pulumi-vault 6.2.0__py3-none-any.whl → 6.2.0a1712731873__py3-none-any.whl

pulumi_vault/gcp/get_auth_backend_role.py

@@ -311,6 +311,7 @@ def get_auth_backend_role(backend: Optional[str] = None,
 
     ## Example Usage
 
+    <!--Start PulumiCodeChooser -->
     ```python
     import pulumi
     import pulumi_vault as vault
@@ -319,6 +320,7 @@ def get_auth_backend_role(backend: Optional[str] = None,
         role_name="my-role")
     pulumi.export("role-id", role.role_id)
     ```
+    <!--End PulumiCodeChooser -->
 
 
     :param str backend: The unique name for the GCP backend from which to fetch the role. Defaults to "gcp".
@@ -414,6 +416,7 @@ def get_auth_backend_role_output(backend: Optional[pulumi.Input[Optional[str]]]
 
     ## Example Usage
 
+    <!--Start PulumiCodeChooser -->
     ```python
     import pulumi
     import pulumi_vault as vault
@@ -422,6 +425,7 @@ def get_auth_backend_role_output(backend: Optional[pulumi.Input[Optional[str]]]
         role_name="my-role")
     pulumi.export("role-id", role.role_id)
     ```
+    <!--End PulumiCodeChooser -->
 
 
     :param str backend: The unique name for the GCP backend from which to fetch the role. Defaults to "gcp".

pulumi_vault/gcp/secret_backend.py

@@ -18,14 +18,10 @@ class SecretBackendArgs:
                  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
-                 identity_token_audience: Optional[pulumi.Input[str]] = None,
-                 identity_token_key: Optional[pulumi.Input[str]] = None,
-                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
-                 path: Optional[pulumi.Input[str]] = None,
-                 service_account_email: Optional[pulumi.Input[str]] = None):
+                 path: Optional[pulumi.Input[str]] = None):
         """
         The set of arguments for constructing a SecretBackend resource.
         :param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
@@ -34,12 +30,6 @@ class SecretBackendArgs:
         :param pulumi.Input[str] description: A human-friendly description for this backend.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
-        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
-               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
-               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
-               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
         :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
                for credentials issued by this backend. Defaults to '0'.
@@ -49,8 +39,6 @@ class SecretBackendArgs:
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `gcp`.
-        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
-               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         """
         if credentials is not None:
             pulumi.set(__self__, "credentials", credentials)
@@ -60,12 +48,6 @@ class SecretBackendArgs:
             pulumi.set(__self__, "description", description)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
-        if identity_token_audience is not None:
-            pulumi.set(__self__, "identity_token_audience", identity_token_audience)
-        if identity_token_key is not None:
-            pulumi.set(__self__, "identity_token_key", identity_token_key)
-        if identity_token_ttl is not None:
-            pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
         if local is not None:
             pulumi.set(__self__, "local", local)
         if max_lease_ttl_seconds is not None:
@@ -74,8 +56,6 @@ class SecretBackendArgs:
             pulumi.set(__self__, "namespace", namespace)
         if path is not None:
             pulumi.set(__self__, "path", path)
-        if service_account_email is not None:
-            pulumi.set(__self__, "service_account_email", service_account_email)
 
     @property
     @pulumi.getter
@@ -127,45 +107,6 @@ class SecretBackendArgs:
     def disable_remount(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "disable_remount", value)
 
-    @property
-    @pulumi.getter(name="identityTokenAudience")
-    def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
-        """
-        The audience claim value for plugin identity
-        tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
-        Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        """
-        return pulumi.get(self, "identity_token_audience")
-
-    @identity_token_audience.setter
-    def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "identity_token_audience", value)
-
-    @property
-    @pulumi.getter(name="identityTokenKey")
-    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
-        """
-        The key to use for signing plugin identity
-        tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        """
-        return pulumi.get(self, "identity_token_key")
-
-    @identity_token_key.setter
-    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "identity_token_key", value)
-
-    @property
-    @pulumi.getter(name="identityTokenTtl")
-    def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
-        """
-        The TTL of generated tokens.
-        """
-        return pulumi.get(self, "identity_token_ttl")
-
-    @identity_token_ttl.setter
-    def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
-        pulumi.set(self, "identity_token_ttl", value)
-
     @property
     @pulumi.getter
     def local(self) -> Optional[pulumi.Input[bool]]:
@@ -219,51 +160,26 @@ class SecretBackendArgs:
     def path(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "path", value)
 
