pulumi-vault 6.2.0__py3-none-any.whl → 6.2.0a1712470779__py3-none-any.whl

pulumi_vault/jwt/auth_backend_role.py

@@ -53,8 +53,9 @@ class AuthBackendRoleArgs:
                Required for OIDC roles
         :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
                Defaults to `jwt`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
-               type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
+               or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
+               Any match is sufficient.
         :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
                A claim's value must be a string, which may contain one value or multiple
                comma-separated values, e.g. `"red"` or `"red,green,blue"`.
@@ -70,7 +71,7 @@ class AuthBackendRoleArgs:
                Only applicable with "jwt" roles.
         :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
         :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
-               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
                the set of groups to which the user belongs; this will be used as the names
@@ -83,20 +84,37 @@ class AuthBackendRoleArgs:
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
-               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
                The standard scope "openid" is automatically included and need not be specified.
         :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
-        :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
-        :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
-        :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
-        :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
-        :param pulumi.Input[int] token_period: Generated Token's Period
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
-        :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
-        :param pulumi.Input[str] token_type: The type of token to generate, service or batch
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
+               addresses which can authenticate successfully, and ties the resulting token to these blocks
+               as well.
+        :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
+               [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+               onto the token in number of seconds. This is a hard cap even if `token_ttl` and
+               `token_max_ttl` would otherwise allow a renewal.
+        :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
+               Its current value will be referenced at renewal time.
+        :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
+               generated tokens; otherwise it will be added to the policies set in token_policies.
+        :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
+               of times a generated token may be used (within its lifetime); 0 means unlimited.
+        :param pulumi.Input[int] token_period: If set, indicates that the
+               token generated using this role should never expire. The token should be renewed within the
+               duration specified by this value. At each renewal, the token's TTL will be set to the
+               value of this field. Specified in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
+               on the auth method, this list may be supplemented by user/group/other values.
+        :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
+               Its current value will be referenced at renewal time.
+        :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
+               `batch`, or `default` to use the mount's tuned default (which unless changed will be
+               `service` tokens). For token store roles, there are two additional possibilities:
+               `default-service` and `default-batch` which specify the type to return unless the client
+               requests a different type at generation time.
         :param pulumi.Input[bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
                [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
                syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
@@ -218,8 +236,9 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="boundAudiences")
     def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        (Required for roles of type `jwt`, optional for roles of
-        type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
+        or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
+        Any match is sufficient.
         """
         return pulumi.get(self, "bound_audiences")
 
@@ -312,7 +331,7 @@ class AuthBackendRoleArgs:
     def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
         """
         The amount of leeway to add to expiration (`exp`) claims to account for
-        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "expiration_leeway")
@@ -369,7 +388,7 @@ class AuthBackendRoleArgs:
     def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
         """
         The amount of leeway to add to not before (`nbf`) claims to account for
-        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "not_before_leeway")
@@ -407,7 +426,9 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenBoundCidrs")
     def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        Specifies the blocks of IP addresses which are allowed to use the generated token
+        List of CIDR blocks; if set, specifies blocks of IP
+        addresses which can authenticate successfully, and ties the resulting token to these blocks
+        as well.
         """
         return pulumi.get(self, "token_bound_cidrs")
 
@@ -419,7 +440,10 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenExplicitMaxTtl")
     def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        Generated Token's Explicit Maximum TTL in seconds
+        If set, will encode an
+        [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+        onto the token in number of seconds. This is a hard cap even if `token_ttl` and
+        `token_max_ttl` would otherwise allow a renewal.
         """
         return pulumi.get(self, "token_explicit_max_ttl")
 
@@ -431,7 +455,8 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenMaxTtl")
     def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        The maximum lifetime of the generated token
+        The maximum lifetime for generated tokens in number of seconds.
+        Its current value will be referenced at renewal time.
         """
         return pulumi.get(self, "token_max_ttl")
 
@@ -443,7 +468,8 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenNoDefaultPolicy")
     def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
         """
-        If true, the 'default' policy will not automatically be added to generated tokens
+        If set, the default policy will not be set on
+        generated tokens; otherwise it will be added to the policies set in token_policies.
         """
         return pulumi.get(self, "token_no_default_policy")
 
