pulumi-vault 7.1.0__py3-none-any.whl → 7.2.0__py3-none-any.whl

pulumi_vault/jwt/auth_backend.py

@@ -2,8 +2,7 @@
 # *** WARNING: this file was generated by pulumi-language-python. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
-import builtins
-import copy
+import builtins as _builtins
 import warnings
 import sys
 import pulumi
@@ -22,57 +21,59 @@ __all__ = ['AuthBackendArgs', 'AuthBackend']
 @pulumi.input_type
 class AuthBackendArgs:
     def __init__(__self__, *,
-                 bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
-                 default_role: Optional[pulumi.Input[builtins.str]] = None,
-                 description: Optional[pulumi.Input[builtins.str]] = None,
-                 disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
-                 jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-                 jwks_url: Optional[pulumi.Input[builtins.str]] = None,
-                 jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 local: Optional[pulumi.Input[builtins.bool]] = None,
-                 namespace: Optional[pulumi.Input[builtins.str]] = None,
-                 namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
-                 oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 path: Optional[pulumi.Input[builtins.str]] = None,
-                 provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 bound_issuer: Optional[pulumi.Input[_builtins.str]] = None,
+                 default_role: Optional[pulumi.Input[_builtins.str]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 disable_remount: Optional[pulumi.Input[_builtins.bool]] = None,
+                 jwks_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+                 jwks_pairs: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]]] = None,
+                 jwks_url: Optional[pulumi.Input[_builtins.str]] = None,
+                 jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 local: Optional[pulumi.Input[_builtins.bool]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace_in_state: Optional[pulumi.Input[_builtins.bool]] = None,
+                 oidc_client_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_client_secret: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_discovery_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_discovery_url: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_response_mode: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 path: Optional[pulumi.Input[_builtins.str]] = None,
+                 provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
                  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None,
-                 type: Optional[pulumi.Input[builtins.str]] = None):
+                 type: Optional[pulumi.Input[_builtins.str]] = None):
         """
         The set of arguments for constructing a AuthBackend resource.
-        :param pulumi.Input[builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
-        :param pulumi.Input[builtins.str] default_role: The default role to use if none is provided during login
-        :param pulumi.Input[builtins.str] description: The description of the auth backend
-        :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
+        :param pulumi.Input[_builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
+        :param pulumi.Input[_builtins.str] default_role: The default role to use if none is provided during login
+        :param pulumi.Input[_builtins.str] description: The description of the auth backend
+        :param pulumi.Input[_builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
-        :param pulumi.Input[builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
-        :param pulumi.Input[builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
-        :param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
-        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[_builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
+        :param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]] jwks_pairs: List of JWKS URL and optional CA certificate pairs. Cannot be used with `jwks_url` or `jwks_ca_pem`. Requires Vault 1.16+.
+        :param pulumi.Input[_builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
+        :param pulumi.Input[_builtins.bool] local: Specifies if the auth method is local only.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
+        :param pulumi.Input[_builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
                
                * tune - (Optional) Extra configuration block. Structure is documented below.
                
                The `tune` block is used to tune the auth backend:
-        :param pulumi.Input[builtins.str] oidc_client_id: Client ID used for OIDC backends
-        :param pulumi.Input[builtins.str] oidc_client_secret: Client Secret used for OIDC backends
-        :param pulumi.Input[builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
-        :param pulumi.Input[builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
-        :param pulumi.Input[builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
-        :param pulumi.Input[builtins.str] path: Path to mount the JWT/OIDC auth backend
-        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
-        :param pulumi.Input[builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
+        :param pulumi.Input[_builtins.str] oidc_client_id: Client ID used for OIDC backends
+        :param pulumi.Input[_builtins.str] oidc_client_secret: Client Secret used for OIDC backends
+        :param pulumi.Input[_builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
+        :param pulumi.Input[_builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
+        :param pulumi.Input[_builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
+        :param pulumi.Input[_builtins.str] path: Path to mount the JWT/OIDC auth backend
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
+        :param pulumi.Input[_builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
         """
         if bound_issuer is not None:
             pulumi.set(__self__, "bound_issuer", bound_issuer)
@@ -84,6 +85,8 @@ class AuthBackendArgs:
             pulumi.set(__self__, "disable_remount", disable_remount)
         if jwks_ca_pem is not None:
             pulumi.set(__self__, "jwks_ca_pem", jwks_ca_pem)
+        if jwks_pairs is not None:
+            pulumi.set(__self__, "jwks_pairs", jwks_pairs)
         if jwks_url is not None:
             pulumi.set(__self__, "jwks_url", jwks_url)
         if jwt_supported_algs is not None:
@@ -117,45 +120,45 @@ class AuthBackendArgs:
         if type is not None:
             pulumi.set(__self__, "type", type)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="boundIssuer")
-    def bound_issuer(self) -> Optional[pulumi.Input[builtins.str]]:
+    def bound_issuer(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The value against which to match the iss claim in a JWT
         """
         return pulumi.get(self, "bound_issuer")
 
     @bound_issuer.setter
-    def bound_issuer(self, value: Optional[pulumi.Input[builtins.str]]):
+    def bound_issuer(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "bound_issuer", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="defaultRole")
-    def default_role(self) -> Optional[pulumi.Input[builtins.str]]:
+    def default_role(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The default role to use if none is provided during login
         """
         return pulumi.get(self, "default_role")
 