-    @property
-    @pulumi.getter(name="serviceAccountEmail")
-    def service_account_email(self) -> Optional[pulumi.Input[str]]:
-        """
-        Service Account to impersonate for plugin workload identity federation.
-        Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        """
-        return pulumi.get(self, "service_account_email")
-
-    @service_account_email.setter
-    def service_account_email(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "service_account_email", value)
-
 
 @pulumi.input_type
 class _SecretBackendState:
     def __init__(__self__, *,
-                 accessor: Optional[pulumi.Input[str]] = None,
                  credentials: Optional[pulumi.Input[str]] = None,
                  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
-                 identity_token_audience: Optional[pulumi.Input[str]] = None,
-                 identity_token_key: Optional[pulumi.Input[str]] = None,
-                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
-                 path: Optional[pulumi.Input[str]] = None,
-                 service_account_email: Optional[pulumi.Input[str]] = None):
+                 path: Optional[pulumi.Input[str]] = None):
         """
         Input properties used for looking up and filtering SecretBackend resources.
-        :param pulumi.Input[str] accessor: The accessor of the created GCP mount.
         :param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
         :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
                issued by this backend. Defaults to '0'.
         :param pulumi.Input[str] description: A human-friendly description for this backend.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
-        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
-               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
-               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
-               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
         :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
                for credentials issued by this backend. Defaults to '0'.
@@ -273,11 +189,7 @@ class _SecretBackendState:
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `gcp`.
-        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
-               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         """
-        if accessor is not None:
-            pulumi.set(__self__, "accessor", accessor)
         if credentials is not None:
             pulumi.set(__self__, "credentials", credentials)
         if default_lease_ttl_seconds is not None:
@@ -286,12 +198,6 @@ class _SecretBackendState:
             pulumi.set(__self__, "description", description)
         if disable_remount is not None:
             pulumi.set(__self__, "disable_remount", disable_remount)
-        if identity_token_audience is not None:
-            pulumi.set(__self__, "identity_token_audience", identity_token_audience)
-        if identity_token_key is not None:
-            pulumi.set(__self__, "identity_token_key", identity_token_key)
-        if identity_token_ttl is not None:
-            pulumi.set(__self__, "identity_token_ttl", identity_token_ttl)
         if local is not None:
             pulumi.set(__self__, "local", local)
         if max_lease_ttl_seconds is not None:
@@ -300,20 +206,6 @@ class _SecretBackendState:
             pulumi.set(__self__, "namespace", namespace)
         if path is not None:
             pulumi.set(__self__, "path", path)
-        if service_account_email is not None:
-            pulumi.set(__self__, "service_account_email", service_account_email)
-
-    @property
-    @pulumi.getter
-    def accessor(self) -> Optional[pulumi.Input[str]]:
-        """
-        The accessor of the created GCP mount.
-        """
-        return pulumi.get(self, "accessor")
-
-    @accessor.setter
-    def accessor(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "accessor", value)
 
     @property
     @pulumi.getter
@@ -365,45 +257,6 @@ class _SecretBackendState:
     def disable_remount(self, value: Optional[pulumi.Input[bool]]):
         pulumi.set(self, "disable_remount", value)
 
-    @property
-    @pulumi.getter(name="identityTokenAudience")
-    def identity_token_audience(self) -> Optional[pulumi.Input[str]]:
-        """
-        The audience claim value for plugin identity
-        tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
-        Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        """
-        return pulumi.get(self, "identity_token_audience")
-
-    @identity_token_audience.setter
-    def identity_token_audience(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "identity_token_audience", value)
-
-    @property
-    @pulumi.getter(name="identityTokenKey")
-    def identity_token_key(self) -> Optional[pulumi.Input[str]]:
-        """
-        The key to use for signing plugin identity
-        tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        """
-        return pulumi.get(self, "identity_token_key")
-
-    @identity_token_key.setter
-    def identity_token_key(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "identity_token_key", value)
-
-    @property
-    @pulumi.getter(name="identityTokenTtl")
-    def identity_token_ttl(self) -> Optional[pulumi.Input[int]]:
-        """
-        The TTL of generated tokens.
-        """
-        return pulumi.get(self, "identity_token_ttl")
-
-    @identity_token_ttl.setter
-    def identity_token_ttl(self, value: Optional[pulumi.Input[int]]):
-        pulumi.set(self, "identity_token_ttl", value)
-
     @property
     @pulumi.getter
     def local(self) -> Optional[pulumi.Input[bool]]:
@@ -457,19 +310,6 @@ class _SecretBackendState:
     def path(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "path", value)
 