@@ -455,7 +481,8 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenNumUses")
     def token_num_uses(self) -> Optional[pulumi.Input[int]]:
         """
-        The maximum number of times a token may be used, a value of zero means unlimited
+        The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
+        of times a generated token may be used (within its lifetime); 0 means unlimited.
         """
         return pulumi.get(self, "token_num_uses")
 
@@ -467,7 +494,10 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenPeriod")
     def token_period(self) -> Optional[pulumi.Input[int]]:
         """
-        Generated Token's Period
+        If set, indicates that the
+        token generated using this role should never expire. The token should be renewed within the
+        duration specified by this value. At each renewal, the token's TTL will be set to the
+        value of this field. Specified in seconds.
         """
         return pulumi.get(self, "token_period")
 
@@ -479,7 +509,8 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenPolicies")
     def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        Generated Token's Policies
+        List of policies to encode onto generated tokens. Depending
+        on the auth method, this list may be supplemented by user/group/other values.
         """
         return pulumi.get(self, "token_policies")
 
@@ -491,7 +522,8 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenTtl")
     def token_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        The initial ttl of the token to generate in seconds
+        The incremental lifetime for generated tokens in number of seconds.
+        Its current value will be referenced at renewal time.
         """
         return pulumi.get(self, "token_ttl")
 
@@ -503,7 +535,11 @@ class AuthBackendRoleArgs:
     @pulumi.getter(name="tokenType")
     def token_type(self) -> Optional[pulumi.Input[str]]:
         """
-        The type of token to generate, service or batch
+        The type of token that should be generated. Can be `service`,
+        `batch`, or `default` to use the mount's tuned default (which unless changed will be
+        `service` tokens). For token store roles, there are two additional possibilities:
+        `default-service` and `default-batch` which specify the type to return unless the client
+        requests a different type at generation time.
         """
         return pulumi.get(self, "token_type")
 
@@ -579,8 +615,9 @@ class _AuthBackendRoleState:
                Required for OIDC roles
         :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
                Defaults to `jwt`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
-               type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
+               or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
+               Any match is sufficient.
         :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
                A claim's value must be a string, which may contain one value or multiple
                comma-separated values, e.g. `"red"` or `"red,green,blue"`.
@@ -596,7 +633,7 @@ class _AuthBackendRoleState:
                Only applicable with "jwt" roles.
         :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
         :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
-               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
                the set of groups to which the user belongs; this will be used as the names
@@ -609,21 +646,38 @@ class _AuthBackendRoleState:
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
-               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
                The standard scope "openid" is automatically included and need not be specified.
         :param pulumi.Input[str] role_name: The name of the role.
         :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
-        :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
-        :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
-        :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
-        :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
-        :param pulumi.Input[int] token_period: Generated Token's Period
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
-        :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
-        :param pulumi.Input[str] token_type: The type of token to generate, service or batch
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
+               addresses which can authenticate successfully, and ties the resulting token to these blocks
+               as well.
+        :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
+               [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+               onto the token in number of seconds. This is a hard cap even if `token_ttl` and
+               `token_max_ttl` would otherwise allow a renewal.
+        :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
+               Its current value will be referenced at renewal time.
+        :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
+               generated tokens; otherwise it will be added to the policies set in token_policies.
+        :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
+               of times a generated token may be used (within its lifetime); 0 means unlimited.
+        :param pulumi.Input[int] token_period: If set, indicates that the
+               token generated using this role should never expire. The token should be renewed within the
+               duration specified by this value. At each renewal, the token's TTL will be set to the
+               value of this field. Specified in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
+               on the auth method, this list may be supplemented by user/group/other values.
+        :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
+               Its current value will be referenced at renewal time.
+        :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
+               `batch`, or `default` to use the mount's tuned default (which unless changed will be
+               `service` tokens). For token store roles, there are two additional possibilities:
+               `default-service` and `default-batch` which specify the type to return unless the client
+               requests a different type at generation time.
         :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
                the user; this will be used as the name for the Identity entity alias created
                due to a successful login.
@@ -724,8 +778,9 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="boundAudiences")
     def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        (Required for roles of type `jwt`, optional for roles of
-        type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
+        or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
+        Any match is sufficient.
         """
         return pulumi.get(self, "bound_audiences")
 
