pulumi-vault 7.2.0a1753339763__py3-none-any.whl → 7.2.0a1753398491__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- pulumi_vault/__init__.py +1 -1
- pulumi_vault/_inputs.py +672 -673
- pulumi_vault/ad/__init__.py +1 -1
- pulumi_vault/ad/get_access_credentials.py +27 -28
- pulumi_vault/ad/secret_backend.py +579 -580
- pulumi_vault/ad/secret_library.py +120 -121
- pulumi_vault/ad/secret_role.py +104 -105
- pulumi_vault/alicloud/__init__.py +1 -1
- pulumi_vault/alicloud/auth_backend_role.py +222 -223
- pulumi_vault/approle/__init__.py +1 -1
- pulumi_vault/approle/auth_backend_login.py +138 -139
- pulumi_vault/approle/auth_backend_role.py +292 -293
- pulumi_vault/approle/auth_backend_role_secret_id.py +202 -203
- pulumi_vault/approle/get_auth_backend_role_id.py +23 -24
- pulumi_vault/audit.py +103 -104
- pulumi_vault/audit_request_header.py +52 -53
- pulumi_vault/auth_backend.py +132 -133
- pulumi_vault/aws/__init__.py +1 -1
- pulumi_vault/aws/auth_backend_cert.py +86 -87
- pulumi_vault/aws/auth_backend_client.py +307 -308
- pulumi_vault/aws/auth_backend_config_identity.py +103 -104
- pulumi_vault/aws/auth_backend_identity_whitelist.py +69 -70
- pulumi_vault/aws/auth_backend_login.py +258 -259
- pulumi_vault/aws/auth_backend_role.py +486 -487
- pulumi_vault/aws/auth_backend_role_tag.py +155 -156
- pulumi_vault/aws/auth_backend_roletag_blacklist.py +69 -70
- pulumi_vault/aws/auth_backend_sts_role.py +86 -87
- pulumi_vault/aws/get_access_credentials.py +59 -60
- pulumi_vault/aws/get_static_access_credentials.py +19 -20
- pulumi_vault/aws/secret_backend.py +409 -410
- pulumi_vault/aws/secret_backend_role.py +256 -257
- pulumi_vault/aws/secret_backend_static_role.py +137 -138
- pulumi_vault/azure/__init__.py +1 -1
- pulumi_vault/azure/_inputs.py +26 -27
- pulumi_vault/azure/auth_backend_config.py +222 -223
- pulumi_vault/azure/auth_backend_role.py +307 -308
- pulumi_vault/azure/backend.py +273 -274
- pulumi_vault/azure/backend_role.py +194 -195
- pulumi_vault/azure/get_access_credentials.py +75 -76
- pulumi_vault/azure/outputs.py +16 -17
- pulumi_vault/cert_auth_backend_role.py +443 -444
- pulumi_vault/config/__init__.py +1 -1
- pulumi_vault/config/__init__.pyi +1 -2
- pulumi_vault/config/_inputs.py +13 -14
- pulumi_vault/config/outputs.py +380 -381
- pulumi_vault/config/ui_custom_message.py +140 -141
- pulumi_vault/config/vars.py +31 -32
- pulumi_vault/consul/__init__.py +1 -1
- pulumi_vault/consul/secret_backend.py +239 -240
- pulumi_vault/consul/secret_backend_role.py +222 -223
- pulumi_vault/database/__init__.py +1 -1
- pulumi_vault/database/_inputs.py +3167 -3168
- pulumi_vault/database/outputs.py +2123 -2124
- pulumi_vault/database/secret_backend_connection.py +259 -260
- pulumi_vault/database/secret_backend_role.py +205 -206
- pulumi_vault/database/secret_backend_static_role.py +218 -219
- pulumi_vault/database/secrets_mount.py +379 -380
- pulumi_vault/egp_policy.py +86 -87
- pulumi_vault/gcp/__init__.py +1 -1
- pulumi_vault/gcp/_inputs.py +98 -99
- pulumi_vault/gcp/auth_backend.py +322 -323
- pulumi_vault/gcp/auth_backend_role.py +347 -348
- pulumi_vault/gcp/get_auth_backend_role.py +91 -92
- pulumi_vault/gcp/outputs.py +66 -67
- pulumi_vault/gcp/secret_backend.py +299 -300
- pulumi_vault/gcp/secret_impersonated_account.py +112 -113
- pulumi_vault/gcp/secret_roleset.py +115 -116
- pulumi_vault/gcp/secret_static_account.py +115 -116
- pulumi_vault/generic/__init__.py +1 -1
- pulumi_vault/generic/endpoint.py +138 -139
- pulumi_vault/generic/get_secret.py +39 -40
- pulumi_vault/generic/secret.py +95 -96
- pulumi_vault/get_auth_backend.py +29 -30
- pulumi_vault/get_auth_backends.py +19 -20
- pulumi_vault/get_namespace.py +21 -22
- pulumi_vault/get_namespaces.py +19 -20
- pulumi_vault/get_nomad_access_token.py +25 -26
- pulumi_vault/get_policy_document.py +10 -11
- pulumi_vault/get_raft_autopilot_state.py +31 -32
- pulumi_vault/github/__init__.py +1 -1
- pulumi_vault/github/_inputs.py +50 -51
- pulumi_vault/github/auth_backend.py +285 -286
- pulumi_vault/github/outputs.py +34 -35
- pulumi_vault/github/team.py +69 -70
- pulumi_vault/github/user.py +69 -70
- pulumi_vault/identity/__init__.py +1 -1
- pulumi_vault/identity/entity.py +103 -104
- pulumi_vault/identity/entity_alias.py +86 -87
- pulumi_vault/identity/entity_policies.py +78 -79
- pulumi_vault/identity/get_entity.py +62 -63
- pulumi_vault/identity/get_group.py +75 -76
- pulumi_vault/identity/get_oidc_client_creds.py +19 -20
- pulumi_vault/identity/get_oidc_openid_config.py +39 -40
- pulumi_vault/identity/get_oidc_public_keys.py +17 -18
- pulumi_vault/identity/group.py +171 -172
- pulumi_vault/identity/group_alias.py +69 -70
- pulumi_vault/identity/group_member_entity_ids.py +69 -70
- pulumi_vault/identity/group_member_group_ids.py +69 -70
- pulumi_vault/identity/group_policies.py +78 -79
- pulumi_vault/identity/mfa_duo.py +183 -184
- pulumi_vault/identity/mfa_login_enforcement.py +147 -148
- pulumi_vault/identity/mfa_okta.py +166 -167
- pulumi_vault/identity/mfa_pingid.py +160 -161
- pulumi_vault/identity/mfa_totp.py +217 -218
- pulumi_vault/identity/oidc.py +35 -36
- pulumi_vault/identity/oidc_assignment.py +69 -70
- pulumi_vault/identity/oidc_client.py +155 -156
- pulumi_vault/identity/oidc_key.py +103 -104
- pulumi_vault/identity/oidc_key_allowed_client_id.py +52 -53
- pulumi_vault/identity/oidc_provider.py +112 -113
- pulumi_vault/identity/oidc_role.py +103 -104
- pulumi_vault/identity/oidc_scope.py +69 -70
- pulumi_vault/identity/outputs.py +42 -43
- pulumi_vault/jwt/__init__.py +1 -1
- pulumi_vault/jwt/_inputs.py +50 -51
- pulumi_vault/jwt/auth_backend.py +353 -354
- pulumi_vault/jwt/auth_backend_role.py +494 -495
- pulumi_vault/jwt/outputs.py +34 -35
- pulumi_vault/kmip/__init__.py +1 -1
- pulumi_vault/kmip/secret_backend.py +222 -223
- pulumi_vault/kmip/secret_role.py +358 -359
- pulumi_vault/kmip/secret_scope.py +69 -70
- pulumi_vault/kubernetes/__init__.py +1 -1
- pulumi_vault/kubernetes/auth_backend_config.py +171 -172
- pulumi_vault/kubernetes/auth_backend_role.py +273 -274
- pulumi_vault/kubernetes/get_auth_backend_config.py +57 -58
- pulumi_vault/kubernetes/get_auth_backend_role.py +87 -88
- pulumi_vault/kubernetes/get_service_account_token.py +51 -52
- pulumi_vault/kubernetes/secret_backend.py +384 -385
- pulumi_vault/kubernetes/secret_backend_role.py +239 -240
- pulumi_vault/kv/__init__.py +1 -1
- pulumi_vault/kv/_inputs.py +25 -26
- pulumi_vault/kv/get_secret.py +25 -26
- pulumi_vault/kv/get_secret_subkeys_v2.py +39 -40
- pulumi_vault/kv/get_secret_v2.py +41 -42
- pulumi_vault/kv/get_secrets_list.py +17 -18
- pulumi_vault/kv/get_secrets_list_v2.py +25 -26
- pulumi_vault/kv/outputs.py +17 -18
- pulumi_vault/kv/secret.py +61 -62
- pulumi_vault/kv/secret_backend_v2.py +86 -87
- pulumi_vault/kv/secret_v2.py +184 -185
- pulumi_vault/ldap/__init__.py +1 -1
- pulumi_vault/ldap/auth_backend.py +716 -717
- pulumi_vault/ldap/auth_backend_group.py +69 -70
- pulumi_vault/ldap/auth_backend_user.py +86 -87
- pulumi_vault/ldap/get_dynamic_credentials.py +27 -28
- pulumi_vault/ldap/get_static_credentials.py +29 -30
- pulumi_vault/ldap/secret_backend.py +673 -674
- pulumi_vault/ldap/secret_backend_dynamic_role.py +154 -155
- pulumi_vault/ldap/secret_backend_library_set.py +120 -121
- pulumi_vault/ldap/secret_backend_static_role.py +120 -121
- pulumi_vault/managed/__init__.py +1 -1
- pulumi_vault/managed/_inputs.py +274 -275
- pulumi_vault/managed/keys.py +27 -28
- pulumi_vault/managed/outputs.py +184 -185
- pulumi_vault/mfa_duo.py +137 -138
- pulumi_vault/mfa_okta.py +137 -138
- pulumi_vault/mfa_pingid.py +149 -150
- pulumi_vault/mfa_totp.py +154 -155
- pulumi_vault/mongodbatlas/__init__.py +1 -1
- pulumi_vault/mongodbatlas/secret_backend.py +78 -79
- pulumi_vault/mongodbatlas/secret_role.py +188 -189
- pulumi_vault/mount.py +333 -334
- pulumi_vault/namespace.py +78 -79
- pulumi_vault/nomad_secret_backend.py +256 -257
- pulumi_vault/nomad_secret_role.py +103 -104
- pulumi_vault/okta/__init__.py +1 -1
- pulumi_vault/okta/_inputs.py +31 -32
- pulumi_vault/okta/auth_backend.py +305 -306
- pulumi_vault/okta/auth_backend_group.py +69 -70
- pulumi_vault/okta/auth_backend_user.py +86 -87
- pulumi_vault/okta/outputs.py +21 -22
- pulumi_vault/outputs.py +81 -82
- pulumi_vault/pkisecret/__init__.py +1 -1
- pulumi_vault/pkisecret/_inputs.py +55 -56
- pulumi_vault/pkisecret/backend_acme_eab.py +116 -117
- pulumi_vault/pkisecret/backend_config_acme.py +175 -176
- pulumi_vault/pkisecret/backend_config_auto_tidy.py +394 -395
- pulumi_vault/pkisecret/backend_config_cluster.py +71 -72
- pulumi_vault/pkisecret/backend_config_cmpv2.py +132 -133
- pulumi_vault/pkisecret/backend_config_est.py +149 -150
- pulumi_vault/pkisecret/backend_config_scep.py +137 -138
- pulumi_vault/pkisecret/get_backend_cert_metadata.py +37 -38
- pulumi_vault/pkisecret/get_backend_config_cmpv2.py +32 -33
- pulumi_vault/pkisecret/get_backend_config_est.py +30 -31
- pulumi_vault/pkisecret/get_backend_config_scep.py +29 -30
- pulumi_vault/pkisecret/get_backend_issuer.py +63 -64
- pulumi_vault/pkisecret/get_backend_issuers.py +23 -24
- pulumi_vault/pkisecret/get_backend_key.py +29 -30
- pulumi_vault/pkisecret/get_backend_keys.py +23 -24
- pulumi_vault/pkisecret/outputs.py +61 -62
- pulumi_vault/pkisecret/secret_backend_cert.py +415 -416
- pulumi_vault/pkisecret/secret_backend_config_ca.py +54 -55
- pulumi_vault/pkisecret/secret_backend_config_issuers.py +75 -76
- pulumi_vault/pkisecret/secret_backend_config_urls.py +105 -106
- pulumi_vault/pkisecret/secret_backend_crl_config.py +241 -242
- pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +515 -516
- pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +78 -79
- pulumi_vault/pkisecret/secret_backend_issuer.py +286 -287
- pulumi_vault/pkisecret/secret_backend_key.py +146 -147
- pulumi_vault/pkisecret/secret_backend_role.py +873 -874
- pulumi_vault/pkisecret/secret_backend_root_cert.py +677 -678
- pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +660 -661
- pulumi_vault/pkisecret/secret_backend_sign.py +346 -347
- pulumi_vault/plugin.py +154 -155
- pulumi_vault/plugin_pinned_version.py +52 -53
- pulumi_vault/policy.py +52 -53
- pulumi_vault/provider.py +160 -161
- pulumi_vault/pulumi-plugin.json +1 -1
- pulumi_vault/quota_lease_count.py +103 -104
- pulumi_vault/quota_rate_limit.py +171 -172
- pulumi_vault/rabbitmq/__init__.py +1 -1
- pulumi_vault/rabbitmq/_inputs.py +50 -51
- pulumi_vault/rabbitmq/outputs.py +34 -35
- pulumi_vault/rabbitmq/secret_backend.py +207 -208
- pulumi_vault/rabbitmq/secret_backend_role.py +79 -80
- pulumi_vault/raft_autopilot.py +137 -138
- pulumi_vault/raft_snapshot_agent_config.py +477 -478
- pulumi_vault/rgp_policy.py +69 -70
- pulumi_vault/saml/__init__.py +1 -1
- pulumi_vault/saml/auth_backend.py +188 -189
- pulumi_vault/saml/auth_backend_role.py +290 -291
- pulumi_vault/scep_auth_backend_role.py +252 -253
- pulumi_vault/secrets/__init__.py +1 -1
- pulumi_vault/secrets/_inputs.py +19 -20
- pulumi_vault/secrets/outputs.py +13 -14
- pulumi_vault/secrets/sync_association.py +88 -89
- pulumi_vault/secrets/sync_aws_destination.py +180 -181
- pulumi_vault/secrets/sync_azure_destination.py +180 -181
- pulumi_vault/secrets/sync_config.py +52 -53
- pulumi_vault/secrets/sync_gcp_destination.py +129 -130
- pulumi_vault/secrets/sync_gh_destination.py +163 -164
- pulumi_vault/secrets/sync_github_apps.py +78 -79
- pulumi_vault/secrets/sync_vercel_destination.py +146 -147
- pulumi_vault/ssh/__init__.py +1 -1
- pulumi_vault/ssh/_inputs.py +13 -14
- pulumi_vault/ssh/get_secret_backend_sign.py +65 -66
- pulumi_vault/ssh/outputs.py +9 -10
- pulumi_vault/ssh/secret_backend_ca.py +120 -121
- pulumi_vault/ssh/secret_backend_role.py +446 -447
- pulumi_vault/terraformcloud/__init__.py +1 -1
- pulumi_vault/terraformcloud/secret_backend.py +138 -139
- pulumi_vault/terraformcloud/secret_creds.py +93 -94
- pulumi_vault/terraformcloud/secret_role.py +117 -118
- pulumi_vault/token.py +301 -302
- pulumi_vault/tokenauth/__init__.py +1 -1
- pulumi_vault/tokenauth/auth_backend_role.py +324 -325
- pulumi_vault/transform/__init__.py +1 -1
- pulumi_vault/transform/alphabet.py +69 -70
- pulumi_vault/transform/get_decode.py +57 -58
- pulumi_vault/transform/get_encode.py +57 -58
- pulumi_vault/transform/role.py +69 -70
- pulumi_vault/transform/template.py +137 -138
- pulumi_vault/transform/transformation.py +171 -172
- pulumi_vault/transit/__init__.py +1 -1
- pulumi_vault/transit/get_cmac.py +47 -48
- pulumi_vault/transit/get_decrypt.py +25 -26
- pulumi_vault/transit/get_encrypt.py +29 -30
- pulumi_vault/transit/get_sign.py +71 -72
- pulumi_vault/transit/get_verify.py +83 -84
- pulumi_vault/transit/secret_backend_key.py +336 -337
- pulumi_vault/transit/secret_cache_config.py +52 -53
- {pulumi_vault-7.2.0a1753339763.dist-info → pulumi_vault-7.2.0a1753398491.dist-info}/METADATA +1 -1
- pulumi_vault-7.2.0a1753398491.dist-info/RECORD +268 -0
- pulumi_vault-7.2.0a1753339763.dist-info/RECORD +0 -268
- {pulumi_vault-7.2.0a1753339763.dist-info → pulumi_vault-7.2.0a1753398491.dist-info}/WHEEL +0 -0
- {pulumi_vault-7.2.0a1753339763.dist-info → pulumi_vault-7.2.0a1753398491.dist-info}/top_level.txt +0 -0
|
@@ -2,8 +2,7 @@
|
|
|
2
2
|
# *** WARNING: this file was generated by pulumi-language-python. ***
|
|
3
3
|
# *** Do not edit by hand unless you're certain you know what you are doing! ***
|
|
4
4
|
|
|
5
|
-
import builtins
|
|
6
|
-
import copy
|
|
5
|
+
import builtins as _builtins
|
|
7
6
|
import warnings
|
|
8
7
|
import sys
|
|
9
8
|
import pulumi
|
|
