PyPI - pulumi-vault - Versions diffs - 7.6.0a1764657486__py3-none-any.whl - Mend

pulumi-vault 7.6.0a1764657486__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (274) hide show

pulumi_vault/__init__.py +1399 -0
pulumi_vault/_inputs.py +2701 -0
pulumi_vault/_utilities.py +331 -0
pulumi_vault/ad/__init__.py +12 -0
pulumi_vault/ad/get_access_credentials.py +177 -0
pulumi_vault/ad/secret_backend.py +1916 -0
pulumi_vault/ad/secret_library.py +546 -0
pulumi_vault/ad/secret_role.py +499 -0
pulumi_vault/alicloud/__init__.py +9 -0
pulumi_vault/alicloud/auth_backend_role.py +866 -0
pulumi_vault/approle/__init__.py +12 -0
pulumi_vault/approle/auth_backend_login.py +571 -0
pulumi_vault/approle/auth_backend_role.py +1082 -0
pulumi_vault/approle/auth_backend_role_secret_id.py +796 -0
pulumi_vault/approle/get_auth_backend_role_id.py +169 -0
pulumi_vault/audit.py +499 -0
pulumi_vault/audit_request_header.py +277 -0
pulumi_vault/auth_backend.py +565 -0
pulumi_vault/aws/__init__.py +22 -0
pulumi_vault/aws/auth_backend_cert.py +420 -0
pulumi_vault/aws/auth_backend_client.py +1259 -0
pulumi_vault/aws/auth_backend_config_identity.py +494 -0
pulumi_vault/aws/auth_backend_identity_whitelist.py +380 -0
pulumi_vault/aws/auth_backend_login.py +1046 -0
pulumi_vault/aws/auth_backend_role.py +1961 -0
pulumi_vault/aws/auth_backend_role_tag.py +638 -0
pulumi_vault/aws/auth_backend_roletag_blacklist.py +366 -0
pulumi_vault/aws/auth_backend_sts_role.py +414 -0
pulumi_vault/aws/get_access_credentials.py +369 -0
pulumi_vault/aws/get_static_access_credentials.py +137 -0
pulumi_vault/aws/secret_backend.py +2018 -0
pulumi_vault/aws/secret_backend_role.py +1188 -0
pulumi_vault/aws/secret_backend_static_role.py +639 -0
pulumi_vault/azure/__init__.py +15 -0
pulumi_vault/azure/_inputs.py +108 -0
pulumi_vault/azure/auth_backend_config.py +1096 -0
pulumi_vault/azure/auth_backend_role.py +1176 -0
pulumi_vault/azure/backend.py +1793 -0
pulumi_vault/azure/backend_role.py +883 -0
pulumi_vault/azure/get_access_credentials.py +400 -0
pulumi_vault/azure/outputs.py +107 -0
pulumi_vault/cert_auth_backend_role.py +1539 -0
pulumi_vault/config/__init__.py +9 -0
pulumi_vault/config/__init__.pyi +164 -0
pulumi_vault/config/_inputs.py +73 -0
pulumi_vault/config/outputs.py +1225 -0
pulumi_vault/config/ui_custom_message.py +530 -0
pulumi_vault/config/vars.py +230 -0
pulumi_vault/consul/__init__.py +10 -0
pulumi_vault/consul/secret_backend.py +1517 -0
pulumi_vault/consul/secret_backend_role.py +847 -0
pulumi_vault/database/__init__.py +14 -0
pulumi_vault/database/_inputs.py +11907 -0
pulumi_vault/database/outputs.py +8496 -0
pulumi_vault/database/secret_backend_connection.py +1676 -0
pulumi_vault/database/secret_backend_role.py +840 -0
pulumi_vault/database/secret_backend_static_role.py +881 -0
pulumi_vault/database/secrets_mount.py +2160 -0
pulumi_vault/egp_policy.py +399 -0
pulumi_vault/gcp/__init__.py +17 -0
pulumi_vault/gcp/_inputs.py +441 -0
pulumi_vault/gcp/auth_backend.py +1486 -0
pulumi_vault/gcp/auth_backend_role.py +1235 -0
pulumi_vault/gcp/get_auth_backend_role.py +514 -0
pulumi_vault/gcp/outputs.py +302 -0
pulumi_vault/gcp/secret_backend.py +1807 -0
pulumi_vault/gcp/secret_impersonated_account.py +484 -0
pulumi_vault/gcp/secret_roleset.py +554 -0
pulumi_vault/gcp/secret_static_account.py +557 -0
pulumi_vault/generic/__init__.py +11 -0
pulumi_vault/generic/endpoint.py +786 -0
pulumi_vault/generic/get_secret.py +306 -0
pulumi_vault/generic/secret.py +486 -0
pulumi_vault/get_auth_backend.py +226 -0
pulumi_vault/get_auth_backends.py +170 -0
pulumi_vault/get_namespace.py +226 -0
pulumi_vault/get_namespaces.py +202 -0
pulumi_vault/get_nomad_access_token.py +210 -0
pulumi_vault/get_policy_document.py +160 -0
pulumi_vault/get_raft_autopilot_state.py +267 -0
pulumi_vault/github/__init__.py +13 -0
pulumi_vault/github/_inputs.py +225 -0
pulumi_vault/github/auth_backend.py +1194 -0
pulumi_vault/github/outputs.py +174 -0
pulumi_vault/github/team.py +380 -0
pulumi_vault/github/user.py +380 -0
pulumi_vault/identity/__init__.py +35 -0
pulumi_vault/identity/entity.py +447 -0
pulumi_vault/identity/entity_alias.py +398 -0
pulumi_vault/identity/entity_policies.py +455 -0
pulumi_vault/identity/get_entity.py +384 -0
pulumi_vault/identity/get_group.py +467 -0
pulumi_vault/identity/get_oidc_client_creds.py +175 -0
pulumi_vault/identity/get_oidc_openid_config.py +334 -0
pulumi_vault/identity/get_oidc_public_keys.py +179 -0
pulumi_vault/identity/group.py +805 -0
pulumi_vault/identity/group_alias.py +386 -0
pulumi_vault/identity/group_member_entity_ids.py +444 -0
pulumi_vault/identity/group_member_group_ids.py +467 -0
pulumi_vault/identity/group_policies.py +471 -0
pulumi_vault/identity/mfa_duo.py +674 -0
pulumi_vault/identity/mfa_login_enforcement.py +566 -0
pulumi_vault/identity/mfa_okta.py +626 -0
pulumi_vault/identity/mfa_pingid.py +616 -0
pulumi_vault/identity/mfa_totp.py +758 -0
pulumi_vault/identity/oidc.py +268 -0
pulumi_vault/identity/oidc_assignment.py +375 -0
pulumi_vault/identity/oidc_client.py +667 -0
pulumi_vault/identity/oidc_key.py +474 -0
pulumi_vault/identity/oidc_key_allowed_client_id.py +298 -0
pulumi_vault/identity/oidc_provider.py +550 -0
pulumi_vault/identity/oidc_role.py +543 -0
pulumi_vault/identity/oidc_scope.py +355 -0
pulumi_vault/identity/outputs.py +137 -0
pulumi_vault/jwt/__init__.py +12 -0
pulumi_vault/jwt/_inputs.py +225 -0
pulumi_vault/jwt/auth_backend.py +1347 -0
pulumi_vault/jwt/auth_backend_role.py +1847 -0
pulumi_vault/jwt/outputs.py +174 -0
pulumi_vault/kmip/__init__.py +11 -0
pulumi_vault/kmip/secret_backend.py +1591 -0
pulumi_vault/kmip/secret_role.py +1194 -0
pulumi_vault/kmip/secret_scope.py +372 -0
pulumi_vault/kubernetes/__init__.py +15 -0
pulumi_vault/kubernetes/auth_backend_config.py +654 -0
pulumi_vault/kubernetes/auth_backend_role.py +1031 -0
pulumi_vault/kubernetes/get_auth_backend_config.py +280 -0
pulumi_vault/kubernetes/get_auth_backend_role.py +470 -0
pulumi_vault/kubernetes/get_service_account_token.py +344 -0
pulumi_vault/kubernetes/secret_backend.py +1341 -0
pulumi_vault/kubernetes/secret_backend_role.py +1140 -0
pulumi_vault/kv/__init__.py +18 -0
pulumi_vault/kv/_inputs.py +124 -0
pulumi_vault/kv/get_secret.py +240 -0
pulumi_vault/kv/get_secret_subkeys_v2.py +275 -0
pulumi_vault/kv/get_secret_v2.py +315 -0
pulumi_vault/kv/get_secrets_list.py +186 -0
pulumi_vault/kv/get_secrets_list_v2.py +243 -0
pulumi_vault/kv/outputs.py +102 -0
pulumi_vault/kv/secret.py +397 -0
pulumi_vault/kv/secret_backend_v2.py +455 -0
pulumi_vault/kv/secret_v2.py +970 -0
pulumi_vault/ldap/__init__.py +19 -0
pulumi_vault/ldap/_inputs.py +225 -0
pulumi_vault/ldap/auth_backend.py +2520 -0
pulumi_vault/ldap/auth_backend_group.py +386 -0
pulumi_vault/ldap/auth_backend_user.py +439 -0
pulumi_vault/ldap/get_dynamic_credentials.py +181 -0
pulumi_vault/ldap/get_static_credentials.py +192 -0
pulumi_vault/ldap/outputs.py +174 -0
pulumi_vault/ldap/secret_backend.py +2207 -0
pulumi_vault/ldap/secret_backend_dynamic_role.py +767 -0
pulumi_vault/ldap/secret_backend_library_set.py +552 -0
pulumi_vault/ldap/secret_backend_static_role.py +541 -0
pulumi_vault/managed/__init__.py +11 -0
pulumi_vault/managed/_inputs.py +944 -0
pulumi_vault/managed/keys.py +398 -0
pulumi_vault/managed/outputs.py +667 -0
pulumi_vault/mfa_duo.py +589 -0
pulumi_vault/mfa_okta.py +623 -0
pulumi_vault/mfa_pingid.py +670 -0
pulumi_vault/mfa_totp.py +620 -0
pulumi_vault/mongodbatlas/__init__.py +10 -0
pulumi_vault/mongodbatlas/secret_backend.py +388 -0
pulumi_vault/mongodbatlas/secret_role.py +726 -0
pulumi_vault/mount.py +1262 -0
pulumi_vault/namespace.py +452 -0
pulumi_vault/nomad_secret_backend.py +1559 -0
pulumi_vault/nomad_secret_role.py +489 -0
pulumi_vault/oci_auth_backend.py +676 -0
pulumi_vault/oci_auth_backend_role.py +852 -0
pulumi_vault/okta/__init__.py +13 -0
pulumi_vault/okta/_inputs.py +320 -0
pulumi_vault/okta/auth_backend.py +1231 -0
pulumi_vault/okta/auth_backend_group.py +369 -0
pulumi_vault/okta/auth_backend_user.py +416 -0
pulumi_vault/okta/outputs.py +244 -0
pulumi_vault/outputs.py +502 -0
pulumi_vault/pkisecret/__init__.py +38 -0
pulumi_vault/pkisecret/_inputs.py +270 -0
pulumi_vault/pkisecret/backend_acme_eab.py +550 -0
pulumi_vault/pkisecret/backend_config_acme.py +690 -0
pulumi_vault/pkisecret/backend_config_auto_tidy.py +1370 -0
pulumi_vault/pkisecret/backend_config_cluster.py +370 -0
pulumi_vault/pkisecret/backend_config_cmpv2.py +693 -0
pulumi_vault/pkisecret/backend_config_est.py +756 -0
pulumi_vault/pkisecret/backend_config_scep.py +738 -0
pulumi_vault/pkisecret/get_backend_cert_metadata.py +277 -0
pulumi_vault/pkisecret/get_backend_config_cmpv2.py +226 -0
pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
pulumi_vault/pkisecret/get_backend_config_scep.py +271 -0
pulumi_vault/pkisecret/get_backend_issuer.py +395 -0
pulumi_vault/pkisecret/get_backend_issuers.py +192 -0
pulumi_vault/pkisecret/get_backend_key.py +211 -0
pulumi_vault/pkisecret/get_backend_keys.py +192 -0
pulumi_vault/pkisecret/outputs.py +270 -0
pulumi_vault/pkisecret/secret_backend_cert.py +1315 -0
pulumi_vault/pkisecret/secret_backend_config_ca.py +386 -0
pulumi_vault/pkisecret/secret_backend_config_issuers.py +392 -0
pulumi_vault/pkisecret/secret_backend_config_urls.py +462 -0
pulumi_vault/pkisecret/secret_backend_crl_config.py +846 -0
pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +1629 -0
pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +444 -0
pulumi_vault/pkisecret/secret_backend_issuer.py +1089 -0
pulumi_vault/pkisecret/secret_backend_key.py +613 -0
pulumi_vault/pkisecret/secret_backend_role.py +2694 -0
pulumi_vault/pkisecret/secret_backend_root_cert.py +2134 -0
pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +2031 -0
pulumi_vault/pkisecret/secret_backend_sign.py +1194 -0
pulumi_vault/plugin.py +596 -0
pulumi_vault/plugin_pinned_version.py +299 -0
pulumi_vault/policy.py +279 -0
pulumi_vault/provider.py +781 -0
pulumi_vault/pulumi-plugin.json +5 -0
pulumi_vault/py.typed +0 -0
pulumi_vault/quota_lease_count.py +504 -0
pulumi_vault/quota_rate_limit.py +751 -0
pulumi_vault/rabbitmq/__init__.py +12 -0
pulumi_vault/rabbitmq/_inputs.py +235 -0
pulumi_vault/rabbitmq/outputs.py +144 -0
pulumi_vault/rabbitmq/secret_backend.py +1437 -0
pulumi_vault/rabbitmq/secret_backend_role.py +496 -0
pulumi_vault/raft_autopilot.py +609 -0
pulumi_vault/raft_snapshot_agent_config.py +1591 -0
pulumi_vault/rgp_policy.py +349 -0
pulumi_vault/saml/__init__.py +12 -0
pulumi_vault/saml/_inputs.py +225 -0
pulumi_vault/saml/auth_backend.py +811 -0
pulumi_vault/saml/auth_backend_role.py +1068 -0
pulumi_vault/saml/outputs.py +174 -0
pulumi_vault/scep_auth_backend_role.py +908 -0
pulumi_vault/secrets/__init__.py +18 -0
pulumi_vault/secrets/_inputs.py +110 -0
pulumi_vault/secrets/outputs.py +94 -0
pulumi_vault/secrets/sync_association.py +450 -0
pulumi_vault/secrets/sync_aws_destination.py +780 -0
pulumi_vault/secrets/sync_azure_destination.py +736 -0
pulumi_vault/secrets/sync_config.py +303 -0
pulumi_vault/secrets/sync_gcp_destination.py +572 -0
pulumi_vault/secrets/sync_gh_destination.py +688 -0
pulumi_vault/secrets/sync_github_apps.py +376 -0
pulumi_vault/secrets/sync_vercel_destination.py +603 -0
pulumi_vault/ssh/__init__.py +13 -0
pulumi_vault/ssh/_inputs.py +76 -0
pulumi_vault/ssh/get_secret_backend_sign.py +294 -0
pulumi_vault/ssh/outputs.py +51 -0
pulumi_vault/ssh/secret_backend_ca.py +588 -0
pulumi_vault/ssh/secret_backend_role.py +1493 -0
pulumi_vault/terraformcloud/__init__.py +11 -0
pulumi_vault/terraformcloud/secret_backend.py +1321 -0
pulumi_vault/terraformcloud/secret_creds.py +445 -0
pulumi_vault/terraformcloud/secret_role.py +563 -0
pulumi_vault/token.py +1026 -0
pulumi_vault/tokenauth/__init__.py +9 -0
pulumi_vault/tokenauth/auth_backend_role.py +1135 -0
pulumi_vault/transform/__init__.py +14 -0
pulumi_vault/transform/alphabet.py +348 -0
pulumi_vault/transform/get_decode.py +287 -0
pulumi_vault/transform/get_encode.py +291 -0
pulumi_vault/transform/role.py +350 -0
pulumi_vault/transform/template.py +592 -0
pulumi_vault/transform/transformation.py +608 -0
pulumi_vault/transit/__init__.py +15 -0
pulumi_vault/transit/get_cmac.py +256 -0
pulumi_vault/transit/get_decrypt.py +181 -0
pulumi_vault/transit/get_encrypt.py +174 -0
pulumi_vault/transit/get_sign.py +328 -0
pulumi_vault/transit/get_verify.py +373 -0
pulumi_vault/transit/secret_backend_key.py +1202 -0
pulumi_vault/transit/secret_cache_config.py +302 -0
pulumi_vault-7.6.0a1764657486.dist-info/METADATA +92 -0
pulumi_vault-7.6.0a1764657486.dist-info/RECORD +274 -0
pulumi_vault-7.6.0a1764657486.dist-info/WHEEL +5 -0
pulumi_vault-7.6.0a1764657486.dist-info/top_level.txt +1 -0

pulumi_vault/aws/auth_backend_role.py ADDED Viewed

@@ -0,0 +1,1961 @@
+# coding=utf-8
+# *** WARNING: this file was generated by pulumi-language-python. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+import builtins as _builtins
+import warnings
+import sys
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
+from .. import _utilities
+__all__ = ['AuthBackendRoleArgs', 'AuthBackendRole']
+@pulumi.input_type
+class AuthBackendRoleArgs:
+    def __init__(__self__, *,
+                 role: pulumi.Input[_builtins.str],
+                 alias_metadata: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 allow_instance_migration: Optional[pulumi.Input[_builtins.bool]] = None,
+                 auth_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 backend: Optional[pulumi.Input[_builtins.str]] = None,
+                 bound_account_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_ami_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_ec2_instance_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_instance_profile_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_principal_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_regions: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_subnet_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_vpc_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 disallow_reauthentication: Optional[pulumi.Input[_builtins.bool]] = None,
+                 inferred_aws_region: Optional[pulumi.Input[_builtins.str]] = None,
+                 inferred_entity_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 resolve_aws_unique_ids: Optional[pulumi.Input[_builtins.bool]] = None,
+                 role_tag: Optional[pulumi.Input[_builtins.str]] = None,
+                 token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
+                 token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_period: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_type: Optional[pulumi.Input[_builtins.str]] = None):
+        """
+        The set of arguments for constructing a AuthBackendRole resource.
+        :param pulumi.Input[_builtins.str] role: The name of the role.
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] alias_metadata: The metadata to be tied to generated entity alias.
+                 This should be a list or map containing the metadata in key value pairs.
+        :param pulumi.Input[_builtins.bool] allow_instance_migration: If set to `true`, allows migration of
+               the underlying instance where the client resides.
+        :param pulumi.Input[_builtins.str] auth_type: The auth type permitted for this role. Valid choices
+               are `ec2` and `iam`. Defaults to `iam`.
+        :param pulumi.Input[_builtins.str] backend: Path to the mounted aws auth backend.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_account_ids: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they should be using the
+               account ID specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_ami_ids: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that they should be using the AMI ID
+               specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_ec2_instance_ids: Only EC2 instances that match this instance ID will be permitted to log in.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_instance_profile_arns: If set, defines a constraint on
+               the EC2 instances that can perform the login operation that they must be
+               associated with an IAM instance profile ARN which has a prefix that matches
+               the value specified by this field. The value is prefix-matched as though it
+               were a glob ending in `*`. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_principal_arns: If set, defines the IAM principal that
+               must be authenticated when `auth_type` is set to `iam`. Wildcards are
+               supported at the end of the ARN.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_role_arns: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they must match the IAM
+               role ARN specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_regions: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that the region in their identity
+               document must match the one specified by this field. `auth_type` must be set
+               to `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+               constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_subnet_ids: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they be associated with
+               the subnet ID that matches the value specified by this field. `auth_type`
+               must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+               to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_vpc_ids: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that they be associated with the VPC ID
+               that matches the value specified by this field. `auth_type` must be set to
+               `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+               constraint.
+        :param pulumi.Input[_builtins.bool] disallow_reauthentication: IF set to `true`, only allows a
+               single token to be granted per instance ID. This can only be set when
+               `auth_type` is set to `ec2`.
+        :param pulumi.Input[_builtins.str] inferred_aws_region: When `inferred_entity_type` is set, this
+               is the region to search for the inferred entities. Required if
+               `inferred_entity_type` is set. This only applies when `auth_type` is set to
+               `iam`.
+        :param pulumi.Input[_builtins.str] inferred_entity_type: If set, instructs Vault to turn on
+               inferencing. The only valid value is `ec2_instance`, which instructs Vault to
+               infer that the role comes from an EC2 instance in an IAM instance profile.