     @default_role.setter
-    def default_role(self, value: Optional[pulumi.Input[builtins.str]]):
+    def default_role(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "default_role", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def description(self) -> Optional[pulumi.Input[builtins.str]]:
+    def description(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The description of the auth backend
         """
         return pulumi.get(self, "description")
 
     @description.setter
-    def description(self, value: Optional[pulumi.Input[builtins.str]]):
+    def description(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "description", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="disableRemount")
-    def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
+    def disable_remount(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         If set, opts out of mount migration on path updates.
         See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
@@ -163,72 +166,84 @@ class AuthBackendArgs:
         return pulumi.get(self, "disable_remount")
 
     @disable_remount.setter
-    def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
+    def disable_remount(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "disable_remount", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="jwksCaPem")
-    def jwks_ca_pem(self) -> Optional[pulumi.Input[builtins.str]]:
+    def jwks_ca_pem(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
         """
         return pulumi.get(self, "jwks_ca_pem")
 
     @jwks_ca_pem.setter
-    def jwks_ca_pem(self, value: Optional[pulumi.Input[builtins.str]]):
+    def jwks_ca_pem(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "jwks_ca_pem", value)
 
-    @property
+    @_builtins.property
+    @pulumi.getter(name="jwksPairs")
+    def jwks_pairs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]]]:
+        """
+        List of JWKS URL and optional CA certificate pairs. Cannot be used with `jwks_url` or `jwks_ca_pem`. Requires Vault 1.16+.
+        """
+        return pulumi.get(self, "jwks_pairs")
+
+    @jwks_pairs.setter
+    def jwks_pairs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]]]):
+        pulumi.set(self, "jwks_pairs", value)
+
+    @_builtins.property
     @pulumi.getter(name="jwksUrl")
-    def jwks_url(self) -> Optional[pulumi.Input[builtins.str]]:
+    def jwks_url(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
         """
         return pulumi.get(self, "jwks_url")
 
     @jwks_url.setter
-    def jwks_url(self, value: Optional[pulumi.Input[builtins.str]]):
+    def jwks_url(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "jwks_url", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="jwtSupportedAlgs")
-    def jwt_supported_algs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
+    def jwt_supported_algs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
         """
         return pulumi.get(self, "jwt_supported_algs")
 
     @jwt_supported_algs.setter
-    def jwt_supported_algs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
+    def jwt_supported_algs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "jwt_supported_algs", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="jwtValidationPubkeys")
-    def jwt_validation_pubkeys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
+    def jwt_validation_pubkeys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
         """
         return pulumi.get(self, "jwt_validation_pubkeys")
 
     @jwt_validation_pubkeys.setter
-    def jwt_validation_pubkeys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
+    def jwt_validation_pubkeys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "jwt_validation_pubkeys", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def local(self) -> Optional[pulumi.Input[builtins.bool]]:
+    def local(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Specifies if the auth method is local only.
         """
         return pulumi.get(self, "local")
 
     @local.setter
-    def local(self, value: Optional[pulumi.Input[builtins.bool]]):
+    def local(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "local", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
+    def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -238,12 +253,12 @@ class AuthBackendArgs:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
+    def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "namespace", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="namespaceInState")
-    def namespace_in_state(self) -> Optional[pulumi.Input[builtins.bool]]:
+    def namespace_in_state(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
 
@@ -254,106 +269,106 @@ class AuthBackendArgs:
         return pulumi.get(self, "namespace_in_state")
 
     @namespace_in_state.setter
-    def namespace_in_state(self, value: Optional[pulumi.Input[builtins.bool]]):
+    def namespace_in_state(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "namespace_in_state", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcClientId")
-    def oidc_client_id(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_client_id(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Client ID used for OIDC backends
         """
         return pulumi.get(self, "oidc_client_id")
 
     @oidc_client_id.setter
-    def oidc_client_id(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_client_id(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_client_id", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcClientSecret")
-    def oidc_client_secret(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_client_secret(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Client Secret used for OIDC backends
         """
         return pulumi.get(self, "oidc_client_secret")
 
     @oidc_client_secret.setter
-    def oidc_client_secret(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_client_secret(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_client_secret", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcDiscoveryCaPem")
-    def oidc_discovery_ca_pem(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_discovery_ca_pem(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
         """
         return pulumi.get(self, "oidc_discovery_ca_pem")
 
     @oidc_discovery_ca_pem.setter
-    def oidc_discovery_ca_pem(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_discovery_ca_pem(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_discovery_ca_pem", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcDiscoveryUrl")
-    def oidc_discovery_url(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_discovery_url(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
         """
         return pulumi.get(self, "oidc_discovery_url")
 
     @oidc_discovery_url.setter
-    def oidc_discovery_url(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_discovery_url(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_discovery_url", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcResponseMode")
-    def oidc_response_mode(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_response_mode(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
         """
         return pulumi.get(self, "oidc_response_mode")
 
     @oidc_response_mode.setter
-    def oidc_response_mode(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_response_mode(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_response_mode", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcResponseTypes")
-    def oidc_response_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
+    def oidc_response_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
         """
         return pulumi.get(self, "oidc_response_types")
 