@@ -20,94 +19,94 @@ __all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
|
|
|
20
19
|
@pulumi.input_type
|
|
21
20
|
class AuthBackendRoleArgs:
|
|
22
21
|
def __init__(__self__, *,
|
|
23
|
-
role_name: pulumi.Input[
|
|
24
|
-
user_claim: pulumi.Input[
|
|
25
|
-
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
26
|
-
backend: Optional[pulumi.Input[
|
|
27
|
-
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
28
|
-
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
29
|
-
bound_claims_type: Optional[pulumi.Input[
|
|
30
|
-
bound_subject: Optional[pulumi.Input[
|
|
31
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
32
|
-
clock_skew_leeway: Optional[pulumi.Input[
|
|
33
|
-
disable_bound_claims_parsing: Optional[pulumi.Input[
|
|
34
|
-
expiration_leeway: Optional[pulumi.Input[
|
|
35
|
-
groups_claim: Optional[pulumi.Input[
|
|
36
|
-
max_age: Optional[pulumi.Input[
|
|
37
|
-
namespace: Optional[pulumi.Input[
|
|
38
|
-
not_before_leeway: Optional[pulumi.Input[
|
|
39
|
-
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
40
|
-
role_type: Optional[pulumi.Input[
|
|
41
|
-
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
42
|
-
token_explicit_max_ttl: Optional[pulumi.Input[
|
|
43
|
-
token_max_ttl: Optional[pulumi.Input[
|
|
44
|
-
token_no_default_policy: Optional[pulumi.Input[
|
|
45
|
-
token_num_uses: Optional[pulumi.Input[
|
|
46
|
-
token_period: Optional[pulumi.Input[
|
|
47
|
-
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
48
|
-
token_ttl: Optional[pulumi.Input[
|
|
49
|
-
token_type: Optional[pulumi.Input[
|
|
50
|
-
user_claim_json_pointer: Optional[pulumi.Input[
|
|
51
|
-
verbose_oidc_logging: Optional[pulumi.Input[
|
|
22
|
+
role_name: pulumi.Input[_builtins.str],
|
|
23
|
+
user_claim: pulumi.Input[_builtins.str],
|
|
24
|
+
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
25
|
+
backend: Optional[pulumi.Input[_builtins.str]] = None,
|
|
26
|
+
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
27
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
28
|
+
bound_claims_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
29
|
+
bound_subject: Optional[pulumi.Input[_builtins.str]] = None,
|
|
30
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
31
|
+
clock_skew_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
32
|
+
disable_bound_claims_parsing: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
33
|
+
expiration_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
34
|
+
groups_claim: Optional[pulumi.Input[_builtins.str]] = None,
|
|
35
|
+
max_age: Optional[pulumi.Input[_builtins.int]] = None,
|
|
36
|
+
namespace: Optional[pulumi.Input[_builtins.str]] = None,
|
|
37
|
+
not_before_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
38
|
+
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
39
|
+
role_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
40
|
+
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
41
|
+
token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
42
|
+
token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
43
|
+
token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
44
|
+
token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
|
|
45
|
+
token_period: Optional[pulumi.Input[_builtins.int]] = None,
|
|
46
|
+
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
47
|
+
token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
48
|
+
token_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
49
|
+
user_claim_json_pointer: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
50
|
+
verbose_oidc_logging: Optional[pulumi.Input[_builtins.bool]] = None):
|
|
52
51
|
"""
|
|
53
52
|
The set of arguments for constructing a AuthBackendRole resource.
|
|
54
|
-
:param pulumi.Input[
|
|
55
|
-
:param pulumi.Input[
|
|
53
|
+
:param pulumi.Input[_builtins.str] role_name: The name of the role.
|
|
54
|
+
:param pulumi.Input[_builtins.str] user_claim: The claim to use to uniquely identify
|
|
56
55
|
the user; this will be used as the name for the Identity entity alias created
|
|
57
56
|
due to a successful login.
|
|
58
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
57
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] allowed_redirect_uris: The list of allowed values for redirect_uri during OIDC logins.
|
|
59
58
|
Required for OIDC roles
|
|
60
|
-
:param pulumi.Input[
|
|
59
|
+
:param pulumi.Input[_builtins.str] backend: The unique name of the auth backend to configure.
|
|
61
60
|
Defaults to `jwt`.
|
|
62
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
61
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
|
63
62
|
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
|
64
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[
|
|
63
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] bound_claims: If set, a map of claims to values to match against.
|
|
65
64
|
A claim's value must be a string, which may contain one value or multiple
|
|
66
65
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
|
67
|
-
:param pulumi.Input[
|
|
66
|
+
:param pulumi.Input[_builtins.str] bound_claims_type: How to interpret values in the claims/values
|
|
68
67
|
map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
|
|
69
68
|
match). Requires Vault 1.4.0 or above.
|
|
70
|
-
:param pulumi.Input[
|
|
69
|
+
:param pulumi.Input[_builtins.str] bound_subject: If set, requires that the `sub` claim matches
|
|
71
70
|
this value.
|
|
72
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[
|
|
71
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
|
73
72
|
to specified metadata fields (values).
|
|
74
|
-
:param pulumi.Input[
|
|
73
|
+
:param pulumi.Input[_builtins.int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
|
75
74
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
|
76
75
|
Only applicable with "jwt" roles.
|
|
77
|
-
:param pulumi.Input[
|
|
78
|
-
:param pulumi.Input[
|
|
76
|
+
:param pulumi.Input[_builtins.bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
|
77
|
+
:param pulumi.Input[_builtins.int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
|
79
78
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
80
79
|
Only applicable with "jwt" roles.
|
|
81
|
-
:param pulumi.Input[
|
|
80
|
+
:param pulumi.Input[_builtins.str] groups_claim: The claim to use to uniquely identify
|
|
82
81
|
the set of groups to which the user belongs; this will be used as the names
|
|
83
82
|
for the Identity group aliases created due to a successful login. The claim
|
|
84
83
|
value must be a list of strings.
|
|
85
|
-
:param pulumi.Input[
|
|
84
|
+
:param pulumi.Input[_builtins.int] max_age: Specifies the allowable elapsed time in seconds since the last time
|
|
86
85
|
the user was actively authenticated with the OIDC provider.
|
|
87
|
-
:param pulumi.Input[
|
|
86
|
+
:param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
|
|
88
87
|
The value should not contain leading or trailing forward slashes.
|
|
89
88
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
90
89
|
*Available only for Vault Enterprise*.
|
|
91
|
-
:param pulumi.Input[
|
|
90
|
+
:param pulumi.Input[_builtins.int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
|
92
91
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
93
92
|
Only applicable with "jwt" roles.
|
|
94
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
93
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
|
95
94
|
The standard scope "openid" is automatically included and need not be specified.
|
|
96
|
-
:param pulumi.Input[
|
|
97
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
98
|
-
:param pulumi.Input[
|
|
99
|
-
:param pulumi.Input[
|
|
100
|
-
:param pulumi.Input[
|
|
101
|
-
:param pulumi.Input[
|
|
102
|
-
:param pulumi.Input[
|
|
103
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
104
|
-
:param pulumi.Input[
|
|
105
|
-
:param pulumi.Input[
|
|
106
|
-
:param pulumi.Input[
|
|
95
|
+
:param pulumi.Input[_builtins.str] role_type: Type of role, either "oidc" (default) or "jwt".
|
|
96
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
|
97
|
+
:param pulumi.Input[_builtins.int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
|
98
|
+
:param pulumi.Input[_builtins.int] token_max_ttl: The maximum lifetime of the generated token
|
|
99
|
+
:param pulumi.Input[_builtins.bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
|
100
|
+
:param pulumi.Input[_builtins.int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
|
101
|
+
:param pulumi.Input[_builtins.int] token_period: Generated Token's Period
|
|
102
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_policies: Generated Token's Policies
|
|
103
|
+
:param pulumi.Input[_builtins.int] token_ttl: The initial ttl of the token to generate in seconds
|
|
104
|
+
:param pulumi.Input[_builtins.str] token_type: The type of token to generate, service or batch
|
|
105
|
+
:param pulumi.Input[_builtins.bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
|
|
107
106
|
[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
|
|
108
107
|
syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
|
|
109
108
|
Requires Vault 1.11+.
|
|
110
|
-
:param pulumi.Input[
|
|
109
|
+
:param pulumi.Input[_builtins.bool] verbose_oidc_logging: Log received OIDC tokens and claims when debug-level
|
|
111
110
|
logging is active. Not recommended in production since sensitive information may be present
|
|
112
111
|
in OIDC responses.
|
|
113
112
|
"""
|
|
@@ -168,21 +167,21 @@ class AuthBackendRoleArgs:
|
|
|
168
167
|
if verbose_oidc_logging is not None:
|
|
169
168
|
pulumi.set(__self__, "verbose_oidc_logging", verbose_oidc_logging)
|
|
170
169
|
|
|
171
|
-
@property
|
|
170
|
+
@_builtins.property
|
|
172
171
|
@pulumi.getter(name="roleName")
|
|
173
|
-
def role_name(self) -> pulumi.Input[
|
|
172
|
+
def role_name(self) -> pulumi.Input[_builtins.str]:
|
|
174
173
|
"""
|
|
175
174
|
The name of the role.
|
|
176
175
|
"""
|
|
177
176
|
return pulumi.get(self, "role_name")
|
|
178
177
|
|
|
179
178
|
@role_name.setter
|
|
180
|
-
def role_name(self, value: pulumi.Input[
|
|
179
|
+
def role_name(self, value: pulumi.Input[_builtins.str]):
|
|
181
180
|
pulumi.set(self, "role_name", value)
|
|
182
181
|
|
|
183
|
-
@property
|
|
182
|
+
@_builtins.property
|
|
184
183
|
@pulumi.getter(name="userClaim")
|
|
185
|
-
def user_claim(self) -> pulumi.Input[
|
|
184
|
+
def user_claim(self) -> pulumi.Input[_builtins.str]:
|
|
186
185
|
"""
|
|
187
186
|
The claim to use to uniquely identify
|
|
188
187
|
the user; this will be used as the name for the Identity entity alias created
|
|
@@ -191,12 +190,12 @@ class AuthBackendRoleArgs:
|
|
|
191
190
|
return pulumi.get(self, "user_claim")
|
|
192
191
|
|
|
193
192
|
@user_claim.setter
|
|
194
|
-
def user_claim(self, value: pulumi.Input[
|
|
193
|
+
def user_claim(self, value: pulumi.Input[_builtins.str]):
|
|
195
194
|
pulumi.set(self, "user_claim", value)
|
|
196
195
|
|
|
197
|
-
@property
|
|
196
|
+
@_builtins.property
|
|
198
197
|
@pulumi.getter(name="allowedRedirectUris")
|
|
199
|
-
def allowed_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
198
|
+
def allowed_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
200
199
|
"""
|
|
201
200
|
The list of allowed values for redirect_uri during OIDC logins.
|
|
202
201
|
Required for OIDC roles
|
|
@@ -204,12 +203,12 @@ class AuthBackendRoleArgs:
|
|
|
204
203
|
return pulumi.get(self, "allowed_redirect_uris")
|
|
205
204
|
|
|
206
205
|
@allowed_redirect_uris.setter
|
|
207
|
-
def allowed_redirect_uris(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
206
|
+
def allowed_redirect_uris(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
208
207
|
pulumi.set(self, "allowed_redirect_uris", value)
|
|
209
208
|
|
|
210
|
-
@property
|
|
209
|
+
@_builtins.property
|
|
211
210
|
@pulumi.getter
|
|
212
|
-
def backend(self) -> Optional[pulumi.Input[
|
|
211
|
+
def backend(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
213
212
|
"""
|
|
214
213
|
The unique name of the auth backend to configure.
|
|
215
214
|
Defaults to `jwt`.
|
|
@@ -217,12 +216,12 @@ class AuthBackendRoleArgs:
|
|
|
217
216
|
return pulumi.get(self, "backend")
|
|
218
217
|
|
|
219
218
|
@backend.setter
|
|
220
|
-
def backend(self, value: Optional[pulumi.Input[
|
|
219
|
+
def backend(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
221
220
|
pulumi.set(self, "backend", value)
|
|
222
221
|
|
|
223
|
-
@property
|
|
222
|
+
@_builtins.property
|
|
224
223
|
@pulumi.getter(name="boundAudiences")
|
|
225
|
-
def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
224
|
+
def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
226
225
|
"""
|
|
227
226
|
(Required for roles of type `jwt`, optional for roles of
|
|
228
227
|
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
|
@@ -230,12 +229,12 @@ class AuthBackendRoleArgs:
|
|
|
230
229
|
return pulumi.get(self, "bound_audiences")
|
|
231
230
|
|
|
232
231
|
@bound_audiences.setter
|
|
233
|
-
def bound_audiences(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
232
|
+
def bound_audiences(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
234
233
|
pulumi.set(self, "bound_audiences", value)
|
|
235
234
|
|
|
236
|
-
@property
|
|
235
|
+
@_builtins.property
|
|
237
236
|
@pulumi.getter(name="boundClaims")
|
|
238
|
-
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
237
|
+
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
|
|
239
238
|
"""
|
|
240
239
|
If set, a map of claims to values to match against.
