PyPI - pulumi-vault - Versions diffs - 7.6.0a1764657486__py3-none-any.whl - Mend

pulumi-vault 7.6.0a1764657486__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (274) hide show

pulumi_vault/__init__.py +1399 -0
pulumi_vault/_inputs.py +2701 -0
pulumi_vault/_utilities.py +331 -0
pulumi_vault/ad/__init__.py +12 -0
pulumi_vault/ad/get_access_credentials.py +177 -0
pulumi_vault/ad/secret_backend.py +1916 -0
pulumi_vault/ad/secret_library.py +546 -0
pulumi_vault/ad/secret_role.py +499 -0
pulumi_vault/alicloud/__init__.py +9 -0
pulumi_vault/alicloud/auth_backend_role.py +866 -0
pulumi_vault/approle/__init__.py +12 -0
pulumi_vault/approle/auth_backend_login.py +571 -0
pulumi_vault/approle/auth_backend_role.py +1082 -0
pulumi_vault/approle/auth_backend_role_secret_id.py +796 -0
pulumi_vault/approle/get_auth_backend_role_id.py +169 -0
pulumi_vault/audit.py +499 -0
pulumi_vault/audit_request_header.py +277 -0
pulumi_vault/auth_backend.py +565 -0
pulumi_vault/aws/__init__.py +22 -0
pulumi_vault/aws/auth_backend_cert.py +420 -0
pulumi_vault/aws/auth_backend_client.py +1259 -0
pulumi_vault/aws/auth_backend_config_identity.py +494 -0
pulumi_vault/aws/auth_backend_identity_whitelist.py +380 -0
pulumi_vault/aws/auth_backend_login.py +1046 -0
pulumi_vault/aws/auth_backend_role.py +1961 -0
pulumi_vault/aws/auth_backend_role_tag.py +638 -0
pulumi_vault/aws/auth_backend_roletag_blacklist.py +366 -0
pulumi_vault/aws/auth_backend_sts_role.py +414 -0
pulumi_vault/aws/get_access_credentials.py +369 -0
pulumi_vault/aws/get_static_access_credentials.py +137 -0
pulumi_vault/aws/secret_backend.py +2018 -0
pulumi_vault/aws/secret_backend_role.py +1188 -0
pulumi_vault/aws/secret_backend_static_role.py +639 -0
pulumi_vault/azure/__init__.py +15 -0
pulumi_vault/azure/_inputs.py +108 -0
pulumi_vault/azure/auth_backend_config.py +1096 -0
pulumi_vault/azure/auth_backend_role.py +1176 -0
pulumi_vault/azure/backend.py +1793 -0
pulumi_vault/azure/backend_role.py +883 -0
pulumi_vault/azure/get_access_credentials.py +400 -0
pulumi_vault/azure/outputs.py +107 -0
pulumi_vault/cert_auth_backend_role.py +1539 -0
pulumi_vault/config/__init__.py +9 -0
pulumi_vault/config/__init__.pyi +164 -0
pulumi_vault/config/_inputs.py +73 -0
pulumi_vault/config/outputs.py +1225 -0
pulumi_vault/config/ui_custom_message.py +530 -0
pulumi_vault/config/vars.py +230 -0
pulumi_vault/consul/__init__.py +10 -0
pulumi_vault/consul/secret_backend.py +1517 -0
pulumi_vault/consul/secret_backend_role.py +847 -0
pulumi_vault/database/__init__.py +14 -0
pulumi_vault/database/_inputs.py +11907 -0
pulumi_vault/database/outputs.py +8496 -0
pulumi_vault/database/secret_backend_connection.py +1676 -0
pulumi_vault/database/secret_backend_role.py +840 -0
pulumi_vault/database/secret_backend_static_role.py +881 -0
pulumi_vault/database/secrets_mount.py +2160 -0
pulumi_vault/egp_policy.py +399 -0
pulumi_vault/gcp/__init__.py +17 -0
pulumi_vault/gcp/_inputs.py +441 -0
pulumi_vault/gcp/auth_backend.py +1486 -0
pulumi_vault/gcp/auth_backend_role.py +1235 -0
pulumi_vault/gcp/get_auth_backend_role.py +514 -0
pulumi_vault/gcp/outputs.py +302 -0
pulumi_vault/gcp/secret_backend.py +1807 -0
pulumi_vault/gcp/secret_impersonated_account.py +484 -0
pulumi_vault/gcp/secret_roleset.py +554 -0
pulumi_vault/gcp/secret_static_account.py +557 -0
pulumi_vault/generic/__init__.py +11 -0
pulumi_vault/generic/endpoint.py +786 -0
pulumi_vault/generic/get_secret.py +306 -0
pulumi_vault/generic/secret.py +486 -0
pulumi_vault/get_auth_backend.py +226 -0
pulumi_vault/get_auth_backends.py +170 -0
pulumi_vault/get_namespace.py +226 -0
pulumi_vault/get_namespaces.py +202 -0
pulumi_vault/get_nomad_access_token.py +210 -0
pulumi_vault/get_policy_document.py +160 -0
pulumi_vault/get_raft_autopilot_state.py +267 -0
pulumi_vault/github/__init__.py +13 -0
pulumi_vault/github/_inputs.py +225 -0
pulumi_vault/github/auth_backend.py +1194 -0
pulumi_vault/github/outputs.py +174 -0
pulumi_vault/github/team.py +380 -0
pulumi_vault/github/user.py +380 -0
pulumi_vault/identity/__init__.py +35 -0
pulumi_vault/identity/entity.py +447 -0