     @oidc_response_types.setter
-    def oidc_response_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
+    def oidc_response_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "oidc_response_types", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def path(self) -> Optional[pulumi.Input[builtins.str]]:
+    def path(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Path to mount the JWT/OIDC auth backend
         """
         return pulumi.get(self, "path")
 
     @path.setter
-    def path(self, value: Optional[pulumi.Input[builtins.str]]):
+    def path(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "path", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="providerConfig")
-    def provider_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
+    def provider_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
         """
         Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
         """
         return pulumi.get(self, "provider_config")
 
     @provider_config.setter
-    def provider_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]):
+    def provider_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "provider_config", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
     def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
         return pulumi.get(self, "tune")
@@ -362,75 +377,77 @@ class AuthBackendArgs:
     def tune(self, value: Optional[pulumi.Input['AuthBackendTuneArgs']]):
         pulumi.set(self, "tune", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def type(self) -> Optional[pulumi.Input[builtins.str]]:
+    def type(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
         """
         return pulumi.get(self, "type")
 
     @type.setter
-    def type(self, value: Optional[pulumi.Input[builtins.str]]):
+    def type(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "type", value)
 
 
 @pulumi.input_type
 class _AuthBackendState:
     def __init__(__self__, *,
-                 accessor: Optional[pulumi.Input[builtins.str]] = None,
-                 bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
-                 default_role: Optional[pulumi.Input[builtins.str]] = None,
-                 description: Optional[pulumi.Input[builtins.str]] = None,
-                 disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
-                 jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-                 jwks_url: Optional[pulumi.Input[builtins.str]] = None,
-                 jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 local: Optional[pulumi.Input[builtins.bool]] = None,
-                 namespace: Optional[pulumi.Input[builtins.str]] = None,
-                 namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
-                 oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 path: Optional[pulumi.Input[builtins.str]] = None,
-                 provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 accessor: Optional[pulumi.Input[_builtins.str]] = None,
+                 bound_issuer: Optional[pulumi.Input[_builtins.str]] = None,
+                 default_role: Optional[pulumi.Input[_builtins.str]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 disable_remount: Optional[pulumi.Input[_builtins.bool]] = None,
+                 jwks_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+                 jwks_pairs: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]]] = None,
+                 jwks_url: Optional[pulumi.Input[_builtins.str]] = None,
+                 jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 local: Optional[pulumi.Input[_builtins.bool]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace_in_state: Optional[pulumi.Input[_builtins.bool]] = None,
+                 oidc_client_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_client_secret: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_discovery_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_discovery_url: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_response_mode: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 path: Optional[pulumi.Input[_builtins.str]] = None,
+                 provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
                  tune: Optional[pulumi.Input['AuthBackendTuneArgs']] = None,
-                 type: Optional[pulumi.Input[builtins.str]] = None):
+                 type: Optional[pulumi.Input[_builtins.str]] = None):
         """
         Input properties used for looking up and filtering AuthBackend resources.
-        :param pulumi.Input[builtins.str] accessor: The accessor for this auth method
-        :param pulumi.Input[builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
-        :param pulumi.Input[builtins.str] default_role: The default role to use if none is provided during login
-        :param pulumi.Input[builtins.str] description: The description of the auth backend
-        :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
+        :param pulumi.Input[_builtins.str] accessor: The accessor for this auth method
+        :param pulumi.Input[_builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
+        :param pulumi.Input[_builtins.str] default_role: The default role to use if none is provided during login
+        :param pulumi.Input[_builtins.str] description: The description of the auth backend
+        :param pulumi.Input[_builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
-        :param pulumi.Input[builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
-        :param pulumi.Input[builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
-        :param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
-        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[_builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
+        :param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]] jwks_pairs: List of JWKS URL and optional CA certificate pairs. Cannot be used with `jwks_url` or `jwks_ca_pem`. Requires Vault 1.16+.
+        :param pulumi.Input[_builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
+        :param pulumi.Input[_builtins.bool] local: Specifies if the auth method is local only.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
+        :param pulumi.Input[_builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
                
                * tune - (Optional) Extra configuration block. Structure is documented below.
                
                The `tune` block is used to tune the auth backend:
-        :param pulumi.Input[builtins.str] oidc_client_id: Client ID used for OIDC backends
-        :param pulumi.Input[builtins.str] oidc_client_secret: Client Secret used for OIDC backends
-        :param pulumi.Input[builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
-        :param pulumi.Input[builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
-        :param pulumi.Input[builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
-        :param pulumi.Input[builtins.str] path: Path to mount the JWT/OIDC auth backend
-        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
-        :param pulumi.Input[builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
+        :param pulumi.Input[_builtins.str] oidc_client_id: Client ID used for OIDC backends
+        :param pulumi.Input[_builtins.str] oidc_client_secret: Client Secret used for OIDC backends
+        :param pulumi.Input[_builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
+        :param pulumi.Input[_builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
+        :param pulumi.Input[_builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
+        :param pulumi.Input[_builtins.str] path: Path to mount the JWT/OIDC auth backend
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
+        :param pulumi.Input[_builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
         """
         if accessor is not None:
             pulumi.set(__self__, "accessor", accessor)
@@ -444,6 +461,8 @@ class _AuthBackendState:
             pulumi.set(__self__, "disable_remount", disable_remount)
         if jwks_ca_pem is not None:
             pulumi.set(__self__, "jwks_ca_pem", jwks_ca_pem)
+        if jwks_pairs is not None:
+            pulumi.set(__self__, "jwks_pairs", jwks_pairs)
         if jwks_url is not None:
             pulumi.set(__self__, "jwks_url", jwks_url)
         if jwt_supported_algs is not None:
@@ -477,57 +496,57 @@ class _AuthBackendState:
         if type is not None:
             pulumi.set(__self__, "type", type)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def accessor(self) -> Optional[pulumi.Input[builtins.str]]:
+    def accessor(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The accessor for this auth method
         """
         return pulumi.get(self, "accessor")
 