|
|
241
240
|
A claim's value must be a string, which may contain one value or multiple
|
|
@@ -244,12 +243,12 @@ class AuthBackendRoleArgs:
|
|
|
244
243
|
return pulumi.get(self, "bound_claims")
|
|
245
244
|
|
|
246
245
|
@bound_claims.setter
|
|
247
|
-
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
246
|
+
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
|
|
248
247
|
pulumi.set(self, "bound_claims", value)
|
|
249
248
|
|
|
250
|
-
@property
|
|
249
|
+
@_builtins.property
|
|
251
250
|
@pulumi.getter(name="boundClaimsType")
|
|
252
|
-
def bound_claims_type(self) -> Optional[pulumi.Input[
|
|
251
|
+
def bound_claims_type(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
253
252
|
"""
|
|
254
253
|
How to interpret values in the claims/values
|
|
255
254
|
map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
|
|
@@ -258,12 +257,12 @@ class AuthBackendRoleArgs:
|
|
|
258
257
|
return pulumi.get(self, "bound_claims_type")
|
|
259
258
|
|
|
260
259
|
@bound_claims_type.setter
|
|
261
|
-
def bound_claims_type(self, value: Optional[pulumi.Input[
|
|
260
|
+
def bound_claims_type(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
262
261
|
pulumi.set(self, "bound_claims_type", value)
|
|
263
262
|
|
|
264
|
-
@property
|
|
263
|
+
@_builtins.property
|
|
265
264
|
@pulumi.getter(name="boundSubject")
|
|
266
|
-
def bound_subject(self) -> Optional[pulumi.Input[
|
|
265
|
+
def bound_subject(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
267
266
|
"""
|
|
268
267
|
If set, requires that the `sub` claim matches
|
|
269
268
|
this value.
|
|
@@ -271,12 +270,12 @@ class AuthBackendRoleArgs:
|
|
|
271
270
|
return pulumi.get(self, "bound_subject")
|
|
272
271
|
|
|
273
272
|
@bound_subject.setter
|
|
274
|
-
def bound_subject(self, value: Optional[pulumi.Input[
|
|
273
|
+
def bound_subject(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
275
274
|
pulumi.set(self, "bound_subject", value)
|
|
276
275
|
|
|
277
|
-
@property
|
|
276
|
+
@_builtins.property
|
|
278
277
|
@pulumi.getter(name="claimMappings")
|
|
279
|
-
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
278
|
+
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
|
|
280
279
|
"""
|
|
281
280
|
If set, a map of claims (keys) to be copied
|
|
282
281
|
to specified metadata fields (values).
|
|
@@ -284,12 +283,12 @@ class AuthBackendRoleArgs:
|
|
|
284
283
|
return pulumi.get(self, "claim_mappings")
|
|
285
284
|
|
|
286
285
|
@claim_mappings.setter
|
|
287
|
-
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
286
|
+
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
|
|
288
287
|
pulumi.set(self, "claim_mappings", value)
|
|
289
288
|
|
|
290
|
-
@property
|
|
289
|
+
@_builtins.property
|
|
291
290
|
@pulumi.getter(name="clockSkewLeeway")
|
|
292
|
-
def clock_skew_leeway(self) -> Optional[pulumi.Input[
|
|
291
|
+
def clock_skew_leeway(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
293
292
|
"""
|
|
294
293
|
The amount of leeway to add to all claims to account for clock skew, in
|
|
295
294
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
|
@@ -298,24 +297,24 @@ class AuthBackendRoleArgs:
|
|
|
298
297
|
return pulumi.get(self, "clock_skew_leeway")
|
|
299
298
|
|
|
300
299
|
@clock_skew_leeway.setter
|
|
301
|
-
def clock_skew_leeway(self, value: Optional[pulumi.Input[
|
|
300
|
+
def clock_skew_leeway(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
302
301
|
pulumi.set(self, "clock_skew_leeway", value)
|
|
303
302
|
|
|
304
|
-
@property
|
|
303
|
+
@_builtins.property
|
|
305
304
|
@pulumi.getter(name="disableBoundClaimsParsing")
|
|
306
|
-
def disable_bound_claims_parsing(self) -> Optional[pulumi.Input[
|
|
305
|
+
def disable_bound_claims_parsing(self) -> Optional[pulumi.Input[_builtins.bool]]:
|
|
307
306
|
"""
|
|
308
307
|
Disable bound claim value parsing. Useful when values contain commas.
|
|
309
308
|
"""
|
|
310
309
|
return pulumi.get(self, "disable_bound_claims_parsing")
|
|
311
310
|
|
|
312
311
|
@disable_bound_claims_parsing.setter
|
|
313
|
-
def disable_bound_claims_parsing(self, value: Optional[pulumi.Input[
|
|
312
|
+
def disable_bound_claims_parsing(self, value: Optional[pulumi.Input[_builtins.bool]]):
|
|
314
313
|
pulumi.set(self, "disable_bound_claims_parsing", value)
|
|
315
314
|
|
|
316
|
-
@property
|
|
315
|
+
@_builtins.property
|
|
317
316
|
@pulumi.getter(name="expirationLeeway")
|
|
318
|
-
def expiration_leeway(self) -> Optional[pulumi.Input[
|
|
317
|
+
def expiration_leeway(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
319
318
|
"""
|
|
320
319
|
The amount of leeway to add to expiration (`exp`) claims to account for
|
|
321
320
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
@@ -324,12 +323,12 @@ class AuthBackendRoleArgs:
|
|
|
324
323
|
return pulumi.get(self, "expiration_leeway")
|
|
325
324
|
|
|
326
325
|
@expiration_leeway.setter
|
|
327
|
-
def expiration_leeway(self, value: Optional[pulumi.Input[
|
|
326
|
+
def expiration_leeway(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
328
327
|
pulumi.set(self, "expiration_leeway", value)
|
|
329
328
|
|
|
330
|
-
@property
|
|
329
|
+
@_builtins.property
|
|
331
330
|
@pulumi.getter(name="groupsClaim")
|
|
332
|
-
def groups_claim(self) -> Optional[pulumi.Input[
|
|
331
|
+
def groups_claim(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
333
332
|
"""
|
|
334
333
|
The claim to use to uniquely identify
|
|
335
334
|
the set of groups to which the user belongs; this will be used as the names
|
|
@@ -339,12 +338,12 @@ class AuthBackendRoleArgs:
|
|
|
339
338
|
return pulumi.get(self, "groups_claim")
|
|
340
339
|
|
|
341
340
|
@groups_claim.setter
|
|
342
|
-
def groups_claim(self, value: Optional[pulumi.Input[
|
|
341
|
+
def groups_claim(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
343
342
|
pulumi.set(self, "groups_claim", value)
|
|
344
343
|
|
|
345
|
-
@property
|
|
344
|
+
@_builtins.property
|
|
346
345
|
@pulumi.getter(name="maxAge")
|
|
347
|
-
def max_age(self) -> Optional[pulumi.Input[
|
|
346
|
+
def max_age(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
348
347
|
"""
|
|
349
348
|
Specifies the allowable elapsed time in seconds since the last time
|
|
350
349
|
the user was actively authenticated with the OIDC provider.
|
|
@@ -352,12 +351,12 @@ class AuthBackendRoleArgs:
|
|
|
352
351
|
return pulumi.get(self, "max_age")
|
|
353
352
|
|
|
354
353
|
@max_age.setter
|
|
355
|
-
def max_age(self, value: Optional[pulumi.Input[
|
|
354
|
+
def max_age(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
356
355
|
pulumi.set(self, "max_age", value)
|
|
357
356
|
|
|
358
|
-
@property
|
|
357
|
+
@_builtins.property
|
|
359
358
|
@pulumi.getter
|
|
360
|
-
def namespace(self) -> Optional[pulumi.Input[
|
|
359
|
+
def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
361
360
|
"""
|
|
362
361
|
The namespace to provision the resource in.
|
|
363
362
|
The value should not contain leading or trailing forward slashes.
|
|
@@ -367,12 +366,12 @@ class AuthBackendRoleArgs:
|
|
|
367
366
|
return pulumi.get(self, "namespace")
|
|
368
367
|
|
|
369
368
|
@namespace.setter
|
|
370
|
-
def namespace(self, value: Optional[pulumi.Input[
|
|
369
|
+
def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
371
370
|
pulumi.set(self, "namespace", value)
|
|
372
371
|
|
|
373
|
-
@property
|
|
372
|
+
@_builtins.property
|
|
374
373
|
@pulumi.getter(name="notBeforeLeeway")
|
|
375
|
-
def not_before_leeway(self) -> Optional[pulumi.Input[
|
|
374
|
+
def not_before_leeway(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
376
375
|
"""
|
|
377
376
|
The amount of leeway to add to not before (`nbf`) claims to account for
|
|
378
377
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
@@ -381,12 +380,12 @@ class AuthBackendRoleArgs:
|
|
|
381
380
|
return pulumi.get(self, "not_before_leeway")
|
|
382
381
|
|
|
383
382
|
@not_before_leeway.setter
|
|
384
|
-
def not_before_leeway(self, value: Optional[pulumi.Input[
|
|
383
|
+
def not_before_leeway(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
385
384
|
pulumi.set(self, "not_before_leeway", value)
|
|
386
385
|
|
|
387
|
-
@property
|
|
386
|
+
@_builtins.property
|
|
388
387
|
@pulumi.getter(name="oidcScopes")
|
|
389
|
-
def oidc_scopes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
388
|
+
def oidc_scopes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
390
389
|
"""
|
|
391
390
|
If set, a list of OIDC scopes to be used with an OIDC role.
|
|
392
391
|
The standard scope "openid" is automatically included and need not be specified.
|
|
@@ -394,132 +393,132 @@ class AuthBackendRoleArgs:
|
|
|
394
393
|
return pulumi.get(self, "oidc_scopes")
|
|
395
394
|
|
|
396
395
|
@oidc_scopes.setter
|
|
397
|
-
def oidc_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
396
|
+
def oidc_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
398
397
|
pulumi.set(self, "oidc_scopes", value)
|
|
399
398
|
|
|
400
|
-
@property
|
|
399
|
+
@_builtins.property
|
|
401
400
|
@pulumi.getter(name="roleType")
|
|
402
|
-
def role_type(self) -> Optional[pulumi.Input[
|
|
401
|
+
def role_type(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
403
402
|
"""
|
|
404
403
|
Type of role, either "oidc" (default) or "jwt".
|
|
405
404
|
"""
|
|
406
405
|
return pulumi.get(self, "role_type")
|
|
407
406
|
|
|
408
407
|
@role_type.setter
|
|
409
|
-
def role_type(self, value: Optional[pulumi.Input[
|
|
408
|
+
def role_type(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
410
409
|
pulumi.set(self, "role_type", value)
|
|
411
410
|
|
|
412
|
-
@property
|
|
411
|
+
@_builtins.property
|
|
413
412
|
@pulumi.getter(name="tokenBoundCidrs")
|
|
414
|
-
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
413
|
+
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
415
414
|
"""
|
|
416
415
|
Specifies the blocks of IP addresses which are allowed to use the generated token
|
|
417
416
|
"""
|
|
418
417
|
return pulumi.get(self, "token_bound_cidrs")
|
|
419
418
|
|
|
420
419
|
@token_bound_cidrs.setter
|
|
421
|
-
def token_bound_cidrs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
420
|
+
def token_bound_cidrs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
422
421
|
pulumi.set(self, "token_bound_cidrs", value)
|
|
423
422
|
|
|
424
|
-
@property
|
|
423
|
+
@_builtins.property
|
|
425
424
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
|
426
|
-
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[
|
|
425
|
+
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
427
426
|
"""
|
|
428
427
|
Generated Token's Explicit Maximum TTL in seconds
|
|
429
428
|
"""
|
|
430
429
|
return pulumi.get(self, "token_explicit_max_ttl")
|
|
431
430
|
|
|
432
431
|
@token_explicit_max_ttl.setter
|
|
433
|
-
def token_explicit_max_ttl(self, value: Optional[pulumi.Input[
|
|
432
|
+
def token_explicit_max_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
434
433
|
pulumi.set(self, "token_explicit_max_ttl", value)
|
|
435
434
|
|
|
436
|
-
@property
|
|
435
|
+
@_builtins.property
|
|
437
436
|
@pulumi.getter(name="tokenMaxTtl")
|
|
438
|
-
def token_max_ttl(self) -> Optional[pulumi.Input[
|
|
437
|
+
def token_max_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
439
438
|
"""
|
|
440
439
|
The maximum lifetime of the generated token
|
|
441
440
|
"""
|
|
442
441
|
return pulumi.get(self, "token_max_ttl")
|
|
443
442
|
|
|
444
443
|
@token_max_ttl.setter
|
|
445
|
-
def token_max_ttl(self, value: Optional[pulumi.Input[
|
|
444
|
+
def token_max_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
446
445
|
pulumi.set(self, "token_max_ttl", value)
|
|
447
446
|
|
|
448
|
-
@property
|
|
447
|
+
@_builtins.property
|
|
449
448
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
|
450
|
-
def token_no_default_policy(self) -> Optional[pulumi.Input[
|
|
449
|
+
def token_no_default_policy(self) -> Optional[pulumi.Input[_builtins.bool]]:
|
|
451
450
|
"""
|
|
452
451
|
If true, the 'default' policy will not automatically be added to generated tokens
|
|
453
452
|
"""
|
|
454
453
|
return pulumi.get(self, "token_no_default_policy")
|
|
455
454
|
|
|
456
455
|
@token_no_default_policy.setter
|
|
457
|
-
def token_no_default_policy(self, value: Optional[pulumi.Input[
|
|
456
|
+
def token_no_default_policy(self, value: Optional[pulumi.Input[_builtins.bool]]):
|
|
458
457
|
pulumi.set(self, "token_no_default_policy", value)
|
|
459
458
|
|
|
460
|
-
@property
|
|
459
|
+
@_builtins.property
|
|
461
460
|
@pulumi.getter(name="tokenNumUses")
|
|
462
|
-
def token_num_uses(self) -> Optional[pulumi.Input[
|
|
461
|
+
def token_num_uses(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
463
462
|
"""
|
|
464
463
|
The maximum number of times a token may be used, a value of zero means unlimited
|
|
465
464
|
"""
|
|
466
465
|
return pulumi.get(self, "token_num_uses")
|
|
467
466
|
|
|
468
467
|
@token_num_uses.setter
|
|
469
|
-
def token_num_uses(self, value: Optional[pulumi.Input[
|
|
468
|
+
def token_num_uses(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
470
469
|
pulumi.set(self, "token_num_uses", value)
|
|
471
470
|
|
|
472
|
-
@property
|
|
471
|
+
@_builtins.property
|
|
473
472
|
@pulumi.getter(name="tokenPeriod")
|
|
474
|
-
def token_period(self) -> Optional[pulumi.Input[
|
|
473
|
+
def token_period(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
475
474
|
"""
|
|
476
475
|
Generated Token's Period
|
|
477
476
|
"""
|
|
478
477
|
return pulumi.get(self, "token_period")
|
|
479
478
|
|
|
480
479
|
@token_period.setter
|
|
481
|
-
def token_period(self, value: Optional[pulumi.Input[
|
|
480
|
+
def token_period(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
482
481
|
pulumi.set(self, "token_period", value)
|
|
483
482
|
|
|
484
|
-
@property
|
|
483
|
+
@_builtins.property
|
|
485
484
|
@pulumi.getter(name="tokenPolicies")
|
|
486
|
-
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
485
|
+
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
487
486
|
"""
|
|
488
487
|
Generated Token's Policies
|
|
489
488
|
"""
|
|
490
489
|
return pulumi.get(self, "token_policies")
|
|
491
490
|
|
|
492
491
|
@token_policies.setter
|
|
493
|
-
def token_policies(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
492
|
+
def token_policies(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
494
493
|
pulumi.set(self, "token_policies", value)
|
|
495
494
|
|
|
496
|
-
@property
|
|
495
|
+
@_builtins.property
|
|
497
496
|
@pulumi.getter(name="tokenTtl")
|
|
498
|
-
def token_ttl(self) -> Optional[pulumi.Input[
|
|
497
|
+
def token_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
499
498
|
"""
|
|
500
499
|
The initial ttl of the token to generate in seconds
|
|
501
500
|
"""
|
|
502
501
|
return pulumi.get(self, "token_ttl")
|
|
503
502
|
|
|
504
503
|
@token_ttl.setter
|
|
505
|
-
def token_ttl(self, value: Optional[pulumi.Input[
|
|
504
|
+
