pulumi-vault 5.21.0a1710160723__py3-none-any.whl → 6.5.0a1736850018__py3-none-any.whl
- pulumi_vault/__init__.py +52 -0
- pulumi_vault/_inputs.py +560 -0
- pulumi_vault/_utilities.py +41 -5
- pulumi_vault/ad/get_access_credentials.py +22 -7
- pulumi_vault/ad/secret_backend.py +14 -144
- pulumi_vault/ad/secret_library.py +14 -11
- pulumi_vault/ad/secret_role.py +12 -11
- pulumi_vault/alicloud/auth_backend_role.py +74 -192
- pulumi_vault/approle/auth_backend_login.py +12 -11
- pulumi_vault/approle/auth_backend_role.py +75 -193
- pulumi_vault/approle/auth_backend_role_secret_id.py +106 -11
- pulumi_vault/approle/get_auth_backend_role_id.py +18 -9
- pulumi_vault/audit.py +24 -27
- pulumi_vault/audit_request_header.py +11 -6
- pulumi_vault/auth_backend.py +64 -12
- pulumi_vault/aws/auth_backend_cert.py +12 -7
- pulumi_vault/aws/auth_backend_client.py +265 -24
- pulumi_vault/aws/auth_backend_config_identity.py +12 -11
- pulumi_vault/aws/auth_backend_identity_whitelist.py +18 -17
- pulumi_vault/aws/auth_backend_login.py +19 -22
- pulumi_vault/aws/auth_backend_role.py +75 -193
- pulumi_vault/aws/auth_backend_role_tag.py +12 -7
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +18 -17
- pulumi_vault/aws/auth_backend_sts_role.py +12 -11
- pulumi_vault/aws/get_access_credentials.py +34 -7
- pulumi_vault/aws/get_static_access_credentials.py +19 -5
- pulumi_vault/aws/secret_backend.py +75 -7
- pulumi_vault/aws/secret_backend_role.py +183 -11
- pulumi_vault/aws/secret_backend_static_role.py +14 -11
- pulumi_vault/azure/_inputs.py +24 -0
- pulumi_vault/azure/auth_backend_config.py +151 -17
- pulumi_vault/azure/auth_backend_role.py +75 -193
- pulumi_vault/azure/backend.py +223 -29
- pulumi_vault/azure/backend_role.py +42 -41
- pulumi_vault/azure/get_access_credentials.py +39 -11
- pulumi_vault/azure/outputs.py +5 -0
- pulumi_vault/cert_auth_backend_role.py +87 -271
- pulumi_vault/config/__init__.pyi +5 -0
- pulumi_vault/config/_inputs.py +73 -0
- pulumi_vault/config/outputs.py +35 -0
- pulumi_vault/config/ui_custom_message.py +529 -0
- pulumi_vault/config/vars.py +5 -0
- pulumi_vault/consul/secret_backend.py +22 -25
- pulumi_vault/consul/secret_backend_role.py +14 -80
- pulumi_vault/database/_inputs.py +2770 -881
- pulumi_vault/database/outputs.py +721 -838
- pulumi_vault/database/secret_backend_connection.py +117 -114
- pulumi_vault/database/secret_backend_role.py +29 -24
- pulumi_vault/database/secret_backend_static_role.py +85 -15
- pulumi_vault/database/secrets_mount.py +425 -138
- pulumi_vault/egp_policy.py +16 -15
- pulumi_vault/gcp/_inputs.py +111 -0
- pulumi_vault/gcp/auth_backend.py +248 -35
- pulumi_vault/gcp/auth_backend_role.py +75 -271
- pulumi_vault/gcp/get_auth_backend_role.py +43 -9
- pulumi_vault/gcp/outputs.py +5 -0
- pulumi_vault/gcp/secret_backend.py +287 -16
- pulumi_vault/gcp/secret_impersonated_account.py +74 -17
- pulumi_vault/gcp/secret_roleset.py +29 -26
- pulumi_vault/gcp/secret_static_account.py +37 -34
- pulumi_vault/generic/endpoint.py +22 -21
- pulumi_vault/generic/get_secret.py +68 -12
- pulumi_vault/generic/secret.py +19 -14
- pulumi_vault/get_auth_backend.py +24 -11
- pulumi_vault/get_auth_backends.py +33 -11
- pulumi_vault/get_namespace.py +226 -0
- pulumi_vault/get_namespaces.py +153 -0
- pulumi_vault/get_nomad_access_token.py +31 -15
- pulumi_vault/get_policy_document.py +34 -23
- pulumi_vault/get_raft_autopilot_state.py +29 -14
- pulumi_vault/github/_inputs.py +55 -0
- pulumi_vault/github/auth_backend.py +17 -16
- pulumi_vault/github/outputs.py +5 -0
- pulumi_vault/github/team.py +14 -13
- pulumi_vault/github/user.py +14 -13
- pulumi_vault/identity/entity.py +18 -15
- pulumi_vault/identity/entity_alias.py +18 -15
- pulumi_vault/identity/entity_policies.py +24 -19
- pulumi_vault/identity/get_entity.py +40 -14
- pulumi_vault/identity/get_group.py +45 -13
- pulumi_vault/identity/get_oidc_client_creds.py +21 -11
- pulumi_vault/identity/get_oidc_openid_config.py +39 -13
- pulumi_vault/identity/get_oidc_public_keys.py +29 -14
- pulumi_vault/identity/group.py +50 -49
- pulumi_vault/identity/group_alias.py +14 -11
- pulumi_vault/identity/group_member_entity_ids.py +24 -74
- pulumi_vault/identity/group_member_group_ids.py +36 -27
- pulumi_vault/identity/group_policies.py +16 -15
- pulumi_vault/identity/mfa_duo.py +9 -8
- pulumi_vault/identity/mfa_login_enforcement.py +13 -8
- pulumi_vault/identity/mfa_okta.py +9 -8
- pulumi_vault/identity/mfa_pingid.py +5 -4
- pulumi_vault/identity/mfa_totp.py +5 -4
- pulumi_vault/identity/oidc.py +12 -11
- pulumi_vault/identity/oidc_assignment.py +22 -13
- pulumi_vault/identity/oidc_client.py +34 -25
- pulumi_vault/identity/oidc_key.py +28 -19
- pulumi_vault/identity/oidc_key_allowed_client_id.py +28 -19
- pulumi_vault/identity/oidc_provider.py +34 -23
- pulumi_vault/identity/oidc_role.py +40 -27
- pulumi_vault/identity/oidc_scope.py +18 -15
- pulumi_vault/identity/outputs.py +8 -3
- pulumi_vault/jwt/_inputs.py +55 -0
- pulumi_vault/jwt/auth_backend.py +39 -46
- pulumi_vault/jwt/auth_backend_role.py +131 -260
- pulumi_vault/jwt/outputs.py +5 -0
- pulumi_vault/kmip/secret_backend.py +22 -21
- pulumi_vault/kmip/secret_role.py +12 -11
- pulumi_vault/kmip/secret_scope.py +12 -11
- pulumi_vault/kubernetes/auth_backend_config.py +55 -7
- pulumi_vault/kubernetes/auth_backend_role.py +68 -179
- pulumi_vault/kubernetes/get_auth_backend_config.py +60 -8
- pulumi_vault/kubernetes/get_auth_backend_role.py +40 -5
- pulumi_vault/kubernetes/get_service_account_token.py +39 -15
- pulumi_vault/kubernetes/secret_backend.py +314 -29
- pulumi_vault/kubernetes/secret_backend_role.py +135 -56
- pulumi_vault/kv/_inputs.py +36 -4
- pulumi_vault/kv/get_secret.py +23 -12
- pulumi_vault/kv/get_secret_subkeys_v2.py +31 -14
- pulumi_vault/kv/get_secret_v2.py +89 -9
- pulumi_vault/kv/get_secrets_list.py +22 -15
- pulumi_vault/kv/get_secrets_list_v2.py +35 -19
- pulumi_vault/kv/outputs.py +8 -3
- pulumi_vault/kv/secret.py +19 -18
- pulumi_vault/kv/secret_backend_v2.py +12 -11
- pulumi_vault/kv/secret_v2.py +55 -52
- pulumi_vault/ldap/auth_backend.py +125 -168
- pulumi_vault/ldap/auth_backend_group.py +12 -11
- pulumi_vault/ldap/auth_backend_user.py +12 -11
- pulumi_vault/ldap/get_dynamic_credentials.py +23 -5
- pulumi_vault/ldap/get_static_credentials.py +24 -5
- pulumi_vault/ldap/secret_backend.py +352 -84
- pulumi_vault/ldap/secret_backend_dynamic_role.py +12 -11
- pulumi_vault/ldap/secret_backend_library_set.py +14 -11
- pulumi_vault/ldap/secret_backend_static_role.py +67 -12
- pulumi_vault/managed/_inputs.py +289 -132
- pulumi_vault/managed/keys.py +27 -43
- pulumi_vault/managed/outputs.py +89 -132
- pulumi_vault/mfa_duo.py +16 -13
- pulumi_vault/mfa_okta.py +16 -13
- pulumi_vault/mfa_pingid.py +16 -13
- pulumi_vault/mfa_totp.py +22 -19
- pulumi_vault/mongodbatlas/secret_backend.py +18 -17
- pulumi_vault/mongodbatlas/secret_role.py +41 -38
- pulumi_vault/mount.py +389 -65
- pulumi_vault/namespace.py +26 -21
- pulumi_vault/nomad_secret_backend.py +16 -15
- pulumi_vault/nomad_secret_role.py +12 -11
- pulumi_vault/okta/_inputs.py +47 -8
- pulumi_vault/okta/auth_backend.py +483 -41
- pulumi_vault/okta/auth_backend_group.py +12 -11
- pulumi_vault/okta/auth_backend_user.py +12 -11
- pulumi_vault/okta/outputs.py +13 -8
- pulumi_vault/outputs.py +5 -0
- pulumi_vault/password_policy.py +18 -15
- pulumi_vault/pkisecret/__init__.py +3 -0
- pulumi_vault/pkisecret/_inputs.py +81 -0
- pulumi_vault/pkisecret/backend_config_cluster.py +369 -0
- pulumi_vault/pkisecret/backend_config_est.py +619 -0
- pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
- pulumi_vault/pkisecret/get_backend_issuer.py +63 -7
- pulumi_vault/pkisecret/get_backend_issuers.py +21 -12
- pulumi_vault/pkisecret/get_backend_key.py +24 -13
- pulumi_vault/pkisecret/get_backend_keys.py +21 -12
- pulumi_vault/pkisecret/outputs.py +69 -0
- pulumi_vault/pkisecret/secret_backend_cert.py +18 -15
- pulumi_vault/pkisecret/secret_backend_config_ca.py +16 -15
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +12 -11
- pulumi_vault/pkisecret/secret_backend_config_urls.py +59 -11
- pulumi_vault/pkisecret/secret_backend_crl_config.py +14 -13
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +16 -15
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +22 -21
- pulumi_vault/pkisecret/secret_backend_issuer.py +12 -11
- pulumi_vault/pkisecret/secret_backend_key.py +12 -7
- pulumi_vault/pkisecret/secret_backend_role.py +19 -16
- pulumi_vault/pkisecret/secret_backend_root_cert.py +16 -52
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +18 -62
- pulumi_vault/pkisecret/secret_backend_sign.py +18 -60
- pulumi_vault/plugin.py +595 -0
- pulumi_vault/plugin_pinned_version.py +298 -0
- pulumi_vault/policy.py +12 -7
- pulumi_vault/provider.py +48 -53
- pulumi_vault/pulumi-plugin.json +2 -1
- pulumi_vault/quota_lease_count.py +58 -8
- pulumi_vault/quota_rate_limit.py +54 -4
- pulumi_vault/rabbitmq/_inputs.py +61 -0
- pulumi_vault/rabbitmq/outputs.py +5 -0
- pulumi_vault/rabbitmq/secret_backend.py +16 -15
- pulumi_vault/rabbitmq/secret_backend_role.py +52 -49
- pulumi_vault/raft_autopilot.py +12 -11
- pulumi_vault/raft_snapshot_agent_config.py +121 -311
- pulumi_vault/rgp_policy.py +14 -13
- pulumi_vault/saml/auth_backend.py +20 -19
- pulumi_vault/saml/auth_backend_role.py +90 -199
- pulumi_vault/secrets/__init__.py +3 -0
- pulumi_vault/secrets/_inputs.py +110 -0
- pulumi_vault/secrets/outputs.py +94 -0
- pulumi_vault/secrets/sync_association.py +56 -75
- pulumi_vault/secrets/sync_aws_destination.py +240 -29
- pulumi_vault/secrets/sync_azure_destination.py +90 -33
- pulumi_vault/secrets/sync_config.py +7 -6
- pulumi_vault/secrets/sync_gcp_destination.py +156 -27
- pulumi_vault/secrets/sync_gh_destination.py +187 -15
- pulumi_vault/secrets/sync_github_apps.py +375 -0
- pulumi_vault/secrets/sync_vercel_destination.py +72 -15
- pulumi_vault/ssh/_inputs.py +28 -32
- pulumi_vault/ssh/outputs.py +11 -32
- pulumi_vault/ssh/secret_backend_ca.py +106 -11
- pulumi_vault/ssh/secret_backend_role.py +83 -120
- pulumi_vault/terraformcloud/secret_backend.py +5 -56
- pulumi_vault/terraformcloud/secret_creds.py +14 -24
- pulumi_vault/terraformcloud/secret_role.py +14 -76
- pulumi_vault/token.py +26 -25
- pulumi_vault/tokenauth/auth_backend_role.py +76 -201
- pulumi_vault/transform/alphabet.py +16 -13
- pulumi_vault/transform/get_decode.py +45 -21
- pulumi_vault/transform/get_encode.py +45 -21
- pulumi_vault/transform/role.py +16 -13
- pulumi_vault/transform/template.py +30 -25
- pulumi_vault/transform/transformation.py +12 -7
- pulumi_vault/transit/get_decrypt.py +26 -25
- pulumi_vault/transit/get_encrypt.py +24 -19
- pulumi_vault/transit/secret_backend_key.py +25 -97
- pulumi_vault/transit/secret_cache_config.py +12 -11
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/METADATA +8 -7
- pulumi_vault-6.5.0a1736850018.dist-info/RECORD +256 -0
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/WHEEL +1 -1
- pulumi_vault-5.21.0a1710160723.dist-info/RECORD +0 -244
- {pulumi_vault-5.21.0a1710160723.dist-info → pulumi_vault-6.5.0a1736850018.dist-info}/top_level.txt +0 -0
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = [
|
@@ -21,7 +26,7 @@ class GetAuthBackendConfigResult:
|
|
21
26
|
"""
|
22
27
|
A collection of values returned by getAuthBackendConfig.
|
23
28
|
"""
|
24
|
-
def __init__(__self__, backend=None, disable_iss_validation=None, disable_local_ca_jwt=None, id=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, namespace=None, pem_keys=None):
|
29
|
+
def __init__(__self__, backend=None, disable_iss_validation=None, disable_local_ca_jwt=None, id=None, issuer=None, kubernetes_ca_cert=None, kubernetes_host=None, namespace=None, pem_keys=None, use_annotations_as_alias_metadata=None):
|
25
30
|
if backend and not isinstance(backend, str):
|
26
31
|
raise TypeError("Expected argument 'backend' to be a str")
|
27
32
|
pulumi.set(__self__, "backend", backend)
|
@@ -49,6 +54,9 @@ class GetAuthBackendConfigResult:
|
|
49
54
|
if pem_keys and not isinstance(pem_keys, list):
|
50
55
|
raise TypeError("Expected argument 'pem_keys' to be a list")
|
51
56
|
pulumi.set(__self__, "pem_keys", pem_keys)
|
57
|
+
if use_annotations_as_alias_metadata and not isinstance(use_annotations_as_alias_metadata, bool):
|
58
|
+
raise TypeError("Expected argument 'use_annotations_as_alias_metadata' to be a bool")
|
59
|
+
pulumi.set(__self__, "use_annotations_as_alias_metadata", use_annotations_as_alias_metadata)
|
52
60
|
|
53
61
|
@property
|
54
62
|
@pulumi.getter
|
@@ -58,11 +66,17 @@ class GetAuthBackendConfigResult:
|
|
58
66
|
@property
|
59
67
|
@pulumi.getter(name="disableIssValidation")
|
60
68
|
def disable_iss_validation(self) -> bool:
|
69
|
+
"""
|
70
|
+
(Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
71
|
+
"""
|
61
72
|
return pulumi.get(self, "disable_iss_validation")
|
62
73
|
|
63
74
|
@property
|
64
75
|
@pulumi.getter(name="disableLocalCaJwt")
|
65
76
|
def disable_local_ca_jwt(self) -> bool:
|
77
|
+
"""
|
78
|
+
(Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
79
|
+
"""
|
66
80
|
return pulumi.get(self, "disable_local_ca_jwt")
|
67
81
|
|
68
82
|
@property
|
@@ -110,6 +124,14 @@ class GetAuthBackendConfigResult:
|
|
110
124
|
"""
|
111
125
|
return pulumi.get(self, "pem_keys")
|
112
126
|
|
127
|
+
@property
|
128
|
+
@pulumi.getter(name="useAnnotationsAsAliasMetadata")
|
129
|
+
def use_annotations_as_alias_metadata(self) -> bool:
|
130
|
+
"""
|
131
|
+
(Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
|
132
|
+
"""
|
133
|
+
return pulumi.get(self, "use_annotations_as_alias_metadata")
|
134
|
+
|
113
135
|
|
114
136
|
class AwaitableGetAuthBackendConfigResult(GetAuthBackendConfigResult):
|
115
137
|
# pylint: disable=using-constant-test
|
@@ -125,7 +147,8 @@ class AwaitableGetAuthBackendConfigResult(GetAuthBackendConfigResult):
|
|
125
147
|
kubernetes_ca_cert=self.kubernetes_ca_cert,
|
126
148
|
kubernetes_host=self.kubernetes_host,
|
127
149
|
namespace=self.namespace,
|
128
|
-
pem_keys=self.pem_keys
|
150
|
+
pem_keys=self.pem_keys,
|
151
|
+
use_annotations_as_alias_metadata=self.use_annotations_as_alias_metadata)
|
129
152
|
|
130
153
|
|
131
154
|
def get_auth_backend_config(backend: Optional[str] = None,
|
@@ -136,6 +159,7 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
136
159
|
kubernetes_host: Optional[str] = None,
|
137
160
|
namespace: Optional[str] = None,
|
138
161
|
pem_keys: Optional[Sequence[str]] = None,
|
162
|
+
use_annotations_as_alias_metadata: Optional[bool] = None,
|
139
163
|
opts: Optional[pulumi.InvokeOptions] = None) -> AwaitableGetAuthBackendConfigResult:
|
140
164
|
"""
|
141
165
|
Reads the Role of an Kubernetes from a Vault server. See the [Vault
|
@@ -145,6 +169,8 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
145
169
|
|
146
170
|
:param str backend: The unique name for the Kubernetes backend the config to
|
147
171
|
retrieve Role attributes for resides in. Defaults to "kubernetes".
|
172
|
+
:param bool disable_iss_validation: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
173
|
+
:param bool disable_local_ca_jwt: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
148
174
|
:param str issuer: Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
|
149
175
|
:param str kubernetes_ca_cert: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
|
150
176
|
:param str kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
|
@@ -153,6 +179,7 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
153
179
|
The `namespace` is always relative to the provider's configured namespace.
|
154
180
|
*Available only for Vault Enterprise*.
|
155
181
|
:param Sequence[str] pem_keys: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
|
182
|
+
:param bool use_annotations_as_alias_metadata: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
|
156
183
|
"""
|
157
184
|
__args__ = dict()
|
158
185
|
__args__['backend'] = backend
|
@@ -163,6 +190,7 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
163
190
|
__args__['kubernetesHost'] = kubernetes_host
|
164
191
|
__args__['namespace'] = namespace
|
165
192
|
__args__['pemKeys'] = pem_keys
|
193
|
+
__args__['useAnnotationsAsAliasMetadata'] = use_annotations_as_alias_metadata
|
166
194
|
opts = pulumi.InvokeOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
|
167
195
|
__ret__ = pulumi.runtime.invoke('vault:kubernetes/getAuthBackendConfig:getAuthBackendConfig', __args__, opts=opts, typ=GetAuthBackendConfigResult).value
|
168
196
|
|
@@ -175,10 +203,8 @@ def get_auth_backend_config(backend: Optional[str] = None,
|
|
175
203
|
kubernetes_ca_cert=pulumi.get(__ret__, 'kubernetes_ca_cert'),
|
176
204
|
kubernetes_host=pulumi.get(__ret__, 'kubernetes_host'),
|
177
205
|
namespace=pulumi.get(__ret__, 'namespace'),
|
178
|
-
pem_keys=pulumi.get(__ret__, 'pem_keys')
|
179
|
-
|
180
|
-
|
181
|
-
@_utilities.lift_output_func(get_auth_backend_config)
|
206
|
+
pem_keys=pulumi.get(__ret__, 'pem_keys'),
|
207
|
+
use_annotations_as_alias_metadata=pulumi.get(__ret__, 'use_annotations_as_alias_metadata'))
|
182
208
|
def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]]] = None,
|
183
209
|
disable_iss_validation: Optional[pulumi.Input[Optional[bool]]] = None,
|
184
210
|
disable_local_ca_jwt: Optional[pulumi.Input[Optional[bool]]] = None,
|
@@ -187,7 +213,8 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]]
|
|
187
213
|
kubernetes_host: Optional[pulumi.Input[Optional[str]]] = None,
|
188
214
|
namespace: Optional[pulumi.Input[Optional[str]]] = None,
|
189
215
|
pem_keys: Optional[pulumi.Input[Optional[Sequence[str]]]] = None,
|
190
|
-
|
216
|
+
use_annotations_as_alias_metadata: Optional[pulumi.Input[Optional[bool]]] = None,
|
217
|
+
opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetAuthBackendConfigResult]:
|
191
218
|
"""
|
192
219
|
Reads the Role of an Kubernetes from a Vault server. See the [Vault
|
193
220
|
documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-config) for more
|
@@ -196,6 +223,8 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]]
|
|
196
223
|
|
197
224
|
:param str backend: The unique name for the Kubernetes backend the config to
|
198
225
|
retrieve Role attributes for resides in. Defaults to "kubernetes".
|
226
|
+
:param bool disable_iss_validation: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
227
|
+
:param bool disable_local_ca_jwt: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
|
199
228
|
:param str issuer: Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
|
200
229
|
:param str kubernetes_ca_cert: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
|
201
230
|
:param str kubernetes_host: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
|
@@ -204,5 +233,28 @@ def get_auth_backend_config_output(backend: Optional[pulumi.Input[Optional[str]]
|
|
204
233
|
The `namespace` is always relative to the provider's configured namespace.
|
205
234
|
*Available only for Vault Enterprise*.
|
206
235
|
:param Sequence[str] pem_keys: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
|
236
|
+
:param bool use_annotations_as_alias_metadata: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
|
207
237
|
"""
|
208
|
-
|
238
|
+
__args__ = dict()
|
239
|
+
__args__['backend'] = backend
|
240
|
+
__args__['disableIssValidation'] = disable_iss_validation
|
241
|
+
__args__['disableLocalCaJwt'] = disable_local_ca_jwt
|
242
|
+
__args__['issuer'] = issuer
|
243
|
+
__args__['kubernetesCaCert'] = kubernetes_ca_cert
|
244
|
+
__args__['kubernetesHost'] = kubernetes_host
|
245
|
+
__args__['namespace'] = namespace
|
246
|
+
__args__['pemKeys'] = pem_keys
|
247
|
+
__args__['useAnnotationsAsAliasMetadata'] = use_annotations_as_alias_metadata
|
248
|
+
opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
|
249
|
+
__ret__ = pulumi.runtime.invoke_output('vault:kubernetes/getAuthBackendConfig:getAuthBackendConfig', __args__, opts=opts, typ=GetAuthBackendConfigResult)
|
250
|
+
return __ret__.apply(lambda __response__: GetAuthBackendConfigResult(
|
251
|
+
backend=pulumi.get(__response__, 'backend'),
|
252
|
+
disable_iss_validation=pulumi.get(__response__, 'disable_iss_validation'),
|
253
|
+
disable_local_ca_jwt=pulumi.get(__response__, 'disable_local_ca_jwt'),
|
254
|
+
id=pulumi.get(__response__, 'id'),
|
255
|
+
issuer=pulumi.get(__response__, 'issuer'),
|
256
|
+
kubernetes_ca_cert=pulumi.get(__response__, 'kubernetes_ca_cert'),
|
257
|
+
kubernetes_host=pulumi.get(__response__, 'kubernetes_host'),
|
258
|
+
namespace=pulumi.get(__response__, 'namespace'),
|
259
|
+
pem_keys=pulumi.get(__response__, 'pem_keys'),
|
260
|
+
use_annotations_as_alias_metadata=pulumi.get(__response__, 'use_annotations_as_alias_metadata')))
|
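Review bot: The import block added at the top of this file, and repeated at the top of the two following sections (the getAuthBackendRole and getServiceAccountToken modules), makes `typing_extensions` an import-time requirement on any interpreter older than 3.11. The rewritten `get_auth_backend_config_output` also calls `pulumi.runtime.invoke_output` and `pulumi.InvokeOutputOptions.merge`, so the package needs a `pulumi` release that ships both. The METADATA change in the file list is not shown on this page, so confirm it declares `typing_extensions` for Python < 3.11 and a matching minimum `pulumi` version; otherwise the failure surfaces at import or first call instead of at install. None of `NotRequired`, `TypedDict` or `TypeAlias` is used in the visible hunks, so if the rest of the module does not use them either, the conditional import only widens the dependency surface and can be dropped.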
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = [
|
@@ -336,9 +341,6 @@ def get_auth_backend_role(audience: Optional[str] = None,
|
|
336
341
|
token_policies=pulumi.get(__ret__, 'token_policies'),
|
337
342
|
token_ttl=pulumi.get(__ret__, 'token_ttl'),
|
338
343
|
token_type=pulumi.get(__ret__, 'token_type'))
|
339
|
-
|
340
|
-
|
341
|
-
@_utilities.lift_output_func(get_auth_backend_role)
|
342
344
|
def get_auth_backend_role_output(audience: Optional[pulumi.Input[Optional[str]]] = None,
|
343
345
|
backend: Optional[pulumi.Input[Optional[str]]] = None,
|
344
346
|
namespace: Optional[pulumi.Input[Optional[str]]] = None,
|
@@ -352,7 +354,7 @@ def get_auth_backend_role_output(audience: Optional[pulumi.Input[Optional[str]]]
|
|
352
354
|
token_policies: Optional[pulumi.Input[Optional[Sequence[str]]]] = None,
|
353
355
|
token_ttl: Optional[pulumi.Input[Optional[int]]] = None,
|
354
356
|
token_type: Optional[pulumi.Input[Optional[str]]] = None,
|
355
|
-
opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetAuthBackendRoleResult]:
|
357
|
+
opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetAuthBackendRoleResult]:
|
356
358
|
"""
|
357
359
|
Reads the Role of an Kubernetes from a Vault server. See the [Vault
|
358
360
|
documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-role) for more
|
@@ -395,4 +397,37 @@ def get_auth_backend_role_output(audience: Optional[pulumi.Input[Optional[str]]]
|
|
395
397
|
`default-service` and `default-batch` which specify the type to return unless the client
|
396
398
|
requests a different type at generation time.
|
397
399
|
"""
|
398
|
-
|
400
|
+
__args__ = dict()
|
401
|
+
__args__['audience'] = audience
|
402
|
+
__args__['backend'] = backend
|
403
|
+
__args__['namespace'] = namespace
|
404
|
+
__args__['roleName'] = role_name
|
405
|
+
__args__['tokenBoundCidrs'] = token_bound_cidrs
|
406
|
+
__args__['tokenExplicitMaxTtl'] = token_explicit_max_ttl
|
407
|
+
__args__['tokenMaxTtl'] = token_max_ttl
|
408
|
+
__args__['tokenNoDefaultPolicy'] = token_no_default_policy
|
409
|
+
__args__['tokenNumUses'] = token_num_uses
|
410
|
+
__args__['tokenPeriod'] = token_period
|
411
|
+
__args__['tokenPolicies'] = token_policies
|
412
|
+
__args__['tokenTtl'] = token_ttl
|
413
|
+
__args__['tokenType'] = token_type
|
414
|
+
opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
|
415
|
+
__ret__ = pulumi.runtime.invoke_output('vault:kubernetes/getAuthBackendRole:getAuthBackendRole', __args__, opts=opts, typ=GetAuthBackendRoleResult)
|
416
|
+
return __ret__.apply(lambda __response__: GetAuthBackendRoleResult(
|
417
|
+
alias_name_source=pulumi.get(__response__, 'alias_name_source'),
|
418
|
+
audience=pulumi.get(__response__, 'audience'),
|
419
|
+
backend=pulumi.get(__response__, 'backend'),
|
420
|
+
bound_service_account_names=pulumi.get(__response__, 'bound_service_account_names'),
|
421
|
+
bound_service_account_namespaces=pulumi.get(__response__, 'bound_service_account_namespaces'),
|
422
|
+
id=pulumi.get(__response__, 'id'),
|
423
|
+
namespace=pulumi.get(__response__, 'namespace'),
|
424
|
+
role_name=pulumi.get(__response__, 'role_name'),
|
425
|
+
token_bound_cidrs=pulumi.get(__response__, 'token_bound_cidrs'),
|
426
|
+
token_explicit_max_ttl=pulumi.get(__response__, 'token_explicit_max_ttl'),
|
427
|
+
token_max_ttl=pulumi.get(__response__, 'token_max_ttl'),
|
428
|
+
token_no_default_policy=pulumi.get(__response__, 'token_no_default_policy'),
|
429
|
+
token_num_uses=pulumi.get(__response__, 'token_num_uses'),
|
430
|
+
token_period=pulumi.get(__response__, 'token_period'),
|
431
|
+
token_policies=pulumi.get(__response__, 'token_policies'),
|
432
|
+
token_ttl=pulumi.get(__response__, 'token_ttl'),
|
433
|
+
token_type=pulumi.get(__response__, 'token_type')))
|
@@ -4,9 +4,14 @@
|
|
4
4
|
|
5
5
|
import copy
|
6
6
|
import warnings
|
7
|
+
import sys
|
7
8
|
import pulumi
|
8
9
|
import pulumi.runtime
|
9
10
|
from typing import Any, Mapping, Optional, Sequence, Union, overload
|
11
|
+
if sys.version_info >= (3, 11):
|
12
|
+
from typing import NotRequired, TypedDict, TypeAlias
|
13
|
+
else:
|
14
|
+
from typing_extensions import NotRequired, TypedDict, TypeAlias
|
10
15
|
from .. import _utilities
|
11
16
|
|
12
17
|
__all__ = [
|
@@ -180,20 +185,21 @@ def get_service_account_token(backend: Optional[str] = None,
|
|
180
185
|
"""
|
181
186
|
## Example Usage
|
182
187
|
|
183
|
-
<!--Start PulumiCodeChooser -->
|
184
188
|
```python
|
185
189
|
import pulumi
|
190
|
+
import pulumi_std as std
|
186
191
|
import pulumi_vault as vault
|
187
192
|
|
188
193
|
config = vault.kubernetes.SecretBackend("config",
|
189
194
|
path="kubernetes",
|
190
195
|
description="kubernetes secrets engine description",
|
191
196
|
kubernetes_host="https://127.0.0.1:61233",
|
192
|
-
kubernetes_ca_cert=
|
193
|
-
service_account_jwt=
|
197
|
+
kubernetes_ca_cert=std.file(input="/path/to/cert").result,
|
198
|
+
service_account_jwt=std.file(input="/path/to/token").result,
|
194
199
|
disable_local_ca_jwt=False)
|
195
200
|
role = vault.kubernetes.SecretBackendRole("role",
|
196
201
|
backend=config.path,
|
202
|
+
name="service-account-name-role",
|
197
203
|
allowed_kubernetes_namespaces=["*"],
|
198
204
|
token_max_ttl=43200,
|
199
205
|
token_default_ttl=21600,
|
@@ -212,7 +218,6 @@ def get_service_account_token(backend: Optional[str] = None,
|
|
212
218
|
cluster_role_binding=False,
|
213
219
|
ttl="1h")
|
214
220
|
```
|
215
|
-
<!--End PulumiCodeChooser -->
|
216
221
|
|
217
222
|
|
218
223
|
:param str backend: The Kubernetes secret backend to generate service account
|
@@ -223,7 +228,7 @@ def get_service_account_token(backend: Optional[str] = None,
|
|
223
228
|
generate the credentials.
|
224
229
|
:param str namespace: The namespace of the target resource.
|
225
230
|
The value should not contain leading or trailing forward slashes.
|
226
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
231
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
227
232
|
*Available only for Vault Enterprise*.
|
228
233
|
:param str role: The name of the Kubernetes secret backend role to generate service
|
229
234
|
account tokens from.
|
@@ -254,33 +259,31 @@ def get_service_account_token(backend: Optional[str] = None,
|
|
254
259
|
service_account_namespace=pulumi.get(__ret__, 'service_account_namespace'),
|
255
260
|
service_account_token=pulumi.get(__ret__, 'service_account_token'),
|
256
261
|
ttl=pulumi.get(__ret__, 'ttl'))
|
257
|
-
|
258
|
-
|
259
|
-
@_utilities.lift_output_func(get_service_account_token)
|
260
262
|
def get_service_account_token_output(backend: Optional[pulumi.Input[str]] = None,
|
261
263
|
cluster_role_binding: Optional[pulumi.Input[Optional[bool]]] = None,
|
262
264
|
kubernetes_namespace: Optional[pulumi.Input[str]] = None,
|
263
265
|
namespace: Optional[pulumi.Input[Optional[str]]] = None,
|
264
266
|
role: Optional[pulumi.Input[str]] = None,
|
265
267
|
ttl: Optional[pulumi.Input[Optional[str]]] = None,
|
266
|
-
opts: Optional[pulumi.InvokeOptions] = None) -> pulumi.Output[GetServiceAccountTokenResult]:
|
268
|
+
opts: Optional[Union[pulumi.InvokeOptions, pulumi.InvokeOutputOptions]] = None) -> pulumi.Output[GetServiceAccountTokenResult]:
|
267
269
|
"""
|
268
270
|
## Example Usage
|
269
271
|
|
270
|
-
<!--Start PulumiCodeChooser -->
|
271
272
|
```python
|
272
273
|
import pulumi
|
274
|
+
import pulumi_std as std
|
273
275
|
import pulumi_vault as vault
|
274
276
|
|
275
277
|
config = vault.kubernetes.SecretBackend("config",
|
276
278
|
path="kubernetes",
|
277
279
|
description="kubernetes secrets engine description",
|
278
280
|
kubernetes_host="https://127.0.0.1:61233",
|
279
|
-
kubernetes_ca_cert=
|
280
|
-
service_account_jwt=
|
281
|
+
kubernetes_ca_cert=std.file(input="/path/to/cert").result,
|
282
|
+
service_account_jwt=std.file(input="/path/to/token").result,
|
281
283
|
disable_local_ca_jwt=False)
|
282
284
|
role = vault.kubernetes.SecretBackendRole("role",
|
283
285
|
backend=config.path,
|
286
|
+
name="service-account-name-role",
|
284
287
|
allowed_kubernetes_namespaces=["*"],
|
285
288
|
token_max_ttl=43200,
|
286
289
|
token_default_ttl=21600,
|
@@ -299,7 +302,6 @@ def get_service_account_token_output(backend: Optional[pulumi.Input[str]] = None
|
|
299
302
|
cluster_role_binding=False,
|
300
303
|
ttl="1h")
|
301
304
|
```
|
302
|
-
<!--End PulumiCodeChooser -->
|
303
305
|
|
304
306
|
|
305
307
|
:param str backend: The Kubernetes secret backend to generate service account
|
@@ -310,11 +312,33 @@ def get_service_account_token_output(backend: Optional[pulumi.Input[str]] = None
|
|
310
312
|
generate the credentials.
|
311
313
|
:param str namespace: The namespace of the target resource.
|
312
314
|
The value should not contain leading or trailing forward slashes.
|
313
|
-
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).
|
315
|
+
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
314
316
|
*Available only for Vault Enterprise*.
|
315
317
|
:param str role: The name of the Kubernetes secret backend role to generate service
|
316
318
|
account tokens from.
|
317
319
|
:param str ttl: The TTL of the generated Kubernetes service account token, specified in
|
318
320
|
seconds or as a Go duration format string.
|
319
321
|
"""
|
320
|
-
|
322
|
+
__args__ = dict()
|
323
|
+
__args__['backend'] = backend
|
324
|
+
__args__['clusterRoleBinding'] = cluster_role_binding
|
325
|
+
__args__['kubernetesNamespace'] = kubernetes_namespace
|
326
|
+
__args__['namespace'] = namespace
|
327
|
+
__args__['role'] = role
|
328
|
+
__args__['ttl'] = ttl
|
329
|
+
opts = pulumi.InvokeOutputOptions.merge(_utilities.get_invoke_opts_defaults(), opts)
|
330
|
+
__ret__ = pulumi.runtime.invoke_output('vault:kubernetes/getServiceAccountToken:getServiceAccountToken', __args__, opts=opts, typ=GetServiceAccountTokenResult)
|
331
|
+
return __ret__.apply(lambda __response__: GetServiceAccountTokenResult(
|
332
|
+
backend=pulumi.get(__response__, 'backend'),
|
333
|
+
cluster_role_binding=pulumi.get(__response__, 'cluster_role_binding'),
|
334
|
+
id=pulumi.get(__response__, 'id'),
|
335
|
+
kubernetes_namespace=pulumi.get(__response__, 'kubernetes_namespace'),
|
336
|
+
lease_duration=pulumi.get(__response__, 'lease_duration'),
|
337
|
+
lease_id=pulumi.get(__response__, 'lease_id'),
|
338
|
+
lease_renewable=pulumi.get(__response__, 'lease_renewable'),
|
339
|
+
namespace=pulumi.get(__response__, 'namespace'),
|
340
|
+
role=pulumi.get(__response__, 'role'),
|
341
|
+
service_account_name=pulumi.get(__response__, 'service_account_name'),
|
342
|
+
service_account_namespace=pulumi.get(__response__, 'service_account_namespace'),
|
343
|
+
service_account_token=pulumi.get(__response__, 'service_account_token'),
|
344
|
+
ttl=pulumi.get(__response__, 'ttl')))
|
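Review bot: The updated example in both docstrings reads a service-account JWT from disk with `std.file(input="/path/to/token").result` and passes it straight to `service_account_jwt`, but the docstring never says how that credential, or the returned `service_account_token`, is protected in Pulumi state and stack outputs. Whether the provider schema marks these fields as secret is not visible in this section, so the docstring should state it or the example should show the explicit form, e.g. `service_account_jwt=pulumi.Output.secret(std.file(input="/path/to/token").result),`. The example also keeps `allowed_kubernetes_namespaces=["*"]` on the role; a short comment such as `# illustration only: restrict to the namespaces that need tokens` would stop it being copied as a default. Both function bodies start outside the hunks shown, so this covers only the visible docstring and result-mapping lines.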