     @accessor.setter
-    def accessor(self, value: Optional[pulumi.Input[builtins.str]]):
+    def accessor(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "accessor", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="boundIssuer")
-    def bound_issuer(self) -> Optional[pulumi.Input[builtins.str]]:
+    def bound_issuer(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The value against which to match the iss claim in a JWT
         """
         return pulumi.get(self, "bound_issuer")
 
     @bound_issuer.setter
-    def bound_issuer(self, value: Optional[pulumi.Input[builtins.str]]):
+    def bound_issuer(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "bound_issuer", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="defaultRole")
-    def default_role(self) -> Optional[pulumi.Input[builtins.str]]:
+    def default_role(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The default role to use if none is provided during login
         """
         return pulumi.get(self, "default_role")
 
     @default_role.setter
-    def default_role(self, value: Optional[pulumi.Input[builtins.str]]):
+    def default_role(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "default_role", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def description(self) -> Optional[pulumi.Input[builtins.str]]:
+    def description(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The description of the auth backend
         """
         return pulumi.get(self, "description")
 
     @description.setter
-    def description(self, value: Optional[pulumi.Input[builtins.str]]):
+    def description(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "description", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="disableRemount")
-    def disable_remount(self) -> Optional[pulumi.Input[builtins.bool]]:
+    def disable_remount(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         If set, opts out of mount migration on path updates.
         See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
@@ -535,72 +554,84 @@ class _AuthBackendState:
         return pulumi.get(self, "disable_remount")
 
     @disable_remount.setter
-    def disable_remount(self, value: Optional[pulumi.Input[builtins.bool]]):
+    def disable_remount(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "disable_remount", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="jwksCaPem")
-    def jwks_ca_pem(self) -> Optional[pulumi.Input[builtins.str]]:
+    def jwks_ca_pem(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
         """
         return pulumi.get(self, "jwks_ca_pem")
 
     @jwks_ca_pem.setter
-    def jwks_ca_pem(self, value: Optional[pulumi.Input[builtins.str]]):
+    def jwks_ca_pem(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "jwks_ca_pem", value)
 
-    @property
+    @_builtins.property
+    @pulumi.getter(name="jwksPairs")
+    def jwks_pairs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]]]:
+        """
+        List of JWKS URL and optional CA certificate pairs. Cannot be used with `jwks_url` or `jwks_ca_pem`. Requires Vault 1.16+.
+        """
+        return pulumi.get(self, "jwks_pairs")
+
+    @jwks_pairs.setter
+    def jwks_pairs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]]]):
+        pulumi.set(self, "jwks_pairs", value)
+
+    @_builtins.property
     @pulumi.getter(name="jwksUrl")
-    def jwks_url(self) -> Optional[pulumi.Input[builtins.str]]:
+    def jwks_url(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
         """
         return pulumi.get(self, "jwks_url")
 
     @jwks_url.setter
-    def jwks_url(self, value: Optional[pulumi.Input[builtins.str]]):
+    def jwks_url(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "jwks_url", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="jwtSupportedAlgs")
-    def jwt_supported_algs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
+    def jwt_supported_algs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
         """
         return pulumi.get(self, "jwt_supported_algs")
 
     @jwt_supported_algs.setter
-    def jwt_supported_algs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
+    def jwt_supported_algs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "jwt_supported_algs", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="jwtValidationPubkeys")
-    def jwt_validation_pubkeys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
+    def jwt_validation_pubkeys(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
         """
         return pulumi.get(self, "jwt_validation_pubkeys")
 
     @jwt_validation_pubkeys.setter
-    def jwt_validation_pubkeys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
+    def jwt_validation_pubkeys(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "jwt_validation_pubkeys", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def local(self) -> Optional[pulumi.Input[builtins.bool]]:
+    def local(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Specifies if the auth method is local only.
         """
         return pulumi.get(self, "local")
 
     @local.setter
-    def local(self, value: Optional[pulumi.Input[builtins.bool]]):
+    def local(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "local", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def namespace(self) -> Optional[pulumi.Input[builtins.str]]:
+    def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -610,12 +641,12 @@ class _AuthBackendState:
         return pulumi.get(self, "namespace")
 
     @namespace.setter
-    def namespace(self, value: Optional[pulumi.Input[builtins.str]]):
+    def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "namespace", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="namespaceInState")
-    def namespace_in_state(self) -> Optional[pulumi.Input[builtins.bool]]:
+    def namespace_in_state(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
 
@@ -626,106 +657,106 @@ class _AuthBackendState:
         return pulumi.get(self, "namespace_in_state")
 