def token_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
506
505
|
pulumi.set(self, "token_ttl", value)
|
|
507
506
|
|
|
508
|
-
@property
|
|
507
|
+
@_builtins.property
|
|
509
508
|
@pulumi.getter(name="tokenType")
|
|
510
|
-
def token_type(self) -> Optional[pulumi.Input[
|
|
509
|
+
def token_type(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
511
510
|
"""
|
|
512
511
|
The type of token to generate, service or batch
|
|
513
512
|
"""
|
|
514
513
|
return pulumi.get(self, "token_type")
|
|
515
514
|
|
|
516
515
|
@token_type.setter
|
|
517
|
-
def token_type(self, value: Optional[pulumi.Input[
|
|
516
|
+
def token_type(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
518
517
|
pulumi.set(self, "token_type", value)
|
|
519
518
|
|
|
520
|
-
@property
|
|
519
|
+
@_builtins.property
|
|
521
520
|
@pulumi.getter(name="userClaimJsonPointer")
|
|
522
|
-
def user_claim_json_pointer(self) -> Optional[pulumi.Input[
|
|
521
|
+
def user_claim_json_pointer(self) -> Optional[pulumi.Input[_builtins.bool]]:
|
|
523
522
|
"""
|
|
524
523
|
Specifies if the `user_claim` value uses
|
|
525
524
|
[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
|
|
@@ -529,12 +528,12 @@ class AuthBackendRoleArgs:
|
|
|
529
528
|
return pulumi.get(self, "user_claim_json_pointer")
|
|
530
529
|
|
|
531
530
|
@user_claim_json_pointer.setter
|
|
532
|
-
def user_claim_json_pointer(self, value: Optional[pulumi.Input[
|
|
531
|
+
def user_claim_json_pointer(self, value: Optional[pulumi.Input[_builtins.bool]]):
|
|
533
532
|
pulumi.set(self, "user_claim_json_pointer", value)
|
|
534
533
|
|
|
535
|
-
@property
|
|
534
|
+
@_builtins.property
|
|
536
535
|
@pulumi.getter(name="verboseOidcLogging")
|
|
537
|
-
def verbose_oidc_logging(self) -> Optional[pulumi.Input[
|
|
536
|
+
def verbose_oidc_logging(self) -> Optional[pulumi.Input[_builtins.bool]]:
|
|
538
537
|
"""
|
|
539
538
|
Log received OIDC tokens and claims when debug-level
|
|
540
539
|
logging is active. Not recommended in production since sensitive information may be present
|
|
@@ -543,101 +542,101 @@ class AuthBackendRoleArgs:
|
|
|
543
542
|
return pulumi.get(self, "verbose_oidc_logging")
|
|
544
543
|
|
|
545
544
|
@verbose_oidc_logging.setter
|
|
546
|
-
def verbose_oidc_logging(self, value: Optional[pulumi.Input[
|
|
545
|
+
def verbose_oidc_logging(self, value: Optional[pulumi.Input[_builtins.bool]]):
|
|
547
546
|
pulumi.set(self, "verbose_oidc_logging", value)
|
|
548
547
|
|
|
549
548
|
|
|
550
549
|
@pulumi.input_type
|
|
551
550
|
class _AuthBackendRoleState:
|
|
552
551
|
def __init__(__self__, *,
|
|
553
|
-
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
554
|
-
backend: Optional[pulumi.Input[
|
|
555
|
-
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
556
|
-
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
557
|
-
bound_claims_type: Optional[pulumi.Input[
|
|
558
|
-
bound_subject: Optional[pulumi.Input[
|
|
559
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
560
|
-
clock_skew_leeway: Optional[pulumi.Input[
|
|
561
|
-
disable_bound_claims_parsing: Optional[pulumi.Input[
|
|
562
|
-
expiration_leeway: Optional[pulumi.Input[
|
|
563
|
-
groups_claim: Optional[pulumi.Input[
|
|
564
|
-
max_age: Optional[pulumi.Input[
|
|
565
|
-
namespace: Optional[pulumi.Input[
|
|
566
|
-
not_before_leeway: Optional[pulumi.Input[
|
|
567
|
-
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
568
|
-
role_name: Optional[pulumi.Input[
|
|
569
|
-
role_type: Optional[pulumi.Input[
|
|
570
|
-
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
571
|
-
token_explicit_max_ttl: Optional[pulumi.Input[
|
|
572
|
-
token_max_ttl: Optional[pulumi.Input[
|
|
573
|
-
token_no_default_policy: Optional[pulumi.Input[
|
|
574
|
-
token_num_uses: Optional[pulumi.Input[
|
|
575
|
-
token_period: Optional[pulumi.Input[
|
|
576
|
-
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
577
|
-
token_ttl: Optional[pulumi.Input[
|
|
578
|
-
token_type: Optional[pulumi.Input[
|
|
579
|
-
user_claim: Optional[pulumi.Input[
|
|
580
|
-
user_claim_json_pointer: Optional[pulumi.Input[
|
|
581
|
-
verbose_oidc_logging: Optional[pulumi.Input[
|
|
552
|
+
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
553
|
+
backend: Optional[pulumi.Input[_builtins.str]] = None,
|
|
554
|
+
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
555
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
556
|
+
bound_claims_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
557
|
+
bound_subject: Optional[pulumi.Input[_builtins.str]] = None,
|
|
558
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
559
|
+
clock_skew_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
560
|
+
disable_bound_claims_parsing: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
561
|
+
expiration_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
562
|
+
groups_claim: Optional[pulumi.Input[_builtins.str]] = None,
|
|
563
|
+
max_age: Optional[pulumi.Input[_builtins.int]] = None,
|
|
564
|
+
namespace: Optional[pulumi.Input[_builtins.str]] = None,
|
|
565
|
+
not_before_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
566
|
+
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
567
|
+
role_name: Optional[pulumi.Input[_builtins.str]] = None,
|
|
568
|
+
role_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
569
|
+
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
570
|
+
token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
571
|
+
token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
572
|
+
token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
573
|
+
token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
|
|
574
|
+
token_period: Optional[pulumi.Input[_builtins.int]] = None,
|
|
575
|
+
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
576
|
+
token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
577
|
+
token_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
578
|
+
user_claim: Optional[pulumi.Input[_builtins.str]] = None,
|
|
579
|
+
user_claim_json_pointer: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
580
|
+
verbose_oidc_logging: Optional[pulumi.Input[_builtins.bool]] = None):
|
|
582
581
|
"""
|
|
583
582
|
Input properties used for looking up and filtering AuthBackendRole resources.
|
|
584
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
583
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] allowed_redirect_uris: The list of allowed values for redirect_uri during OIDC logins.
|
|
585
584
|
Required for OIDC roles
|
|
586
|
-
:param pulumi.Input[
|
|
585
|
+
:param pulumi.Input[_builtins.str] backend: The unique name of the auth backend to configure.
|
|
587
586
|
Defaults to `jwt`.
|
|
588
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
587
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
|
589
588
|
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
|
590
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[
|
|
589
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] bound_claims: If set, a map of claims to values to match against.
|
|
591
590
|
A claim's value must be a string, which may contain one value or multiple
|
|
592
591
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
|
593
|
-
:param pulumi.Input[
|
|
592
|
+
:param pulumi.Input[_builtins.str] bound_claims_type: How to interpret values in the claims/values
|
|
594
593
|
map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
|
|
595
594
|
match). Requires Vault 1.4.0 or above.
|
|
596
|
-
:param pulumi.Input[
|
|
595
|
+
:param pulumi.Input[_builtins.str] bound_subject: If set, requires that the `sub` claim matches
|
|
597
596
|
this value.
|
|
598
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[
|
|
597
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
|
599
598
|
to specified metadata fields (values).
|
|
600
|
-
:param pulumi.Input[
|
|
599
|
+
:param pulumi.Input[_builtins.int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
|
601
600
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
|
602
601
|
Only applicable with "jwt" roles.
|
|
603
|
-
:param pulumi.Input[
|
|
604
|
-
:param pulumi.Input[
|
|
602
|
+
:param pulumi.Input[_builtins.bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
|
603
|
+
:param pulumi.Input[_builtins.int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
|
605
604
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
606
605
|
Only applicable with "jwt" roles.
|
|
607
|
-
:param pulumi.Input[
|
|
606
|
+
:param pulumi.Input[_builtins.str] groups_claim: The claim to use to uniquely identify
|
|
608
607
|
the set of groups to which the user belongs; this will be used as the names
|
|
609
608
|
for the Identity group aliases created due to a successful login. The claim
|
|
610
609
|
value must be a list of strings.
|
|
611
|
-
:param pulumi.Input[
|
|
610
|
+
:param pulumi.Input[_builtins.int] max_age: Specifies the allowable elapsed time in seconds since the last time
|
|
612
611
|
the user was actively authenticated with the OIDC provider.
|
|
613
|
-
:param pulumi.Input[
|
|
612
|
+
:param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
|
|
614
613
|
The value should not contain leading or trailing forward slashes.
|
|
615
614
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
616
615
|
*Available only for Vault Enterprise*.
|
|
617
|
-
:param pulumi.Input[
|
|
616
|
+
:param pulumi.Input[_builtins.int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
|
618
617
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
619
618
|
Only applicable with "jwt" roles.
|
|
620
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
619
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
|
621
620
|
The standard scope "openid" is automatically included and need not be specified.
|
|
622
|
-
:param pulumi.Input[
|
|
623
|
-
:param pulumi.Input[
|
|
624
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
625
|
-
:param pulumi.Input[
|
|
626
|
-
:param pulumi.Input[
|
|
627
|
-
:param pulumi.Input[
|
|
628
|
-
:param pulumi.Input[
|
|
629
|
-
:param pulumi.Input[
|
|
630
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
631
|
-
:param pulumi.Input[
|
|
632
|
-
:param pulumi.Input[
|
|
633
|
-
:param pulumi.Input[
|
|
621
|
+
:param pulumi.Input[_builtins.str] role_name: The name of the role.
|
|
622
|
+
:param pulumi.Input[_builtins.str] role_type: Type of role, either "oidc" (default) or "jwt".
|
|
623
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
|
624
|
+
:param pulumi.Input[_builtins.int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
|
625
|
+
:param pulumi.Input[_builtins.int] token_max_ttl: The maximum lifetime of the generated token
|
|
626
|
+
:param pulumi.Input[_builtins.bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
|
627
|
+
:param pulumi.Input[_builtins.int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
|
628
|
+
:param pulumi.Input[_builtins.int] token_period: Generated Token's Period
|
|
629
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_policies: Generated Token's Policies
|
|
630
|
+
:param pulumi.Input[_builtins.int] token_ttl: The initial ttl of the token to generate in seconds
|
|
631
|
+
:param pulumi.Input[_builtins.str] token_type: The type of token to generate, service or batch
|
|
632
|
+
:param pulumi.Input[_builtins.str] user_claim: The claim to use to uniquely identify
|
|
634
633
|
the user; this will be used as the name for the Identity entity alias created
|
|
635
634
|
due to a successful login.
|
|
636
|
-
:param pulumi.Input[
|
|
635
|
+
:param pulumi.Input[_builtins.bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
|
|
637
636
|
[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
|
|
638
637
|
syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
|
|
639
638
|
Requires Vault 1.11+.
|
|
640
|
-
:param pulumi.Input[
|
|
639
|
+
:param pulumi.Input[_builtins.bool] verbose_oidc_logging: Log received OIDC tokens and claims when debug-level
|
|
641
640
|
logging is active. Not recommended in production since sensitive information may be present
|
|
642
641
|
in OIDC responses.
|
|
643
642
|
"""
|
|
@@ -700,9 +699,9 @@ class _AuthBackendRoleState:
|
|
|
700
699
|
if verbose_oidc_logging is not None:
|
|
701
700
|
pulumi.set(__self__, "verbose_oidc_logging", verbose_oidc_logging)
|
|
702
701
|
|
|
703
|
-
@property
|
|
702
|
+
@_builtins.property
|
|
704
703
|
@pulumi.getter(name="allowedRedirectUris")
|
|
705
|
-
def allowed_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
704
|
+
def allowed_redirect_uris(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
706
705
|
"""
|
|
707
706
|
The list of allowed values for redirect_uri during OIDC logins.
|
|
708
707
|
Required for OIDC roles
|
|
@@ -710,12 +709,12 @@ class _AuthBackendRoleState:
|
|
|
710
709
|
return pulumi.get(self, "allowed_redirect_uris")
|
|
711
710
|
|
|
712
711
|
@allowed_redirect_uris.setter
|
|
713
|
-
def allowed_redirect_uris(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
712
|
+
def allowed_redirect_uris(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
714
713
|
pulumi.set(self, "allowed_redirect_uris", value)
|
|
715
714
|
|
|
716
|
-
@property
|
|
715
|
+
@_builtins.property
|
|
717
716
|
@pulumi.getter
|
|
718
|
-
def backend(self) -> Optional[pulumi.Input[
|
|
717
|
+
def backend(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
719
718
|
"""
|
|
720
719
|
The unique name of the auth backend to configure.
|
|
721
720
|
Defaults to `jwt`.
|
|
@@ -723,12 +722,12 @@ class _AuthBackendRoleState:
|
|
|
723
722
|
return pulumi.get(self, "backend")
|
|
724
723
|
|
|
725
724
|
@backend.setter
|
|
726
|
-
def backend(self, value: Optional[pulumi.Input[
|
|
725
|
+
def backend(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
727
726
|
pulumi.set(self, "backend", value)
|
|
728
727
|
|
|
729
|
-
@property
|
|
728
|
+
@_builtins.property
|
|
730
729
|
@pulumi.getter(name="boundAudiences")
|
|
731
|
-
def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
730
|
+
def bound_audiences(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
732
731
|
"""
|
|
733
732
|
(Required for roles of type `jwt`, optional for roles of
|
|
734
733
|
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
|
@@ -736,12 +735,12 @@ class _AuthBackendRoleState:
|
|
|
736
735
|
return pulumi.get(self, "bound_audiences")
|
|
737
736
|
|
|
738
737
|
@bound_audiences.setter
|
|
739
|
-
def bound_audiences(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
738
|
+
def bound_audiences(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
740
739
|
pulumi.set(self, "bound_audiences", value)
|
|
741
740
|
|
|
742
|
-
@property
|
|
741
|
+
@_builtins.property
|
|
743
742
|
@pulumi.getter(name="boundClaims")
|
|
744
|
-
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
743
|
+
def bound_claims(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
|
|
745
744
|
"""
|
|
746
745
|
If set, a map of claims to values to match against.