+               This only applies when `auth_type` is set to `iam`.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+               *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.bool] resolve_aws_unique_ids: Only valid when
+               `auth_type` is `iam`. If set to `true`, the `bound_iam_principal_arns` are
+               resolved to [AWS Unique
+               IDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
+               for the bound principal ARN. This field is ignored when a
+               `bound_iam_principal_arn` ends in a wildcard. Resolving to unique IDs more
+               closely mimics the behavior of AWS services in that if an IAM user or role is
+               deleted and a new one is recreated with the same name, those new users or
+               roles won't get access to roles in Vault that were permissioned to the prior
+               principals of the same name. Defaults to `true`.
+               Once set to `true`, this cannot be changed to `false` without recreating the role.
+        :param pulumi.Input[_builtins.str] role_tag: If set, enable role tags for this role. The value set
+               for this field should be the key of the tag on the EC2 instance. `auth_type`
+               must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+               to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
+        :param pulumi.Input[_builtins.int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
+        :param pulumi.Input[_builtins.int] token_max_ttl: The maximum lifetime of the generated token
+        :param pulumi.Input[_builtins.bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
+        :param pulumi.Input[_builtins.int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
+        :param pulumi.Input[_builtins.int] token_period: Generated Token's Period
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_policies: Generated Token's Policies
+        :param pulumi.Input[_builtins.int] token_ttl: The initial ttl of the token to generate in seconds
+        :param pulumi.Input[_builtins.str] token_type: The type of token to generate, service or batch
+        """
+        pulumi.set(__self__, "role", role)
+        if alias_metadata is not None:
+            pulumi.set(__self__, "alias_metadata", alias_metadata)
+        if allow_instance_migration is not None:
+            pulumi.set(__self__, "allow_instance_migration", allow_instance_migration)
+        if auth_type is not None:
+            pulumi.set(__self__, "auth_type", auth_type)
+        if backend is not None:
+            pulumi.set(__self__, "backend", backend)
+        if bound_account_ids is not None:
+            pulumi.set(__self__, "bound_account_ids", bound_account_ids)
+        if bound_ami_ids is not None:
+            pulumi.set(__self__, "bound_ami_ids", bound_ami_ids)
+        if bound_ec2_instance_ids is not None:
+            pulumi.set(__self__, "bound_ec2_instance_ids", bound_ec2_instance_ids)
+        if bound_iam_instance_profile_arns is not None:
+            pulumi.set(__self__, "bound_iam_instance_profile_arns", bound_iam_instance_profile_arns)
+        if bound_iam_principal_arns is not None:
+            pulumi.set(__self__, "bound_iam_principal_arns", bound_iam_principal_arns)
+        if bound_iam_role_arns is not None:
+            pulumi.set(__self__, "bound_iam_role_arns", bound_iam_role_arns)
+        if bound_regions is not None:
+            pulumi.set(__self__, "bound_regions", bound_regions)
+        if bound_subnet_ids is not None:
+            pulumi.set(__self__, "bound_subnet_ids", bound_subnet_ids)
+        if bound_vpc_ids is not None:
+            pulumi.set(__self__, "bound_vpc_ids", bound_vpc_ids)
+        if disallow_reauthentication is not None:
+            pulumi.set(__self__, "disallow_reauthentication", disallow_reauthentication)
+        if inferred_aws_region is not None:
+            pulumi.set(__self__, "inferred_aws_region", inferred_aws_region)
+        if inferred_entity_type is not None:
+            pulumi.set(__self__, "inferred_entity_type", inferred_entity_type)
+        if namespace is not None:
+            pulumi.set(__self__, "namespace", namespace)
+        if resolve_aws_unique_ids is not None:
+            pulumi.set(__self__, "resolve_aws_unique_ids", resolve_aws_unique_ids)
+        if role_tag is not None:
+            pulumi.set(__self__, "role_tag", role_tag)
+        if token_bound_cidrs is not None:
+            pulumi.set(__self__, "token_bound_cidrs", token_bound_cidrs)
+        if token_explicit_max_ttl is not None:
+            pulumi.set(__self__, "token_explicit_max_ttl", token_explicit_max_ttl)
+        if token_max_ttl is not None:
+            pulumi.set(__self__, "token_max_ttl", token_max_ttl)
+        if token_no_default_policy is not None:
+            pulumi.set(__self__, "token_no_default_policy", token_no_default_policy)
+        if token_num_uses is not None:
+            pulumi.set(__self__, "token_num_uses", token_num_uses)
+        if token_period is not None:
+            pulumi.set(__self__, "token_period", token_period)
+        if token_policies is not None:
+            pulumi.set(__self__, "token_policies", token_policies)
+        if token_ttl is not None:
+            pulumi.set(__self__, "token_ttl", token_ttl)
+        if token_type is not None:
+            pulumi.set(__self__, "token_type", token_type)
+    @_builtins.property
+    @pulumi.getter
+    def role(self) -> pulumi.Input[_builtins.str]:
+        """
+        The name of the role.
+        """
+        return pulumi.get(self, "role")
+    @role.setter
+    def role(self, value: pulumi.Input[_builtins.str]):
+        pulumi.set(self, "role", value)
+    @_builtins.property
+    @pulumi.getter(name="aliasMetadata")
+    def alias_metadata(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
+        """
+        The metadata to be tied to generated entity alias.
+          This should be a list or map containing the metadata in key value pairs.
+        """
+        return pulumi.get(self, "alias_metadata")
+    @alias_metadata.setter
+    def alias_metadata(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "alias_metadata", value)
+    @_builtins.property
+    @pulumi.getter(name="allowInstanceMigration")
+    def allow_instance_migration(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If set to `true`, allows migration of
+        the underlying instance where the client resides.
+        """
+        return pulumi.get(self, "allow_instance_migration")
+    @allow_instance_migration.setter
+    def allow_instance_migration(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "allow_instance_migration", value)
+    @_builtins.property
+    @pulumi.getter(name="authType")
+    def auth_type(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The auth type permitted for this role. Valid choices
+        are `ec2` and `iam`. Defaults to `iam`.
+        """
+        return pulumi.get(self, "auth_type")
+    @auth_type.setter
+    def auth_type(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "auth_type", value)
+    @_builtins.property
+    @pulumi.getter
+    def backend(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Path to the mounted aws auth backend.
+        """
+        return pulumi.get(self, "backend")
+    @backend.setter
+    def backend(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "backend", value)
+    @_builtins.property
+    @pulumi.getter(name="boundAccountIds")
+    def bound_account_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2
+        instances that can perform the login operation that they should be using the
+        account ID specified by this field. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_account_ids")
+    @bound_account_ids.setter
+    def bound_account_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_account_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="boundAmiIds")
+    def bound_ami_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2 instances
+        that can perform the login operation that they should be using the AMI ID
+        specified by this field. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_ami_ids")
+    @bound_ami_ids.setter
+    def bound_ami_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_ami_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="boundEc2InstanceIds")
+    def bound_ec2_instance_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        Only EC2 instances that match this instance ID will be permitted to log in.
+        """
+        return pulumi.get(self, "bound_ec2_instance_ids")
+    @bound_ec2_instance_ids.setter
+    def bound_ec2_instance_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_ec2_instance_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="boundIamInstanceProfileArns")
+    def bound_iam_instance_profile_arns(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on
+        the EC2 instances that can perform the login operation that they must be
+        associated with an IAM instance profile ARN which has a prefix that matches
+        the value specified by this field. The value is prefix-matched as though it
+        were a glob ending in `*`. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_iam_instance_profile_arns")
+    @bound_iam_instance_profile_arns.setter
+    def bound_iam_instance_profile_arns(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_iam_instance_profile_arns", value)
+    @_builtins.property
+    @pulumi.getter(name="boundIamPrincipalArns")
+    def bound_iam_principal_arns(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines the IAM principal that
+        must be authenticated when `auth_type` is set to `iam`. Wildcards are
+        supported at the end of the ARN.
+        """
+        return pulumi.get(self, "bound_iam_principal_arns")
+    @bound_iam_principal_arns.setter
+    def bound_iam_principal_arns(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_iam_principal_arns", value)
+    @_builtins.property
+    @pulumi.getter(name="boundIamRoleArns")
+    def bound_iam_role_arns(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2
+        instances that can perform the login operation that they must match the IAM
+        role ARN specified by this field. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_iam_role_arns")
+    @bound_iam_role_arns.setter
+    def bound_iam_role_arns(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_iam_role_arns", value)
+    @_builtins.property
+    @pulumi.getter(name="boundRegions")
+    def bound_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2 instances
+        that can perform the login operation that the region in their identity
+        document must match the one specified by this field. `auth_type` must be set
+        to `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+        constraint.
+        """
+        return pulumi.get(self, "bound_regions")
+    @bound_regions.setter
+    def bound_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_regions", value)
+    @_builtins.property
+    @pulumi.getter(name="boundSubnetIds")
+    def bound_subnet_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2
+        instances that can perform the login operation that they be associated with
+        the subnet ID that matches the value specified by this field. `auth_type`
+        must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+        to use this constraint.
+        """
+        return pulumi.get(self, "bound_subnet_ids")
+    @bound_subnet_ids.setter
+    def bound_subnet_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_subnet_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="boundVpcIds")
+    def bound_vpc_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2 instances
+        that can perform the login operation that they be associated with the VPC ID
+        that matches the value specified by this field. `auth_type` must be set to
+        `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+        constraint.
+        """
+        return pulumi.get(self, "bound_vpc_ids")
+    @bound_vpc_ids.setter
+    def bound_vpc_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_vpc_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="disallowReauthentication")
+    def disallow_reauthentication(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        IF set to `true`, only allows a
+        single token to be granted per instance ID. This can only be set when
+        `auth_type` is set to `ec2`.
+        """
+        return pulumi.get(self, "disallow_reauthentication")
+    @disallow_reauthentication.setter
+    def disallow_reauthentication(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "disallow_reauthentication", value)
+    @_builtins.property
+    @pulumi.getter(name="inferredAwsRegion")
+    def inferred_aws_region(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        When `inferred_entity_type` is set, this
+        is the region to search for the inferred entities. Required if
+        `inferred_entity_type` is set. This only applies when `auth_type` is set to
+        `iam`.
+        """
+        return pulumi.get(self, "inferred_aws_region")
+    @inferred_aws_region.setter
+    def inferred_aws_region(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "inferred_aws_region", value)
+    @_builtins.property
+    @pulumi.getter(name="inferredEntityType")
+    def inferred_entity_type(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        If set, instructs Vault to turn on
+        inferencing. The only valid value is `ec2_instance`, which instructs Vault to
+        infer that the role comes from an EC2 instance in an IAM instance profile.