@@ -818,7 +873,7 @@ class _AuthBackendRoleState:
     def expiration_leeway(self) -> Optional[pulumi.Input[int]]:
         """
         The amount of leeway to add to expiration (`exp`) claims to account for
-        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "expiration_leeway")
@@ -875,7 +930,7 @@ class _AuthBackendRoleState:
     def not_before_leeway(self) -> Optional[pulumi.Input[int]]:
         """
         The amount of leeway to add to not before (`nbf`) claims to account for
-        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "not_before_leeway")
@@ -925,7 +980,9 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenBoundCidrs")
     def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        Specifies the blocks of IP addresses which are allowed to use the generated token
+        List of CIDR blocks; if set, specifies blocks of IP
+        addresses which can authenticate successfully, and ties the resulting token to these blocks
+        as well.
         """
         return pulumi.get(self, "token_bound_cidrs")
 
@@ -937,7 +994,10 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenExplicitMaxTtl")
     def token_explicit_max_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        Generated Token's Explicit Maximum TTL in seconds
+        If set, will encode an
+        [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+        onto the token in number of seconds. This is a hard cap even if `token_ttl` and
+        `token_max_ttl` would otherwise allow a renewal.
         """
         return pulumi.get(self, "token_explicit_max_ttl")
 
@@ -949,7 +1009,8 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenMaxTtl")
     def token_max_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        The maximum lifetime of the generated token
+        The maximum lifetime for generated tokens in number of seconds.
+        Its current value will be referenced at renewal time.
         """
         return pulumi.get(self, "token_max_ttl")
 
@@ -961,7 +1022,8 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenNoDefaultPolicy")
     def token_no_default_policy(self) -> Optional[pulumi.Input[bool]]:
         """
-        If true, the 'default' policy will not automatically be added to generated tokens
+        If set, the default policy will not be set on
+        generated tokens; otherwise it will be added to the policies set in token_policies.
         """
         return pulumi.get(self, "token_no_default_policy")
 
@@ -973,7 +1035,8 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenNumUses")
     def token_num_uses(self) -> Optional[pulumi.Input[int]]:
         """
-        The maximum number of times a token may be used, a value of zero means unlimited
+        The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
+        of times a generated token may be used (within its lifetime); 0 means unlimited.
         """
         return pulumi.get(self, "token_num_uses")
 
@@ -985,7 +1048,10 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenPeriod")
     def token_period(self) -> Optional[pulumi.Input[int]]:
         """
-        Generated Token's Period
+        If set, indicates that the
+        token generated using this role should never expire. The token should be renewed within the
+        duration specified by this value. At each renewal, the token's TTL will be set to the
+        value of this field. Specified in seconds.
         """
         return pulumi.get(self, "token_period")
 
@@ -997,7 +1063,8 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenPolicies")
     def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        Generated Token's Policies
+        List of policies to encode onto generated tokens. Depending
+        on the auth method, this list may be supplemented by user/group/other values.
         """
         return pulumi.get(self, "token_policies")
 
@@ -1009,7 +1076,8 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenTtl")
     def token_ttl(self) -> Optional[pulumi.Input[int]]:
         """
-        The initial ttl of the token to generate in seconds
+        The incremental lifetime for generated tokens in number of seconds.
+        Its current value will be referenced at renewal time.
         """
         return pulumi.get(self, "token_ttl")
 
@@ -1021,7 +1089,11 @@ class _AuthBackendRoleState:
     @pulumi.getter(name="tokenType")
     def token_type(self) -> Optional[pulumi.Input[str]]:
         """
-        The type of token to generate, service or batch
+        The type of token that should be generated. Can be `service`,
+        `batch`, or `default` to use the mount's tuned default (which unless changed will be
+        `service` tokens). For token store roles, there are two additional possibilities:
+        `default-service` and `default-batch` which specify the type to return unless the client
+        requests a different type at generation time.
         """
         return pulumi.get(self, "token_type")
 