|
|
747
746
|
A claim's value must be a string, which may contain one value or multiple
|
|
@@ -750,12 +749,12 @@ class _AuthBackendRoleState:
|
|
|
750
749
|
return pulumi.get(self, "bound_claims")
|
|
751
750
|
|
|
752
751
|
@bound_claims.setter
|
|
753
|
-
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
752
|
+
def bound_claims(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
|
|
754
753
|
pulumi.set(self, "bound_claims", value)
|
|
755
754
|
|
|
756
|
-
@property
|
|
755
|
+
@_builtins.property
|
|
757
756
|
@pulumi.getter(name="boundClaimsType")
|
|
758
|
-
def bound_claims_type(self) -> Optional[pulumi.Input[
|
|
757
|
+
def bound_claims_type(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
759
758
|
"""
|
|
760
759
|
How to interpret values in the claims/values
|
|
761
760
|
map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
|
|
@@ -764,12 +763,12 @@ class _AuthBackendRoleState:
|
|
|
764
763
|
return pulumi.get(self, "bound_claims_type")
|
|
765
764
|
|
|
766
765
|
@bound_claims_type.setter
|
|
767
|
-
def bound_claims_type(self, value: Optional[pulumi.Input[
|
|
766
|
+
def bound_claims_type(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
768
767
|
pulumi.set(self, "bound_claims_type", value)
|
|
769
768
|
|
|
770
|
-
@property
|
|
769
|
+
@_builtins.property
|
|
771
770
|
@pulumi.getter(name="boundSubject")
|
|
772
|
-
def bound_subject(self) -> Optional[pulumi.Input[
|
|
771
|
+
def bound_subject(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
773
772
|
"""
|
|
774
773
|
If set, requires that the `sub` claim matches
|
|
775
774
|
this value.
|
|
@@ -777,12 +776,12 @@ class _AuthBackendRoleState:
|
|
|
777
776
|
return pulumi.get(self, "bound_subject")
|
|
778
777
|
|
|
779
778
|
@bound_subject.setter
|
|
780
|
-
def bound_subject(self, value: Optional[pulumi.Input[
|
|
779
|
+
def bound_subject(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
781
780
|
pulumi.set(self, "bound_subject", value)
|
|
782
781
|
|
|
783
|
-
@property
|
|
782
|
+
@_builtins.property
|
|
784
783
|
@pulumi.getter(name="claimMappings")
|
|
785
|
-
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
784
|
+
def claim_mappings(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
|
|
786
785
|
"""
|
|
787
786
|
If set, a map of claims (keys) to be copied
|
|
788
787
|
to specified metadata fields (values).
|
|
@@ -790,12 +789,12 @@ class _AuthBackendRoleState:
|
|
|
790
789
|
return pulumi.get(self, "claim_mappings")
|
|
791
790
|
|
|
792
791
|
@claim_mappings.setter
|
|
793
|
-
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
792
|
+
def claim_mappings(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
|
|
794
793
|
pulumi.set(self, "claim_mappings", value)
|
|
795
794
|
|
|
796
|
-
@property
|
|
795
|
+
@_builtins.property
|
|
797
796
|
@pulumi.getter(name="clockSkewLeeway")
|
|
798
|
-
def clock_skew_leeway(self) -> Optional[pulumi.Input[
|
|
797
|
+
def clock_skew_leeway(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
799
798
|
"""
|
|
800
799
|
The amount of leeway to add to all claims to account for clock skew, in
|
|
801
800
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
|
@@ -804,24 +803,24 @@ class _AuthBackendRoleState:
|
|
|
804
803
|
return pulumi.get(self, "clock_skew_leeway")
|
|
805
804
|
|
|
806
805
|
@clock_skew_leeway.setter
|
|
807
|
-
def clock_skew_leeway(self, value: Optional[pulumi.Input[
|
|
806
|
+
def clock_skew_leeway(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
808
807
|
pulumi.set(self, "clock_skew_leeway", value)
|
|
809
808
|
|
|
810
|
-
@property
|
|
809
|
+
@_builtins.property
|
|
811
810
|
@pulumi.getter(name="disableBoundClaimsParsing")
|
|
812
|
-
def disable_bound_claims_parsing(self) -> Optional[pulumi.Input[
|
|
811
|
+
def disable_bound_claims_parsing(self) -> Optional[pulumi.Input[_builtins.bool]]:
|
|
813
812
|
"""
|
|
814
813
|
Disable bound claim value parsing. Useful when values contain commas.
|
|
815
814
|
"""
|
|
816
815
|
return pulumi.get(self, "disable_bound_claims_parsing")
|
|
817
816
|
|
|
818
817
|
@disable_bound_claims_parsing.setter
|
|
819
|
-
def disable_bound_claims_parsing(self, value: Optional[pulumi.Input[
|
|
818
|
+
def disable_bound_claims_parsing(self, value: Optional[pulumi.Input[_builtins.bool]]):
|
|
820
819
|
pulumi.set(self, "disable_bound_claims_parsing", value)
|
|
821
820
|
|
|
822
|
-
@property
|
|
821
|
+
@_builtins.property
|
|
823
822
|
@pulumi.getter(name="expirationLeeway")
|
|
824
|
-
def expiration_leeway(self) -> Optional[pulumi.Input[
|
|
823
|
+
def expiration_leeway(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
825
824
|
"""
|
|
826
825
|
The amount of leeway to add to expiration (`exp`) claims to account for
|
|
827
826
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
@@ -830,12 +829,12 @@ class _AuthBackendRoleState:
|
|
|
830
829
|
return pulumi.get(self, "expiration_leeway")
|
|
831
830
|
|
|
832
831
|
@expiration_leeway.setter
|
|
833
|
-
def expiration_leeway(self, value: Optional[pulumi.Input[
|
|
832
|
+
def expiration_leeway(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
834
833
|
pulumi.set(self, "expiration_leeway", value)
|
|
835
834
|
|
|
836
|
-
@property
|
|
835
|
+
@_builtins.property
|
|
837
836
|
@pulumi.getter(name="groupsClaim")
|
|
838
|
-
def groups_claim(self) -> Optional[pulumi.Input[
|
|
837
|
+
def groups_claim(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
839
838
|
"""
|
|
840
839
|
The claim to use to uniquely identify
|
|
841
840
|
the set of groups to which the user belongs; this will be used as the names
|
|
@@ -845,12 +844,12 @@ class _AuthBackendRoleState:
|
|
|
845
844
|
return pulumi.get(self, "groups_claim")
|
|
846
845
|
|
|
847
846
|
@groups_claim.setter
|
|
848
|
-
def groups_claim(self, value: Optional[pulumi.Input[
|
|
847
|
+
def groups_claim(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
849
848
|
pulumi.set(self, "groups_claim", value)
|
|
850
849
|
|
|
851
|
-
@property
|
|
850
|
+
@_builtins.property
|
|
852
851
|
@pulumi.getter(name="maxAge")
|
|
853
|
-
def max_age(self) -> Optional[pulumi.Input[
|
|
852
|
+
def max_age(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
854
853
|
"""
|
|
855
854
|
Specifies the allowable elapsed time in seconds since the last time
|
|
856
855
|
the user was actively authenticated with the OIDC provider.
|
|
@@ -858,12 +857,12 @@ class _AuthBackendRoleState:
|
|
|
858
857
|
return pulumi.get(self, "max_age")
|
|
859
858
|
|
|
860
859
|
@max_age.setter
|
|
861
|
-
def max_age(self, value: Optional[pulumi.Input[
|
|
860
|
+
def max_age(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
862
861
|
pulumi.set(self, "max_age", value)
|
|
863
862
|
|
|
864
|
-
@property
|
|
863
|
+
@_builtins.property
|
|
865
864
|
@pulumi.getter
|
|
866
|
-
def namespace(self) -> Optional[pulumi.Input[
|
|
865
|
+
def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
867
866
|
"""
|
|
868
867
|
The namespace to provision the resource in.
|
|
869
868
|
The value should not contain leading or trailing forward slashes.
|
|
@@ -873,12 +872,12 @@ class _AuthBackendRoleState:
|
|
|
873
872
|
return pulumi.get(self, "namespace")
|
|
874
873
|
|
|
875
874
|
@namespace.setter
|
|
876
|
-
def namespace(self, value: Optional[pulumi.Input[
|
|
875
|
+
def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
877
876
|
pulumi.set(self, "namespace", value)
|
|
878
877
|
|
|
879
|
-
@property
|
|
878
|
+
@_builtins.property
|
|
880
879
|
@pulumi.getter(name="notBeforeLeeway")
|
|
881
|
-
def not_before_leeway(self) -> Optional[pulumi.Input[
|
|
880
|
+
def not_before_leeway(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
882
881
|
"""
|
|
883
882
|
The amount of leeway to add to not before (`nbf`) claims to account for
|
|
884
883
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
@@ -887,12 +886,12 @@ class _AuthBackendRoleState:
|
|
|
887
886
|
return pulumi.get(self, "not_before_leeway")
|
|
888
887
|
|
|
889
888
|
@not_before_leeway.setter
|
|
890
|
-
def not_before_leeway(self, value: Optional[pulumi.Input[
|
|
889
|
+
def not_before_leeway(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
891
890
|
pulumi.set(self, "not_before_leeway", value)
|
|
892
891
|
|
|
893
|
-
@property
|
|
892
|
+
@_builtins.property
|
|
894
893
|
@pulumi.getter(name="oidcScopes")
|
|
895
|
-
def oidc_scopes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
894
|
+
def oidc_scopes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
896
895
|
"""
|
|
897
896
|
If set, a list of OIDC scopes to be used with an OIDC role.
|
|
898
897
|
The standard scope "openid" is automatically included and need not be specified.
|
|
@@ -900,144 +899,144 @@ class _AuthBackendRoleState:
|
|
|
900
899
|
return pulumi.get(self, "oidc_scopes")
|
|
901
900
|
|
|
902
901
|
@oidc_scopes.setter
|
|
903
|
-
def oidc_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
902
|
+
def oidc_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
904
903
|
pulumi.set(self, "oidc_scopes", value)
|
|
905
904
|
|
|
906
|
-
@property
|
|
905
|
+
@_builtins.property
|
|
907
906
|
@pulumi.getter(name="roleName")
|
|
908
|
-
def role_name(self) -> Optional[pulumi.Input[
|
|
907
|
+
def role_name(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
909
908
|
"""
|
|
910
909
|
The name of the role.
|
|
911
910
|
"""
|
|
912
911
|
return pulumi.get(self, "role_name")
|
|
913
912
|
|
|
914
913
|
@role_name.setter
|
|
915
|
-
def role_name(self, value: Optional[pulumi.Input[
|
|
914
|
+
def role_name(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
916
915
|
pulumi.set(self, "role_name", value)
|
|
917
916
|
|
|
918
|
-
@property
|
|
917
|
+
@_builtins.property
|
|
919
918
|
@pulumi.getter(name="roleType")
|
|
920
|
-
def role_type(self) -> Optional[pulumi.Input[
|
|
919
|
+
def role_type(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
921
920
|
"""
|
|
922
921
|
Type of role, either "oidc" (default) or "jwt".