+        This only applies when `auth_type` is set to `iam`.
+        """
+        return pulumi.get(self, "inferred_entity_type")
+    @inferred_entity_type.setter
+    def inferred_entity_type(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "inferred_entity_type", value)
+    @_builtins.property
+    @pulumi.getter
+    def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The namespace to provision the resource in.
+        The value should not contain leading or trailing forward slashes.
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "namespace")
+    @namespace.setter
+    def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "namespace", value)
+    @_builtins.property
+    @pulumi.getter(name="resolveAwsUniqueIds")
+    def resolve_aws_unique_ids(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        Only valid when
+        `auth_type` is `iam`. If set to `true`, the `bound_iam_principal_arns` are
+        resolved to [AWS Unique
+        IDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
+        for the bound principal ARN. This field is ignored when a
+        `bound_iam_principal_arn` ends in a wildcard. Resolving to unique IDs more
+        closely mimics the behavior of AWS services in that if an IAM user or role is
+        deleted and a new one is recreated with the same name, those new users or
+        roles won't get access to roles in Vault that were permissioned to the prior
+        principals of the same name. Defaults to `true`.
+        Once set to `true`, this cannot be changed to `false` without recreating the role.
+        """
+        return pulumi.get(self, "resolve_aws_unique_ids")
+    @resolve_aws_unique_ids.setter
+    def resolve_aws_unique_ids(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "resolve_aws_unique_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="roleTag")
+    def role_tag(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        If set, enable role tags for this role. The value set
+        for this field should be the key of the tag on the EC2 instance. `auth_type`
+        must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+        to use this constraint.
+        """
+        return pulumi.get(self, "role_tag")
+    @role_tag.setter
+    def role_tag(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "role_tag", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenBoundCidrs")
+    def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        Specifies the blocks of IP addresses which are allowed to use the generated token
+        """
+        return pulumi.get(self, "token_bound_cidrs")
+    @token_bound_cidrs.setter
+    def token_bound_cidrs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "token_bound_cidrs", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenExplicitMaxTtl")
+    def token_explicit_max_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        Generated Token's Explicit Maximum TTL in seconds
+        """
+        return pulumi.get(self, "token_explicit_max_ttl")
+    @token_explicit_max_ttl.setter
+    def token_explicit_max_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_explicit_max_ttl", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenMaxTtl")
+    def token_max_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The maximum lifetime of the generated token
+        """
+        return pulumi.get(self, "token_max_ttl")
+    @token_max_ttl.setter
+    def token_max_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_max_ttl", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenNoDefaultPolicy")
+    def token_no_default_policy(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If true, the 'default' policy will not automatically be added to generated tokens
+        """
+        return pulumi.get(self, "token_no_default_policy")
+    @token_no_default_policy.setter
+    def token_no_default_policy(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "token_no_default_policy", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenNumUses")
+    def token_num_uses(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The maximum number of times a token may be used, a value of zero means unlimited
+        """
+        return pulumi.get(self, "token_num_uses")
+    @token_num_uses.setter
+    def token_num_uses(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_num_uses", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenPeriod")
+    def token_period(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        Generated Token's Period
+        """
+        return pulumi.get(self, "token_period")
+    @token_period.setter
+    def token_period(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_period", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenPolicies")
+    def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        Generated Token's Policies
+        """
+        return pulumi.get(self, "token_policies")
+    @token_policies.setter
+    def token_policies(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "token_policies", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenTtl")
+    def token_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The initial ttl of the token to generate in seconds
+        """
+        return pulumi.get(self, "token_ttl")
+    @token_ttl.setter
+    def token_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_ttl", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenType")
+    def token_type(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The type of token to generate, service or batch
+        """
+        return pulumi.get(self, "token_type")
+    @token_type.setter
+    def token_type(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "token_type", value)
+@pulumi.input_type
+class _AuthBackendRoleState:
+    def __init__(__self__, *,
+                 alias_metadata: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 allow_instance_migration: Optional[pulumi.Input[_builtins.bool]] = None,
+                 auth_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 backend: Optional[pulumi.Input[_builtins.str]] = None,
+                 bound_account_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_ami_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_ec2_instance_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_instance_profile_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_principal_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_regions: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_subnet_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_vpc_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 disallow_reauthentication: Optional[pulumi.Input[_builtins.bool]] = None,
+                 inferred_aws_region: Optional[pulumi.Input[_builtins.str]] = None,
+                 inferred_entity_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 resolve_aws_unique_ids: Optional[pulumi.Input[_builtins.bool]] = None,
+                 role: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_tag: Optional[pulumi.Input[_builtins.str]] = None,
+                 token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
+                 token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_period: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_type: Optional[pulumi.Input[_builtins.str]] = None):
+        """
+        Input properties used for looking up and filtering AuthBackendRole resources.
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] alias_metadata: The metadata to be tied to generated entity alias.
+                 This should be a list or map containing the metadata in key value pairs.
+        :param pulumi.Input[_builtins.bool] allow_instance_migration: If set to `true`, allows migration of
+               the underlying instance where the client resides.
+        :param pulumi.Input[_builtins.str] auth_type: The auth type permitted for this role. Valid choices
+               are `ec2` and `iam`. Defaults to `iam`.
+        :param pulumi.Input[_builtins.str] backend: Path to the mounted aws auth backend.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_account_ids: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they should be using the
+               account ID specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_ami_ids: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that they should be using the AMI ID
+               specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_ec2_instance_ids: Only EC2 instances that match this instance ID will be permitted to log in.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_instance_profile_arns: If set, defines a constraint on
+               the EC2 instances that can perform the login operation that they must be
+               associated with an IAM instance profile ARN which has a prefix that matches
+               the value specified by this field. The value is prefix-matched as though it
+               were a glob ending in `*`. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_principal_arns: If set, defines the IAM principal that
+               must be authenticated when `auth_type` is set to `iam`. Wildcards are
+               supported at the end of the ARN.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_role_arns: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they must match the IAM
+               role ARN specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_regions: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that the region in their identity
+               document must match the one specified by this field. `auth_type` must be set
+               to `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+               constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_subnet_ids: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they be associated with
+               the subnet ID that matches the value specified by this field. `auth_type`
+               must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+               to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_vpc_ids: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that they be associated with the VPC ID
+               that matches the value specified by this field. `auth_type` must be set to
+               `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+               constraint.
+        :param pulumi.Input[_builtins.bool] disallow_reauthentication: IF set to `true`, only allows a
+               single token to be granted per instance ID. This can only be set when
+               `auth_type` is set to `ec2`.
+        :param pulumi.Input[_builtins.str] inferred_aws_region: When `inferred_entity_type` is set, this
+               is the region to search for the inferred entities. Required if
+               `inferred_entity_type` is set. This only applies when `auth_type` is set to
+               `iam`.
+        :param pulumi.Input[_builtins.str] inferred_entity_type: If set, instructs Vault to turn on
+               inferencing. The only valid value is `ec2_instance`, which instructs Vault to
+               infer that the role comes from an EC2 instance in an IAM instance profile.
+               This only applies when `auth_type` is set to `iam`.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+               *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.bool] resolve_aws_unique_ids: Only valid when
+               `auth_type` is `iam`. If set to `true`, the `bound_iam_principal_arns` are
+               resolved to [AWS Unique
+               IDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
+               for the bound principal ARN. This field is ignored when a
+               `bound_iam_principal_arn` ends in a wildcard. Resolving to unique IDs more
+               closely mimics the behavior of AWS services in that if an IAM user or role is
+               deleted and a new one is recreated with the same name, those new users or
+               roles won't get access to roles in Vault that were permissioned to the prior
+               principals of the same name. Defaults to `true`.
+               Once set to `true`, this cannot be changed to `false` without recreating the role.
+        :param pulumi.Input[_builtins.str] role: The name of the role.
+        :param pulumi.Input[_builtins.str] role_id: The Vault generated role ID.
+        :param pulumi.Input[_builtins.str] role_tag: If set, enable role tags for this role. The value set
+               for this field should be the key of the tag on the EC2 instance. `auth_type`
+               must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+               to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
+        :param pulumi.Input[_builtins.int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
+        :param pulumi.Input[_builtins.int] token_max_ttl: The maximum lifetime of the generated token
+        :param pulumi.Input[_builtins.bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
+        :param pulumi.Input[_builtins.int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
+        :param pulumi.Input[_builtins.int] token_period: Generated Token's Period
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_policies: Generated Token's Policies
+        :param pulumi.Input[_builtins.int] token_ttl: The initial ttl of the token to generate in seconds
+        :param pulumi.Input[_builtins.str] token_type: The type of token to generate, service or batch
+        """
+        if alias_metadata is not None:
+            pulumi.set(__self__, "alias_metadata", alias_metadata)
+        if allow_instance_migration is not None:
+            pulumi.set(__self__, "allow_instance_migration", allow_instance_migration)
+        if auth_type is not None:
+            pulumi.set(__self__, "auth_type", auth_type)
+        if backend is not None:
+            pulumi.set(__self__, "backend", backend)
+        if bound_account_ids is not None:
+            pulumi.set(__self__, "bound_account_ids", bound_account_ids)
+        if bound_ami_ids is not None:
+            pulumi.set(__self__, "bound_ami_ids", bound_ami_ids)
+        if bound_ec2_instance_ids is not None:
+            pulumi.set(__self__, "bound_ec2_instance_ids", bound_ec2_instance_ids)
+        if bound_iam_instance_profile_arns is not None:
+            pulumi.set(__self__, "bound_iam_instance_profile_arns", bound_iam_instance_profile_arns)
+        if bound_iam_principal_arns is not None:
+            pulumi.set(__self__, "bound_iam_principal_arns", bound_iam_principal_arns)
+        if bound_iam_role_arns is not None:
+            pulumi.set(__self__, "bound_iam_role_arns", bound_iam_role_arns)
+        if bound_regions is not None:
+            pulumi.set(__self__, "bound_regions", bound_regions)
+        if bound_subnet_ids is not None:
+            pulumi.set(__self__, "bound_subnet_ids", bound_subnet_ids)
+        if bound_vpc_ids is not None:
+            pulumi.set(__self__, "bound_vpc_ids", bound_vpc_ids)
+        if disallow_reauthentication is not None:
+            pulumi.set(__self__, "disallow_reauthentication", disallow_reauthentication)
+        if inferred_aws_region is not None:
+            pulumi.set(__self__, "inferred_aws_region", inferred_aws_region)
+        if inferred_entity_type is not None:
+            pulumi.set(__self__, "inferred_entity_type", inferred_entity_type)
+        if namespace is not None:
+            pulumi.set(__self__, "namespace", namespace)
+        if resolve_aws_unique_ids is not None:
+            pulumi.set(__self__, "resolve_aws_unique_ids", resolve_aws_unique_ids)
+        if role is not None:
+            pulumi.set(__self__, "role", role)
+        if role_id is not None:
+            pulumi.set(__self__, "role_id", role_id)
+        if role_tag is not None:
+            pulumi.set(__self__, "role_tag", role_tag)
+        if token_bound_cidrs is not None:
+            pulumi.set(__self__, "token_bound_cidrs", token_bound_cidrs)
+        if token_explicit_max_ttl is not None:
+            pulumi.set(__self__, "token_explicit_max_ttl", token_explicit_max_ttl)
+        if token_max_ttl is not None:
+            pulumi.set(__self__, "token_max_ttl", token_max_ttl)
+        if token_no_default_policy is not None:
+            pulumi.set(__self__, "token_no_default_policy", token_no_default_policy)
+        if token_num_uses is not None:
+            pulumi.set(__self__, "token_num_uses", token_num_uses)
+        if token_period is not None:
+            pulumi.set(__self__, "token_period", token_period)
+        if token_policies is not None:
+            pulumi.set(__self__, "token_policies", token_policies)
+        if token_ttl is not None:
+            pulumi.set(__self__, "token_ttl", token_ttl)
+        if token_type is not None:
+            pulumi.set(__self__, "token_type", token_type)
+    @_builtins.property
+    @pulumi.getter(name="aliasMetadata")
+    def alias_metadata(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
+        """
+        The metadata to be tied to generated entity alias.
