PyPI - pulumi-vault - Versions diffs - 6.1.1__py3-none-any.whl → 6.2.0__py3-none-any.whl - Mend

pulumi-vault 6.1.1py3-none-any.whl → 6.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

pulumi_vault/__init__.py +26 -0
pulumi_vault/auth_backend.py +47 -0
pulumi_vault/aws/auth_backend_client.py +247 -7
pulumi_vault/aws/secret_backend_role.py +54 -0
pulumi_vault/azure/auth_backend_config.py +133 -0
pulumi_vault/azure/backend.py +203 -0
pulumi_vault/database/secrets_mount.py +282 -0
pulumi_vault/gcp/auth_backend.py +244 -0
pulumi_vault/gcp/secret_backend.py +271 -3
pulumi_vault/jwt/auth_backend_role.py +28 -35
pulumi_vault/kubernetes/secret_backend.py +282 -0
pulumi_vault/ldap/secret_backend.py +282 -0
pulumi_vault/mount.py +324 -0
pulumi_vault/okta/auth_backend.py +453 -0
pulumi_vault/pkisecret/__init__.py +2 -0
pulumi_vault/pkisecret/_inputs.py +30 -0
pulumi_vault/pkisecret/backend_config_est.py +614 -0
pulumi_vault/pkisecret/get_backend_config_est.py +233 -0
pulumi_vault/pkisecret/outputs.py +54 -0
pulumi_vault/plugin.py +590 -0
pulumi_vault/plugin_pinned_version.py +293 -0
pulumi_vault/pulumi-plugin.json +1 -1
pulumi_vault/quota_lease_count.py +47 -0
pulumi_vault/quota_rate_limit.py +47 -0
pulumi_vault/ssh/secret_backend_ca.py +94 -0
{pulumi_vault-6.1.1.dist-info → pulumi_vault-6.2.0.dist-info}/METADATA +1 -1
{pulumi_vault-6.1.1.dist-info → pulumi_vault-6.2.0.dist-info}/RECORD +29 -25
{pulumi_vault-6.1.1.dist-info → pulumi_vault-6.2.0.dist-info}/WHEEL +1 -1
{pulumi_vault-6.1.1.dist-info → pulumi_vault-6.2.0.dist-info}/top_level.txt +0 -0

pulumi_vault/gcp/auth_backend.py CHANGED Viewed

@@ -22,11 +22,15 @@ class AuthBackendArgs:
                  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
                  private_key_id: Optional[pulumi.Input[str]] = None,
                  project_id: Optional[pulumi.Input[str]] = None,
+                 service_account_email: Optional[pulumi.Input[str]] = None,
                  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
         """
         The set of arguments for constructing a AuthBackend resource.
@@ -43,6 +47,12 @@ class AuthBackendArgs:
         :param pulumi.Input[str] description: A description of the auth method.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
+               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
+               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Specifies if the auth method is local only.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
@@ -51,6 +61,8 @@ class AuthBackendArgs:
         :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
         :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
         :param pulumi.Input[str] project_id: The GCP Project ID
+        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
+               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
                The `tune` block is used to tune the auth backend:
@@ -67,6 +79,12 @@ class AuthBackendArgs:
             pulumi.set(__self__, "description", description)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
+        if identity_token_audience is not None:
+            pulumi.set(__self__, "identity_token_audience", identity_token_audience)
+        if identity_token_key is not None:
+            pulumi.set(__self__, "identity_token_key", identity_token_key)
+        if identity_token_ttl is not None:
+            pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
         if local is not None:
             pulumi.set(__self__, "local", local)
         if namespace is not None:
@@ -77,6 +95,8 @@ class AuthBackendArgs:
             pulumi.set(__self__, "private_key_id", private_key_id)
         if project_id is not None:
             pulumi.set(__self__, "project_id", project_id)
+        if service_account_email is not None:
+            pulumi.set(__self__, "service_account_email", service_account_email)
         if tune is not None:
             pulumi.set(__self__, "tune", tune)
@@ -159,6 +179,45 @@ class AuthBackendArgs:
     def disable_remount(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "disable_remount", value)
+    @property
+    @pulumi.getter(name="identityTokenAudience")
+    def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
+        """
+        The audience claim value for plugin identity
+        tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+        Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_audience")
+    @identity_token_audience.setter
+    def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_audience", value)
+    @property
+    @pulumi.getter(name="identityTokenKey")
+    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        The key to use for signing plugin identity
+        tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_key")
+    @identity_token_key.setter
+    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_key", value)
+    @property
+    @pulumi.getter(name="identityTokenTtl")
+    def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
+        """
+        The TTL of generated tokens.