|
|
923
922
|
"""
|
|
924
923
|
return pulumi.get(self, "role_type")
|
|
925
924
|
|
|
926
925
|
@role_type.setter
|
|
927
|
-
def role_type(self, value: Optional[pulumi.Input[
|
|
926
|
+
def role_type(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
928
927
|
pulumi.set(self, "role_type", value)
|
|
929
928
|
|
|
930
|
-
@property
|
|
929
|
+
@_builtins.property
|
|
931
930
|
@pulumi.getter(name="tokenBoundCidrs")
|
|
932
|
-
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
931
|
+
def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
933
932
|
"""
|
|
934
933
|
Specifies the blocks of IP addresses which are allowed to use the generated token
|
|
935
934
|
"""
|
|
936
935
|
return pulumi.get(self, "token_bound_cidrs")
|
|
937
936
|
|
|
938
937
|
@token_bound_cidrs.setter
|
|
939
|
-
def token_bound_cidrs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
938
|
+
def token_bound_cidrs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
940
939
|
pulumi.set(self, "token_bound_cidrs", value)
|
|
941
940
|
|
|
942
|
-
@property
|
|
941
|
+
@_builtins.property
|
|
943
942
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
|
944
|
-
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[
|
|
943
|
+
def token_explicit_max_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
945
944
|
"""
|
|
946
945
|
Generated Token's Explicit Maximum TTL in seconds
|
|
947
946
|
"""
|
|
948
947
|
return pulumi.get(self, "token_explicit_max_ttl")
|
|
949
948
|
|
|
950
949
|
@token_explicit_max_ttl.setter
|
|
951
|
-
def token_explicit_max_ttl(self, value: Optional[pulumi.Input[
|
|
950
|
+
def token_explicit_max_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
952
951
|
pulumi.set(self, "token_explicit_max_ttl", value)
|
|
953
952
|
|
|
954
|
-
@property
|
|
953
|
+
@_builtins.property
|
|
955
954
|
@pulumi.getter(name="tokenMaxTtl")
|
|
956
|
-
def token_max_ttl(self) -> Optional[pulumi.Input[
|
|
955
|
+
def token_max_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
957
956
|
"""
|
|
958
957
|
The maximum lifetime of the generated token
|
|
959
958
|
"""
|
|
960
959
|
return pulumi.get(self, "token_max_ttl")
|
|
961
960
|
|
|
962
961
|
@token_max_ttl.setter
|
|
963
|
-
def token_max_ttl(self, value: Optional[pulumi.Input[
|
|
962
|
+
def token_max_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
964
963
|
pulumi.set(self, "token_max_ttl", value)
|
|
965
964
|
|
|
966
|
-
@property
|
|
965
|
+
@_builtins.property
|
|
967
966
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
|
968
|
-
def token_no_default_policy(self) -> Optional[pulumi.Input[
|
|
967
|
+
def token_no_default_policy(self) -> Optional[pulumi.Input[_builtins.bool]]:
|
|
969
968
|
"""
|
|
970
969
|
If true, the 'default' policy will not automatically be added to generated tokens
|
|
971
970
|
"""
|
|
972
971
|
return pulumi.get(self, "token_no_default_policy")
|
|
973
972
|
|
|
974
973
|
@token_no_default_policy.setter
|
|
975
|
-
def token_no_default_policy(self, value: Optional[pulumi.Input[
|
|
974
|
+
def token_no_default_policy(self, value: Optional[pulumi.Input[_builtins.bool]]):
|
|
976
975
|
pulumi.set(self, "token_no_default_policy", value)
|
|
977
976
|
|
|
978
|
-
@property
|
|
977
|
+
@_builtins.property
|
|
979
978
|
@pulumi.getter(name="tokenNumUses")
|
|
980
|
-
def token_num_uses(self) -> Optional[pulumi.Input[
|
|
979
|
+
def token_num_uses(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
981
980
|
"""
|
|
982
981
|
The maximum number of times a token may be used, a value of zero means unlimited
|
|
983
982
|
"""
|
|
984
983
|
return pulumi.get(self, "token_num_uses")
|
|
985
984
|
|
|
986
985
|
@token_num_uses.setter
|
|
987
|
-
def token_num_uses(self, value: Optional[pulumi.Input[
|
|
986
|
+
def token_num_uses(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
988
987
|
pulumi.set(self, "token_num_uses", value)
|
|
989
988
|
|
|
990
|
-
@property
|
|
989
|
+
@_builtins.property
|
|
991
990
|
@pulumi.getter(name="tokenPeriod")
|
|
992
|
-
def token_period(self) -> Optional[pulumi.Input[
|
|
991
|
+
def token_period(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
993
992
|
"""
|
|
994
993
|
Generated Token's Period
|
|
995
994
|
"""
|
|
996
995
|
return pulumi.get(self, "token_period")
|
|
997
996
|
|
|
998
997
|
@token_period.setter
|
|
999
|
-
def token_period(self, value: Optional[pulumi.Input[
|
|
998
|
+
def token_period(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
1000
999
|
pulumi.set(self, "token_period", value)
|
|
1001
1000
|
|
|
1002
|
-
@property
|
|
1001
|
+
@_builtins.property
|
|
1003
1002
|
@pulumi.getter(name="tokenPolicies")
|
|
1004
|
-
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1003
|
+
def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
|
|
1005
1004
|
"""
|
|
1006
1005
|
Generated Token's Policies
|
|
1007
1006
|
"""
|
|
1008
1007
|
return pulumi.get(self, "token_policies")
|
|
1009
1008
|
|
|
1010
1009
|
@token_policies.setter
|
|
1011
|
-
def token_policies(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1010
|
+
def token_policies(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
|
|
1012
1011
|
pulumi.set(self, "token_policies", value)
|
|
1013
1012
|
|
|
1014
|
-
@property
|
|
1013
|
+
@_builtins.property
|
|
1015
1014
|
@pulumi.getter(name="tokenTtl")
|
|
1016
|
-
def token_ttl(self) -> Optional[pulumi.Input[
|
|
1015
|
+
def token_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
|
|
1017
1016
|
"""
|
|
1018
1017
|
The initial ttl of the token to generate in seconds
|
|
1019
1018
|
"""
|
|
1020
1019
|
return pulumi.get(self, "token_ttl")
|
|
1021
1020
|
|
|
1022
1021
|
@token_ttl.setter
|
|
1023
|
-
def token_ttl(self, value: Optional[pulumi.Input[
|
|
1022
|
+
def token_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
|
|
1024
1023
|
pulumi.set(self, "token_ttl", value)
|
|
1025
1024
|
|
|
1026
|
-
@property
|
|
1025
|
+
@_builtins.property
|
|
1027
1026
|
@pulumi.getter(name="tokenType")
|
|
1028
|
-
def token_type(self) -> Optional[pulumi.Input[
|
|
1027
|
+
def token_type(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
1029
1028
|
"""
|
|
1030
1029
|
The type of token to generate, service or batch
|
|
1031
1030
|
"""
|
|
1032
1031
|
return pulumi.get(self, "token_type")
|
|
1033
1032
|
|
|
1034
1033
|
@token_type.setter
|
|
1035
|
-
def token_type(self, value: Optional[pulumi.Input[
|
|
1034
|
+
def token_type(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
1036
1035
|
pulumi.set(self, "token_type", value)
|
|
1037
1036
|
|
|
1038
|
-
@property
|
|
1037
|
+
@_builtins.property
|
|
1039
1038
|
@pulumi.getter(name="userClaim")
|
|
1040
|
-
def user_claim(self) -> Optional[pulumi.Input[
|
|
1039
|
+
def user_claim(self) -> Optional[pulumi.Input[_builtins.str]]:
|
|
1041
1040
|
"""
|
|
1042
1041
|
The claim to use to uniquely identify
|
|
1043
1042
|
the user; this will be used as the name for the Identity entity alias created
|
|
@@ -1046,12 +1045,12 @@ class _AuthBackendRoleState:
|
|
|
1046
1045
|
return pulumi.get(self, "user_claim")
|
|
1047
1046
|
|
|
1048
1047
|
@user_claim.setter
|
|
1049
|
-
def user_claim(self, value: Optional[pulumi.Input[
|
|
1048
|
+
def user_claim(self, value: Optional[pulumi.Input[_builtins.str]]):
|
|
1050
1049
|
pulumi.set(self, "user_claim", value)
|
|
1051
1050
|
|
|
1052
|
-
@property
|
|
1051
|
+
@_builtins.property
|
|
1053
1052
|
@pulumi.getter(name="userClaimJsonPointer")
|
|
1054
|
-
def user_claim_json_pointer(self) -> Optional[pulumi.Input[
|
|
1053
|
+
def user_claim_json_pointer(self) -> Optional[pulumi.Input[_builtins.bool]]:
|
|
1055
1054
|
"""
|
|
1056
1055
|
Specifies if the `user_claim` value uses
|
|
1057
1056
|
[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
|
|
@@ -1061,12 +1060,12 @@ class _AuthBackendRoleState:
|
|
|
1061
1060
|
return pulumi.get(self, "user_claim_json_pointer")
|
|
1062
1061
|
|
|
1063
1062
|
@user_claim_json_pointer.setter
|
|
1064
|
-
def user_claim_json_pointer(self, value: Optional[pulumi.Input[
|
|
1063
|
+
def user_claim_json_pointer(self, value: Optional[pulumi.Input[_builtins.bool]]):
|
|
1065
1064
|
pulumi.set(self, "user_claim_json_pointer", value)
|
|
1066
1065
|
|
|
1067
|
-
@property
|
|
1066
|
+
@_builtins.property
|
|
1068
1067
|
@pulumi.getter(name="verboseOidcLogging")
|
|
1069
|
-
def verbose_oidc_logging(self) -> Optional[pulumi.Input[
|
|
1068
|
+
def verbose_oidc_logging(self) -> Optional[pulumi.Input[_builtins.bool]]:
|
|
1070
1069
|
"""
|
|
1071
1070
|
Log received OIDC tokens and claims when debug-level
|
|
1072
1071
|
logging is active. Not recommended in production since sensitive information may be present
|
|
@@ -1075,7 +1074,7 @@ class _AuthBackendRoleState:
|
|
|
1075
1074
|
return pulumi.get(self, "verbose_oidc_logging")
|
|
1076
1075
|
|
|
1077
1076
|
@verbose_oidc_logging.setter
|
|
1078
|
-
def verbose_oidc_logging(self, value: Optional[pulumi.Input[
|
|
1077
|
+
def verbose_oidc_logging(self, value: Optional[pulumi.Input[_builtins.bool]]):
|
|
1079
1078
|
pulumi.set(self, "verbose_oidc_logging", value)
|
|
1080
1079
|
|
|
1081
1080
|
|
|
@@ -1085,35 +1084,35 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1085
1084
|
def __init__(__self__,
|
|
1086
1085
|
resource_name: str,
|
|
1087
1086
|
opts: Optional[pulumi.ResourceOptions] = None,
|
|
1088
|
-
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1089
|
-
backend: Optional[pulumi.Input[
|
|
1090
|
-
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1091
|
-
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
1092
|
-
bound_claims_type: Optional[pulumi.Input[
|
|
1093
|
-
bound_subject: Optional[pulumi.Input[
|
|
1094
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
1095
|
-
clock_skew_leeway: Optional[pulumi.Input[
|
|
1096
|
-
disable_bound_claims_parsing: Optional[pulumi.Input[
|
|
1097
|
-
expiration_leeway: Optional[pulumi.Input[
|
|
1098
|
-
groups_claim: Optional[pulumi.Input[
|
|
1099
|
-
max_age: Optional[pulumi.Input[
|
|
1100
|
-
namespace: Optional[pulumi.Input[
|
|
1101
|
-
not_before_leeway: Optional[pulumi.Input[
|
|
1102
|
-
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1103
|
-
role_name: Optional[pulumi.Input[
|
|
1104
|
-
role_type: Optional[pulumi.Input[
|
|
1105
|
-
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1106
|
-
token_explicit_max_ttl: Optional[pulumi.Input[
|
|
1107
|
-
token_max_ttl: Optional[pulumi.Input[
|
|
1108
|
-
token_no_default_policy: Optional[pulumi.Input[
|
|
1109
|
-
token_num_uses: Optional[pulumi.Input[
|
|
1110
|
-
token_period: Optional[pulumi.Input[
|
|
1111
|
-
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1112
|
-
token_ttl: Optional[pulumi.Input[
|
|
1113
|
-
token_type: Optional[pulumi.Input[
|
|
1114
|
-
user_claim: Optional[pulumi.Input[
|
|
1115
|
-
user_claim_json_pointer: Optional[pulumi.Input[
|
|
1116
|
-
verbose_oidc_logging: Optional[pulumi.Input[
|
|
1087
|
+
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1088
|
+
backend: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1089
|
+
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1090
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
1091
|
+
bound_claims_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1092
|
+
bound_subject: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1093
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
1094
|
+
clock_skew_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1095
|
+
disable_bound_claims_parsing: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1096
|
+
expiration_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1097
|
+
groups_claim: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1098
|
+
max_age: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1099
|
+
namespace: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1100
|
+
not_before_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1101
|
+
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1102
|
+
role_name: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1103
|
+
role_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1104
|
+
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1105
|
+
token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1106
|
+
token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1107
|
+
token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1108
|
+
token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1109
|
+
token_period: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1110
|
+
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1111
|
+
token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1112
|
+
token_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1113
|
+
user_claim: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1114
|
+
user_claim_json_pointer: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1115
|
+
verbose_oidc_logging: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1117
1116
|
__props__=None):
|
|
1118
1117
|
"""
|
|
1119
1118
|
Manages an JWT/OIDC auth backend role in a Vault server. See the [Vault
|
|
@@ -1177,63 +1176,63 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1177
1176
|
|
|
1178
1177
|
:param str resource_name: The name of the resource.
|
|
1179
1178
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
|
1180
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1179
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] allowed_redirect_uris: The list of allowed values for redirect_uri during OIDC logins.
|
|
1181
1180
|
Required for OIDC roles
|
|
1182
|
-
:param pulumi.Input[
|
|
1181
|
+
:param pulumi.Input[_builtins.str] backend: The unique name of the auth backend to configure.
|
|
1183
1182
|
Defaults to `jwt`.
|
|
1184
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1183
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
|
1185
1184
|
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
|
1186
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[
|
|
1185
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] bound_claims: If set, a map of claims to values to match against.
|
|
1187
1186
|
A claim's value must be a string, which may contain one value or multiple
|
|
1188
1187
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
|
1189
|
-
:param pulumi.Input[
|
|
1188
|
+
:param pulumi.Input[_builtins.str] bound_claims_type: How to interpret values in the claims/values
|
|
1190
1189
|
map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
|
|
1191
1190
|
match). Requires Vault 1.4.0 or above.
|
|
1192
|
-
:param pulumi.Input[
|
|
1191
|
+
:param pulumi.Input[_builtins.str] bound_subject: If set, requires that the `sub` claim matches
|
|
1193
1192
|
this value.
|
|
1194
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[
|
|
1193
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
|
1195
1194
|
to specified metadata fields (values).
|
|
1196
|
-
:param pulumi.Input[
|
|
1195
|
+
:param pulumi.Input[_builtins.int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
|
1197
1196
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
|
1198
1197
|
Only applicable with "jwt" roles.
|
|
1199
|
-
:param pulumi.Input[
|
|
1200
|
-
:param pulumi.Input[
|
|
1198
|
+
:param pulumi.Input[_builtins.bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
|
1199
|
+
:param pulumi.Input[_builtins.int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
|
1201
1200
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
1202
1201
|
Only applicable with "jwt" roles.
|
|
1203
|
-
:param pulumi.Input[
|
|
1202
|
+
:param pulumi.Input[_builtins.str] groups_claim: The claim to use to uniquely identify
|
|
1204
1203
|
the set of groups to which the user belongs; this will be used as the names
|
|
1205
1204
|
for the Identity group aliases created due to a successful login. The claim
|
|
1206
1205
|
value must be a list of strings.
|
|
1207
|
-
:param pulumi.Input[
|
|
1206
|
+
:param pulumi.Input[_builtins.int] max_age: Specifies the allowable elapsed time in seconds since the last time
|
|
1208
1207
|
the user was actively authenticated with the OIDC provider.
|
|
1209
|
-
:param pulumi.Input[
|
|
1208
|
+
:param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
|
|
1210
1209
|
The value should not contain leading or trailing forward slashes.
|
|
1211
1210
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
1212
1211
|
*Available only for Vault Enterprise*.
|
|
1213
|
-
:param pulumi.Input[
|
|
1212
|
+
:param pulumi.Input[_builtins.int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
|
1214
1213
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
1215
1214
|
Only applicable with "jwt" roles.
|
|
1216
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1215
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
|
1217
1216
|
The standard scope "openid" is automatically included and need not be specified.
|
|
1218
|
-
:param pulumi.Input[
|
|
1219
|
-
:param pulumi.Input[
|
|
1220
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1221
|
-
:param pulumi.Input[
|
|
1222
|
-
:param pulumi.Input[
|
|
1223
|
-
:param pulumi.Input[
|
|
1224
|
-
:param pulumi.Input[
|
|
1225
|
-
:param pulumi.Input[
|
|
1226
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1227
|
-
:param pulumi.Input[
|
|
1228
|
-
:param pulumi.Input[
|
|
1229
|
-
:param pulumi.Input[
|
|
1217
|
+
:param pulumi.Input[_builtins.str] role_name: The name of the role.
|
|
1218
|
+
:param pulumi.Input[_builtins.str] role_type: Type of role, either "oidc" (default) or "jwt".
|
|
1219
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
|
1220
|
+
:param pulumi.Input[_builtins.int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
|
1221
|
+
:param pulumi.Input[_builtins.int] token_max_ttl: The maximum lifetime of the generated token
|
|
1222
|
+
:param pulumi.Input[_builtins.bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
|
1223
|
+
:param pulumi.Input[_builtins.int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
|
1224
|
+
:param pulumi.Input[_builtins.int] token_period: Generated Token's Period
|
|
1225
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_policies: Generated Token's Policies
|
|
1226
|
+
:param pulumi.Input[_builtins.int] token_ttl: The initial ttl of the token to generate in seconds
|
|
1227
|
+
:param pulumi.Input[_builtins.str] token_type: The type of token to generate, service or batch
|
|
1228
|
+
:param pulumi.Input[_builtins.str] user_claim: The claim to use to uniquely identify
|
|
1230
1229
|
the user; this will be used as the name for the Identity entity alias created
|
|
1231
1230
|
due to a successful login.
|
|
1232
|
-
:param pulumi.Input[
|
|
1231
|
+
:param pulumi.Input[_builtins.bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
|
|
1233
1232
|
[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
|
|
1234
1233
|
syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
|
|
1235
1234
|
Requires Vault 1.11+.
|
|
1236
|
-
:param pulumi.Input[
|
|
1235
|
+
:param pulumi.Input[_builtins.bool] verbose_oidc_logging: Log received OIDC tokens and claims when debug-level
|
|
1237
1236
|
logging is active. Not recommended in production since sensitive information may be present
|
|
1238
1237
|
in OIDC responses.