@@ -1117,6 +1189,7 @@ class AuthBackendRole(pulumi.CustomResource):
 
         Role for JWT backend:
 
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1137,9 +1210,11 @@ class AuthBackendRole(pulumi.CustomResource):
             user_claim="https://vault/user",
             role_type="jwt")
         ```
+        <!--End PulumiCodeChooser -->
 
         Role for OIDC backend:
 
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1159,6 +1234,7 @@ class AuthBackendRole(pulumi.CustomResource):
             role_type="oidc",
             allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])
         ```
+        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -1174,8 +1250,9 @@ class AuthBackendRole(pulumi.CustomResource):
                Required for OIDC roles
         :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
                Defaults to `jwt`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
-               type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
+               or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
+               Any match is sufficient.
         :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
                A claim's value must be a string, which may contain one value or multiple
                comma-separated values, e.g. `"red"` or `"red,green,blue"`.
@@ -1191,7 +1268,7 @@ class AuthBackendRole(pulumi.CustomResource):
                Only applicable with "jwt" roles.
         :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
         :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
-               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
                the set of groups to which the user belongs; this will be used as the names
@@ -1204,21 +1281,38 @@ class AuthBackendRole(pulumi.CustomResource):
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
-               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
                The standard scope "openid" is automatically included and need not be specified.
         :param pulumi.Input[str] role_name: The name of the role.
         :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
-        :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
-        :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
-        :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
-        :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
-        :param pulumi.Input[int] token_period: Generated Token's Period
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
-        :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
-        :param pulumi.Input[str] token_type: The type of token to generate, service or batch
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
+               addresses which can authenticate successfully, and ties the resulting token to these blocks
+               as well.
+        :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
+               [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+               onto the token in number of seconds. This is a hard cap even if `token_ttl` and
+               `token_max_ttl` would otherwise allow a renewal.
+        :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
+               Its current value will be referenced at renewal time.
+        :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
+               generated tokens; otherwise it will be added to the policies set in token_policies.
+        :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
+               of times a generated token may be used (within its lifetime); 0 means unlimited.
+        :param pulumi.Input[int] token_period: If set, indicates that the
+               token generated using this role should never expire. The token should be renewed within the
+               duration specified by this value. At each renewal, the token's TTL will be set to the
+               value of this field. Specified in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
+               on the auth method, this list may be supplemented by user/group/other values.
+        :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
+               Its current value will be referenced at renewal time.
+        :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
+               `batch`, or `default` to use the mount's tuned default (which unless changed will be
+               `service` tokens). For token store roles, there are two additional possibilities:
+               `default-service` and `default-batch` which specify the type to return unless the client
+               requests a different type at generation time.
         :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
                the user; this will be used as the name for the Identity entity alias created
                due to a successful login.
@@ -1245,6 +1339,7 @@ class AuthBackendRole(pulumi.CustomResource):
 
         Role for JWT backend:
 
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1265,9 +1360,11 @@ class AuthBackendRole(pulumi.CustomResource):
             user_claim="https://vault/user",
             role_type="jwt")
         ```
+        <!--End PulumiCodeChooser -->
 
         Role for OIDC backend:
 