+        """
+        return pulumi.get(self, "identity_token_ttl")
+    @identity_token_ttl.setter
+    def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "identity_token_ttl", value)
     @property
     @pulumi.getter
     def local(self) -> Optional[pulumi.Input[bool]]:
@@ -222,6 +281,19 @@ class AuthBackendArgs:
     def project_id(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "project_id", value)
+    @property
+    @pulumi.getter(name="serviceAccountEmail")
+    def service_account_email(self) -> Optional[pulumi.Input[str]]:
+        """
+        Service Account to impersonate for plugin workload identity federation.
+        Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "service_account_email")
+    @service_account_email.setter
+    def service_account_email(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "service_account_email", value)
     @property
     @pulumi.getter
     def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
@@ -247,11 +319,15 @@ class _AuthBackendState:
                  custom_endpoint: Optional[pulumi.Input['AuthBackendCustomEndpointArgs']] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
                  private_key_id: Optional[pulumi.Input[str]] = None,
                  project_id: Optional[pulumi.Input[str]] = None,
+                 service_account_email: Optional[pulumi.Input[str]] = None,
                  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None):
         """
         Input properties used for looking up and filtering AuthBackend resources.
@@ -269,6 +345,12 @@ class _AuthBackendState:
         :param pulumi.Input[str] description: A description of the auth method.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
+               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
+               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Specifies if the auth method is local only.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
@@ -277,6 +359,8 @@ class _AuthBackendState:
         :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
         :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
         :param pulumi.Input[str] project_id: The GCP Project ID
+        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
+               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         :param pulumi.Input['AuthBackendTuneArgs'] tune: Extra configuration block. Structure is documented below.
                The `tune` block is used to tune the auth backend:
@@ -295,6 +379,12 @@ class _AuthBackendState:
             pulumi.set(__self__, "description", description)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
+        if identity_token_audience is not None:
+            pulumi.set(__self__, "identity_token_audience", identity_token_audience)
+        if identity_token_key is not None:
+            pulumi.set(__self__, "identity_token_key", identity_token_key)
+        if identity_token_ttl is not None:
+            pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
         if local is not None:
             pulumi.set(__self__, "local", local)
         if namespace is not None:
@@ -305,6 +395,8 @@ class _AuthBackendState:
             pulumi.set(__self__, "private_key_id", private_key_id)
         if project_id is not None:
             pulumi.set(__self__, "project_id", project_id)
+        if service_account_email is not None:
+            pulumi.set(__self__, "service_account_email", service_account_email)
         if tune is not None:
             pulumi.set(__self__, "tune", tune)
@@ -399,6 +491,45 @@ class _AuthBackendState:
     def disable_remount(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "disable_remount", value)
+    @property
+    @pulumi.getter(name="identityTokenAudience")
+    def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
+        """
+        The audience claim value for plugin identity
+        tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+        Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_audience")
+    @identity_token_audience.setter
+    def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_audience", value)
+    @property
+    @pulumi.getter(name="identityTokenKey")
+    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        The key to use for signing plugin identity
+        tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_key")
+    @identity_token_key.setter
+    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "identity_token_key", value)
+    @property
+    @pulumi.getter(name="identityTokenTtl")
+    def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
+        """
+        The TTL of generated tokens.