-    @property
-    @pulumi.getter(name="serviceAccountEmail")
-    def service_account_email(self) -> Optional[pulumi.Input[str]]:
-        """
-        Service Account to impersonate for plugin workload identity federation.
-        Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        """
-        return pulumi.get(self, "service_account_email")
-
-    @service_account_email.setter
-    def service_account_email(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "service_account_email", value)
-
 
 class SecretBackend(pulumi.CustomResource):
     @overload
@@ -480,37 +320,22 @@ class SecretBackend(pulumi.CustomResource):
                  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
-                 identity_token_audience: Optional[pulumi.Input[str]] = None,
-                 identity_token_key: Optional[pulumi.Input[str]] = None,
-                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
-                 service_account_email: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         """
         ## Example Usage
 
-        You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
-        ```python
-        import pulumi
-        import pulumi_vault as vault
-
-        gcp = vault.gcp.SecretBackend("gcp",
-            identity_token_key="example-key",
-            identity_token_ttl=1800,
-            identity_token_audience="<TOKEN_AUDIENCE>",
-            service_account_email="<SERVICE_ACCOUNT_EMAIL>")
-        ```
-
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
-        import pulumi_std as std
         import pulumi_vault as vault
 
-        gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
+        gcp = vault.gcp.SecretBackend("gcp", credentials=(lambda path: open(path).read())("credentials.json"))
         ```
+        <!--End PulumiCodeChooser -->
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
@@ -520,12 +345,6 @@ class SecretBackend(pulumi.CustomResource):
         :param pulumi.Input[str] description: A human-friendly description for this backend.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
-        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
-               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
-               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
-               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
         :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
                for credentials issued by this backend. Defaults to '0'.
@@ -535,8 +354,6 @@ class SecretBackend(pulumi.CustomResource):
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `gcp`.
-        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
-               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         """
         ...
     @overload
@@ -547,25 +364,14 @@ class SecretBackend(pulumi.CustomResource):
         """
         ## Example Usage
 
-        You can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:
-        ```python
-        import pulumi
-        import pulumi_vault as vault
-
-        gcp = vault.gcp.SecretBackend("gcp",
-            identity_token_key="example-key",
-            identity_token_ttl=1800,
-            identity_token_audience="<TOKEN_AUDIENCE>",
-            service_account_email="<SERVICE_ACCOUNT_EMAIL>")
-        ```
-
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
-        import pulumi_std as std
         import pulumi_vault as vault
 
-        gcp = vault.gcp.SecretBackend("gcp", credentials=std.file(input="credentials.json").result)
+        gcp = vault.gcp.SecretBackend("gcp", credentials=(lambda path: open(path).read())("credentials.json"))
         ```
+        <!--End PulumiCodeChooser -->
 