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
         import pulumi_vault as vault
@@ -1287,6 +1384,7 @@ class AuthBackendRole(pulumi.CustomResource):
             role_type="oidc",
             allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])
         ```
+        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -1432,8 +1530,9 @@ class AuthBackendRole(pulumi.CustomResource):
                Required for OIDC roles
         :param pulumi.Input[str] backend: The unique name of the auth backend to configure.
                Defaults to `jwt`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
-               type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] bound_audiences: (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
+               or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
+               Any match is sufficient.
         :param pulumi.Input[Mapping[str, Any]] bound_claims: If set, a map of claims to values to match against.
                A claim's value must be a string, which may contain one value or multiple
                comma-separated values, e.g. `"red"` or `"red,green,blue"`.
@@ -1449,7 +1548,7 @@ class AuthBackendRole(pulumi.CustomResource):
                Only applicable with "jwt" roles.
         :param pulumi.Input[bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
         :param pulumi.Input[int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
-               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[str] groups_claim: The claim to use to uniquely identify
                the set of groups to which the user belongs; this will be used as the names
@@ -1462,21 +1561,38 @@ class AuthBackendRole(pulumi.CustomResource):
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
         :param pulumi.Input[int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
-               clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+               clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
                Only applicable with "jwt" roles.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
                The standard scope "openid" is automatically included and need not be specified.
         :param pulumi.Input[str] role_name: The name of the role.
         :param pulumi.Input[str] role_type: Type of role, either "oidc" (default) or "jwt".
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
-        :param pulumi.Input[int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
-        :param pulumi.Input[int] token_max_ttl: The maximum lifetime of the generated token
-        :param pulumi.Input[bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
-        :param pulumi.Input[int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
-        :param pulumi.Input[int] token_period: Generated Token's Period
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: Generated Token's Policies
-        :param pulumi.Input[int] token_ttl: The initial ttl of the token to generate in seconds
-        :param pulumi.Input[str] token_type: The type of token to generate, service or batch
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_bound_cidrs: List of CIDR blocks; if set, specifies blocks of IP
+               addresses which can authenticate successfully, and ties the resulting token to these blocks
+               as well.
+        :param pulumi.Input[int] token_explicit_max_ttl: If set, will encode an
+               [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+               onto the token in number of seconds. This is a hard cap even if `token_ttl` and
+               `token_max_ttl` would otherwise allow a renewal.
+        :param pulumi.Input[int] token_max_ttl: The maximum lifetime for generated tokens in number of seconds.
+               Its current value will be referenced at renewal time.
+        :param pulumi.Input[bool] token_no_default_policy: If set, the default policy will not be set on
+               generated tokens; otherwise it will be added to the policies set in token_policies.
+        :param pulumi.Input[int] token_num_uses: The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
+               of times a generated token may be used (within its lifetime); 0 means unlimited.
+        :param pulumi.Input[int] token_period: If set, indicates that the
+               token generated using this role should never expire. The token should be renewed within the
+               duration specified by this value. At each renewal, the token's TTL will be set to the
+               value of this field. Specified in seconds.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] token_policies: List of policies to encode onto generated tokens. Depending
+               on the auth method, this list may be supplemented by user/group/other values.
+        :param pulumi.Input[int] token_ttl: The incremental lifetime for generated tokens in number of seconds.
+               Its current value will be referenced at renewal time.
+        :param pulumi.Input[str] token_type: The type of token that should be generated. Can be `service`,
+               `batch`, or `default` to use the mount's tuned default (which unless changed will be
+               `service` tokens). For token store roles, there are two additional possibilities:
+               `default-service` and `default-batch` which specify the type to return unless the client
+               requests a different type at generation time.
         :param pulumi.Input[str] user_claim: The claim to use to uniquely identify
                the user; this will be used as the name for the Identity entity alias created
                due to a successful login.
@@ -1545,8 +1661,9 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="boundAudiences")
     def bound_audiences(self) -> pulumi.Output[Optional[Sequence[str]]]:
         """
-        (Required for roles of type `jwt`, optional for roles of
-        type `oidc`) List of `aud` claims to match against. Any match is sufficient.
+        (For "jwt" roles, at least one of `bound_audiences`, `bound_subject`, `bound_claims`
+        or `token_bound_cidrs` is required. Optional for "oidc" roles.) List of `aud` claims to match against.
+        Any match is sufficient.
         """
         return pulumi.get(self, "bound_audiences")
 