+          This should be a list or map containing the metadata in key value pairs.
+        """
+        return pulumi.get(self, "alias_metadata")
+    @alias_metadata.setter
+    def alias_metadata(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "alias_metadata", value)
+    @_builtins.property
+    @pulumi.getter(name="allowInstanceMigration")
+    def allow_instance_migration(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If set to `true`, allows migration of
+        the underlying instance where the client resides.
+        """
+        return pulumi.get(self, "allow_instance_migration")
+    @allow_instance_migration.setter
+    def allow_instance_migration(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "allow_instance_migration", value)
+    @_builtins.property
+    @pulumi.getter(name="authType")
+    def auth_type(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The auth type permitted for this role. Valid choices
+        are `ec2` and `iam`. Defaults to `iam`.
+        """
+        return pulumi.get(self, "auth_type")
+    @auth_type.setter
+    def auth_type(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "auth_type", value)
+    @_builtins.property
+    @pulumi.getter
+    def backend(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Path to the mounted aws auth backend.
+        """
+        return pulumi.get(self, "backend")
+    @backend.setter
+    def backend(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "backend", value)
+    @_builtins.property
+    @pulumi.getter(name="boundAccountIds")
+    def bound_account_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2
+        instances that can perform the login operation that they should be using the
+        account ID specified by this field. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_account_ids")
+    @bound_account_ids.setter
+    def bound_account_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_account_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="boundAmiIds")
+    def bound_ami_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2 instances
+        that can perform the login operation that they should be using the AMI ID
+        specified by this field. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_ami_ids")
+    @bound_ami_ids.setter
+    def bound_ami_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_ami_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="boundEc2InstanceIds")
+    def bound_ec2_instance_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        Only EC2 instances that match this instance ID will be permitted to log in.
+        """
+        return pulumi.get(self, "bound_ec2_instance_ids")
+    @bound_ec2_instance_ids.setter
+    def bound_ec2_instance_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_ec2_instance_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="boundIamInstanceProfileArns")
+    def bound_iam_instance_profile_arns(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on
+        the EC2 instances that can perform the login operation that they must be
+        associated with an IAM instance profile ARN which has a prefix that matches
+        the value specified by this field. The value is prefix-matched as though it
+        were a glob ending in `*`. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_iam_instance_profile_arns")
+    @bound_iam_instance_profile_arns.setter
+    def bound_iam_instance_profile_arns(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_iam_instance_profile_arns", value)
+    @_builtins.property
+    @pulumi.getter(name="boundIamPrincipalArns")
+    def bound_iam_principal_arns(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines the IAM principal that
+        must be authenticated when `auth_type` is set to `iam`. Wildcards are
+        supported at the end of the ARN.
+        """
+        return pulumi.get(self, "bound_iam_principal_arns")
+    @bound_iam_principal_arns.setter
+    def bound_iam_principal_arns(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_iam_principal_arns", value)
+    @_builtins.property
+    @pulumi.getter(name="boundIamRoleArns")
+    def bound_iam_role_arns(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2
+        instances that can perform the login operation that they must match the IAM
+        role ARN specified by this field. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_iam_role_arns")
+    @bound_iam_role_arns.setter
+    def bound_iam_role_arns(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_iam_role_arns", value)
+    @_builtins.property
+    @pulumi.getter(name="boundRegions")
+    def bound_regions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2 instances
+        that can perform the login operation that the region in their identity
+        document must match the one specified by this field. `auth_type` must be set
+        to `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+        constraint.
+        """
+        return pulumi.get(self, "bound_regions")
+    @bound_regions.setter
+    def bound_regions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_regions", value)
+    @_builtins.property
+    @pulumi.getter(name="boundSubnetIds")
+    def bound_subnet_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2
+        instances that can perform the login operation that they be associated with
+        the subnet ID that matches the value specified by this field. `auth_type`
+        must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+        to use this constraint.
+        """
+        return pulumi.get(self, "bound_subnet_ids")
+    @bound_subnet_ids.setter
+    def bound_subnet_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_subnet_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="boundVpcIds")
+    def bound_vpc_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        If set, defines a constraint on the EC2 instances
+        that can perform the login operation that they be associated with the VPC ID
+        that matches the value specified by this field. `auth_type` must be set to
+        `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+        constraint.
+        """
+        return pulumi.get(self, "bound_vpc_ids")
+    @bound_vpc_ids.setter
+    def bound_vpc_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "bound_vpc_ids", value)
+    @_builtins.property
+    @pulumi.getter(name="disallowReauthentication")
+    def disallow_reauthentication(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        IF set to `true`, only allows a
+        single token to be granted per instance ID. This can only be set when
+        `auth_type` is set to `ec2`.
+        """
+        return pulumi.get(self, "disallow_reauthentication")
+    @disallow_reauthentication.setter
+    def disallow_reauthentication(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "disallow_reauthentication", value)
+    @_builtins.property
+    @pulumi.getter(name="inferredAwsRegion")
+    def inferred_aws_region(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        When `inferred_entity_type` is set, this
+        is the region to search for the inferred entities. Required if
+        `inferred_entity_type` is set. This only applies when `auth_type` is set to
+        `iam`.
+        """
+        return pulumi.get(self, "inferred_aws_region")
+    @inferred_aws_region.setter
+    def inferred_aws_region(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "inferred_aws_region", value)
+    @_builtins.property
+    @pulumi.getter(name="inferredEntityType")
+    def inferred_entity_type(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        If set, instructs Vault to turn on
+        inferencing. The only valid value is `ec2_instance`, which instructs Vault to
+        infer that the role comes from an EC2 instance in an IAM instance profile.
+        This only applies when `auth_type` is set to `iam`.
+        """
+        return pulumi.get(self, "inferred_entity_type")
+    @inferred_entity_type.setter
+    def inferred_entity_type(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "inferred_entity_type", value)
+    @_builtins.property
+    @pulumi.getter
+    def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The namespace to provision the resource in.
+        The value should not contain leading or trailing forward slashes.
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "namespace")
+    @namespace.setter
+    def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "namespace", value)
+    @_builtins.property
+    @pulumi.getter(name="resolveAwsUniqueIds")
+    def resolve_aws_unique_ids(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        Only valid when
+        `auth_type` is `iam`. If set to `true`, the `bound_iam_principal_arns` are
+        resolved to [AWS Unique
+        IDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
+        for the bound principal ARN. This field is ignored when a
+        `bound_iam_principal_arn` ends in a wildcard. Resolving to unique IDs more
+        closely mimics the behavior of AWS services in that if an IAM user or role is
+        deleted and a new one is recreated with the same name, those new users or
+        roles won't get access to roles in Vault that were permissioned to the prior
+        principals of the same name. Defaults to `true`.
+        Once set to `true`, this cannot be changed to `false` without recreating the role.
+        """
+        return pulumi.get(self, "resolve_aws_unique_ids")
+    @resolve_aws_unique_ids.setter
+    def resolve_aws_unique_ids(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "resolve_aws_unique_ids", value)
+    @_builtins.property
+    @pulumi.getter
+    def role(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The name of the role.
+        """
+        return pulumi.get(self, "role")
+    @role.setter
+    def role(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "role", value)
+    @_builtins.property
+    @pulumi.getter(name="roleId")
+    def role_id(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The Vault generated role ID.
+        """
+        return pulumi.get(self, "role_id")
+    @role_id.setter
+    def role_id(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "role_id", value)
+    @_builtins.property
+    @pulumi.getter(name="roleTag")
+    def role_tag(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        If set, enable role tags for this role. The value set
+        for this field should be the key of the tag on the EC2 instance. `auth_type`
+        must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+        to use this constraint.
