added to the policies set in token_policies.
-        :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
-               of times a generated token may be used (within its lifetime); 0 means unlimited.
-        :param pulumi.Input[int] token_period: If set, indicates that the
-               token generated using this role should never expire. The token should be renewed within the
-               duration specified by this value. At each renewal, the token's TTL will be set to the
-               value of this field. Specified in seconds.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
-               on the auth method, this list may be supplemented by user/group/other values.
-        :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
-               Its current value will be referenced at renewal time.
-        :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
-               `batch`, or `default` to use the mount's tuned default (which unless changed will be
-               `service` tokens). For token store roles, there are two additional possibilities:
-               `default-service` and `default-batch` which specify the type to return unless the client
-               requests a different type at generation time.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
+        :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
+        :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
+        :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
+        :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
+        :param pulumi.Input[int] token_period: Generated Token's Period
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
+        :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
+        :param pulumi.Input[str] token_type: The type of token to generate, service or batch
         :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
                the user; this will be used as the name for the Identity entity alias created
                due to a successful login.
@@ -1339,7 +1250,6 @@ class AuthBackendRole(pulumi.CustomResource):
 
         Role for JWT backend:
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1360,11 +1270,9 @@ class AuthBackendRole(pulumi.CustomResource):
             user_claim="https://vault/user",
             role_type="jwt")
         ```
-        <!--End PulumiCodeChooser -->
 
         Role for OIDC backend:
 
-        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1384,7 +1292,6 @@ class AuthBackendRole(pulumi.CustomResource):
             role_type="oidc",
             allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])
         ```
-        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -1412,10 +1319,10 @@ class AuthBackendRole(pulumi.CustomResource):
                  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  backend: Optional[pulumi.Input[str]] = None,
                  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  bound_claims_type: Optional[pulumi.Input[str]] = None,
                  bound_subject: Optional[pulumi.Input[str]] = None,
-                 claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+                 claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
                  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
                  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -1493,10 +1400,10 @@ class AuthBackendRole(pulumi.CustomResource):
             allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             backend: Optional[pulumi.Input[str]] = None,
             bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+            bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             bound_claims_type: Optional[pulumi.Input[str]] = None,
             bound_subject: Optional[pulumi.Input[str]] = None,
-            claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
+            claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
             clock_skew_leeway: Optional[pulumi.Input[int]] = None,
             disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
             expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -1530,10 +1437,9 @@ class AuthBackendRole(pulumi.CustomResource):
                Required for OIDC roles
         :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
                Defaults to `jwt`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
-               or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
-               Any match is sufficient.
-        :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
+               type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
                A claim's value must be a string, which may contain one value or multiple
                comma-separated values, e.g. `"red"` or `"red,green,blue"`.
         :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -1541,14 +1447,14 @@ class AuthBackendRole(pulumi.CustomResource):
                match). Requires Vault 1.4.0 or above.
         :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
                this value.
-        :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
+        :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
                to specified metadata fields (values).
         :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
                seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
         :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
-               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
                the set of groups to which the user belongs; this will be used as the names
@@ -1558,41 +1464,24 @@ class AuthBackendRole(pulumi.CustomResource):
                the user was actively authenticated with the OIDC provider.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
-               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
-               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
                The standard scope "openid" is automatically included and need not be specified.
         :param pulumi.Input[str] role_name: The name of the role.
         :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
-               addresses which can authenticate successfully, and ties the resulting token to these blocks
-               as well.
-        :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
-               [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
-               onto the token in number of seconds. This is a hard cap even if `token_ttl` and
-               `token_max_ttl` would otherwise allow a renewal.
-        :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
-               Its current value will be referenced at renewal time.
-        :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
-               generated tokens; otherwise it will be added to the policies set in token_policies.
-        :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
-               of times a generated token may be used (within its lifetime); 0 means unlimited.
-        :param pulumi.Input[int] token_period: If set, indicates that the
-               token generated using this role should never expire. The token should be renewed within the
-               duration specified by this value. At each renewal, the token's TTL will be set to the
-               value of this field. Specified in seconds.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
-               on the auth method, this list may be supplemented by user/group/other values.
-        :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
-               Its current value will be referenced at renewal time.
-        :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
-               `batch`, or `default` to use the mount's tuned default (which unless changed will be
-               `service` tokens). For token store roles, there are two additional possibilities:
-               `default-service` and `default-batch` which specify the type to return unless the client
-               requests a different type at generation time.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
+        :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
+        :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
+        :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
+        :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
+        :param pulumi.Input[int] token_period: Generated Token's Period
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
+        :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
+        :param pulumi.Input[str] token_type: The type of token to generate, service or batch
         :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
                the user; this will be used as the name for the Identity entity alias created
                due to a successful login.
@@ -1661,15 +1550,14 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="boundAudiences")
     def bound_audiences(self) -> pulumi.Output[Optional[Sequence[str]]]:
         """
-        (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
-        or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
-        Any match is sufficient.
+        (Required for roles of type `jwt`, optional for roles of
+        type `oidc`) List of `aud` claims to match against. Any match is sufficient.
         """
         return pulumi.get(self, "bound_audiences")
 