         :param str resource_name: The name of the resource.
         :param SecretBackendArgs args: The arguments to use to populate this resource's properties.
@@ -586,14 +392,10 @@ class SecretBackend(pulumi.CustomResource):
                  default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  description: Optional[pulumi.Input[str]] = None,
                  disable_remount: Optional[pulumi.Input[bool]] = None,
-                 identity_token_audience: Optional[pulumi.Input[str]] = None,
-                 identity_token_key: Optional[pulumi.Input[str]] = None,
-                 identity_token_ttl: Optional[pulumi.Input[int]] = None,
                  local: Optional[pulumi.Input[bool]] = None,
                  max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
                  namespace: Optional[pulumi.Input[str]] = None,
                  path: Optional[pulumi.Input[str]] = None,
-                 service_account_email: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -607,15 +409,10 @@ class SecretBackend(pulumi.CustomResource):
             __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
             __props__.__dict__["description"] = description
             __props__.__dict__["disable_remount"] = disable_remount
-            __props__.__dict__["identity_token_audience"] = identity_token_audience
-            __props__.__dict__["identity_token_key"] = identity_token_key
-            __props__.__dict__["identity_token_ttl"] = identity_token_ttl
             __props__.__dict__["local"] = local
             __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
             __props__.__dict__["namespace"] = namespace
             __props__.__dict__["path"] = path
-            __props__.__dict__["service_account_email"] = service_account_email
-            __props__.__dict__["accessor"] = None
         secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["credentials"])
         opts = pulumi.ResourceOptions.merge(opts, secret_opts)
         super(SecretBackend, __self__).__init__(
@@ -628,19 +425,14 @@ class SecretBackend(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
-            accessor: Optional[pulumi.Input[str]] = None,
             credentials: Optional[pulumi.Input[str]] = None,
             default_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
             description: Optional[pulumi.Input[str]] = None,
             disable_remount: Optional[pulumi.Input[bool]] = None,
-            identity_token_audience: Optional[pulumi.Input[str]] = None,
-            identity_token_key: Optional[pulumi.Input[str]] = None,
-            identity_token_ttl: Optional[pulumi.Input[int]] = None,
             local: Optional[pulumi.Input[bool]] = None,
             max_lease_ttl_seconds: Optional[pulumi.Input[int]] = None,
             namespace: Optional[pulumi.Input[str]] = None,
-            path: Optional[pulumi.Input[str]] = None,
-            service_account_email: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
+            path: Optional[pulumi.Input[str]] = None) -> 'SecretBackend':
         """
         Get an existing SecretBackend resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -648,19 +440,12 @@ class SecretBackend(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[str] accessor: The accessor of the created GCP mount.
         :param pulumi.Input[str] credentials: JSON-encoded credentials to use to connect to GCP
         :param pulumi.Input[int] default_lease_ttl_seconds: The default TTL for credentials
                issued by this backend. Defaults to '0'.
         :param pulumi.Input[str] description: A human-friendly description for this backend.
         :param pulumi.Input[bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
-        :param pulumi.Input[str] identity_token_audience: The audience claim value for plugin identity
-               tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
-               Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        :param pulumi.Input[str] identity_token_key: The key to use for signing plugin identity
-               tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        :param pulumi.Input[int] identity_token_ttl: The TTL of generated tokens.
         :param pulumi.Input[bool] local: Boolean flag that can be explicitly set to true to enforce local mount in HA environment
         :param pulumi.Input[int] max_lease_ttl_seconds: The maximum TTL that can be requested
                for credentials issued by this backend. Defaults to '0'.
@@ -670,36 +455,21 @@ class SecretBackend(pulumi.CustomResource):
                *Available only for Vault Enterprise*.
         :param pulumi.Input[str] path: The unique path this backend should be mounted at. Must
                not begin or end with a `/`. Defaults to `gcp`.
-        :param pulumi.Input[str] service_account_email: Service Account to impersonate for plugin workload identity federation.
-               Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
         __props__ = _SecretBackendState.__new__(_SecretBackendState)
 
-        __props__.__dict__["accessor"] = accessor
         __props__.__dict__["credentials"] = credentials
         __props__.__dict__["default_lease_ttl_seconds"] = default_lease_ttl_seconds
         __props__.__dict__["description"] = description
         __props__.__dict__["disable_remount"] = disable_remount
-        __props__.__dict__["identity_token_audience"] = identity_token_audience
-        __props__.__dict__["identity_token_key"] = identity_token_key
-        __props__.__dict__["identity_token_ttl"] = identity_token_ttl
         __props__.__dict__["local"] = local
         __props__.__dict__["max_lease_ttl_seconds"] = max_lease_ttl_seconds
         __props__.__dict__["namespace"] = namespace
         __props__.__dict__["path"] = path
-        __props__.__dict__["service_account_email"] = service_account_email
         return SecretBackend(resource_name, opts=opts, __props__=__props__)
 
-    @property
-    @pulumi.getter
-    def accessor(self) -> pulumi.Output[str]:
-        """
-        The accessor of the created GCP mount.
-        """
-        return pulumi.get(self, "accessor")
-
     @property
     @pulumi.getter
     def credentials(self) -> pulumi.Output[Optional[str]]:
@@ -734,33 +504,6 @@ class SecretBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "disable_remount")
 
-    @property
-    @pulumi.getter(name="identityTokenAudience")
-    def identity_token_audience(self) -> pulumi.Output[Optional[str]]:
-        """
-        The audience claim value for plugin identity
-        tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
-        Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        """
-        return pulumi.get(self, "identity_token_audience")
-
-    @property
-    @pulumi.getter(name="identityTokenKey")
-    def identity_token_key(self) -> pulumi.Output[Optional[str]]:
-        """
-        The key to use for signing plugin identity
-        tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        """
-        return pulumi.get(self, "identity_token_key")
-
-    @property
-    @pulumi.getter(name="identityTokenTtl")
-    def identity_token_ttl(self) -> pulumi.Output[Optional[int]]:
-        """
-        The TTL of generated tokens.
-        """
-        return pulumi.get(self, "identity_token_ttl")
-
     @property
     @pulumi.getter
     def local(self) -> pulumi.Output[Optional[bool]]:
@@ -798,12 +541,3 @@ class SecretBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "path")
 