|
|
1239
1238
|
"""
|
|
@@ -1318,35 +1317,35 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1318
1317
|
def _internal_init(__self__,
|
|
1319
1318
|
resource_name: str,
|
|
1320
1319
|
opts: Optional[pulumi.ResourceOptions] = None,
|
|
1321
|
-
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1322
|
-
backend: Optional[pulumi.Input[
|
|
1323
|
-
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1324
|
-
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
1325
|
-
bound_claims_type: Optional[pulumi.Input[
|
|
1326
|
-
bound_subject: Optional[pulumi.Input[
|
|
1327
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
1328
|
-
clock_skew_leeway: Optional[pulumi.Input[
|
|
1329
|
-
disable_bound_claims_parsing: Optional[pulumi.Input[
|
|
1330
|
-
expiration_leeway: Optional[pulumi.Input[
|
|
1331
|
-
groups_claim: Optional[pulumi.Input[
|
|
1332
|
-
max_age: Optional[pulumi.Input[
|
|
1333
|
-
namespace: Optional[pulumi.Input[
|
|
1334
|
-
not_before_leeway: Optional[pulumi.Input[
|
|
1335
|
-
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1336
|
-
role_name: Optional[pulumi.Input[
|
|
1337
|
-
role_type: Optional[pulumi.Input[
|
|
1338
|
-
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1339
|
-
token_explicit_max_ttl: Optional[pulumi.Input[
|
|
1340
|
-
token_max_ttl: Optional[pulumi.Input[
|
|
1341
|
-
token_no_default_policy: Optional[pulumi.Input[
|
|
1342
|
-
token_num_uses: Optional[pulumi.Input[
|
|
1343
|
-
token_period: Optional[pulumi.Input[
|
|
1344
|
-
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1345
|
-
token_ttl: Optional[pulumi.Input[
|
|
1346
|
-
token_type: Optional[pulumi.Input[
|
|
1347
|
-
user_claim: Optional[pulumi.Input[
|
|
1348
|
-
user_claim_json_pointer: Optional[pulumi.Input[
|
|
1349
|
-
verbose_oidc_logging: Optional[pulumi.Input[
|
|
1320
|
+
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1321
|
+
backend: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1322
|
+
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1323
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
1324
|
+
bound_claims_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1325
|
+
bound_subject: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1326
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
1327
|
+
clock_skew_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1328
|
+
disable_bound_claims_parsing: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1329
|
+
expiration_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1330
|
+
groups_claim: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1331
|
+
max_age: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1332
|
+
namespace: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1333
|
+
not_before_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1334
|
+
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1335
|
+
role_name: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1336
|
+
role_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1337
|
+
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1338
|
+
token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1339
|
+
token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1340
|
+
token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1341
|
+
token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1342
|
+
token_period: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1343
|
+
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1344
|
+
token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1345
|
+
token_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1346
|
+
user_claim: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1347
|
+
user_claim_json_pointer: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1348
|
+
verbose_oidc_logging: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1350
1349
|
__props__=None):
|
|
1351
1350
|
opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
|
|
1352
1351
|
if not isinstance(opts, pulumi.ResourceOptions):
|
|
@@ -1399,35 +1398,35 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1399
1398
|
def get(resource_name: str,
|
|
1400
1399
|
id: pulumi.Input[str],
|
|
1401
1400
|
opts: Optional[pulumi.ResourceOptions] = None,
|
|
1402
|
-
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1403
|
-
backend: Optional[pulumi.Input[
|
|
1404
|
-
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1405
|
-
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
1406
|
-
bound_claims_type: Optional[pulumi.Input[
|
|
1407
|
-
bound_subject: Optional[pulumi.Input[
|
|
1408
|
-
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[
|
|
1409
|
-
clock_skew_leeway: Optional[pulumi.Input[
|
|
1410
|
-
disable_bound_claims_parsing: Optional[pulumi.Input[
|
|
1411
|
-
expiration_leeway: Optional[pulumi.Input[
|
|
1412
|
-
groups_claim: Optional[pulumi.Input[
|
|
1413
|
-
max_age: Optional[pulumi.Input[
|
|
1414
|
-
namespace: Optional[pulumi.Input[
|
|
1415
|
-
not_before_leeway: Optional[pulumi.Input[
|
|
1416
|
-
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1417
|
-
role_name: Optional[pulumi.Input[
|
|
1418
|
-
role_type: Optional[pulumi.Input[
|
|
1419
|
-
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1420
|
-
token_explicit_max_ttl: Optional[pulumi.Input[
|
|
1421
|
-
token_max_ttl: Optional[pulumi.Input[
|
|
1422
|
-
token_no_default_policy: Optional[pulumi.Input[
|
|
1423
|
-
token_num_uses: Optional[pulumi.Input[
|
|
1424
|
-
token_period: Optional[pulumi.Input[
|
|
1425
|
-
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[
|
|
1426
|
-
token_ttl: Optional[pulumi.Input[
|
|
1427
|
-
token_type: Optional[pulumi.Input[
|
|
1428
|
-
user_claim: Optional[pulumi.Input[
|
|
1429
|
-
user_claim_json_pointer: Optional[pulumi.Input[
|
|
1430
|
-
verbose_oidc_logging: Optional[pulumi.Input[
|
|
1401
|
+
allowed_redirect_uris: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1402
|
+
backend: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1403
|
+
bound_audiences: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1404
|
+
bound_claims: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
1405
|
+
bound_claims_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1406
|
+
bound_subject: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1407
|
+
claim_mappings: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
|
|
1408
|
+
clock_skew_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1409
|
+
disable_bound_claims_parsing: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1410
|
+
expiration_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1411
|
+
groups_claim: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1412
|
+
max_age: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1413
|
+
namespace: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1414
|
+
not_before_leeway: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1415
|
+
oidc_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1416
|
+
role_name: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1417
|
+
role_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1418
|
+
token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1419
|
+
token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1420
|
+
token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1421
|
+
token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1422
|
+
token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1423
|
+
token_period: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1424
|
+
token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
|
|
1425
|
+
token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
|
|
1426
|
+
token_type: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1427
|
+
user_claim: Optional[pulumi.Input[_builtins.str]] = None,
|
|
1428
|
+
user_claim_json_pointer: Optional[pulumi.Input[_builtins.bool]] = None,
|
|
1429
|
+
verbose_oidc_logging: Optional[pulumi.Input[_builtins.bool]] = None) -> 'AuthBackendRole':
|
|
1431
1430
|
"""
|
|
1432
1431
|
Get an existing AuthBackendRole resource's state with the given name, id, and optional extra
|
|
1433
1432
|
properties used to qualify the lookup.
|
|
@@ -1435,63 +1434,63 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1435
1434
|
:param str resource_name: The unique name of the resulting resource.
|
|
1436
1435
|
:param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
|
|
1437
1436
|
:param pulumi.ResourceOptions opts: Options for the resource.
|
|
1438
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1437
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] allowed_redirect_uris: The list of allowed values for redirect_uri during OIDC logins.
|
|
1439
1438
|
Required for OIDC roles
|
|
1440
|
-
:param pulumi.Input[
|
|
1439
|
+
:param pulumi.Input[_builtins.str] backend: The unique name of the auth backend to configure.
|
|
1441
1440
|
Defaults to `jwt`.
|
|
1442
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1441
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_audiences: (Required for roles of type `jwt`, optional for roles of
|
|
1443
1442
|
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
|
1444
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[
|
|
1443
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] bound_claims: If set, a map of claims to values to match against.
|
|
1445
1444
|
A claim's value must be a string, which may contain one value or multiple
|
|
1446
1445
|
comma-separated values, e.g. `"red"` or `"red,green,blue"`.
|
|
1447
|
-
:param pulumi.Input[
|
|
1446
|
+
:param pulumi.Input[_builtins.str] bound_claims_type: How to interpret values in the claims/values
|
|
1448
1447
|
map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
|
|
1449
1448
|
match). Requires Vault 1.4.0 or above.
|
|
1450
|
-
:param pulumi.Input[
|
|
1449
|
+
:param pulumi.Input[_builtins.str] bound_subject: If set, requires that the `sub` claim matches
|
|
1451
1450
|
this value.
|
|
1452
|
-
:param pulumi.Input[Mapping[str, pulumi.Input[
|
|
1451
|
+
:param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] claim_mappings: If set, a map of claims (keys) to be copied
|
|
1453
1452
|
to specified metadata fields (values).
|
|
1454
|
-
:param pulumi.Input[
|
|
1453
|
+
:param pulumi.Input[_builtins.int] clock_skew_leeway: The amount of leeway to add to all claims to account for clock skew, in
|
|
1455
1454
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
|
1456
1455
|
Only applicable with "jwt" roles.
|
|
1457
|
-
:param pulumi.Input[
|
|
1458
|
-
:param pulumi.Input[
|
|
1456
|
+
:param pulumi.Input[_builtins.bool] disable_bound_claims_parsing: Disable bound claim value parsing. Useful when values contain commas.
|
|
1457
|
+
:param pulumi.Input[_builtins.int] expiration_leeway: The amount of leeway to add to expiration (`exp`) claims to account for
|
|
1459
1458
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
1460
1459
|
Only applicable with "jwt" roles.
|
|
1461
|
-
:param pulumi.Input[
|
|
1460
|
+
:param pulumi.Input[_builtins.str] groups_claim: The claim to use to uniquely identify
|
|
1462
1461
|
the set of groups to which the user belongs; this will be used as the names
|
|
1463
1462
|
for the Identity group aliases created due to a successful login. The claim
|
|
1464
1463
|
value must be a list of strings.
|
|
1465
|
-
:param pulumi.Input[
|
|
1464
|
+
:param pulumi.Input[_builtins.int] max_age: Specifies the allowable elapsed time in seconds since the last time
|
|
1466
1465
|
the user was actively authenticated with the OIDC provider.
|
|
1467
|
-
:param pulumi.Input[
|
|
1466
|
+
:param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
|
|
1468
1467
|
The value should not contain leading or trailing forward slashes.
|
|
1469
1468
|
The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
|
|
1470
1469
|
*Available only for Vault Enterprise*.
|
|
1471
|
-
:param pulumi.Input[
|
|
1470
|
+
:param pulumi.Input[_builtins.int] not_before_leeway: The amount of leeway to add to not before (`nbf`) claims to account for
|
|
1472
1471
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
1473
1472
|
Only applicable with "jwt" roles.
|
|
1474
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1473
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] oidc_scopes: If set, a list of OIDC scopes to be used with an OIDC role.
|
|
1475
1474
|
The standard scope "openid" is automatically included and need not be specified.
|
|
1476
|
-
:param pulumi.Input[
|
|
1477
|
-
:param pulumi.Input[
|
|
1478
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1479
|
-
:param pulumi.Input[
|
|
1480
|
-
:param pulumi.Input[
|
|
1481
|
-
:param pulumi.Input[
|
|
1482
|
-
:param pulumi.Input[
|
|
1483
|
-
:param pulumi.Input[
|
|
1484
|
-
:param pulumi.Input[Sequence[pulumi.Input[
|
|
1485
|
-
:param pulumi.Input[
|
|
1486
|
-
:param pulumi.Input[
|
|
1487
|
-
:param pulumi.Input[
|
|
1475
|
+
:param pulumi.Input[_builtins.str] role_name: The name of the role.
|
|
1476
|
+
:param pulumi.Input[_builtins.str] role_type: Type of role, either "oidc" (default) or "jwt".
|
|
1477
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
|
|
1478
|
+
:param pulumi.Input[_builtins.int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
|
|
1479
|
+
:param pulumi.Input[_builtins.int] token_max_ttl: The maximum lifetime of the generated token
|
|
1480
|
+
:param pulumi.Input[_builtins.bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
|
|
1481
|
+
:param pulumi.Input[_builtins.int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
|
|
1482
|
+
:param pulumi.Input[_builtins.int] token_period: Generated Token's Period
|
|
1483
|
+
:param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_policies: Generated Token's Policies
|
|
1484
|
+
:param pulumi.Input[_builtins.int] token_ttl: The initial ttl of the token to generate in seconds
|
|
1485
|
+
:param pulumi.Input[_builtins.str] token_type: The type of token to generate, service or batch
|
|
1486
|
+
:param pulumi.Input[_builtins.str] user_claim: The claim to use to uniquely identify
|
|
1488
1487
|
the user; this will be used as the name for the Identity entity alias created
|
|
1489
1488
|
due to a successful login.
|
|
1490
|
-
:param pulumi.Input[
|
|
1489
|
+
:param pulumi.Input[_builtins.bool] user_claim_json_pointer: Specifies if the `user_claim` value uses
|
|
1491
1490
|
[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
|
|
1492
1491
|
syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
|
|
1493
1492
|
Requires Vault 1.11+.
|
|
1494
|
-
:param pulumi.Input[
|
|
1493
|
+
:param pulumi.Input[_builtins.bool] verbose_oidc_logging: Log received OIDC tokens and claims when debug-level
|
|
1495
1494
|
logging is active. Not recommended in production since sensitive information may be present
|
|
1496
1495
|
in OIDC responses.
|
|
1497
1496
|
"""
|
|
@@ -1530,36 +1529,36 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1530
1529
|
__props__.__dict__["verbose_oidc_logging"] = verbose_oidc_logging
|
|
1531
1530
|
return AuthBackendRole(resource_name, opts=opts, __props__=__props__)
|
|
1532
1531
|
|
|
1533
|
-
@property
|
|
1532
|
+
@_builtins.property
|
|
1534
1533
|
@pulumi.getter(name="allowedRedirectUris")
|
|
1535
|
-
def allowed_redirect_uris(self) -> pulumi.Output[Optional[Sequence[
|
|
1534
|
+
def allowed_redirect_uris(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
|
|
1536
1535
|
"""
|
|
1537
1536
|
The list of allowed values for redirect_uri during OIDC logins.
|
|
1538
1537
|
Required for OIDC roles
|
|
1539
1538
|
"""
|
|
1540
1539
|
return pulumi.get(self, "allowed_redirect_uris")
|
|
1541
1540
|
|
|
1542
|
-
@property
|
|
1541
|
+
@_builtins.property
|
|
1543
1542
|
@pulumi.getter
|
|
1544
|
-
def backend(self) -> pulumi.Output[Optional[
|
|
1543
|
+
def backend(self) -> pulumi.Output[Optional[_builtins.str]]:
|
|
1545
1544
|
"""
|
|
1546
1545
|
The unique name of the auth backend to configure.
|
|
1547
1546
|
Defaults to `jwt`.
|
|
1548
1547
|
"""
|
|
1549
1548
|
return pulumi.get(self, "backend")
|
|
1550
1549
|
|
|
1551
|
-
@property
|
|
1550
|
+
@_builtins.property
|
|
1552
1551
|
@pulumi.getter(name="boundAudiences")
|
|
1553
|
-
def bound_audiences(self) -> pulumi.Output[Optional[Sequence[
|
|
1552
|
+
def bound_audiences(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
|
|
1554
1553
|
"""
|
|
1555
1554
|
(Required for roles of type `jwt`, optional for roles of
|
|
1556
1555
|
type `oidc`) List of `aud` claims to match against. Any match is sufficient.
|
|
1557
1556
|
"""
|
|
1558
1557
|
return pulumi.get(self, "bound_audiences")
|
|
1559
1558
|
|
|
1560
|
-
@property
|
|
1559
|
+
@_builtins.property
|
|
1561
1560
|
@pulumi.getter(name="boundClaims")
|
|
1562
|
-
def bound_claims(self) -> pulumi.Output[Optional[Mapping[str,
|
|
1561
|
+
def bound_claims(self) -> pulumi.Output[Optional[Mapping[str, _builtins.str]]]:
|
|
1563
1562
|
"""
|
|
1564
1563
|
If set, a map of claims to values to match against.