     @property
     @pulumi.getter(name="boundClaims")
-    def bound_claims(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def bound_claims(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         If set, a map of claims to values to match against.
         A claim's value must be a string, which may contain one value or multiple
@@ -1698,7 +1586,7 @@ class AuthBackendRole(pulumi.CustomResource):
 
     @property
     @pulumi.getter(name="claimMappings")
-    def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
+    def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
         """
         If set, a map of claims (keys) to be copied
         to specified metadata fields (values).
@@ -1728,7 +1616,7 @@ class AuthBackendRole(pulumi.CustomResource):
     def expiration_leeway(self) -> pulumi.Output[Optional[int]]:
         """
         The amount of leeway to add to expiration (`exp`) claims to account for
-        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "expiration_leeway")
@@ -1759,7 +1647,7 @@ class AuthBackendRole(pulumi.CustomResource):
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
-        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
         *Available only for Vault Enterprise*.
         """
         return pulumi.get(self, "namespace")
@@ -1769,7 +1657,7 @@ class AuthBackendRole(pulumi.CustomResource):
     def not_before_leeway(self) -> pulumi.Output[Optional[int]]:
         """
         The amount of leeway to add to not before (`nbf`) claims to account for
-        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "not_before_leeway")
@@ -1803,9 +1691,7 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenBoundCidrs")
     def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
         """
-        List of CIDR blocks; if set, specifies blocks of IP
-        addresses which can authenticate successfully, and ties the resulting token to these blocks
-        as well.
+        Specifies the blocks of IP addresses which are allowed to use the generated token
         """
         return pulumi.get(self, "token_bound_cidrs")
 
@@ -1813,10 +1699,7 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenExplicitMaxTtl")
     def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
         """
-        If set, will encode an
-        [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
-        onto the token in number of seconds. This is a hard cap even if `token_ttl` and
-        `token_max_ttl` would otherwise allow a renewal.
+        Generated Token's Explicit Maximum TTL in seconds
         """
         return pulumi.get(self, "token_explicit_max_ttl")
 
@@ -1824,8 +1707,7 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenMaxTtl")
     def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
         """
-        The maximum lifetime for generated tokens in number of seconds.
-        Its current value will be referenced at renewal time.
+        The maximum lifetime of the generated token
         """
         return pulumi.get(self, "token_max_ttl")
 
@@ -1833,8 +1715,7 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenNoDefaultPolicy")
     def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
         """
-        If set, the default policy will not be set on
-        generated tokens; otherwise it will be added to the policies set in token_policies.
+        If true, the 'default' policy will not automatically be added to generated tokens
         """
         return pulumi.get(self, "token_no_default_policy")
 
@@ -1842,8 +1723,7 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenNumUses")
     def token_num_uses(self) -> pulumi.Output[Optional[int]]:
         """
-        The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
-        of times a generated token may be used (within its lifetime); 0 means unlimited.
+        The maximum number of times a token may be used, a value of zero means unlimited
         """
         return pulumi.get(self, "token_num_uses")
 
@@ -1851,10 +1731,7 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenPeriod")
     def token_period(self) -> pulumi.Output[Optional[int]]:
         """
-        If set, indicates that the
-        token generated using this role should never expire. The token should be renewed within the
-        duration specified by this value. At each renewal, the token's TTL will be set to the
-        value of this field. Specified in seconds.
+        Generated Token's Period
         """
         return pulumi.get(self, "token_period")
 
@@ -1862,8 +1739,7 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenPolicies")
     def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
         """
-        List of policies to encode onto generated tokens. Depending
-        on the auth method, this list may be supplemented by user/group/other values.
+        Generated Token's Policies
         """
         return pulumi.get(self, "token_policies")
 
@@ -1871,8 +1747,7 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenTtl")
     def token_ttl(self) -> pulumi.Output[Optional[int]]:
         """
-        The incremental lifetime for generated tokens in number of seconds.
-        Its current value will be referenced at renewal time.
+        The initial ttl of the token to generate in seconds
         """
         return pulumi.get(self, "token_ttl")
 
@@ -1880,11 +1755,7 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenType")
     def token_type(self) -> pulumi.Output[Optional[str]]:
         """
-        The type of token that should be generated. Can be `service`,
-        `batch`, or `default` to use the mount's tuned default (which unless changed will be
-        `service` tokens). For token store roles, there are two additional possibilities:
-        `default-service` and `default-batch` which specify the type to return unless the client
-        requests a different type at generation time.
+        The type of token to generate, service or batch
         """
         return pulumi.get(self, "token_type")