+        """
+        return pulumi.get(self, "role_tag")
+    @role_tag.setter
+    def role_tag(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "role_tag", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenBoundCidrs")
+    def token_bound_cidrs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        Specifies the blocks of IP addresses which are allowed to use the generated token
+        """
+        return pulumi.get(self, "token_bound_cidrs")
+    @token_bound_cidrs.setter
+    def token_bound_cidrs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "token_bound_cidrs", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenExplicitMaxTtl")
+    def token_explicit_max_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        Generated Token's Explicit Maximum TTL in seconds
+        """
+        return pulumi.get(self, "token_explicit_max_ttl")
+    @token_explicit_max_ttl.setter
+    def token_explicit_max_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_explicit_max_ttl", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenMaxTtl")
+    def token_max_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The maximum lifetime of the generated token
+        """
+        return pulumi.get(self, "token_max_ttl")
+    @token_max_ttl.setter
+    def token_max_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_max_ttl", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenNoDefaultPolicy")
+    def token_no_default_policy(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If true, the 'default' policy will not automatically be added to generated tokens
+        """
+        return pulumi.get(self, "token_no_default_policy")
+    @token_no_default_policy.setter
+    def token_no_default_policy(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "token_no_default_policy", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenNumUses")
+    def token_num_uses(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The maximum number of times a token may be used, a value of zero means unlimited
+        """
+        return pulumi.get(self, "token_num_uses")
+    @token_num_uses.setter
+    def token_num_uses(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_num_uses", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenPeriod")
+    def token_period(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        Generated Token's Period
+        """
+        return pulumi.get(self, "token_period")
+    @token_period.setter
+    def token_period(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_period", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenPolicies")
+    def token_policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        Generated Token's Policies
+        """
+        return pulumi.get(self, "token_policies")
+    @token_policies.setter
+    def token_policies(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "token_policies", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenTtl")
+    def token_ttl(self) -> Optional[pulumi.Input[_builtins.int]]:
+        """
+        The initial ttl of the token to generate in seconds
+        """
+        return pulumi.get(self, "token_ttl")
+    @token_ttl.setter
+    def token_ttl(self, value: Optional[pulumi.Input[_builtins.int]]):
+        pulumi.set(self, "token_ttl", value)
+    @_builtins.property
+    @pulumi.getter(name="tokenType")
+    def token_type(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The type of token to generate, service or batch
+        """
+        return pulumi.get(self, "token_type")
+    @token_type.setter
+    def token_type(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "token_type", value)
+@pulumi.type_token("vault:aws/authBackendRole:AuthBackendRole")
+class AuthBackendRole(pulumi.CustomResource):
+    @overload
+    def __init__(__self__,
+                 resource_name: str,
+                 opts: Optional[pulumi.ResourceOptions] = None,
+                 alias_metadata: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 allow_instance_migration: Optional[pulumi.Input[_builtins.bool]] = None,
+                 auth_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 backend: Optional[pulumi.Input[_builtins.str]] = None,
+                 bound_account_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_ami_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_ec2_instance_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_instance_profile_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_principal_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_regions: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_subnet_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_vpc_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 disallow_reauthentication: Optional[pulumi.Input[_builtins.bool]] = None,
+                 inferred_aws_region: Optional[pulumi.Input[_builtins.str]] = None,
+                 inferred_entity_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 resolve_aws_unique_ids: Optional[pulumi.Input[_builtins.bool]] = None,
+                 role: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_tag: Optional[pulumi.Input[_builtins.str]] = None,
+                 token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
+                 token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_period: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 __props__=None):
+        """
+        Manages an AWS auth backend role in a Vault server. Roles constrain the
+        instances or principals that can perform the login operation against the
+        backend. See the [Vault
+        documentation](https://www.vaultproject.io/docs/auth/aws.html) for more
+        information.
+        ## Example Usage
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+        aws = vault.AuthBackend("aws", type="aws")
+        example = vault.aws.AuthBackendRole("example",
+            backend=aws.path,
+            role="test-role",
+            auth_type="iam",
+            bound_ami_ids=["ami-8c1be5f6"],
+            bound_account_ids=["123456789012"],
+            bound_vpc_ids=["vpc-b61106d4"],
+            bound_subnet_ids=["vpc-133128f1"],
+            bound_iam_role_arns=["arn:aws:iam::123456789012:role/MyRole"],
+            bound_iam_instance_profile_arns=["arn:aws:iam::123456789012:instance-profile/MyProfile"],
+            inferred_entity_type="ec2_instance",
+            inferred_aws_region="us-east-1",
+            token_ttl=60,
+            token_max_ttl=120,
+            token_policies=[
+                "default",
+                "dev",
+                "prod",
+            ])
+        ```
+        ## Import
+        AWS auth backend roles can be imported using `auth/`, the `backend` path, `/role/`, and the `role` name e.g.
+        ```sh
+        $ pulumi import vault:aws/authBackendRole:AuthBackendRole example auth/aws/role/test-role
+        ```
+        :param str resource_name: The name of the resource.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] alias_metadata: The metadata to be tied to generated entity alias.
+                 This should be a list or map containing the metadata in key value pairs.
+        :param pulumi.Input[_builtins.bool] allow_instance_migration: If set to `true`, allows migration of
+               the underlying instance where the client resides.
+        :param pulumi.Input[_builtins.str] auth_type: The auth type permitted for this role. Valid choices
+               are `ec2` and `iam`. Defaults to `iam`.
+        :param pulumi.Input[_builtins.str] backend: Path to the mounted aws auth backend.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_account_ids: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they should be using the
+               account ID specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_ami_ids: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that they should be using the AMI ID
+               specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_ec2_instance_ids: Only EC2 instances that match this instance ID will be permitted to log in.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_instance_profile_arns: If set, defines a constraint on
+               the EC2 instances that can perform the login operation that they must be
+               associated with an IAM instance profile ARN which has a prefix that matches
+               the value specified by this field. The value is prefix-matched as though it
+               were a glob ending in `*`. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_principal_arns: If set, defines the IAM principal that
+               must be authenticated when `auth_type` is set to `iam`. Wildcards are
+               supported at the end of the ARN.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_role_arns: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they must match the IAM
+               role ARN specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_regions: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that the region in their identity
+               document must match the one specified by this field. `auth_type` must be set
+               to `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+               constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_subnet_ids: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they be associated with
+               the subnet ID that matches the value specified by this field. `auth_type`
+               must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+               to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_vpc_ids: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that they be associated with the VPC ID
+               that matches the value specified by this field. `auth_type` must be set to
+               `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+               constraint.
+        :param pulumi.Input[_builtins.bool] disallow_reauthentication: IF set to `true`, only allows a
+               single token to be granted per instance ID. This can only be set when
+               `auth_type` is set to `ec2`.
+        :param pulumi.Input[_builtins.str] inferred_aws_region: When `inferred_entity_type` is set, this
+               is the region to search for the inferred entities. Required if
+               `inferred_entity_type` is set. This only applies when `auth_type` is set to
+               `iam`.
+        :param pulumi.Input[_builtins.str] inferred_entity_type: If set, instructs Vault to turn on
+               inferencing. The only valid value is `ec2_instance`, which instructs Vault to
+               infer that the role comes from an EC2 instance in an IAM instance profile.
+               This only applies when `auth_type` is set to `iam`.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+               *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.bool] resolve_aws_unique_ids: Only valid when
+               `auth_type` is `iam`. If set to `true`, the `bound_iam_principal_arns` are
+               resolved to [AWS Unique
+               IDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
+               for the bound principal ARN. This field is ignored when a
+               `bound_iam_principal_arn` ends in a wildcard. Resolving to unique IDs more
+               closely mimics the behavior of AWS services in that if an IAM user or role is
+               deleted and a new one is recreated with the same name, those new users or
+               roles won't get access to roles in Vault that were permissioned to the prior
+               principals of the same name. Defaults to `true`.
+               Once set to `true`, this cannot be changed to `false` without recreating the role.
+        :param pulumi.Input[_builtins.str] role: The name of the role.
+        :param pulumi.Input[_builtins.str] role_tag: If set, enable role tags for this role. The value set
+               for this field should be the key of the tag on the EC2 instance. `auth_type`
+               must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+               to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
+        :param pulumi.Input[_builtins.int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
+        :param pulumi.Input[_builtins.int] token_max_ttl: The maximum lifetime of the generated token
+        :param pulumi.Input[_builtins.bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
+        :param pulumi.Input[_builtins.int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
+        :param pulumi.Input[_builtins.int] token_period: Generated Token's Period
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_policies: Generated Token's Policies
+        :param pulumi.Input[_builtins.int] token_ttl: The initial ttl of the token to generate in seconds
+        :param pulumi.Input[_builtins.str] token_type: The type of token to generate, service or batch
+        """
+        ...
+    @overload
+    def __init__(__self__,
+                 resource_name: str,
+                 args: AuthBackendRoleArgs,
+                 opts: Optional[pulumi.ResourceOptions] = None):
+        """
+        Manages an AWS auth backend role in a Vault server. Roles constrain the
+        instances or principals that can perform the login operation against the
+        backend. See the [Vault
+        documentation](https://www.vaultproject.io/docs/auth/aws.html) for more
+        information.
+        ## Example Usage
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+        aws = vault.AuthBackend("aws", type="aws")
+        example = vault.aws.AuthBackendRole("example",
+            backend=aws.path,
+            role="test-role",
+            auth_type="iam",
+            bound_ami_ids=["ami-8c1be5f6"],
+            bound_account_ids=["123456789012"],
+            bound_vpc_ids=["vpc-b61106d4"],
+            bound_subnet_ids=["vpc-133128f1"],
+            bound_iam_role_arns=["arn:aws:iam::123456789012:role/MyRole"],
+            bound_iam_instance_profile_arns=["arn:aws:iam::123456789012:instance-profile/MyProfile"],
+            inferred_entity_type="ec2_instance",
+            inferred_aws_region="us-east-1",
+            token_ttl=60,
+            token_max_ttl=120,
+            token_policies=[
+                "default",
+                "dev",
+                "prod",
+            ])
+        ```
+        ## Import
+        AWS auth backend roles can be imported using `auth/`, the `backend` path, `/role/`, and the `role` name e.g.
+        ```sh
+        $ pulumi import vault:aws/authBackendRole:AuthBackendRole example auth/aws/role/test-role
+        ```
+        :param str resource_name: The name of the resource.
+        :param AuthBackendRoleArgs args: The arguments to use to populate this resource's properties.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        """
+        ...