-    @property
-    @pulumi.getter(name="serviceAccountEmail")
-    def service_account_email(self) -> pulumi.Output[Optional[str]]:
-        """
-        Service Account to impersonate for plugin workload identity federation.
-        Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
-        """
-        return pulumi.get(self, "service_account_email")
-

pulumi_vault/gcp/secret_impersonated_account.py

@@ -219,22 +219,23 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
 
         ## Example Usage
 
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
-        import pulumi_google as google
-        import pulumi_std as std
+        import pulumi_gcp as gcp
         import pulumi_vault as vault
 
-        this = google.index.ServiceAccount("this", account_id=my-awesome-account)
+        this = gcp.service_account.Account("this", account_id="my-awesome-account")
         gcp = vault.gcp.SecretBackend("gcp",
             path="gcp",
-            credentials=std.file(input="credentials.json").result)
-        impersonated_account = vault.gcp.SecretImpersonatedAccount("impersonated_account",
+            credentials=(lambda path: open(path).read())("credentials.json"))
+        impersonated_account = vault.gcp.SecretImpersonatedAccount("impersonatedAccount",
             backend=gcp.path,
             impersonated_account="this",
-            service_account_email=this["email"],
+            service_account_email=this.email,
             token_scopes=["https://www.googleapis.com/auth/cloud-platform"])
         ```
+        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -266,22 +267,23 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
 
         ## Example Usage
 
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
-        import pulumi_google as google
-        import pulumi_std as std
+        import pulumi_gcp as gcp
         import pulumi_vault as vault
 
-        this = google.index.ServiceAccount("this", account_id=my-awesome-account)
+        this = gcp.service_account.Account("this", account_id="my-awesome-account")
         gcp = vault.gcp.SecretBackend("gcp",
             path="gcp",
-            credentials=std.file(input="credentials.json").result)
-        impersonated_account = vault.gcp.SecretImpersonatedAccount("impersonated_account",
+            credentials=(lambda path: open(path).read())("credentials.json"))
+        impersonated_account = vault.gcp.SecretImpersonatedAccount("impersonatedAccount",
             backend=gcp.path,
             impersonated_account="this",
-            service_account_email=this["email"],
+            service_account_email=this.email,
             token_scopes=["https://www.googleapis.com/auth/cloud-platform"])
         ```
+        <!--End PulumiCodeChooser -->
 
         ## Import
 

pulumi_vault/gcp/secret_roleset.py

@@ -297,15 +297,15 @@ class SecretRoleset(pulumi.CustomResource):
 
         ## Example Usage
 
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
-        import pulumi_std as std
         import pulumi_vault as vault
 
         project = "my-awesome-project"
         gcp = vault.gcp.SecretBackend("gcp",
             path="gcp",
-            credentials=std.file(input="credentials.json").result)
+            credentials=(lambda path: open(path).read())("credentials.json"))
         roleset = vault.gcp.SecretRoleset("roleset",
             backend=gcp.path,
             roleset="project_viewer",
@@ -317,6 +317,7 @@ class SecretRoleset(pulumi.CustomResource):
                 roles=["roles/viewer"],
             )])
         ```
+        <!--End PulumiCodeChooser -->
 
         ## Import
 
@@ -352,15 +353,15 @@ class SecretRoleset(pulumi.CustomResource):
 
         ## Example Usage
 
+        <!--Start PulumiCodeChooser -->
         ```python
         import pulumi
-        import pulumi_std as std
         import pulumi_vault as vault
 
         project = "my-awesome-project"
         gcp = vault.gcp.SecretBackend("gcp",
             path="gcp",
-            credentials=std.file(input="credentials.json").result)
+            credentials=(lambda path: open(path).read())("credentials.json"))
         roleset = vault.gcp.SecretRoleset("roleset",
             backend=gcp.path,
             roleset="project_viewer",
@@ -372,6 +373,7 @@ class SecretRoleset(pulumi.CustomResource):
                 roles=["roles/viewer"],
             )])
         ```
+        <!--End PulumiCodeChooser -->
 
         ## Import