+        """
+        return pulumi.get(self, "identity_token_ttl")
+    @identity_token_ttl.setter
+    def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "identity_token_ttl", value)
     @property
     @pulumi.getter
     def local(self) -> Optional[pulumi.Input[bool]]:
@@ -462,6 +593,19 @@ class _AuthBackendState:
     def project_id(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "project_id", value)
+    @property
+    @pulumi.getter(name="serviceAccountEmail")
+    def service_account_email(self) -> Optional[pulumi.Input[str]]:
+        """
+        Service Account to impersonate for plugin workload identity federation.
+        Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "service_account_email")
+    @service_account_email.setter
+    def service_account_email(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "service_account_email", value)
     @property
     @pulumi.getter
     def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
@@ -488,16 +632,34 @@ class AuthBackend(pulumi.CustomResource):
                  custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
                  private_key_id: Optional[pulumi.Input[str]] = None,
                  project_id: Optional[pulumi.Input[str]] = None,
+                 service_account_email: Optional[pulumi.Input[str]] = None,
                  tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None,
                  __props__=None):
         """
         Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).
+        ## Example Usage
+        You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+        gcp = vault.gcp.AuthBackend("gcp",
+            identity_token_key="example-key",
+            identity_token_ttl=1800,
+            identity_token_audience="<TOKEN_AUDIENCE>",
+            service_account_email="<SERVICE_ACCOUNT_EMAIL>")
+        ```
         ## Import
         GCP authentication backends can be imported using the backend name, e.g.
@@ -521,6 +683,12 @@ class AuthBackend(pulumi.CustomResource):
         :param pulumi.Input[str] description: A description of the auth method.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
+               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
+               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Specifies if the auth method is local only.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
@@ -529,6 +697,8 @@ class AuthBackend(pulumi.CustomResource):
         :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
         :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
         :param pulumi.Input[str] project_id: The GCP Project ID
+        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
+               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         :param pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']] tune: Extra configuration block. Structure is documented below.
                The `tune` block is used to tune the auth backend:
@@ -542,6 +712,20 @@ class AuthBackend(pulumi.CustomResource):
         """
         Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).
+        ## Example Usage
+        You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+        gcp = vault.gcp.AuthBackend("gcp",
+            identity_token_key="example-key",
+            identity_token_ttl=1800,
+            identity_token_audience="<TOKEN_AUDIENCE>",
+            service_account_email="<SERVICE_ACCOUNT_EMAIL>")
+        ```
         ## Import
         GCP authentication backends can be imported using the backend name, e.g.
@@ -571,11 +755,15 @@ class AuthBackend(pulumi.CustomResource):
                  custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
+                 identity_token_audience: Optional[pulumi.Input[str]] = None,
+                 identity_token_key: Optional[pulumi.Input[str]] = None,
+                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
                  private_key_id: Optional[pulumi.Input[str]] = None,
                  project_id: Optional[pulumi.Input[str]] = None,
+                 service_account_email: Optional[pulumi.Input[str]] = None,
                  tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
@@ -592,11 +780,15 @@ class AuthBackend(pulumi.CustomResource):
             __props__.__dict__["custom_endpoint"] = custom_endpoint
             __props__.__dict__["description"] = description
             __props__.__dict__["disable_remount"] = disable_remount
+            __props__.__dict__["identity_token_audience"] = identity_token_audience
+            __props__.__dict__["identity_token_key"] = identity_token_key
+            __props__.__dict__["identity_token_ttl"] = identity_token_ttl
             __props__.__dict__["local"] = local
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["path"] = path
             __props__.__dict__["private_key_id"] = private_key_id
             __props__.__dict__["project_id"] = project_id
+            __props__.__dict__["service_account_email"] = service_account_email
             __props__.__dict__["tune"] = tune
             __props__.__dict__["accessor"] = None
         secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
@@ -618,11 +810,15 @@ class AuthBackend(pulumi.CustomResource):
             custom_endpoint: Optional[pulumi.Input[pulumi.InputType['AuthBackendCustomEndpointArgs']]] = None,
             description: Optional[pulumi.Input[str]] = None,
             disable_remount: Optional[pulumi.Input[bool]] = None,
+            identity_token_audience: Optional[pulumi.Input[str]] = None,
+            identity_token_key: Optional[pulumi.Input[str]] = None,
+            identity_token_ttl: Optional[pulumi.Input[int]] = None,
             local: Optional[pulumi.Input[bool]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
             path: Optional[pulumi.Input[str]] = None,
             private_key_id: Optional[pulumi.Input[str]] = None,
             project_id: Optional[pulumi.Input[str]] = None,
+            service_account_email: Optional[pulumi.Input[str]] = None,
             tune: Optional[pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']]] = None) -> 'AuthBackend':
         """
         Get an existing AuthBackend resource's state with the given name, id, and optional extra
@@ -645,6 +841,12 @@ class AuthBackend(pulumi.CustomResource):
         :param pulumi.Input[str] description: A description of the auth method.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
+        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
+               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
+               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Specifies if the auth method is local only.