     @namespace_in_state.setter
-    def namespace_in_state(self, value: Optional[pulumi.Input[builtins.bool]]):
+    def namespace_in_state(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "namespace_in_state", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcClientId")
-    def oidc_client_id(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_client_id(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Client ID used for OIDC backends
         """
         return pulumi.get(self, "oidc_client_id")
 
     @oidc_client_id.setter
-    def oidc_client_id(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_client_id(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_client_id", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcClientSecret")
-    def oidc_client_secret(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_client_secret(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Client Secret used for OIDC backends
         """
         return pulumi.get(self, "oidc_client_secret")
 
     @oidc_client_secret.setter
-    def oidc_client_secret(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_client_secret(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_client_secret", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcDiscoveryCaPem")
-    def oidc_discovery_ca_pem(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_discovery_ca_pem(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
         """
         return pulumi.get(self, "oidc_discovery_ca_pem")
 
     @oidc_discovery_ca_pem.setter
-    def oidc_discovery_ca_pem(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_discovery_ca_pem(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_discovery_ca_pem", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcDiscoveryUrl")
-    def oidc_discovery_url(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_discovery_url(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
         """
         return pulumi.get(self, "oidc_discovery_url")
 
     @oidc_discovery_url.setter
-    def oidc_discovery_url(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_discovery_url(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_discovery_url", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcResponseMode")
-    def oidc_response_mode(self) -> Optional[pulumi.Input[builtins.str]]:
+    def oidc_response_mode(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
         """
         return pulumi.get(self, "oidc_response_mode")
 
     @oidc_response_mode.setter
-    def oidc_response_mode(self, value: Optional[pulumi.Input[builtins.str]]):
+    def oidc_response_mode(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "oidc_response_mode", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcResponseTypes")
-    def oidc_response_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
+    def oidc_response_types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
         """
         return pulumi.get(self, "oidc_response_types")
 
     @oidc_response_types.setter
-    def oidc_response_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
+    def oidc_response_types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "oidc_response_types", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def path(self) -> Optional[pulumi.Input[builtins.str]]:
+    def path(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Path to mount the JWT/OIDC auth backend
         """
         return pulumi.get(self, "path")
 
     @path.setter
-    def path(self, value: Optional[pulumi.Input[builtins.str]]):
+    def path(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "path", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="providerConfig")
-    def provider_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
+    def provider_config(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
         """
         Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
         """
         return pulumi.get(self, "provider_config")
 
     @provider_config.setter
-    def provider_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]):
+    def provider_config(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "provider_config", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
     def tune(self) -> Optional[pulumi.Input['AuthBackendTuneArgs']]:
         return pulumi.get(self, "tune")
@@ -734,16 +765,16 @@ class _AuthBackendState:
     def tune(self, value: Optional[pulumi.Input['AuthBackendTuneArgs']]):
         pulumi.set(self, "tune", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def type(self) -> Optional[pulumi.Input[builtins.str]]:
+    def type(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
         """
         return pulumi.get(self, "type")
 
     @type.setter
-    def type(self, value: Optional[pulumi.Input[builtins.str]]):
+    def type(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "type", value)
 
 
@@ -753,27 +784,28 @@ class AuthBackend(pulumi.CustomResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
-                 default_role: Optional[pulumi.Input[builtins.str]] = None,
-                 description: Optional[pulumi.Input[builtins.str]] = None,
-                 disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
-                 jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-                 jwks_url: Optional[pulumi.Input[builtins.str]] = None,
-                 jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 local: Optional[pulumi.Input[builtins.bool]] = None,
-                 namespace: Optional[pulumi.Input[builtins.str]] = None,
-                 namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
-                 oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 path: Optional[pulumi.Input[builtins.str]] = None,
-                 provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 bound_issuer: Optional[pulumi.Input[_builtins.str]] = None,
+                 default_role: Optional[pulumi.Input[_builtins.str]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 disable_remount: Optional[pulumi.Input[_builtins.bool]] = None,
+                 jwks_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+                 jwks_pairs: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]]] = None,
+                 jwks_url: Optional[pulumi.Input[_builtins.str]] = None,
+                 jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 local: Optional[pulumi.Input[_builtins.bool]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace_in_state: Optional[pulumi.Input[_builtins.bool]] = None,
+                 oidc_client_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_client_secret: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_discovery_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_discovery_url: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_response_mode: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 path: Optional[pulumi.Input[_builtins.str]] = None,
+                 provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
                  tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
-                 type: Optional[pulumi.Input[builtins.str]] = None,
+                 type: Optional[pulumi.Input[_builtins.str]] = None,
                  __props__=None):
         """
         Provides a resource for managing an
@@ -847,34 +879,35 @@ class AuthBackend(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
-        :param pulumi.Input[builtins.str] default_role: The default role to use if none is provided during login
-        :param pulumi.Input[builtins.str] description: The description of the auth backend
-        :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
+        :param pulumi.Input[_builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
+        :param pulumi.Input[_builtins.str] default_role: The default role to use if none is provided during login
+        :param pulumi.Input[_builtins.str] description: The description of the auth backend
+        :param pulumi.Input[_builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
-        :param pulumi.Input[builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
-        :param pulumi.Input[builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
-        :param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
-        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[_builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
+        :param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]] jwks_pairs: List of JWKS URL and optional CA certificate pairs. Cannot be used with `jwks_url` or `jwks_ca_pem`. Requires Vault 1.16+.
+        :param pulumi.Input[_builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
+        :param pulumi.Input[_builtins.bool] local: Specifies if the auth method is local only.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
+        :param pulumi.Input[_builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
                
                * tune - (Optional) Extra configuration block. Structure is documented below.
                