+    def __init__(__self__, resource_name: str, *args, **kwargs):
+        resource_args, opts = _utilities.get_resource_args_opts(AuthBackendRoleArgs, pulumi.ResourceOptions, *args, **kwargs)
+        if resource_args is not None:
+            __self__._internal_init(resource_name, opts, **resource_args.__dict__)
+        else:
+            __self__._internal_init(resource_name, *args, **kwargs)
+    def _internal_init(__self__,
+                 resource_name: str,
+                 opts: Optional[pulumi.ResourceOptions] = None,
+                 alias_metadata: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 allow_instance_migration: Optional[pulumi.Input[_builtins.bool]] = None,
+                 auth_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 backend: Optional[pulumi.Input[_builtins.str]] = None,
+                 bound_account_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_ami_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_ec2_instance_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_instance_profile_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_principal_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_iam_role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_regions: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_subnet_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 bound_vpc_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 disallow_reauthentication: Optional[pulumi.Input[_builtins.bool]] = None,
+                 inferred_aws_region: Optional[pulumi.Input[_builtins.str]] = None,
+                 inferred_entity_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 resolve_aws_unique_ids: Optional[pulumi.Input[_builtins.bool]] = None,
+                 role: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_tag: Optional[pulumi.Input[_builtins.str]] = None,
+                 token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
+                 token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_period: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+                 token_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 __props__=None):
+        opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
+        if not isinstance(opts, pulumi.ResourceOptions):
+            raise TypeError('Expected resource options to be a ResourceOptions instance')
+        if opts.id is None:
+            if __props__ is not None:
+                raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource')
+            __props__ = AuthBackendRoleArgs.__new__(AuthBackendRoleArgs)
+            __props__.__dict__["alias_metadata"] = alias_metadata
+            __props__.__dict__["allow_instance_migration"] = allow_instance_migration
+            __props__.__dict__["auth_type"] = auth_type
+            __props__.__dict__["backend"] = backend
+            __props__.__dict__["bound_account_ids"] = bound_account_ids
+            __props__.__dict__["bound_ami_ids"] = bound_ami_ids
+            __props__.__dict__["bound_ec2_instance_ids"] = bound_ec2_instance_ids
+            __props__.__dict__["bound_iam_instance_profile_arns"] = bound_iam_instance_profile_arns
+            __props__.__dict__["bound_iam_principal_arns"] = bound_iam_principal_arns
+            __props__.__dict__["bound_iam_role_arns"] = bound_iam_role_arns
+            __props__.__dict__["bound_regions"] = bound_regions
+            __props__.__dict__["bound_subnet_ids"] = bound_subnet_ids
+            __props__.__dict__["bound_vpc_ids"] = bound_vpc_ids
+            __props__.__dict__["disallow_reauthentication"] = disallow_reauthentication
+            __props__.__dict__["inferred_aws_region"] = inferred_aws_region
+            __props__.__dict__["inferred_entity_type"] = inferred_entity_type
+            __props__.__dict__["namespace"] = namespace
+            __props__.__dict__["resolve_aws_unique_ids"] = resolve_aws_unique_ids
+            if role is None and not opts.urn:
+                raise TypeError("Missing required property 'role'")
+            __props__.__dict__["role"] = role
+            __props__.__dict__["role_tag"] = role_tag
+            __props__.__dict__["token_bound_cidrs"] = token_bound_cidrs
+            __props__.__dict__["token_explicit_max_ttl"] = token_explicit_max_ttl
+            __props__.__dict__["token_max_ttl"] = token_max_ttl
+            __props__.__dict__["token_no_default_policy"] = token_no_default_policy
+            __props__.__dict__["token_num_uses"] = token_num_uses
+            __props__.__dict__["token_period"] = token_period
+            __props__.__dict__["token_policies"] = token_policies
+            __props__.__dict__["token_ttl"] = token_ttl
+            __props__.__dict__["token_type"] = token_type
+            __props__.__dict__["role_id"] = None
+        super(AuthBackendRole, __self__).__init__(
+            'vault:aws/authBackendRole:AuthBackendRole',
+            resource_name,
+            __props__,
+            opts)
+    @staticmethod
+    def get(resource_name: str,
+            id: pulumi.Input[str],
+            opts: Optional[pulumi.ResourceOptions] = None,
+            alias_metadata: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+            allow_instance_migration: Optional[pulumi.Input[_builtins.bool]] = None,
+            auth_type: Optional[pulumi.Input[_builtins.str]] = None,
+            backend: Optional[pulumi.Input[_builtins.str]] = None,
+            bound_account_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            bound_ami_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            bound_ec2_instance_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            bound_iam_instance_profile_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            bound_iam_principal_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            bound_iam_role_arns: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            bound_regions: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            bound_subnet_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            bound_vpc_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            disallow_reauthentication: Optional[pulumi.Input[_builtins.bool]] = None,
+            inferred_aws_region: Optional[pulumi.Input[_builtins.str]] = None,
+            inferred_entity_type: Optional[pulumi.Input[_builtins.str]] = None,
+            namespace: Optional[pulumi.Input[_builtins.str]] = None,
+            resolve_aws_unique_ids: Optional[pulumi.Input[_builtins.bool]] = None,
+            role: Optional[pulumi.Input[_builtins.str]] = None,
+            role_id: Optional[pulumi.Input[_builtins.str]] = None,
+            role_tag: Optional[pulumi.Input[_builtins.str]] = None,
+            token_bound_cidrs: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            token_explicit_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+            token_max_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+            token_no_default_policy: Optional[pulumi.Input[_builtins.bool]] = None,
+            token_num_uses: Optional[pulumi.Input[_builtins.int]] = None,
+            token_period: Optional[pulumi.Input[_builtins.int]] = None,
+            token_policies: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            token_ttl: Optional[pulumi.Input[_builtins.int]] = None,
+            token_type: Optional[pulumi.Input[_builtins.str]] = None) -> 'AuthBackendRole':
+        """
+        Get an existing AuthBackendRole resource's state with the given name, id, and optional extra
+        properties used to qualify the lookup.
+        :param str resource_name: The unique name of the resulting resource.
+        :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] alias_metadata: The metadata to be tied to generated entity alias.
+                 This should be a list or map containing the metadata in key value pairs.
+        :param pulumi.Input[_builtins.bool] allow_instance_migration: If set to `true`, allows migration of
+               the underlying instance where the client resides.
+        :param pulumi.Input[_builtins.str] auth_type: The auth type permitted for this role. Valid choices
+               are `ec2` and `iam`. Defaults to `iam`.
+        :param pulumi.Input[_builtins.str] backend: Path to the mounted aws auth backend.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_account_ids: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they should be using the
+               account ID specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_ami_ids: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that they should be using the AMI ID
+               specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_ec2_instance_ids: Only EC2 instances that match this instance ID will be permitted to log in.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_instance_profile_arns: If set, defines a constraint on
+               the EC2 instances that can perform the login operation that they must be
+               associated with an IAM instance profile ARN which has a prefix that matches
+               the value specified by this field. The value is prefix-matched as though it
+               were a glob ending in `*`. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_principal_arns: If set, defines the IAM principal that
+               must be authenticated when `auth_type` is set to `iam`. Wildcards are
+               supported at the end of the ARN.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_iam_role_arns: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they must match the IAM
+               role ARN specified by this field. `auth_type` must be set to `ec2` or
+               `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_regions: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that the region in their identity
+               document must match the one specified by this field. `auth_type` must be set
+               to `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+               constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_subnet_ids: If set, defines a constraint on the EC2
+               instances that can perform the login operation that they be associated with
+               the subnet ID that matches the value specified by this field. `auth_type`
+               must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+               to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] bound_vpc_ids: If set, defines a constraint on the EC2 instances
+               that can perform the login operation that they be associated with the VPC ID
+               that matches the value specified by this field. `auth_type` must be set to
+               `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+               constraint.
+        :param pulumi.Input[_builtins.bool] disallow_reauthentication: IF set to `true`, only allows a
+               single token to be granted per instance ID. This can only be set when
+               `auth_type` is set to `ec2`.
+        :param pulumi.Input[_builtins.str] inferred_aws_region: When `inferred_entity_type` is set, this
+               is the region to search for the inferred entities. Required if
+               `inferred_entity_type` is set. This only applies when `auth_type` is set to
+               `iam`.
+        :param pulumi.Input[_builtins.str] inferred_entity_type: If set, instructs Vault to turn on
+               inferencing. The only valid value is `ec2_instance`, which instructs Vault to
+               infer that the role comes from an EC2 instance in an IAM instance profile.
+               This only applies when `auth_type` is set to `iam`.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+               *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.bool] resolve_aws_unique_ids: Only valid when
+               `auth_type` is `iam`. If set to `true`, the `bound_iam_principal_arns` are
+               resolved to [AWS Unique
+               IDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
+               for the bound principal ARN. This field is ignored when a
+               `bound_iam_principal_arn` ends in a wildcard. Resolving to unique IDs more
+               closely mimics the behavior of AWS services in that if an IAM user or role is
+               deleted and a new one is recreated with the same name, those new users or
+               roles won't get access to roles in Vault that were permissioned to the prior
+               principals of the same name. Defaults to `true`.
+               Once set to `true`, this cannot be changed to `false` without recreating the role.
+        :param pulumi.Input[_builtins.str] role: The name of the role.
+        :param pulumi.Input[_builtins.str] role_id: The Vault generated role ID.
+        :param pulumi.Input[_builtins.str] role_tag: If set, enable role tags for this role. The value set
+               for this field should be the key of the tag on the EC2 instance. `auth_type`
+               must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+               to use this constraint.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_bound_cidrs: Specifies the blocks of IP addresses which are allowed to use the generated token
+        :param pulumi.Input[_builtins.int] token_explicit_max_ttl: Generated Token's Explicit Maximum TTL in seconds
+        :param pulumi.Input[_builtins.int] token_max_ttl: The maximum lifetime of the generated token
+        :param pulumi.Input[_builtins.bool] token_no_default_policy: If true, the 'default' policy will not automatically be added to generated tokens
+        :param pulumi.Input[_builtins.int] token_num_uses: The maximum number of times a token may be used, a value of zero means unlimited
+        :param pulumi.Input[_builtins.int] token_period: Generated Token's Period
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] token_policies: Generated Token's Policies
+        :param pulumi.Input[_builtins.int] token_ttl: The initial ttl of the token to generate in seconds
+        :param pulumi.Input[_builtins.str] token_type: The type of token to generate, service or batch
+        """
+        opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
+        __props__ = _AuthBackendRoleState.__new__(_AuthBackendRoleState)
+        __props__.__dict__["alias_metadata"] = alias_metadata
+        __props__.__dict__["allow_instance_migration"] = allow_instance_migration
+        __props__.__dict__["auth_type"] = auth_type
+        __props__.__dict__["backend"] = backend
+        __props__.__dict__["bound_account_ids"] = bound_account_ids
+        __props__.__dict__["bound_ami_ids"] = bound_ami_ids
+        __props__.__dict__["bound_ec2_instance_ids"] = bound_ec2_instance_ids
+        __props__.__dict__["bound_iam_instance_profile_arns"] = bound_iam_instance_profile_arns
+        __props__.__dict__["bound_iam_principal_arns"] = bound_iam_principal_arns
+        __props__.__dict__["bound_iam_role_arns"] = bound_iam_role_arns
+        __props__.__dict__["bound_regions"] = bound_regions
+        __props__.__dict__["bound_subnet_ids"] = bound_subnet_ids
+        __props__.__dict__["bound_vpc_ids"] = bound_vpc_ids
+        __props__.__dict__["disallow_reauthentication"] = disallow_reauthentication
+        __props__.__dict__["inferred_aws_region"] = inferred_aws_region
+        __props__.__dict__["inferred_entity_type"] = inferred_entity_type
+        __props__.__dict__["namespace"] = namespace
+        __props__.__dict__["resolve_aws_unique_ids"] = resolve_aws_unique_ids
+        __props__.__dict__["role"] = role
+        __props__.__dict__["role_id"] = role_id
+        __props__.__dict__["role_tag"] = role_tag
+        __props__.__dict__["token_bound_cidrs"] = token_bound_cidrs
+        __props__.__dict__["token_explicit_max_ttl"] = token_explicit_max_ttl
+        __props__.__dict__["token_max_ttl"] = token_max_ttl
+        __props__.__dict__["token_no_default_policy"] = token_no_default_policy
+        __props__.__dict__["token_num_uses"] = token_num_uses
+        __props__.__dict__["token_period"] = token_period
+        __props__.__dict__["token_policies"] = token_policies
+        __props__.__dict__["token_ttl"] = token_ttl
+        __props__.__dict__["token_type"] = token_type
+        return AuthBackendRole(resource_name, opts=opts, __props__=__props__)
+    @_builtins.property
+    @pulumi.getter(name="aliasMetadata")
+    def alias_metadata(self) -> pulumi.Output[Optional[Mapping[str, _builtins.str]]]:
+        """
+        The metadata to be tied to generated entity alias.
