pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736850018__py3-none-any.whl

Files changed (229)
  1. pulumi_vault/__init__.py +52 -0
  2. pulumi_vault/_inputs.py +560 -0
  3. pulumi_vault/_utilities.py +41 -5
  4. pulumi_vault/ad/get_access_credentials.py +22 -7
  5. pulumi_vault/ad/secret_backend.py +14 -144
  6. pulumi_vault/ad/secret_library.py +14 -11
  7. pulumi_vault/ad/secret_role.py +12 -11
  8. pulumi_vault/alicloud/auth_backend_role.py +74 -192
  9. pulumi_vault/approle/auth_backend_login.py +12 -11
  10. pulumi_vault/approle/auth_backend_role.py +75 -193
  11. pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
  12. pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
  13. pulumi_vault/audit.py +24 -27
  14. pulumi_vault/audit_request_header.py +11 -6
  15. pulumi_vault/auth_backend.py +64 -12
  16. pulumi_vault/aws/auth_backend_cert.py +12 -7
  17. pulumi_vault/aws/auth_backend_client.py +265 -24
  18. pulumi_vault/aws/auth_backend_config_identity.py +12 -11
  19. pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
  20. pulumi_vault/aws/auth_backend_login.py +19 -22
  21. pulumi_vault/aws/auth_backend_role.py +75 -193
  22. pulumi_vault/aws/auth_backend_role_tag.py +12 -7
  23. pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
  24. pulumi_vault/aws/auth_backend_sts_role.py +12 -11
  25. pulumi_vault/aws/get_access_credentials.py +34 -7
  26. pulumi_vault/aws/get_static_access_credentials.py +19 -5
  27. pulumi_vault/aws/secret_backend.py +75 -7
  28. pulumi_vault/aws/secret_backend_role.py +183 -11
  29. pulumi_vault/aws/secret_backend_static_role.py +14 -11
  30. pulumi_vault/azure/_inputs.py +24 -0
  31. pulumi_vault/azure/auth_backend_config.py +151 -17
  32. pulumi_vault/azure/auth_backend_role.py +75 -193
  33. pulumi_vault/azure/backend.py +223 -29
  34. pulumi_vault/azure/backend_role.py +42 -41
  35. pulumi_vault/azure/get_access_credentials.py +39 -11
  36. pulumi_vault/azure/outputs.py +5 -0
  37. pulumi_vault/cert_auth_backend_role.py +87 -271
  38. pulumi_vault/config/__init__.pyi +5 -0
  39. pulumi_vault/config/_inputs.py +73 -0
  40. pulumi_vault/config/outputs.py +35 -0
  41. pulumi_vault/config/ui_custom_message.py +529 -0
  42. pulumi_vault/config/vars.py +5 -0
  43. pulumi_vault/consul/secret_backend.py +22 -25
  44. pulumi_vault/consul/secret_backend_role.py +14 -80
  45. pulumi_vault/database/_inputs.py +2770 -881
  46. pulumi_vault/database/outputs.py +721 -838
  47. pulumi_vault/database/secret_backend_connection.py +117 -114
  48. pulumi_vault/database/secret_backend_role.py +29 -24
  49. pulumi_vault/database/secret_backend_static_role.py +85 -15
  50. pulumi_vault/database/secrets_mount.py +425 -138
  51. pulumi_vault/egp_policy.py +16 -15
  52. pulumi_vault/gcp/_inputs.py +111 -0
  53. pulumi_vault/gcp/auth_backend.py +248 -35
  54. pulumi_vault/gcp/auth_backend_role.py +75 -271
  55. pulumi_vault/gcp/get_auth_backend_role.py +43 -9
  56. pulumi_vault/gcp/outputs.py +5 -0
  57. pulumi_vault/gcp/secret_backend.py +287 -16
  58. pulumi_vault/gcp/secret_impersonated_account.py +74 -17
  59. pulumi_vault/gcp/secret_roleset.py +29 -26
  60. pulumi_vault/gcp/secret_static_account.py +37 -34
  61. pulumi_vault/generic/endpoint.py +22 -21
  62. pulumi_vault/generic/get_secret.py +68 -12
  63. pulumi_vault/generic/secret.py +19 -14
  64. pulumi_vault/get_auth_backend.py +24 -11
  65. pulumi_vault/get_auth_backends.py +33 -11
  66. pulumi_vault/get_namespace.py +226 -0
  67. pulumi_vault/get_namespaces.py +153 -0
  68. pulumi_vault/get_nomad_access_token.py +31 -15
  69. pulumi_vault/get_policy_document.py +34 -23
  70. pulumi_vault/get_raft_autopilot_state.py +29 -14
  71. pulumi_vault/github/_inputs.py +55 -0
  72. pulumi_vault/github/auth_backend.py +17 -16
  73. pulumi_vault/github/outputs.py +5 -0
  74. pulumi_vault/github/team.py +14 -13
  75. pulumi_vault/github/user.py +14 -13
  76. pulumi_vault/identity/entity.py +18 -15
  77. pulumi_vault/identity/entity_alias.py +18 -15
  78. pulumi_vault/identity/entity_policies.py +24 -19
  79. pulumi_vault/identity/get_entity.py +40 -14
  80. pulumi_vault/identity/get_group.py +45 -13
  81. pulumi_vault/identity/get_oidc_client_creds.py +21 -11
  82. pulumi_vault/identity/get_oidc_openid_config.py +39 -13
  83. pulumi_vault/identity/get_oidc_public_keys.py +29 -14
  84. pulumi_vault/identity/group.py +50 -49
  85. pulumi_vault/identity/group_alias.py +14 -11
  86. pulumi_vault/identity/group_member_entity_ids.py +24 -74
  87. pulumi_vault/identity/group_member_group_ids.py +36 -27
  88. pulumi_vault/identity/group_policies.py +16 -15
  89. pulumi_vault/identity/mfa_duo.py +9 -8
  90. pulumi_vault/identity/mfa_login_enforcement.py +13 -8
  91. pulumi_vault/identity/mfa_okta.py +9 -8
  92. pulumi_vault/identity/mfa_pingid.py +5 -4
  93. pulumi_vault/identity/mfa_totp.py +5 -4
  94. pulumi_vault/identity/oidc.py +12 -11
  95. pulumi_vault/identity/oidc_assignment.py +22 -13
  96. pulumi_vault/identity/oidc_client.py +34 -25
  97. pulumi_vault/identity/oidc_key.py +28 -19
  98. pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
  99. pulumi_vault/identity/oidc_provider.py +34 -23
  100. pulumi_vault/identity/oidc_role.py +40 -27
  101. pulumi_vault/identity/oidc_scope.py +18 -15
  102. pulumi_vault/identity/outputs.py +8 -3
  103. pulumi_vault/jwt/_inputs.py +55 -0
  104. pulumi_vault/jwt/auth_backend.py +39 -46
  105. pulumi_vault/jwt/auth_backend_role.py +131 -260
  106. pulumi_vault/jwt/outputs.py +5 -0
  107. pulumi_vault/kmip/secret_backend.py +22 -21
  108. pulumi_vault/kmip/secret_role.py +12 -11
  109. pulumi_vault/kmip/secret_scope.py +12 -11
  110. pulumi_vault/kubernetes/auth_backend_config.py +55 -7
  111. pulumi_vault/kubernetes/auth_backend_role.py +68 -179
  112. pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
  113. pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
  114. pulumi_vault/kubernetes/get_service_account_token.py +39 -15
  115. pulumi_vault/kubernetes/secret_backend.py +314 -29
  116. pulumi_vault/kubernetes/secret_backend_role.py +135 -56
  117. pulumi_vault/kv/_inputs.py +36 -4
  118. pulumi_vault/kv/get_secret.py +23 -12
  119. pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
  120. pulumi_vault/kv/get_secret_v2.py +89 -9
  121. pulumi_vault/kv/get_secrets_list.py +22 -15
  122. pulumi_vault/kv/get_secrets_list_v2.py +35 -19
  123. pulumi_vault/kv/outputs.py +8 -3
  124. pulumi_vault/kv/secret.py +19 -18
  125. pulumi_vault/kv/secret_backend_v2.py +12 -11
  126. pulumi_vault/kv/secret_v2.py +55 -52
  127. pulumi_vault/ldap/auth_backend.py +125 -168
  128. pulumi_vault/ldap/auth_backend_group.py +12 -11
  129. pulumi_vault/ldap/auth_backend_user.py +12 -11
  130. pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
  131. pulumi_vault/ldap/get_static_credentials.py +24 -5
  132. pulumi_vault/ldap/secret_backend.py +352 -84
  133. pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
  134. pulumi_vault/ldap/secret_backend_library_set.py +14 -11
  135. pulumi_vault/ldap/secret_backend_static_role.py +67 -12
  136. pulumi_vault/managed/_inputs.py +289 -132
  137. pulumi_vault/managed/keys.py +27 -43
  138. pulumi_vault/managed/outputs.py +89 -132
  139. pulumi_vault/mfa_duo.py +16 -13
  140. pulumi_vault/mfa_okta.py +16 -13
  141. pulumi_vault/mfa_pingid.py +16 -13
  142. pulumi_vault/mfa_totp.py +22 -19
  143. pulumi_vault/mongodbatlas/secret_backend.py +18 -17
  144. pulumi_vault/mongodbatlas/secret_role.py +41 -38
  145. pulumi_vault/mount.py +389 -65
  146. pulumi_vault/namespace.py +26 -21
  147. pulumi_vault/nomad_secret_backend.py +16 -15
  148. pulumi_vault/nomad_secret_role.py +12 -11
  149. pulumi_vault/okta/_inputs.py +47 -8
  150. pulumi_vault/okta/auth_backend.py +483 -41
  151. pulumi_vault/okta/auth_backend_group.py +12 -11
  152. pulumi_vault/okta/auth_backend_user.py +12 -11
  153. pulumi_vault/okta/outputs.py +13 -8
  154. pulumi_vault/outputs.py +5 -0
  155. pulumi_vault/password_policy.py +18 -15
  156. pulumi_vault/pkisecret/__init__.py +3 -0
  157. pulumi_vault/pkisecret/_inputs.py +81 -0
  158. pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
  159. pulumi_vault/pkisecret/backend_config_est.py +619 -0
  160. pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
  161. pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
  162. pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
  163. pulumi_vault/pkisecret/get_backend_key.py +24 -13
  164. pulumi_vault/pkisecret/get_backend_keys.py +21 -12
  165. pulumi_vault/pkisecret/outputs.py +69 -0
  166. pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
  167. pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
  168. pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
  169. pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
  170. pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
  171. pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
  172. pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
  173. pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
  174. pulumi_vault/pkisecret/secret_backend_key.py +12 -7
  175. pulumi_vault/pkisecret/secret_backend_role.py +19 -16
  176. pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
  177. pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
  178. pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
  179. pulumi_vault/plugin.py +595 -0
  180. pulumi_vault/plugin_pinned_version.py +298 -0
  181. pulumi_vault/policy.py +12 -7
  182. pulumi_vault/provider.py +48 -53
  183. pulumi_vault/pulumi-plugin.json +2 -1
  184. pulumi_vault/quota_lease_count.py +58 -8
  185. pulumi_vault/quota_rate_limit.py +54 -4
  186. pulumi_vault/rabbitmq/_inputs.py +61 -0
  187. pulumi_vault/rabbitmq/outputs.py +5 -0
  188. pulumi_vault/rabbitmq/secret_backend.py +16 -15
  189. pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
  190. pulumi_vault/raft_autopilot.py +12 -11
  191. pulumi_vault/raft_snapshot_agent_config.py +121 -311
  192. pulumi_vault/rgp_policy.py +14 -13
  193. pulumi_vault/saml/auth_backend.py +20 -19
  194. pulumi_vault/saml/auth_backend_role.py +90 -199
  195. pulumi_vault/secrets/__init__.py +3 -0
  196. pulumi_vault/secrets/_inputs.py +110 -0
  197. pulumi_vault/secrets/outputs.py +94 -0
  198. pulumi_vault/secrets/sync_association.py +56 -75
  199. pulumi_vault/secrets/sync_aws_destination.py +240 -29
  200. pulumi_vault/secrets/sync_azure_destination.py +90 -33
  201. pulumi_vault/secrets/sync_config.py +7 -6
  202. pulumi_vault/secrets/sync_gcp_destination.py +156 -27
  203. pulumi_vault/secrets/sync_gh_destination.py +187 -15
  204. pulumi_vault/secrets/sync_github_apps.py +375 -0
  205. pulumi_vault/secrets/sync_vercel_destination.py +72 -15
  206. pulumi_vault/ssh/_inputs.py +28 -32
  207. pulumi_vault/ssh/outputs.py +11 -32
  208. pulumi_vault/ssh/secret_backend_ca.py +106 -11
  209. pulumi_vault/ssh/secret_backend_role.py +83 -120
  210. pulumi_vault/terraformcloud/secret_backend.py +5 -56
  211. pulumi_vault/terraformcloud/secret_creds.py +14 -24
  212. pulumi_vault/terraformcloud/secret_role.py +14 -76
  213. pulumi_vault/token.py +26 -25
  214. pulumi_vault/tokenauth/auth_backend_role.py +76 -201
  215. pulumi_vault/transform/alphabet.py +16 -13
  216. pulumi_vault/transform/get_decode.py +45 -21
  217. pulumi_vault/transform/get_encode.py +45 -21
  218. pulumi_vault/transform/role.py +16 -13
  219. pulumi_vault/transform/template.py +30 -25
  220. pulumi_vault/transform/transformation.py +12 -7
  221. pulumi_vault/transit/get_decrypt.py +26 -25
  222. pulumi_vault/transit/get_encrypt.py +24 -19
  223. pulumi_vault/transit/secret_backend_key.py +25 -97
  224. pulumi_vault/transit/secret_cache_config.py +12 -11
  225. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/METADATA +8 -7
  226. pulumi_vault-6.5.0a1736850018.dist-info/RECORD +256 -0
  227. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/WHEEL +1 -1
  228. pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
  229. {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
4
4
 
5
5
  import copy
6
6
  import warnings
7
+ import sys
7
8
  import pulumi
8
9
  import pulumi.runtime
9
10
  from typing import Any, Mapping, Optional, Sequence, Union, overload
11
+ if sys.version_info >= (3, 11):
12
+ from typing import NotRequired, TypedDict, TypeAlias
13
+ else:
14
+ from typing_extensions import NotRequired, TypedDict, TypeAlias
10
15
  from .. import _utilities
11
16
 
12
17
  __all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
@@ -19,10 +24,10 @@ class AuthBackendRoleArgs:
19
24
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
20
25
  backend: Optional[pulumi.Input[str]] = None,
21
26
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
22
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
27
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
23
28
  bound_claims_type: Optional[pulumi.Input[str]] = None,
24
29
  bound_subject: Optional[pulumi.Input[str]] = None,
25
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
30
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
26
31
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
27
32
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
28
33
  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -53,10 +58,9 @@ class AuthBackendRoleArgs:
53
58
  Required for OIDC roles
54
59
  :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
55
60
  Defaults to `jwt`.
56
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
57
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
58
- Any match is sufficient.
59
- :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
61
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
62
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
63
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
60
64
  A claim's value must be a string, which may contain one value or multiple
61
65
  comma-separated values, e.g. `"red"` or `"red,green,blue"`.
62
66
  :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -64,14 +68,14 @@ class AuthBackendRoleArgs:
64
68
  match). Requires Vault 1.4.0 or above.
65
69
  :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
66
70
  this value.
67
- :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
71
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
68
72
  to specified metadata fields (values).
69
73
  :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
70
74
  seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
71
75
  Only applicable with "jwt" roles.
72
76
  :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
73
77
  :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
74
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
78
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
75
79
  Only applicable with "jwt" roles.
76
80
  :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
77
81
  the set of groups to which the user belongs; this will be used as the names
@@ -81,40 +85,23 @@ class AuthBackendRoleArgs:
81
85
  the user was actively authenticated with the OIDC provider.
82
86
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
83
87
  The value should not contain leading or trailing forward slashes.
84
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
88
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
85
89
  *Available only for Vault Enterprise*.
86
90
  :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
87
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
91
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
88
92
  Only applicable with "jwt" roles.
89
93
  :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
90
94
  The standard scope "openid" is automatically included and need not be specified.
91
95
  :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
92
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
93
- addresses which can authenticate successfully, and ties the resulting token to these blocks
94
- as well.
95
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
96
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
97
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
98
- `token_max_ttl` would otherwise allow a renewal.
99
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
100
- Its current value will be referenced at renewal time.
101
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
102
- generated tokens; otherwise it will be added to the policies set in token_policies.
103
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
104
- of times a generated token may be used (within its lifetime); 0 means unlimited.
105
- :param pulumi.Input[int] token_period: If set, indicates that the
106
- token generated using this role should never expire. The token should be renewed within the
107
- duration specified by this value. At each renewal, the token's TTL will be set to the
108
- value of this field. Specified in seconds.
109
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
110
- on the auth method, this list may be supplemented by user/group/other values.
111
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
112
- Its current value will be referenced at renewal time.
113
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
114
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
115
- `service` tokens). For token store roles, there are two additional possibilities:
116
- `default-service` and `default-batch` which specify the type to return unless the client
117
- requests a different type at generation time.
96
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
97
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
98
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
99
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
100
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
101
+ :param pulumi.Input[int] token_period: Generated Token's Period
102
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
103
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
104
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
118
105
  :param pulumi.Input[bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
119
106
  [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
120
107
  syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
@@ -236,9 +223,8 @@ class AuthBackendRoleArgs:
236
223
  @pulumi.getter(name="boundAudiences")
237
224
  def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
238
225
  """
239
- (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
240
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
241
- Any match is sufficient.
226
+ (Required for roles of type `jwt`, optional for roles of
227
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
242
228
  """
243
229
  return pulumi.get(self, "bound_audiences")
244
230
 
@@ -248,7 +234,7 @@ class AuthBackendRoleArgs:
248
234
 
249
235
  @property
250
236
  @pulumi.getter(name="boundClaims")
251
- def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
237
+ def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
252
238
  """
253
239
  If set, a map of claims to values to match against.
254
240
  A claim's value must be a string, which may contain one value or multiple
@@ -257,7 +243,7 @@ class AuthBackendRoleArgs:
257
243
  return pulumi.get(self, "bound_claims")
258
244
 
259
245
  @bound_claims.setter
260
- def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
246
+ def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
261
247
  pulumi.set(self, "bound_claims", value)
262
248
 
263
249
  @property
@@ -289,7 +275,7 @@ class AuthBackendRoleArgs:
289
275
 
290
276
  @property
291
277
  @pulumi.getter(name="claimMappings")
292
- def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
278
+ def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
293
279
  """
294
280
  If set, a map of claims (keys) to be copied
295
281
  to specified metadata fields (values).
@@ -297,7 +283,7 @@ class AuthBackendRoleArgs:
297
283
  return pulumi.get(self, "claim_mappings")
298
284
 
299
285
  @claim_mappings.setter
300
- def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
286
+ def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
301
287
  pulumi.set(self, "claim_mappings", value)
302
288
 
303
289
  @property
@@ -331,7 +317,7 @@ class AuthBackendRoleArgs:
331
317
  def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
332
318
  """
333
319
  The amount of leeway to add to expiration (`exp`) claims to account for
334
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
320
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
335
321
  Only applicable with "jwt" roles.
336
322
  """
337
323
  return pulumi.get(self, "expiration_leeway")
@@ -374,7 +360,7 @@ class AuthBackendRoleArgs:
374
360
  """
375
361
  The namespace to provision the resource in.
376
362
  The value should not contain leading or trailing forward slashes.
377
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
363
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
378
364
  *Available only for Vault Enterprise*.
379
365
  """
380
366
  return pulumi.get(self, "namespace")
@@ -388,7 +374,7 @@ class AuthBackendRoleArgs:
388
374
  def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
389
375
  """
390
376
  The amount of leeway to add to not before (`nbf`) claims to account for
391
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
377
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
392
378
  Only applicable with "jwt" roles.
393
379
  """
394
380
  return pulumi.get(self, "not_before_leeway")
@@ -426,9 +412,7 @@ class AuthBackendRoleArgs:
426
412
  @pulumi.getter(name="tokenBoundCidrs")
427
413
  def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
428
414
  """
429
- List of CIDR blocks; if set, specifies blocks of IP
430
- addresses which can authenticate successfully, and ties the resulting token to these blocks
431
- as well.
415
+ Specifies the blocks of IP addresses which are allowed to use the generated token
432
416
  """
433
417
  return pulumi.get(self, "token_bound_cidrs")
434
418
 
@@ -440,10 +424,7 @@ class AuthBackendRoleArgs:
440
424
  @pulumi.getter(name="tokenExplicitMaxTtl")
441
425
  def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
442
426
  """
443
- If set, will encode an
444
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
445
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
446
- `token_max_ttl` would otherwise allow a renewal.
427
+ Generated Token's Explicit Maximum TTL in seconds
447
428
  """
448
429
  return pulumi.get(self, "token_explicit_max_ttl")
449
430
 
@@ -455,8 +436,7 @@ class AuthBackendRoleArgs:
455
436
  @pulumi.getter(name="tokenMaxTtl")
456
437
  def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
457
438
  """
458
- The maximum lifetime for generated tokens in number of seconds.
459
- Its current value will be referenced at renewal time.
439
+ The maximum lifetime of the generated token
460
440
  """
461
441
  return pulumi.get(self, "token_max_ttl")
462
442
 
@@ -468,8 +448,7 @@ class AuthBackendRoleArgs:
468
448
  @pulumi.getter(name="tokenNoDefaultPolicy")
469
449
  def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
470
450
  """
471
- If set, the default policy will not be set on
472
- generated tokens; otherwise it will be added to the policies set in token_policies.
451
+ If true, the 'default' policy will not automatically be added to generated tokens
473
452
  """
474
453
  return pulumi.get(self, "token_no_default_policy")
475
454
 
@@ -481,8 +460,7 @@ class AuthBackendRoleArgs:
481
460
  @pulumi.getter(name="tokenNumUses")
482
461
  def token_num_uses(self) -> Optional[pulumi.Input[int]]:
483
462
  """
484
- The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
485
- of times a generated token may be used (within its lifetime); 0 means unlimited.
463
+ The maximum number of times a token may be used, a value of zero means unlimited
486
464
  """
487
465
  return pulumi.get(self, "token_num_uses")
488
466
 
@@ -494,10 +472,7 @@ class AuthBackendRoleArgs:
494
472
  @pulumi.getter(name="tokenPeriod")
495
473
  def token_period(self) -> Optional[pulumi.Input[int]]:
496
474
  """
497
- If set, indicates that the
498
- token generated using this role should never expire. The token should be renewed within the
499
- duration specified by this value. At each renewal, the token's TTL will be set to the
500
- value of this field. Specified in seconds.
475
+ Generated Token's Period
501
476
  """
502
477
  return pulumi.get(self, "token_period")
503
478
 
@@ -509,8 +484,7 @@ class AuthBackendRoleArgs:
509
484
  @pulumi.getter(name="tokenPolicies")
510
485
  def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
511
486
  """
512
- List of policies to encode onto generated tokens. Depending
513
- on the auth method, this list may be supplemented by user/group/other values.
487
+ Generated Token's Policies
514
488
  """
515
489
  return pulumi.get(self, "token_policies")
516
490
 
@@ -522,8 +496,7 @@ class AuthBackendRoleArgs:
522
496
  @pulumi.getter(name="tokenTtl")
523
497
  def token_ttl(self) -> Optional[pulumi.Input[int]]:
524
498
  """
525
- The incremental lifetime for generated tokens in number of seconds.
526
- Its current value will be referenced at renewal time.
499
+ The initial ttl of the token to generate in seconds
527
500
  """
528
501
  return pulumi.get(self, "token_ttl")
529
502
 
@@ -535,11 +508,7 @@ class AuthBackendRoleArgs:
535
508
  @pulumi.getter(name="tokenType")
536
509
  def token_type(self) -> Optional[pulumi.Input[str]]:
537
510
  """
538
- The type of token that should be generated. Can be `service`,
539
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
540
- `service` tokens). For token store roles, there are two additional possibilities:
541
- `default-service` and `default-batch` which specify the type to return unless the client
542
- requests a different type at generation time.
511
+ The type of token to generate, service or batch
543
512
  """
544
513
  return pulumi.get(self, "token_type")
545
514
 
@@ -583,10 +552,10 @@ class _AuthBackendRoleState:
583
552
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
584
553
  backend: Optional[pulumi.Input[str]] = None,
585
554
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
586
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
555
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
587
556
  bound_claims_type: Optional[pulumi.Input[str]] = None,
588
557
  bound_subject: Optional[pulumi.Input[str]] = None,
589
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
558
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
590
559
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
591
560
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
592
561
  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -615,10 +584,9 @@ class _AuthBackendRoleState:
615
584
  Required for OIDC roles
616
585
  :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
617
586
  Defaults to `jwt`.
618
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
619
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
620
- Any match is sufficient.
621
- :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
587
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
588
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
589
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
622
590
  A claim's value must be a string, which may contain one value or multiple
623
591
  comma-separated values, e.g. `"red"` or `"red,green,blue"`.
624
592
  :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -626,14 +594,14 @@ class _AuthBackendRoleState:
626
594
  match). Requires Vault 1.4.0 or above.
627
595
  :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
628
596
  this value.
629
- :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
597
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
630
598
  to specified metadata fields (values).
631
599
  :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
632
600
  seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
633
601
  Only applicable with "jwt" roles.
634
602
  :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
635
603
  :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
636
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
604
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
637
605
  Only applicable with "jwt" roles.
638
606
  :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
639
607
  the set of groups to which the user belongs; this will be used as the names
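Review bot: The `expiration_leeway` text now gives `150` seconds as the value used when the field is `0`, while `clock_skew_leeway` a few lines above still says `60`, so the docstring names two different tolerances for an unconfigured role. If both numbers are right, a sentence such as `With the default, an exp claim up to 150 seconds in the past is still accepted; set -1 to disable the leeway.` would make the consequence explicit. Whether the effective default changed or only its documentation was corrected cannot be told from this diff. The same `60` to `150` edit is made for `not_before_leeway` and repeated in the getter and `AuthBackendRole` docstring hunks further down.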
@@ -643,41 +611,24 @@ class _AuthBackendRoleState:
643
611
  the user was actively authenticated with the OIDC provider.
644
612
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
645
613
  The value should not contain leading or trailing forward slashes.
646
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
614
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
647
615
  *Available only for Vault Enterprise*.
648
616
  :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
649
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
617
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
650
618
  Only applicable with "jwt" roles.
651
619
  :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
652
620
  The standard scope "openid" is automatically included and need not be specified.
653
621
  :param pulumi.Input[str] role_name: The name of the role.
654
622
  :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
655
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
656
- addresses which can authenticate successfully, and ties the resulting token to these blocks
657
- as well.
658
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
659
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
660
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
661
- `token_max_ttl` would otherwise allow a renewal.
662
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
663
- Its current value will be referenced at renewal time.
664
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
665
- generated tokens; otherwise it will be added to the policies set in token_policies.
666
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
667
- of times a generated token may be used (within its lifetime); 0 means unlimited.
668
- :param pulumi.Input[int] token_period: If set, indicates that the
669
- token generated using this role should never expire. The token should be renewed within the
670
- duration specified by this value. At each renewal, the token's TTL will be set to the
671
- value of this field. Specified in seconds.
672
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
673
- on the auth method, this list may be supplemented by user/group/other values.
674
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
675
- Its current value will be referenced at renewal time.
676
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
677
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
678
- `service` tokens). For token store roles, there are two additional possibilities:
679
- `default-service` and `default-batch` which specify the type to return unless the client
680
- requests a different type at generation time.
623
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
624
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
625
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
626
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
627
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
628
+ :param pulumi.Input[int] token_period: Generated Token's Period
629
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
630
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
631
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
681
632
  :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
682
633
  the user; this will be used as the name for the Identity entity alias created
683
634
  due to a successful login.
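Review bot: The shortened `token_*` descriptions drop information that the removed text carried. `token_period` and `token_max_ttl` no longer state a unit, `token_type` names only service or batch where the old text also listed `default`, `default-service` and `default-batch`, and `token_bound_cidrs` no longer says the blocks also limit which addresses can authenticate. Since these fields decide token lifetime and reach, I would restore at least the units, e.g. `Generated Token's Period, in seconds` and `The maximum lifetime of the generated token, in seconds`. Whether the accepted `token_type` values actually changed is not visible here. The same replacements recur in the per-property getter hunks and in the `AuthBackendRole` docstring hunks below.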
@@ -778,9 +729,8 @@ class _AuthBackendRoleState:
778
729
  @pulumi.getter(name="boundAudiences")
779
730
  def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
780
731
  """
781
- (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
782
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
783
- Any match is sufficient.
732
+ (Required for roles of type `jwt`, optional for roles of
733
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
784
734
  """
785
735
  return pulumi.get(self, "bound_audiences")
786
736
 
@@ -790,7 +740,7 @@ class _AuthBackendRoleState:
790
740
 
791
741
  @property
792
742
  @pulumi.getter(name="boundClaims")
793
- def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
743
+ def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
794
744
  """
795
745
  If set, a map of claims to values to match against.
796
746
  A claim's value must be a string, which may contain one value or multiple
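Review bot: The `bound_claims` docstring in this getter lacks a pointer to `disable_bound_claims_parsing`, which matters more now that the annotation only admits string values. It explains that one string may hold several comma-separated values, so an expected value that itself contains a comma would presumably be read as several alternatives. The `disable_bound_claims_parsing` parameter, documented elsewhere in this file as "Useful when values contain commas", covers that case. I would add `Set disable_bound_claims_parsing if a value itself contains a comma.` to the docstring, which continues past the end of this hunk.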
@@ -799,7 +749,7 @@ class _AuthBackendRoleState:
799
749
  return pulumi.get(self, "bound_claims")
800
750
 
801
751
  @bound_claims.setter
802
- def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
752
+ def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
803
753
  pulumi.set(self, "bound_claims", value)
804
754
 
805
755
  @property
@@ -831,7 +781,7 @@ class _AuthBackendRoleState:
831
781
 
832
782
  @property
833
783
  @pulumi.getter(name="claimMappings")
834
- def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, Any]]]:
784
+ def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]:
835
785
  """
836
786
  If set, a map of claims (keys) to be copied
837
787
  to specified metadata fields (values).
@@ -839,7 +789,7 @@ class _AuthBackendRoleState:
839
789
  return pulumi.get(self, "claim_mappings")
840
790
 
841
791
  @claim_mappings.setter
842
- def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, Any]]]):
792
+ def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]]):
843
793
  pulumi.set(self, "claim_mappings", value)
844
794
 
845
795
  @property
@@ -873,7 +823,7 @@ class _AuthBackendRoleState:
873
823
  def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
874
824
  """
875
825
  The amount of leeway to add to expiration (`exp`) claims to account for
876
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
826
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
877
827
  Only applicable with "jwt" roles.
878
828
  """
879
829
  return pulumi.get(self, "expiration_leeway")
@@ -916,7 +866,7 @@ class _AuthBackendRoleState:
916
866
  """
917
867
  The namespace to provision the resource in.
918
868
  The value should not contain leading or trailing forward slashes.
919
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
869
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
920
870
  *Available only for Vault Enterprise*.
921
871
  """
922
872
  return pulumi.get(self, "namespace")
@@ -930,7 +880,7 @@ class _AuthBackendRoleState:
930
880
  def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
931
881
  """
932
882
  The amount of leeway to add to not before (`nbf`) claims to account for
933
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
883
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
934
884
  Only applicable with "jwt" roles.
935
885
  """
936
886
  return pulumi.get(self, "not_before_leeway")
@@ -980,9 +930,7 @@ class _AuthBackendRoleState:
980
930
  @pulumi.getter(name="tokenBoundCidrs")
981
931
  def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
982
932
  """
983
- List of CIDR blocks; if set, specifies blocks of IP
984
- addresses which can authenticate successfully, and ties the resulting token to these blocks
985
- as well.
933
+ Specifies the blocks of IP addresses which are allowed to use the generated token
986
934
  """
987
935
  return pulumi.get(self, "token_bound_cidrs")
988
936
 
@@ -994,10 +942,7 @@ class _AuthBackendRoleState:
994
942
  @pulumi.getter(name="tokenExplicitMaxTtl")
995
943
  def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
996
944
  """
997
- If set, will encode an
998
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
999
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1000
- `token_max_ttl` would otherwise allow a renewal.
945
+ Generated Token's Explicit Maximum TTL in seconds
1001
946
  """
1002
947
  return pulumi.get(self, "token_explicit_max_ttl")
1003
948
 
@@ -1009,8 +954,7 @@ class _AuthBackendRoleState:
1009
954
  @pulumi.getter(name="tokenMaxTtl")
1010
955
  def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
1011
956
  """
1012
- The maximum lifetime for generated tokens in number of seconds.
1013
- Its current value will be referenced at renewal time.
957
+ The maximum lifetime of the generated token
1014
958
  """
1015
959
  return pulumi.get(self, "token_max_ttl")
1016
960
 
@@ -1022,8 +966,7 @@ class _AuthBackendRoleState:
1022
966
  @pulumi.getter(name="tokenNoDefaultPolicy")
1023
967
  def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
1024
968
  """
1025
- If set, the default policy will not be set on
1026
- generated tokens; otherwise it will be added to the policies set in token_policies.
969
+ If true, the 'default' policy will not automatically be added to generated tokens
1027
970
  """
1028
971
  return pulumi.get(self, "token_no_default_policy")
1029
972
 
@@ -1035,8 +978,7 @@ class _AuthBackendRoleState:
1035
978
  @pulumi.getter(name="tokenNumUses")
1036
979
  def token_num_uses(self) -> Optional[pulumi.Input[int]]:
1037
980
  """
1038
- The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
1039
- of times a generated token may be used (within its lifetime); 0 means unlimited.
981
+ The maximum number of times a token may be used, a value of zero means unlimited
1040
982
  """
1041
983
  return pulumi.get(self, "token_num_uses")
1042
984
 
@@ -1048,10 +990,7 @@ class _AuthBackendRoleState:
1048
990
  @pulumi.getter(name="tokenPeriod")
1049
991
  def token_period(self) -> Optional[pulumi.Input[int]]:
1050
992
  """
1051
- If set, indicates that the
1052
- token generated using this role should never expire. The token should be renewed within the
1053
- duration specified by this value. At each renewal, the token's TTL will be set to the
1054
- value of this field. Specified in seconds.
993
+ Generated Token's Period
1055
994
  """
1056
995
  return pulumi.get(self, "token_period")
1057
996
 
@@ -1063,8 +1002,7 @@ class _AuthBackendRoleState:
1063
1002
  @pulumi.getter(name="tokenPolicies")
1064
1003
  def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
1065
1004
  """
1066
- List of policies to encode onto generated tokens. Depending
1067
- on the auth method, this list may be supplemented by user/group/other values.
1005
+ Generated Token's Policies
1068
1006
  """
1069
1007
  return pulumi.get(self, "token_policies")
1070
1008
 
@@ -1076,8 +1014,7 @@ class _AuthBackendRoleState:
1076
1014
  @pulumi.getter(name="tokenTtl")
1077
1015
  def token_ttl(self) -> Optional[pulumi.Input[int]]:
1078
1016
  """
1079
- The incremental lifetime for generated tokens in number of seconds.
1080
- Its current value will be referenced at renewal time.
1017
+ The initial ttl of the token to generate in seconds
1081
1018
  """
1082
1019
  return pulumi.get(self, "token_ttl")
1083
1020
 
@@ -1089,11 +1026,7 @@ class _AuthBackendRoleState:
1089
1026
  @pulumi.getter(name="tokenType")
1090
1027
  def token_type(self) -> Optional[pulumi.Input[str]]:
1091
1028
  """
1092
- The type of token that should be generated. Can be `service`,
1093
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1094
- `service` tokens). For token store roles, there are two additional possibilities:
1095
- `default-service` and `default-batch` which specify the type to return unless the client
1096
- requests a different type at generation time.
1029
+ The type of token to generate, service or batch
1097
1030
  """
1098
1031
  return pulumi.get(self, "token_type")
1099
1032
 
@@ -1153,10 +1086,10 @@ class AuthBackendRole(pulumi.CustomResource):
1153
1086
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1154
1087
  backend: Optional[pulumi.Input[str]] = None,
1155
1088
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1156
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1089
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1157
1090
  bound_claims_type: Optional[pulumi.Input[str]] = None,
1158
1091
  bound_subject: Optional[pulumi.Input[str]] = None,
1159
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1092
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1160
1093
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
1161
1094
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
1162
1095
  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -1189,7 +1122,6 @@ class AuthBackendRole(pulumi.CustomResource):
1189
1122
 
1190
1123
  Role for JWT backend:
1191
1124
 
1192
- <!--Start PulumiCodeChooser -->
1193
1125
  ```python
1194
1126
  import pulumi
1195
1127
  import pulumi_vault as vault
@@ -1210,11 +1142,9 @@ class AuthBackendRole(pulumi.CustomResource):
1210
1142
  user_claim="https://vault/user",
1211
1143
  role_type="jwt")
1212
1144
  ```
1213
- <!--End PulumiCodeChooser -->
1214
1145
 
1215
1146
  Role for OIDC backend:
1216
1147
 
1217
- <!--Start PulumiCodeChooser -->
1218
1148
  ```python
1219
1149
  import pulumi
1220
1150
  import pulumi_vault as vault
@@ -1234,7 +1164,6 @@ class AuthBackendRole(pulumi.CustomResource):
1234
1164
  role_type="oidc",
1235
1165
  allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])
1236
1166
  ```
1237
- <!--End PulumiCodeChooser -->
1238
1167
 
1239
1168
  ## Import
1240
1169
 
@@ -1250,10 +1179,9 @@ class AuthBackendRole(pulumi.CustomResource):
1250
1179
  Required for OIDC roles
1251
1180
  :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
1252
1181
  Defaults to `jwt`.
1253
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
1254
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
1255
- Any match is sufficient.
1256
- :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
1182
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
1183
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
1184
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
1257
1185
  A claim's value must be a string, which may contain one value or multiple
1258
1186
  comma-separated values, e.g. `"red"` or `"red,green,blue"`.
1259
1187
  :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -1261,14 +1189,14 @@ class AuthBackendRole(pulumi.CustomResource):
1261
1189
  match). Requires Vault 1.4.0 or above.
1262
1190
  :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
1263
1191
  this value.
1264
- :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
1192
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
1265
1193
  to specified metadata fields (values).
1266
1194
  :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
1267
1195
  seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1268
1196
  Only applicable with "jwt" roles.
1269
1197
  :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
1270
1198
  :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
1271
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1199
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1272
1200
  Only applicable with "jwt" roles.
1273
1201
  :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
1274
1202
  the set of groups to which the user belongs; this will be used as the names
@@ -1278,41 +1206,24 @@ class AuthBackendRole(pulumi.CustomResource):
1278
1206
  the user was actively authenticated with the OIDC provider.
1279
1207
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
1280
1208
  The value should not contain leading or trailing forward slashes.
1281
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1209
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1282
1210
  *Available only for Vault Enterprise*.
1283
1211
  :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
1284
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1212
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1285
1213
  Only applicable with "jwt" roles.
1286
1214
  :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
1287
1215
  The standard scope "openid" is automatically included and need not be specified.
1288
1216
  :param pulumi.Input[str] role_name: The name of the role.
1289
1217
  :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
1290
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
1291
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1292
- as well.
1293
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
1294
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1295
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1296
- `token_max_ttl` would otherwise allow a renewal.
1297
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
1298
- Its current value will be referenced at renewal time.
1299
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
1300
- generated tokens; otherwise it will be added to the policies set in token_policies.
1301
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
1302
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1303
- :param pulumi.Input[int] token_period: If set, indicates that the
1304
- token generated using this role should never expire. The token should be renewed within the
1305
- duration specified by this value. At each renewal, the token's TTL will be set to the
1306
- value of this field. Specified in seconds.
1307
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
1308
- on the auth method, this list may be supplemented by user/group/other values.
1309
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
1310
- Its current value will be referenced at renewal time.
1311
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
1312
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1313
- `service` tokens). For token store roles, there are two additional possibilities:
1314
- `default-service` and `default-batch` which specify the type to return unless the client
1315
- requests a different type at generation time.
1218
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
1219
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
1220
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
1221
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
1222
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
1223
+ :param pulumi.Input[int] token_period: Generated Token's Period
1224
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
1225
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
1226
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
1316
1227
  :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
1317
1228
  the user; this will be used as the name for the Identity entity alias created
1318
1229
  due to a successful login.
@@ -1339,7 +1250,6 @@ class AuthBackendRole(pulumi.CustomResource):
1339
1250
 
1340
1251
  Role for JWT backend:
1341
1252
 
1342
- <!--Start PulumiCodeChooser -->
1343
1253
  ```python
1344
1254
  import pulumi
1345
1255
  import pulumi_vault as vault
@@ -1360,11 +1270,9 @@ class AuthBackendRole(pulumi.CustomResource):
1360
1270
  user_claim="https://vault/user",
1361
1271
  role_type="jwt")
1362
1272
  ```
1363
- <!--End PulumiCodeChooser -->
1364
1273
 
1365
1274
  Role for OIDC backend:
1366
1275
 
1367
- <!--Start PulumiCodeChooser -->
1368
1276
  ```python
1369
1277
  import pulumi
1370
1278
  import pulumi_vault as vault
@@ -1384,7 +1292,6 @@ class AuthBackendRole(pulumi.CustomResource):
1384
1292
  role_type="oidc",
1385
1293
  allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])
1386
1294
  ```
1387
- <!--End PulumiCodeChooser -->
1388
1295
 
1389
1296
  ## Import
1390
1297
 
@@ -1412,10 +1319,10 @@ class AuthBackendRole(pulumi.CustomResource):
1412
1319
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1413
1320
  backend: Optional[pulumi.Input[str]] = None,
1414
1321
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1415
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1322
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1416
1323
  bound_claims_type: Optional[pulumi.Input[str]] = None,
1417
1324
  bound_subject: Optional[pulumi.Input[str]] = None,
1418
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1325
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1419
1326
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
1420
1327
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
1421
1328
  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -1493,10 +1400,10 @@ class AuthBackendRole(pulumi.CustomResource):
1493
1400
  allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1494
1401
  backend: Optional[pulumi.Input[str]] = None,
1495
1402
  bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
1496
- bound_claims: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1403
+ bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1497
1404
  bound_claims_type: Optional[pulumi.Input[str]] = None,
1498
1405
  bound_subject: Optional[pulumi.Input[str]] = None,
1499
- claim_mappings: Optional[pulumi.Input[Mapping[str, Any]]] = None,
1406
+ claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
1500
1407
  clock_skew_leeway: Optional[pulumi.Input[int]] = None,
1501
1408
  disable_bound_claims_parsing: Optional[pulumi.Input[bool]] = None,
1502
1409
  expiration_leeway: Optional[pulumi.Input[int]] = None,
@@ -1530,10 +1437,9 @@ class AuthBackendRole(pulumi.CustomResource):
1530
1437
  Required for OIDC roles
1531
1438
  :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
1532
1439
  Defaults to `jwt`.
1533
- :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
1534
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
1535
- Any match is sufficient.
1536
- :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
1440
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
1441
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
1442
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] bound_claims: If set, a map of claims to values to match against.
1537
1443
  A claim's value must be a string, which may contain one value or multiple
1538
1444
  comma-separated values, e.g. `"red"` or `"red,green,blue"`.
1539
1445
  :param pulumi.Input[str] bound_claims_type: How to interpret values in the claims/values
@@ -1541,14 +1447,14 @@ class AuthBackendRole(pulumi.CustomResource):
1541
1447
  match). Requires Vault 1.4.0 or above.
1542
1448
  :param pulumi.Input[str] bound_subject: If set, requires that the `sub` claim matches
1543
1449
  this value.
1544
- :param pulumi.Input[Mapping[str, Any]] claim_mappings: If set, a map of claims (keys) to be copied
1450
+ :param pulumi.Input[Mapping[str, pulumi.Input[str]]] claim_mappings: If set, a map of claims (keys) to be copied
1545
1451
  to specified metadata fields (values).
1546
1452
  :param pulumi.Input[int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
1547
1453
  seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1548
1454
  Only applicable with "jwt" roles.
1549
1455
  :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
1550
1456
  :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
1551
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1457
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1552
1458
  Only applicable with "jwt" roles.
1553
1459
  :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
1554
1460
  the set of groups to which the user belongs; this will be used as the names
@@ -1558,41 +1464,24 @@ class AuthBackendRole(pulumi.CustomResource):
1558
1464
  the user was actively authenticated with the OIDC provider.
1559
1465
  :param pulumi.Input[str] namespace: The namespace to provision the resource in.
1560
1466
  The value should not contain leading or trailing forward slashes.
1561
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1467
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1562
1468
  *Available only for Vault Enterprise*.
1563
1469
  :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
1564
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1470
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1565
1471
  Only applicable with "jwt" roles.
1566
1472
  :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
1567
1473
  The standard scope "openid" is automatically included and need not be specified.
1568
1474
  :param pulumi.Input[str] role_name: The name of the role.
1569
1475
  :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
1570
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
1571
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1572
- as well.
1573
- :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
1574
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1575
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1576
- `token_max_ttl` would otherwise allow a renewal.
1577
- :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
1578
- Its current value will be referenced at renewal time.
1579
- :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
1580
- generated tokens; otherwise it will be added to the policies set in token_policies.
1581
- :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
1582
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1583
- :param pulumi.Input[int] token_period: If set, indicates that the
1584
- token generated using this role should never expire. The token should be renewed within the
1585
- duration specified by this value. At each renewal, the token's TTL will be set to the
1586
- value of this field. Specified in seconds.
1587
- :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
1588
- on the auth method, this list may be supplemented by user/group/other values.
1589
- :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
1590
- Its current value will be referenced at renewal time.
1591
- :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
1592
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1593
- `service` tokens). For token store roles, there are two additional possibilities:
1594
- `default-service` and `default-batch` which specify the type to return unless the client
1595
- requests a different type at generation time.
1476
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
1477
+ :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
1478
+ :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
1479
+ :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
1480
+ :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
1481
+ :param pulumi.Input[int] token_period: Generated Token's Period
1482
+ :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
1483
+ :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
1484
+ :param pulumi.Input[str] token_type: The type of token to generate, service or batch
1596
1485
  :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
1597
1486
  the user; this will be used as the name for the Identity entity alias created
1598
1487
  due to a successful login.
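Review bot: The shortened `token_*` parameter descriptions drop details a role author needs to reason about token lifetime: `token_period` no longer says that a periodic token does not expire as long as it is renewed, `token_max_ttl` and `token_period` lose their unit, and `token_explicit_max_ttl` no longer states that it is a hard cap over `token_ttl` and `token_max_ttl`. `token_bound_cidrs` also changes meaning on paper, from restricting which addresses may authenticate and binding the token to them, to only restricting which addresses may use the token. If the behaviour is unchanged, keep at least `Generated Token's Period in seconds; a periodic token does not expire while it is renewed within this period.` and `The maximum lifetime of the generated token, in seconds`. The getter docstrings in the later hunks (`token_bound_cidrs` through `token_type`) carry the same shortened text. The docstring itself starts and ends outside this hunk.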
@@ -1661,15 +1550,14 @@ class AuthBackendRole(pulumi.CustomResource):
1661
1550
  @pulumi.getter(name="boundAudiences")
1662
1551
  def bound_audiences(self) -> pulumi.Output[Optional[Sequence[str]]]:
1663
1552
  """
1664
- (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
1665
- or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
1666
- Any match is sufficient.
1553
+ (Required for roles of type `jwt`, optional for roles of
1554
+ type `oidc`) List of `aud` claims to match against. Any match is sufficient.
1667
1555
  """
1668
1556
  return pulumi.get(self, "bound_audiences")
1669
1557
 
1670
1558
  @property
1671
1559
  @pulumi.getter(name="boundClaims")
1672
- def bound_claims(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
1560
+ def bound_claims(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
1673
1561
  """
1674
1562
  If set, a map of claims to values to match against.
1675
1563
  A claim's value must be a string, which may contain one value or multiple
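Review bot: The `bound_claims` getter now returns `Mapping[str, str]`, so a claim with several allowed values has to be written as one comma-separated string, and the docstring does not warn that a value which itself contains a comma would presumably be read as several accepted values. Add a pointer to the existing switch after the comma-separated example, e.g. `Set disable_bound_claims_parsing when a value contains a literal comma.` Any caller that passed a list under the old `Mapping[str, Any]` annotation would need to join it the same way. The docstring continues past the end of this hunk.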
@@ -1698,7 +1586,7 @@ class AuthBackendRole(pulumi.CustomResource):
1698
1586
 
1699
1587
  @property
1700
1588
  @pulumi.getter(name="claimMappings")
1701
- def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str, Any]]]:
1589
+ def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str, str]]]:
1702
1590
  """
1703
1591
  If set, a map of claims (keys) to be copied
1704
1592
  to specified metadata fields (values).
@@ -1728,7 +1616,7 @@ class AuthBackendRole(pulumi.CustomResource):
1728
1616
  def expiration_leeway(self) -> pulumi.Output[Optional[int]]:
1729
1617
  """
1730
1618
  The amount of leeway to add to expiration (`exp`) claims to account for
1731
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1619
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1732
1620
  Only applicable with "jwt" roles.
1733
1621
  """
1734
1622
  return pulumi.get(self, "expiration_leeway")
@@ -1759,7 +1647,7 @@ class AuthBackendRole(pulumi.CustomResource):
1759
1647
  """
1760
1648
  The namespace to provision the resource in.
1761
1649
  The value should not contain leading or trailing forward slashes.
1762
- The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
1650
+ The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
1763
1651
  *Available only for Vault Enterprise*.
1764
1652
  """
1765
1653
  return pulumi.get(self, "namespace")
@@ -1769,7 +1657,7 @@ class AuthBackendRole(pulumi.CustomResource):
1769
1657
  def not_before_leeway(self) -> pulumi.Output[Optional[int]]:
1770
1658
  """
1771
1659
  The amount of leeway to add to not before (`nbf`) claims to account for
1772
- clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
1660
+ clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
1773
1661
  Only applicable with "jwt" roles.
1774
1662
  """
1775
1663
  return pulumi.get(self, "not_before_leeway")
@@ -1803,9 +1691,7 @@ class AuthBackendRole(pulumi.CustomResource):
1803
1691
  @pulumi.getter(name="tokenBoundCidrs")
1804
1692
  def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
1805
1693
  """
1806
- List of CIDR blocks; if set, specifies blocks of IP
1807
- addresses which can authenticate successfully, and ties the resulting token to these blocks
1808
- as well.
1694
+ Specifies the blocks of IP addresses which are allowed to use the generated token
1809
1695
  """
1810
1696
  return pulumi.get(self, "token_bound_cidrs")
1811
1697
 
@@ -1813,10 +1699,7 @@ class AuthBackendRole(pulumi.CustomResource):
1813
1699
  @pulumi.getter(name="tokenExplicitMaxTtl")
1814
1700
  def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
1815
1701
  """
1816
- If set, will encode an
1817
- [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
1818
- onto the token in number of seconds. This is a hard cap even if `token_ttl` and
1819
- `token_max_ttl` would otherwise allow a renewal.
1702
+ Generated Token's Explicit Maximum TTL in seconds
1820
1703
  """
1821
1704
  return pulumi.get(self, "token_explicit_max_ttl")
1822
1705
 
@@ -1824,8 +1707,7 @@ class AuthBackendRole(pulumi.CustomResource):
1824
1707
  @pulumi.getter(name="tokenMaxTtl")
1825
1708
  def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
1826
1709
  """
1827
- The maximum lifetime for generated tokens in number of seconds.
1828
- Its current value will be referenced at renewal time.
1710
+ The maximum lifetime of the generated token
1829
1711
  """
1830
1712
  return pulumi.get(self, "token_max_ttl")
1831
1713
 
@@ -1833,8 +1715,7 @@ class AuthBackendRole(pulumi.CustomResource):
1833
1715
  @pulumi.getter(name="tokenNoDefaultPolicy")
1834
1716
  def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
1835
1717
  """
1836
- If set, the default policy will not be set on
1837
- generated tokens; otherwise it will be added to the policies set in token_policies.
1718
+ If true, the 'default' policy will not automatically be added to generated tokens
1838
1719
  """
1839
1720
  return pulumi.get(self, "token_no_default_policy")
1840
1721
 
@@ -1842,8 +1723,7 @@ class AuthBackendRole(pulumi.CustomResource):
1842
1723
  @pulumi.getter(name="tokenNumUses")
1843
1724
  def token_num_uses(self) -> pulumi.Output[Optional[int]]:
1844
1725
  """
1845
- The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
1846
- of times a generated token may be used (within its lifetime); 0 means unlimited.
1726
+ The maximum number of times a token may be used, a value of zero means unlimited
1847
1727
  """
1848
1728
  return pulumi.get(self, "token_num_uses")
1849
1729
 
@@ -1851,10 +1731,7 @@ class AuthBackendRole(pulumi.CustomResource):
1851
1731
  @pulumi.getter(name="tokenPeriod")
1852
1732
  def token_period(self) -> pulumi.Output[Optional[int]]:
1853
1733
  """
1854
- If set, indicates that the
1855
- token generated using this role should never expire. The token should be renewed within the
1856
- duration specified by this value. At each renewal, the token's TTL will be set to the
1857
- value of this field. Specified in seconds.
1734
+ Generated Token's Period
1858
1735
  """
1859
1736
  return pulumi.get(self, "token_period")
1860
1737
 
@@ -1862,8 +1739,7 @@ class AuthBackendRole(pulumi.CustomResource):
1862
1739
  @pulumi.getter(name="tokenPolicies")
1863
1740
  def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
1864
1741
  """
1865
- List of policies to encode onto generated tokens. Depending
1866
- on the auth method, this list may be supplemented by user/group/other values.
1742
+ Generated Token's Policies
1867
1743
  """
1868
1744
  return pulumi.get(self, "token_policies")
1869
1745
 
@@ -1871,8 +1747,7 @@ class AuthBackendRole(pulumi.CustomResource):
1871
1747
  @pulumi.getter(name="tokenTtl")
1872
1748
  def token_ttl(self) -> pulumi.Output[Optional[int]]:
1873
1749
  """
1874
- The incremental lifetime for generated tokens in number of seconds.
1875
- Its current value will be referenced at renewal time.
1750
+ The initial ttl of the token to generate in seconds
1876
1751
  """
1877
1752
  return pulumi.get(self, "token_ttl")
1878
1753
 
@@ -1880,11 +1755,7 @@ class AuthBackendRole(pulumi.CustomResource):
1880
1755
  @pulumi.getter(name="tokenType")
1881
1756
  def token_type(self) -> pulumi.Output[Optional[str]]:
1882
1757
  """
1883
- The type of token that should be generated. Can be `service`,
1884
- `batch`, or `default` to use the mount's tuned default (which unless changed will be
1885
- `service` tokens). For token store roles, there are two additional possibilities:
1886
- `default-service` and `default-batch` which specify the type to return unless the client
1887
- requests a different type at generation time.
1758
+ The type of token to generate, service or batch
1888
1759
  """
1889
1760
  return pulumi.get(self, "token_type")
1890
1761