                The `tune` block is used to tune the auth backend:
-        :param pulumi.Input[builtins.str] oidc_client_id: Client ID used for OIDC backends
-        :param pulumi.Input[builtins.str] oidc_client_secret: Client Secret used for OIDC backends
-        :param pulumi.Input[builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
-        :param pulumi.Input[builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
-        :param pulumi.Input[builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
-        :param pulumi.Input[builtins.str] path: Path to mount the JWT/OIDC auth backend
-        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
-        :param pulumi.Input[builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
+        :param pulumi.Input[_builtins.str] oidc_client_id: Client ID used for OIDC backends
+        :param pulumi.Input[_builtins.str] oidc_client_secret: Client Secret used for OIDC backends
+        :param pulumi.Input[_builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
+        :param pulumi.Input[_builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
+        :param pulumi.Input[_builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
+        :param pulumi.Input[_builtins.str] path: Path to mount the JWT/OIDC auth backend
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
+        :param pulumi.Input[_builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
         """
         ...
     @overload
@@ -967,27 +1000,28 @@ class AuthBackend(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
-                 default_role: Optional[pulumi.Input[builtins.str]] = None,
-                 description: Optional[pulumi.Input[builtins.str]] = None,
-                 disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
-                 jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-                 jwks_url: Optional[pulumi.Input[builtins.str]] = None,
-                 jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 local: Optional[pulumi.Input[builtins.bool]] = None,
-                 namespace: Optional[pulumi.Input[builtins.str]] = None,
-                 namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
-                 oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
-                 oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-                 path: Optional[pulumi.Input[builtins.str]] = None,
-                 provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 bound_issuer: Optional[pulumi.Input[_builtins.str]] = None,
+                 default_role: Optional[pulumi.Input[_builtins.str]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 disable_remount: Optional[pulumi.Input[_builtins.bool]] = None,
+                 jwks_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+                 jwks_pairs: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]]] = None,
+                 jwks_url: Optional[pulumi.Input[_builtins.str]] = None,
+                 jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 local: Optional[pulumi.Input[_builtins.bool]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace_in_state: Optional[pulumi.Input[_builtins.bool]] = None,
+                 oidc_client_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_client_secret: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_discovery_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_discovery_url: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_response_mode: Optional[pulumi.Input[_builtins.str]] = None,
+                 oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 path: Optional[pulumi.Input[_builtins.str]] = None,
+                 provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
                  tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
-                 type: Optional[pulumi.Input[builtins.str]] = None,
+                 type: Optional[pulumi.Input[_builtins.str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -1002,6 +1036,7 @@ class AuthBackend(pulumi.CustomResource):
             __props__.__dict__["description"] = description
             __props__.__dict__["disable_remount"] = disable_remount
             __props__.__dict__["jwks_ca_pem"] = jwks_ca_pem
+            __props__.__dict__["jwks_pairs"] = jwks_pairs
             __props__.__dict__["jwks_url"] = jwks_url
             __props__.__dict__["jwt_supported_algs"] = jwt_supported_algs
             __props__.__dict__["jwt_validation_pubkeys"] = jwt_validation_pubkeys
@@ -1031,28 +1066,29 @@ class AuthBackend(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
-            accessor: Optional[pulumi.Input[builtins.str]] = None,
-            bound_issuer: Optional[pulumi.Input[builtins.str]] = None,
-            default_role: Optional[pulumi.Input[builtins.str]] = None,
-            description: Optional[pulumi.Input[builtins.str]] = None,
-            disable_remount: Optional[pulumi.Input[builtins.bool]] = None,
-            jwks_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-            jwks_url: Optional[pulumi.Input[builtins.str]] = None,
-            jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-            jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-            local: Optional[pulumi.Input[builtins.bool]] = None,
-            namespace: Optional[pulumi.Input[builtins.str]] = None,
-            namespace_in_state: Optional[pulumi.Input[builtins.bool]] = None,
-            oidc_client_id: Optional[pulumi.Input[builtins.str]] = None,
-            oidc_client_secret: Optional[pulumi.Input[builtins.str]] = None,
-            oidc_discovery_ca_pem: Optional[pulumi.Input[builtins.str]] = None,
-            oidc_discovery_url: Optional[pulumi.Input[builtins.str]] = None,
-            oidc_response_mode: Optional[pulumi.Input[builtins.str]] = None,
-            oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
-            path: Optional[pulumi.Input[builtins.str]] = None,
-            provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+            accessor: Optional[pulumi.Input[_builtins.str]] = None,
+            bound_issuer: Optional[pulumi.Input[_builtins.str]] = None,
+            default_role: Optional[pulumi.Input[_builtins.str]] = None,
+            description: Optional[pulumi.Input[_builtins.str]] = None,
+            disable_remount: Optional[pulumi.Input[_builtins.bool]] = None,
+            jwks_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+            jwks_pairs: Optional[pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]]] = None,
+            jwks_url: Optional[pulumi.Input[_builtins.str]] = None,
+            jwt_supported_algs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            jwt_validation_pubkeys: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            local: Optional[pulumi.Input[_builtins.bool]] = None,
+            namespace: Optional[pulumi.Input[_builtins.str]] = None,
+            namespace_in_state: Optional[pulumi.Input[_builtins.bool]] = None,
+            oidc_client_id: Optional[pulumi.Input[_builtins.str]] = None,
+            oidc_client_secret: Optional[pulumi.Input[_builtins.str]] = None,
+            oidc_discovery_ca_pem: Optional[pulumi.Input[_builtins.str]] = None,
+            oidc_discovery_url: Optional[pulumi.Input[_builtins.str]] = None,
+            oidc_response_mode: Optional[pulumi.Input[_builtins.str]] = None,
+            oidc_response_types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            path: Optional[pulumi.Input[_builtins.str]] = None,
+            provider_config: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
             tune: Optional[pulumi.Input[Union['AuthBackendTuneArgs', 'AuthBackendTuneArgsDict']]] = None,
-            type: Optional[pulumi.Input[builtins.str]] = None) -> 'AuthBackend':
+            type: Optional[pulumi.Input[_builtins.str]] = None) -> 'AuthBackend':
         """
         Get an existing AuthBackend resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -1060,35 +1096,36 @@ class AuthBackend(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[builtins.str] accessor: The accessor for this auth method
-        :param pulumi.Input[builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
-        :param pulumi.Input[builtins.str] default_role: The default role to use if none is provided during login
-        :param pulumi.Input[builtins.str] description: The description of the auth backend
-        :param pulumi.Input[builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
+        :param pulumi.Input[_builtins.str] accessor: The accessor for this auth method
+        :param pulumi.Input[_builtins.str] bound_issuer: The value against which to match the iss claim in a JWT
+        :param pulumi.Input[_builtins.str] default_role: The default role to use if none is provided during login
+        :param pulumi.Input[_builtins.str] description: The description of the auth backend
+        :param pulumi.Input[_builtins.bool] disable_remount: If set, opts out of mount migration on path updates.
                See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
-        :param pulumi.Input[builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
-        :param pulumi.Input[builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
-        :param pulumi.Input[builtins.bool] local: Specifies if the auth method is local only.
-        :param pulumi.Input[builtins.str] namespace: The namespace to provision the resource in.
+        :param pulumi.Input[_builtins.str] jwks_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
+        :param pulumi.Input[Sequence[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]] jwks_pairs: List of JWKS URL and optional CA certificate pairs. Cannot be used with `jwks_url` or `jwks_ca_pem`. Requires Vault 1.16+.
+        :param pulumi.Input[_builtins.str] jwks_url: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] jwt_supported_algs: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] jwt_validation_pubkeys: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
+        :param pulumi.Input[_builtins.bool] local: Specifies if the auth method is local only.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
                The value should not contain leading or trailing forward slashes.
                The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
                *Available only for Vault Enterprise*.
-        :param pulumi.Input[builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
+        :param pulumi.Input[_builtins.bool] namespace_in_state: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
                