+          This should be a list or map containing the metadata in key value pairs.
+        """
+        return pulumi.get(self, "alias_metadata")
+    @_builtins.property
+    @pulumi.getter(name="allowInstanceMigration")
+    def allow_instance_migration(self) -> pulumi.Output[Optional[_builtins.bool]]:
+        """
+        If set to `true`, allows migration of
+        the underlying instance where the client resides.
+        """
+        return pulumi.get(self, "allow_instance_migration")
+    @_builtins.property
+    @pulumi.getter(name="authType")
+    def auth_type(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        The auth type permitted for this role. Valid choices
+        are `ec2` and `iam`. Defaults to `iam`.
+        """
+        return pulumi.get(self, "auth_type")
+    @_builtins.property
+    @pulumi.getter
+    def backend(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Path to the mounted aws auth backend.
+        """
+        return pulumi.get(self, "backend")
+    @_builtins.property
+    @pulumi.getter(name="boundAccountIds")
+    def bound_account_ids(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        If set, defines a constraint on the EC2
+        instances that can perform the login operation that they should be using the
+        account ID specified by this field. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_account_ids")
+    @_builtins.property
+    @pulumi.getter(name="boundAmiIds")
+    def bound_ami_ids(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        If set, defines a constraint on the EC2 instances
+        that can perform the login operation that they should be using the AMI ID
+        specified by this field. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_ami_ids")
+    @_builtins.property
+    @pulumi.getter(name="boundEc2InstanceIds")
+    def bound_ec2_instance_ids(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        Only EC2 instances that match this instance ID will be permitted to log in.
+        """
+        return pulumi.get(self, "bound_ec2_instance_ids")
+    @_builtins.property
+    @pulumi.getter(name="boundIamInstanceProfileArns")
+    def bound_iam_instance_profile_arns(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        If set, defines a constraint on
+        the EC2 instances that can perform the login operation that they must be
+        associated with an IAM instance profile ARN which has a prefix that matches
+        the value specified by this field. The value is prefix-matched as though it
+        were a glob ending in `*`. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_iam_instance_profile_arns")
+    @_builtins.property
+    @pulumi.getter(name="boundIamPrincipalArns")
+    def bound_iam_principal_arns(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        If set, defines the IAM principal that
+        must be authenticated when `auth_type` is set to `iam`. Wildcards are
+        supported at the end of the ARN.
+        """
+        return pulumi.get(self, "bound_iam_principal_arns")
+    @_builtins.property
+    @pulumi.getter(name="boundIamRoleArns")
+    def bound_iam_role_arns(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        If set, defines a constraint on the EC2
+        instances that can perform the login operation that they must match the IAM
+        role ARN specified by this field. `auth_type` must be set to `ec2` or
+        `inferred_entity_type` must be set to `ec2_instance` to use this constraint.
+        """
+        return pulumi.get(self, "bound_iam_role_arns")
+    @_builtins.property
+    @pulumi.getter(name="boundRegions")
+    def bound_regions(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        If set, defines a constraint on the EC2 instances
+        that can perform the login operation that the region in their identity
+        document must match the one specified by this field. `auth_type` must be set
+        to `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+        constraint.
+        """
+        return pulumi.get(self, "bound_regions")
+    @_builtins.property
+    @pulumi.getter(name="boundSubnetIds")
+    def bound_subnet_ids(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        If set, defines a constraint on the EC2
+        instances that can perform the login operation that they be associated with
+        the subnet ID that matches the value specified by this field. `auth_type`
+        must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+        to use this constraint.
+        """
+        return pulumi.get(self, "bound_subnet_ids")
+    @_builtins.property
+    @pulumi.getter(name="boundVpcIds")
+    def bound_vpc_ids(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        If set, defines a constraint on the EC2 instances
+        that can perform the login operation that they be associated with the VPC ID
+        that matches the value specified by this field. `auth_type` must be set to
+        `ec2` or `inferred_entity_type` must be set to `ec2_instance` to use this
+        constraint.
+        """
+        return pulumi.get(self, "bound_vpc_ids")
+    @_builtins.property
+    @pulumi.getter(name="disallowReauthentication")
+    def disallow_reauthentication(self) -> pulumi.Output[Optional[_builtins.bool]]:
+        """
+        IF set to `true`, only allows a
+        single token to be granted per instance ID. This can only be set when
+        `auth_type` is set to `ec2`.
+        """
+        return pulumi.get(self, "disallow_reauthentication")
+    @_builtins.property
+    @pulumi.getter(name="inferredAwsRegion")
+    def inferred_aws_region(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        When `inferred_entity_type` is set, this
+        is the region to search for the inferred entities. Required if
+        `inferred_entity_type` is set. This only applies when `auth_type` is set to
+        `iam`.
+        """
+        return pulumi.get(self, "inferred_aws_region")
+    @_builtins.property
+    @pulumi.getter(name="inferredEntityType")
+    def inferred_entity_type(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        If set, instructs Vault to turn on
+        inferencing. The only valid value is `ec2_instance`, which instructs Vault to
+        infer that the role comes from an EC2 instance in an IAM instance profile.
+        This only applies when `auth_type` is set to `iam`.
+        """
+        return pulumi.get(self, "inferred_entity_type")
+    @_builtins.property
+    @pulumi.getter
+    def namespace(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        The namespace to provision the resource in.
+        The value should not contain leading or trailing forward slashes.
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "namespace")
+    @_builtins.property
+    @pulumi.getter(name="resolveAwsUniqueIds")
+    def resolve_aws_unique_ids(self) -> pulumi.Output[Optional[_builtins.bool]]:
+        """
+        Only valid when
+        `auth_type` is `iam`. If set to `true`, the `bound_iam_principal_arns` are
+        resolved to [AWS Unique
+        IDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)
+        for the bound principal ARN. This field is ignored when a
+        `bound_iam_principal_arn` ends in a wildcard. Resolving to unique IDs more
+        closely mimics the behavior of AWS services in that if an IAM user or role is
+        deleted and a new one is recreated with the same name, those new users or
+        roles won't get access to roles in Vault that were permissioned to the prior
+        principals of the same name. Defaults to `true`.
+        Once set to `true`, this cannot be changed to `false` without recreating the role.
+        """
+        return pulumi.get(self, "resolve_aws_unique_ids")
+    @_builtins.property
+    @pulumi.getter
+    def role(self) -> pulumi.Output[_builtins.str]:
+        """
+        The name of the role.
+        """
+        return pulumi.get(self, "role")
+    @_builtins.property
+    @pulumi.getter(name="roleId")
+    def role_id(self) -> pulumi.Output[_builtins.str]:
+        """
+        The Vault generated role ID.
+        """
+        return pulumi.get(self, "role_id")
+    @_builtins.property
+    @pulumi.getter(name="roleTag")
+    def role_tag(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        If set, enable role tags for this role. The value set
+        for this field should be the key of the tag on the EC2 instance. `auth_type`
+        must be set to `ec2` or `inferred_entity_type` must be set to `ec2_instance`
+        to use this constraint.
+        """
+        return pulumi.get(self, "role_tag")
+    @_builtins.property
+    @pulumi.getter(name="tokenBoundCidrs")
+    def token_bound_cidrs(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        Specifies the blocks of IP addresses which are allowed to use the generated token
+        """
+        return pulumi.get(self, "token_bound_cidrs")
+    @_builtins.property
+    @pulumi.getter(name="tokenExplicitMaxTtl")
+    def token_explicit_max_ttl(self) -> pulumi.Output[Optional[_builtins.int]]:
+        """
+        Generated Token's Explicit Maximum TTL in seconds
+        """
+        return pulumi.get(self, "token_explicit_max_ttl")
+    @_builtins.property
+    @pulumi.getter(name="tokenMaxTtl")
+    def token_max_ttl(self) -> pulumi.Output[Optional[_builtins.int]]:
+        """
+        The maximum lifetime of the generated token
+        """
+        return pulumi.get(self, "token_max_ttl")
+    @_builtins.property
+    @pulumi.getter(name="tokenNoDefaultPolicy")
+    def token_no_default_policy(self) -> pulumi.Output[Optional[_builtins.bool]]:
+        """
+        If true, the 'default' policy will not automatically be added to generated tokens
+        """
+        return pulumi.get(self, "token_no_default_policy")
+    @_builtins.property
+    @pulumi.getter(name="tokenNumUses")
+    def token_num_uses(self) -> pulumi.Output[Optional[_builtins.int]]:
+        """
+        The maximum number of times a token may be used, a value of zero means unlimited
+        """
+        return pulumi.get(self, "token_num_uses")
+    @_builtins.property
+    @pulumi.getter(name="tokenPeriod")
+    def token_period(self) -> pulumi.Output[Optional[_builtins.int]]:
+        """
+        Generated Token's Period
+        """
+        return pulumi.get(self, "token_period")
+    @_builtins.property
+    @pulumi.getter(name="tokenPolicies")
+    def token_policies(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        Generated Token's Policies
+        """
+        return pulumi.get(self, "token_policies")
+    @_builtins.property
+    @pulumi.getter(name="tokenTtl")
+    def token_ttl(self) -> pulumi.Output[Optional[_builtins.int]]:
+        """
+        The initial ttl of the token to generate in seconds
+        """
+        return pulumi.get(self, "token_ttl")
+    @_builtins.property
+    @pulumi.getter(name="tokenType")
+    def token_type(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        The type of token to generate, service or batch
+        """
+        return pulumi.get(self, "token_type")