@@ -1611,7 +1728,7 @@ class AuthBackendRole(pulumi.CustomResource):
     def expiration_leeway(self) -> pulumi.Output[Optional[int]]:
         """
         The amount of leeway to add to expiration (`exp`) claims to account for
-        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "expiration_leeway")
@@ -1652,7 +1769,7 @@ class AuthBackendRole(pulumi.CustomResource):
     def not_before_leeway(self) -> pulumi.Output[Optional[int]]:
         """
         The amount of leeway to add to not before (`nbf`) claims to account for
-        clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
+        clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
         Only applicable with "jwt" roles.
         """
         return pulumi.get(self, "not_before_leeway")
@@ -1686,7 +1803,9 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenBoundCidrs")
     def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[str]]]:
         """
-        Specifies the blocks of IP addresses which are allowed to use the generated token
+        List of CIDR blocks; if set, specifies blocks of IP
+        addresses which can authenticate successfully, and ties the resulting token to these blocks
+        as well.
         """
         return pulumi.get(self, "token_bound_cidrs")
 
@@ -1694,7 +1813,10 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenExplicitMaxTtl")
     def token_explicit_max_ttl(self) -> pulumi.Output[Optional[int]]:
         """
-        Generated Token's Explicit Maximum TTL in seconds
+        If set, will encode an
+        [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
+        onto the token in number of seconds. This is a hard cap even if `token_ttl` and
+        `token_max_ttl` would otherwise allow a renewal.
         """
         return pulumi.get(self, "token_explicit_max_ttl")
 
@@ -1702,7 +1824,8 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenMaxTtl")
     def token_max_ttl(self) -> pulumi.Output[Optional[int]]:
         """
-        The maximum lifetime of the generated token
+        The maximum lifetime for generated tokens in number of seconds.
+        Its current value will be referenced at renewal time.
         """
         return pulumi.get(self, "token_max_ttl")
 
@@ -1710,7 +1833,8 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenNoDefaultPolicy")
     def token_no_default_policy(self) -> pulumi.Output[Optional[bool]]:
         """
-        If true, the 'default' policy will not automatically be added to generated tokens
+        If set, the default policy will not be set on
+        generated tokens; otherwise it will be added to the policies set in token_policies.
         """
         return pulumi.get(self, "token_no_default_policy")
 
@@ -1718,7 +1842,8 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenNumUses")
     def token_num_uses(self) -> pulumi.Output[Optional[int]]:
         """
-        The maximum number of times a token may be used, a value of zero means unlimited
+        The [maximum number](https://www.vaultproject.io/api-docs/jwt#token_num_uses)
+        of times a generated token may be used (within its lifetime); 0 means unlimited.
         """
         return pulumi.get(self, "token_num_uses")
 
@@ -1726,7 +1851,10 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenPeriod")
     def token_period(self) -> pulumi.Output[Optional[int]]:
         """
-        Generated Token's Period
+        If set, indicates that the
+        token generated using this role should never expire. The token should be renewed within the
+        duration specified by this value. At each renewal, the token's TTL will be set to the
+        value of this field. Specified in seconds.
         """
         return pulumi.get(self, "token_period")
 
@@ -1734,7 +1862,8 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenPolicies")
     def token_policies(self) -> pulumi.Output[Optional[Sequence[str]]]:
         """
-        Generated Token's Policies
+        List of policies to encode onto generated tokens. Depending
+        on the auth method, this list may be supplemented by user/group/other values.
         """
         return pulumi.get(self, "token_policies")
 
@@ -1742,7 +1871,8 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenTtl")
     def token_ttl(self) -> pulumi.Output[Optional[int]]:
         """
-        The initial ttl of the token to generate in seconds
+        The incremental lifetime for generated tokens in number of seconds.
+        Its current value will be referenced at renewal time.
         """
         return pulumi.get(self, "token_ttl")
 
@@ -1750,7 +1880,11 @@ class AuthBackendRole(pulumi.CustomResource):
     @pulumi.getter(name="tokenType")
     def token_type(self) -> pulumi.Output[Optional[str]]:
         """
-        The type of token to generate, service or batch
+        The type of token that should be generated. Can be `service`,
+        `batch`, or `default` to use the mount's tuned default (which unless changed will be
+        `service` tokens). For token store roles, there are two additional possibilities:
+        `default-service` and `default-batch` which specify the type to return unless the client
+        requests a different type at generation time.
         """
         return pulumi.get(self, "token_type")