                * tune - (Optional) Extra configuration block. Structure is documented below.
                
                The `tune` block is used to tune the auth backend:
-        :param pulumi.Input[builtins.str] oidc_client_id: Client ID used for OIDC backends
-        :param pulumi.Input[builtins.str] oidc_client_secret: Client Secret used for OIDC backends
-        :param pulumi.Input[builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
-        :param pulumi.Input[builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
-        :param pulumi.Input[builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
-        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
-        :param pulumi.Input[builtins.str] path: Path to mount the JWT/OIDC auth backend
-        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
-        :param pulumi.Input[builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
+        :param pulumi.Input[_builtins.str] oidc_client_id: Client ID used for OIDC backends
+        :param pulumi.Input[_builtins.str] oidc_client_secret: Client Secret used for OIDC backends
+        :param pulumi.Input[_builtins.str] oidc_discovery_ca_pem: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
+        :param pulumi.Input[_builtins.str] oidc_discovery_url: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
+        :param pulumi.Input[_builtins.str] oidc_response_mode: The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] oidc_response_types: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
+        :param pulumi.Input[_builtins.str] path: Path to mount the JWT/OIDC auth backend
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] provider_config: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
+        :param pulumi.Input[_builtins.str] type: Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -1100,6 +1137,7 @@ class AuthBackend(pulumi.CustomResource):
         __props__.__dict__["description"] = description
         __props__.__dict__["disable_remount"] = disable_remount
         __props__.__dict__["jwks_ca_pem"] = jwks_ca_pem
+        __props__.__dict__["jwks_pairs"] = jwks_pairs
         __props__.__dict__["jwks_url"] = jwks_url
         __props__.__dict__["jwt_supported_algs"] = jwt_supported_algs
         __props__.__dict__["jwt_validation_pubkeys"] = jwt_validation_pubkeys
@@ -1118,90 +1156,98 @@ class AuthBackend(pulumi.CustomResource):
         __props__.__dict__["type"] = type
         return AuthBackend(resource_name, opts=opts, __props__=__props__)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def accessor(self) -> pulumi.Output[builtins.str]:
+    def accessor(self) -> pulumi.Output[_builtins.str]:
         """
         The accessor for this auth method
         """
         return pulumi.get(self, "accessor")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="boundIssuer")
-    def bound_issuer(self) -> pulumi.Output[Optional[builtins.str]]:
+    def bound_issuer(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The value against which to match the iss claim in a JWT
         """
         return pulumi.get(self, "bound_issuer")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="defaultRole")
-    def default_role(self) -> pulumi.Output[Optional[builtins.str]]:
+    def default_role(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The default role to use if none is provided during login
         """
         return pulumi.get(self, "default_role")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def description(self) -> pulumi.Output[Optional[builtins.str]]:
+    def description(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The description of the auth backend
         """
         return pulumi.get(self, "description")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="disableRemount")
-    def disable_remount(self) -> pulumi.Output[Optional[builtins.bool]]:
+    def disable_remount(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
         If set, opts out of mount migration on path updates.
         See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
         """
         return pulumi.get(self, "disable_remount")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="jwksCaPem")
-    def jwks_ca_pem(self) -> pulumi.Output[Optional[builtins.str]]:
+    def jwks_ca_pem(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
         """
         return pulumi.get(self, "jwks_ca_pem")
 