         :param pulumi.Input[str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
@@ -653,6 +855,8 @@ class AuthBackend(pulumi.CustomResource):
         :param pulumi.Input[str] path: The path to mount the auth method — this defaults to 'gcp'.
         :param pulumi.Input[str] private_key_id: The ID of the private key from the credentials
         :param pulumi.Input[str] project_id: The GCP Project ID
+        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
+               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         :param pulumi.Input[pulumi.InputType['AuthBackendTuneArgs']] tune: Extra configuration block. Structure is documented below.
                The `tune` block is used to tune the auth backend:
@@ -668,11 +872,15 @@ class AuthBackend(pulumi.CustomResource):
         __props__.__dict__["custom_endpoint"] = custom_endpoint
         __props__.__dict__["description"] = description
         __props__.__dict__["disable_remount"] = disable_remount
+        __props__.__dict__["identity_token_audience"] = identity_token_audience
+        __props__.__dict__["identity_token_key"] = identity_token_key
+        __props__.__dict__["identity_token_ttl"] = identity_token_ttl
         __props__.__dict__["local"] = local
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["path"] = path
         __props__.__dict__["private_key_id"] = private_key_id
         __props__.__dict__["project_id"] = project_id
+        __props__.__dict__["service_account_email"] = service_account_email
         __props__.__dict__["tune"] = tune
         return AuthBackend(resource_name, opts=opts, __props__=__props__)
@@ -739,6 +947,33 @@ class AuthBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "disable_remount")
+    @property
+    @pulumi.getter(name="identityTokenAudience")
+    def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
+        """
+        The audience claim value for plugin identity
+        tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+        Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_audience")
+    @property
+    @pulumi.getter(name="identityTokenKey")
+    def identity_token_key(self) -> pulumi.Output[Optional[str]]:
+        """
+        The key to use for signing plugin identity
+        tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "identity_token_key")
+    @property
+    @pulumi.getter(name="identityTokenTtl")
+    def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
+        """
+        The TTL of generated tokens.
+        """
+        return pulumi.get(self, "identity_token_ttl")
     @property
     @pulumi.getter
     def local(self) -> pulumi.Output[Optional[bool]]:
@@ -782,6 +1017,15 @@ class AuthBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "project_id")
+    @property
+    @pulumi.getter(name="serviceAccountEmail")
+    def service_account_email(self) -> pulumi.Output[Optional[str]]:
+        """
+        Service Account to impersonate for plugin workload identity federation.
+        Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "service_account_email")
     @property
     @pulumi.getter
     def tune(self) -> pulumi.Output['outputs.AuthBackendTune']:

pulumi-vault 6.1.1__py3-none-any.whl → 6.2.0__py3-none-any.whl

pulumi-vault 6.1.1py3-none-any.whl → 6.2.0py3-none-any.whl