|
|
1565
1564
|
A claim's value must be a string, which may contain one value or multiple
|
|
@@ -1567,9 +1566,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1567
1566
|
"""
|
|
1568
1567
|
return pulumi.get(self, "bound_claims")
|
|
1569
1568
|
|
|
1570
|
-
@property
|
|
1569
|
+
@_builtins.property
|
|
1571
1570
|
@pulumi.getter(name="boundClaimsType")
|
|
1572
|
-
def bound_claims_type(self) -> pulumi.Output[
|
|
1571
|
+
def bound_claims_type(self) -> pulumi.Output[_builtins.str]:
|
|
1573
1572
|
"""
|
|
1574
1573
|
How to interpret values in the claims/values
|
|
1575
1574
|
map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
|
|
@@ -1577,27 +1576,27 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1577
1576
|
"""
|
|
1578
1577
|
return pulumi.get(self, "bound_claims_type")
|
|
1579
1578
|
|
|
1580
|
-
@property
|
|
1579
|
+
@_builtins.property
|
|
1581
1580
|
@pulumi.getter(name="boundSubject")
|
|
1582
|
-
def bound_subject(self) -> pulumi.Output[Optional[
|
|
1581
|
+
def bound_subject(self) -> pulumi.Output[Optional[_builtins.str]]:
|
|
1583
1582
|
"""
|
|
1584
1583
|
If set, requires that the `sub` claim matches
|
|
1585
1584
|
this value.
|
|
1586
1585
|
"""
|
|
1587
1586
|
return pulumi.get(self, "bound_subject")
|
|
1588
1587
|
|
|
1589
|
-
@property
|
|
1588
|
+
@_builtins.property
|
|
1590
1589
|
@pulumi.getter(name="claimMappings")
|
|
1591
|
-
def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str,
|
|
1590
|
+
def claim_mappings(self) -> pulumi.Output[Optional[Mapping[str, _builtins.str]]]:
|
|
1592
1591
|
"""
|
|
1593
1592
|
If set, a map of claims (keys) to be copied
|
|
1594
1593
|
to specified metadata fields (values).
|
|
1595
1594
|
"""
|
|
1596
1595
|
return pulumi.get(self, "claim_mappings")
|
|
1597
1596
|
|
|
1598
|
-
@property
|
|
1597
|
+
@_builtins.property
|
|
1599
1598
|
@pulumi.getter(name="clockSkewLeeway")
|
|
1600
|
-
def clock_skew_leeway(self) -> pulumi.Output[Optional[
|
|
1599
|
+
def clock_skew_leeway(self) -> pulumi.Output[Optional[_builtins.int]]:
|
|
1601
1600
|
"""
|
|
1602
1601
|
The amount of leeway to add to all claims to account for clock skew, in
|
|
1603
1602
|
seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
|
|
@@ -1605,17 +1604,17 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1605
1604
|
"""
|
|
1606
1605
|
return pulumi.get(self, "clock_skew_leeway")
|
|
1607
1606
|
|
|
1608
|
-
@property
|
|
1607
|
+
@_builtins.property
|
|
1609
1608
|
@pulumi.getter(name="disableBoundClaimsParsing")
|
|
1610
|
-
def disable_bound_claims_parsing(self) -> pulumi.Output[Optional[
|
|
1609
|
+
def disable_bound_claims_parsing(self) -> pulumi.Output[Optional[_builtins.bool]]:
|
|
1611
1610
|
"""
|
|
1612
1611
|
Disable bound claim value parsing. Useful when values contain commas.
|
|
1613
1612
|
"""
|
|
1614
1613
|
return pulumi.get(self, "disable_bound_claims_parsing")
|
|
1615
1614
|
|
|
1616
|
-
@property
|
|
1615
|
+
@_builtins.property
|
|
1617
1616
|
@pulumi.getter(name="expirationLeeway")
|
|
1618
|
-
def expiration_leeway(self) -> pulumi.Output[Optional[
|
|
1617
|
+
def expiration_leeway(self) -> pulumi.Output[Optional[_builtins.int]]:
|
|
1619
1618
|
"""
|
|
1620
1619
|
The amount of leeway to add to expiration (`exp`) claims to account for
|
|
1621
1620
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
@@ -1623,9 +1622,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1623
1622
|
"""
|
|
1624
1623
|
return pulumi.get(self, "expiration_leeway")
|
|
1625
1624
|
|
|
1626
|
-
@property
|
|
1625
|
+
@_builtins.property
|
|
1627
1626
|
@pulumi.getter(name="groupsClaim")
|
|
1628
|
-
def groups_claim(self) -> pulumi.Output[Optional[
|
|
1627
|
+
def groups_claim(self) -> pulumi.Output[Optional[_builtins.str]]:
|
|
1629
1628
|
"""
|
|
1630
1629
|
The claim to use to uniquely identify
|
|
1631
1630
|
the set of groups to which the user belongs; this will be used as the names
|
|
@@ -1634,18 +1633,18 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1634
1633
|
"""
|
|
1635
1634
|
return pulumi.get(self, "groups_claim")
|
|
1636
1635
|
|
|
1637
|
-
@property
|
|
1636
|
+
@_builtins.property
|
|
1638
1637
|
@pulumi.getter(name="maxAge")
|
|
1639
|
-
def max_age(self) -> pulumi.Output[Optional[
|
|
1638
|
+
def max_age(self) -> pulumi.Output[Optional[_builtins.int]]:
|
|
1640
1639
|
"""
|
|
1641
1640
|
Specifies the allowable elapsed time in seconds since the last time
|
|
1642
1641
|
the user was actively authenticated with the OIDC provider.
|
|
1643
1642
|
"""
|
|
1644
1643
|
return pulumi.get(self, "max_age")
|
|
1645
1644
|
|
|
1646
|
-
@property
|
|
1645
|
+
@_builtins.property
|
|
1647
1646
|
@pulumi.getter
|
|
1648
|
-
def namespace(self) -> pulumi.Output[Optional[
|
|
1647
|
+
def namespace(self) -> pulumi.Output[Optional[_builtins.str]]:
|
|
1649
1648
|
"""
|
|
1650
1649
|
The namespace to provision the resource in.
|
|
1651
1650
|
The value should not contain leading or trailing forward slashes.
|
|
@@ -1654,9 +1653,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1654
1653
|
"""
|
|
1655
1654
|
return pulumi.get(self, "namespace")
|
|
1656
1655
|
|
|
1657
|
-
@property
|
|
1656
|
+
@_builtins.property
|
|
1658
1657
|
@pulumi.getter(name="notBeforeLeeway")
|
|
1659
|
-
def not_before_leeway(self) -> pulumi.Output[Optional[
|
|
1658
|
+
def not_before_leeway(self) -> pulumi.Output[Optional[_builtins.int]]:
|
|
1660
1659
|
"""
|
|
1661
1660
|
The amount of leeway to add to not before (`nbf`) claims to account for
|
|
1662
1661
|
clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
|
|
@@ -1664,106 +1663,106 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1664
1663
|
"""
|
|
1665
1664
|
return pulumi.get(self, "not_before_leeway")
|
|
1666
1665
|
|
|
1667
|
-
@property
|
|
1666
|
+
@_builtins.property
|
|
1668
1667
|
@pulumi.getter(name="oidcScopes")
|
|
1669
|
-
def oidc_scopes(self) -> pulumi.Output[Optional[Sequence[
|
|
1668
|
+
def oidc_scopes(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
|
|
1670
1669
|
"""
|
|
1671
1670
|
If set, a list of OIDC scopes to be used with an OIDC role.
|
|
1672
1671
|
The standard scope "openid" is automatically included and need not be specified.
|
|
1673
1672
|
"""
|
|
1674
1673
|
return pulumi.get(self, "oidc_scopes")
|
|
1675
1674
|
|
|
1676
|
-
@property
|
|
1675
|
+
@_builtins.property
|
|
1677
1676
|
@pulumi.getter(name="roleName")
|
|
1678
|
-
def role_name(self) -> pulumi.Output[
|
|
1677
|
+
def role_name(self) -> pulumi.Output[_builtins.str]:
|
|
1679
1678
|
"""
|
|
1680
1679
|
The name of the role.
|
|
1681
1680
|
"""
|
|
1682
1681
|
return pulumi.get(self, "role_name")
|
|
1683
1682
|
|
|
1684
|
-
@property
|
|
1683
|
+
@_builtins.property
|
|
1685
1684
|
@pulumi.getter(name="roleType")
|
|
1686
|
-
def role_type(self) -> pulumi.Output[
|
|
1685
|
+
def role_type(self) -> pulumi.Output[_builtins.str]:
|
|
1687
1686
|
"""
|
|
1688
1687
|
Type of role, either "oidc" (default) or "jwt".
|
|
1689
1688
|
"""
|
|
1690
1689
|
return pulumi.get(self, "role_type")
|
|
1691
1690
|
|
|
1692
|
-
@property
|
|
1691
|
+
@_builtins.property
|
|
1693
1692
|
@pulumi.getter(name="tokenBoundCidrs")
|
|
1694
|
-
def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[
|
|
1693
|
+
def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
|
|
1695
1694
|
"""
|
|
1696
1695
|
Specifies the blocks of IP addresses which are allowed to use the generated token
|
|
1697
1696
|
"""
|
|
1698
1697
|
return pulumi.get(self, "token_bound_cidrs")
|
|
1699
1698
|
|
|
1700
|
-
@property
|
|
1699
|
+
@_builtins.property
|
|
1701
1700
|
@pulumi.getter(name="tokenExplicitMaxTtl")
|
|
1702
|
-
def token_explicit_max_ttl(self) -> pulumi.Output[Optional[
|
|
1701
|
+
def token_explicit_max_ttl(self) -> pulumi.Output[Optional[_builtins.int]]:
|
|
1703
1702
|
"""
|
|
1704
1703
|
Generated Token's Explicit Maximum TTL in seconds
|
|
1705
1704
|
"""
|
|
1706
1705
|
return pulumi.get(self, "token_explicit_max_ttl")
|
|
1707
1706
|
|
|
1708
|
-
@property
|
|
1707
|
+
@_builtins.property
|
|
1709
1708
|
@pulumi.getter(name="tokenMaxTtl")
|
|
1710
|
-
def token_max_ttl(self) -> pulumi.Output[Optional[
|
|
1709
|
+
def token_max_ttl(self) -> pulumi.Output[Optional[_builtins.int]]:
|
|
1711
1710
|
"""
|
|
1712
1711
|
The maximum lifetime of the generated token
|
|
1713
1712
|
"""
|
|
1714
1713
|
return pulumi.get(self, "token_max_ttl")
|
|
1715
1714
|
|
|
1716
|
-
@property
|
|
1715
|
+
@_builtins.property
|
|
1717
1716
|
@pulumi.getter(name="tokenNoDefaultPolicy")
|
|
1718
|
-
def token_no_default_policy(self) -> pulumi.Output[Optional[
|
|
1717
|
+
def token_no_default_policy(self) -> pulumi.Output[Optional[_builtins.bool]]:
|
|
1719
1718
|
"""
|
|
1720
1719
|
If true, the 'default' policy will not automatically be added to generated tokens
|
|
1721
1720
|
"""
|
|
1722
1721
|
return pulumi.get(self, "token_no_default_policy")
|
|
1723
1722
|
|
|
1724
|
-
@property
|
|
1723
|
+
@_builtins.property
|
|
1725
1724
|
@pulumi.getter(name="tokenNumUses")
|
|
1726
|
-
def token_num_uses(self) -> pulumi.Output[Optional[
|
|
1725
|
+
def token_num_uses(self) -> pulumi.Output[Optional[_builtins.int]]:
|
|
1727
1726
|
"""
|
|
1728
1727
|
The maximum number of times a token may be used, a value of zero means unlimited
|
|
1729
1728
|
"""
|
|
1730
1729
|
return pulumi.get(self, "token_num_uses")
|
|
1731
1730
|
|
|
1732
|
-
@property
|
|
1731
|
+
@_builtins.property
|
|
1733
1732
|
@pulumi.getter(name="tokenPeriod")
|
|
1734
|
-
def token_period(self) -> pulumi.Output[Optional[
|
|
1733
|
+
def token_period(self) -> pulumi.Output[Optional[_builtins.int]]:
|
|
1735
1734
|
"""
|
|
1736
1735
|
Generated Token's Period
|
|
1737
1736
|
"""
|
|
1738
1737
|
return pulumi.get(self, "token_period")
|
|
1739
1738
|
|
|
1740
|
-
@property
|
|
1739
|
+
@_builtins.property
|
|
1741
1740
|
@pulumi.getter(name="tokenPolicies")
|
|
1742
|
-
def token_policies(self) -> pulumi.Output[Optional[Sequence[
|
|
1741
|
+
def token_policies(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
|
|
1743
1742
|
"""
|
|
1744
1743
|
Generated Token's Policies
|
|
1745
1744
|
"""
|
|
1746
1745
|
return pulumi.get(self, "token_policies")
|
|
1747
1746
|
|
|
1748
|
-
@property
|
|
1747
|
+
@_builtins.property
|
|
1749
1748
|
@pulumi.getter(name="tokenTtl")
|
|
1750
|
-
def token_ttl(self) -> pulumi.Output[Optional[
|
|
1749
|
+
def token_ttl(self) -> pulumi.Output[Optional[_builtins.int]]:
|
|
1751
1750
|
"""
|
|
1752
1751
|
The initial ttl of the token to generate in seconds
|
|
1753
1752
|
"""
|
|
1754
1753
|
return pulumi.get(self, "token_ttl")
|
|
1755
1754
|
|
|
1756
|
-
@property
|
|
1755
|
+
@_builtins.property
|
|
1757
1756
|
@pulumi.getter(name="tokenType")
|
|
1758
|
-
def token_type(self) -> pulumi.Output[Optional[
|
|
1757
|
+
def token_type(self) -> pulumi.Output[Optional[_builtins.str]]:
|
|
1759
1758
|
"""
|
|
1760
1759
|
The type of token to generate, service or batch
|
|
1761
1760
|
"""
|
|
1762
1761
|
return pulumi.get(self, "token_type")
|
|
1763
1762
|
|
|
1764
|
-
@property
|
|
1763
|
+
@_builtins.property
|
|
1765
1764
|
@pulumi.getter(name="userClaim")
|
|
1766
|
-
def user_claim(self) -> pulumi.Output[
|
|
1765
|
+
def user_claim(self) -> pulumi.Output[_builtins.str]:
|
|
1767
1766
|
"""
|
|
1768
1767
|
The claim to use to uniquely identify
|
|
1769
1768
|
the user; this will be used as the name for the Identity entity alias created
|
|
@@ -1771,9 +1770,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1771
1770
|
"""
|
|
1772
1771
|
return pulumi.get(self, "user_claim")
|
|
1773
1772
|
|
|
1774
|
-
@property
|
|
1773
|
+
@_builtins.property
|
|
1775
1774
|
@pulumi.getter(name="userClaimJsonPointer")
|
|
1776
|
-
def user_claim_json_pointer(self) -> pulumi.Output[Optional[
|
|
1775
|
+
def user_claim_json_pointer(self) -> pulumi.Output[Optional[_builtins.bool]]:
|
|
1777
1776
|
"""
|
|
1778
1777
|
Specifies if the `user_claim` value uses
|
|
1779
1778
|
[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
|
|
@@ -1782,9 +1781,9 @@ class AuthBackendRole(pulumi.CustomResource):
|
|
|
1782
1781
|
"""
|
|
1783
1782
|
return pulumi.get(self, "user_claim_json_pointer")
|
|
1784
1783
|
|
|
1785
|
-
@property
|
|
1784
|
+
@_builtins.property
|
|
1786
1785
|
@pulumi.getter(name="verboseOidcLogging")
|
|
1787
|
-
def verbose_oidc_logging(self) -> pulumi.Output[Optional[
|
|
1786
|
+
def verbose_oidc_logging(self) -> pulumi.Output[Optional[_builtins.bool]]:
|
|
1788
1787
|
"""
|
|
1789
1788
|
Log received OIDC tokens and claims when debug-level
|
|
1790
1789
|
logging is active. Not recommended in production since sensitive information may be present
|