-    @property
+    @_builtins.property
+    @pulumi.getter(name="jwksPairs")
+    def jwks_pairs(self) -> pulumi.Output[Optional[Sequence[Mapping[str, _builtins.str]]]]:
+        """
+        List of JWKS URL and optional CA certificate pairs. Cannot be used with `jwks_url` or `jwks_ca_pem`. Requires Vault 1.16+.
+        """
+        return pulumi.get(self, "jwks_pairs")
+
+    @_builtins.property
     @pulumi.getter(name="jwksUrl")
-    def jwks_url(self) -> pulumi.Output[Optional[builtins.str]]:
+    def jwks_url(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
         """
         return pulumi.get(self, "jwks_url")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="jwtSupportedAlgs")
-    def jwt_supported_algs(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
+    def jwt_supported_algs(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
         """
         A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
         """
         return pulumi.get(self, "jwt_supported_algs")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="jwtValidationPubkeys")
-    def jwt_validation_pubkeys(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
+    def jwt_validation_pubkeys(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
         """
         A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
         """
         return pulumi.get(self, "jwt_validation_pubkeys")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def local(self) -> pulumi.Output[Optional[builtins.bool]]:
+    def local(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
         Specifies if the auth method is local only.
         """
         return pulumi.get(self, "local")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def namespace(self) -> pulumi.Output[Optional[builtins.str]]:
+    def namespace(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The namespace to provision the resource in.
         The value should not contain leading or trailing forward slashes.
@@ -1210,9 +1256,9 @@ class AuthBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "namespace")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="namespaceInState")
-    def namespace_in_state(self) -> pulumi.Output[Optional[builtins.bool]]:
+    def namespace_in_state(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
         Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
 
@@ -1222,78 +1268,78 @@ class AuthBackend(pulumi.CustomResource):
         """
         return pulumi.get(self, "namespace_in_state")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcClientId")
-    def oidc_client_id(self) -> pulumi.Output[Optional[builtins.str]]:
+    def oidc_client_id(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         Client ID used for OIDC backends
         """
         return pulumi.get(self, "oidc_client_id")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcClientSecret")
-    def oidc_client_secret(self) -> pulumi.Output[Optional[builtins.str]]:
+    def oidc_client_secret(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         Client Secret used for OIDC backends
         """
         return pulumi.get(self, "oidc_client_secret")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcDiscoveryCaPem")
-    def oidc_discovery_ca_pem(self) -> pulumi.Output[Optional[builtins.str]]:
+    def oidc_discovery_ca_pem(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
         """
         return pulumi.get(self, "oidc_discovery_ca_pem")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcDiscoveryUrl")
-    def oidc_discovery_url(self) -> pulumi.Output[Optional[builtins.str]]:
+    def oidc_discovery_url(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with `jwt_validation_pubkeys`
         """
         return pulumi.get(self, "oidc_discovery_url")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcResponseMode")
-    def oidc_response_mode(self) -> pulumi.Output[Optional[builtins.str]]:
+    def oidc_response_mode(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
         """
         return pulumi.get(self, "oidc_response_mode")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="oidcResponseTypes")
-    def oidc_response_types(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
+    def oidc_response_types(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
         """
         List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
         """
         return pulumi.get(self, "oidc_response_types")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def path(self) -> pulumi.Output[Optional[builtins.str]]:
+    def path(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         Path to mount the JWT/OIDC auth backend
         """
         return pulumi.get(self, "path")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="providerConfig")
-    def provider_config(self) -> pulumi.Output[Optional[Mapping[str, builtins.str]]]:
+    def provider_config(self) -> pulumi.Output[Optional[Mapping[str, _builtins.str]]]:
         """
         Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
         """
         return pulumi.get(self, "provider_config")
 
-    @property
+    @_builtins.property
     @pulumi.getter
     def tune(self) -> pulumi.Output['outputs.AuthBackendTune']:
         return pulumi.get(self, "tune")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def type(self) -> pulumi.Output[Optional[builtins.str]]:
+    def type(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
         """