pulumi_vault/identity/entity_alias.py +398 -0
pulumi_vault/identity/entity_policies.py +455 -0
pulumi_vault/identity/get_entity.py +384 -0
pulumi_vault/identity/get_group.py +467 -0
pulumi_vault/identity/get_oidc_client_creds.py +175 -0
pulumi_vault/identity/get_oidc_openid_config.py +334 -0
pulumi_vault/identity/get_oidc_public_keys.py +179 -0
pulumi_vault/identity/group.py +805 -0
pulumi_vault/identity/group_alias.py +386 -0
pulumi_vault/identity/group_member_entity_ids.py +444 -0
pulumi_vault/identity/group_member_group_ids.py +467 -0
pulumi_vault/identity/group_policies.py +471 -0
pulumi_vault/identity/mfa_duo.py +674 -0
pulumi_vault/identity/mfa_login_enforcement.py +566 -0
pulumi_vault/identity/mfa_okta.py +626 -0
pulumi_vault/identity/mfa_pingid.py +616 -0
pulumi_vault/identity/mfa_totp.py +758 -0
pulumi_vault/identity/oidc.py +268 -0
pulumi_vault/identity/oidc_assignment.py +375 -0
pulumi_vault/identity/oidc_client.py +667 -0
pulumi_vault/identity/oidc_key.py +474 -0
pulumi_vault/identity/oidc_key_allowed_client_id.py +298 -0
pulumi_vault/identity/oidc_provider.py +550 -0
pulumi_vault/identity/oidc_role.py +543 -0
pulumi_vault/identity/oidc_scope.py +355 -0
pulumi_vault/identity/outputs.py +137 -0
pulumi_vault/jwt/__init__.py +12 -0
pulumi_vault/jwt/_inputs.py +225 -0
pulumi_vault/jwt/auth_backend.py +1347 -0
pulumi_vault/jwt/auth_backend_role.py +1847 -0
pulumi_vault/jwt/outputs.py +174 -0
pulumi_vault/kmip/__init__.py +11 -0
pulumi_vault/kmip/secret_backend.py +1591 -0
pulumi_vault/kmip/secret_role.py +1194 -0
pulumi_vault/kmip/secret_scope.py +372 -0
pulumi_vault/kubernetes/__init__.py +15 -0
pulumi_vault/kubernetes/auth_backend_config.py +654 -0
pulumi_vault/kubernetes/auth_backend_role.py +1031 -0
pulumi_vault/kubernetes/get_auth_backend_config.py +280 -0
pulumi_vault/kubernetes/get_auth_backend_role.py +470 -0
pulumi_vault/kubernetes/get_service_account_token.py +344 -0
pulumi_vault/kubernetes/secret_backend.py +1341 -0
pulumi_vault/kubernetes/secret_backend_role.py +1140 -0
pulumi_vault/kv/__init__.py +18 -0
pulumi_vault/kv/_inputs.py +124 -0
pulumi_vault/kv/get_secret.py +240 -0
pulumi_vault/kv/get_secret_subkeys_v2.py +275 -0
pulumi_vault/kv/get_secret_v2.py +315 -0
pulumi_vault/kv/get_secrets_list.py +186 -0
pulumi_vault/kv/get_secrets_list_v2.py +243 -0
pulumi_vault/kv/outputs.py +102 -0
pulumi_vault/kv/secret.py +397 -0
pulumi_vault/kv/secret_backend_v2.py +455 -0
pulumi_vault/kv/secret_v2.py +970 -0
pulumi_vault/ldap/__init__.py +19 -0
pulumi_vault/ldap/_inputs.py +225 -0
pulumi_vault/ldap/auth_backend.py +2520 -0
pulumi_vault/ldap/auth_backend_group.py +386 -0
pulumi_vault/ldap/auth_backend_user.py +439 -0
pulumi_vault/ldap/get_dynamic_credentials.py +181 -0
pulumi_vault/ldap/get_static_credentials.py +192 -0
pulumi_vault/ldap/outputs.py +174 -0
pulumi_vault/ldap/secret_backend.py +2207 -0
pulumi_vault/ldap/secret_backend_dynamic_role.py +767 -0
pulumi_vault/ldap/secret_backend_library_set.py +552 -0
pulumi_vault/ldap/secret_backend_static_role.py +541 -0
pulumi_vault/managed/__init__.py +11 -0
pulumi_vault/managed/_inputs.py +944 -0
pulumi_vault/managed/keys.py +398 -0
pulumi_vault/managed/outputs.py +667 -0
pulumi_vault/mfa_duo.py +589 -0
pulumi_vault/mfa_okta.py +623 -0
pulumi_vault/mfa_pingid.py +670 -0
pulumi_vault/mfa_totp.py +620 -0
pulumi_vault/mongodbatlas/__init__.py +10 -0
pulumi_vault/mongodbatlas/secret_backend.py +388 -0
pulumi_vault/mongodbatlas/secret_role.py +726 -0
pulumi_vault/mount.py +1262 -0
pulumi_vault/namespace.py +452 -0
pulumi_vault/nomad_secret_backend.py +1559 -0
pulumi_vault/nomad_secret_role.py +489 -0
pulumi_vault/oci_auth_backend.py +676 -0
pulumi_vault/oci_auth_backend_role.py +852 -0
pulumi_vault/okta/__init__.py +13 -0
pulumi_vault/okta/_inputs.py +320 -0
pulumi_vault/okta/auth_backend.py +1231 -0
pulumi_vault/okta/auth_backend_group.py +369 -0
pulumi_vault/okta/auth_backend_user.py +416 -0
pulumi_vault/okta/outputs.py +244 -0
pulumi_vault/outputs.py +502 -0
pulumi_vault/pkisecret/__init__.py +38 -0
pulumi_vault/pkisecret/_inputs.py +270 -0
pulumi_vault/pkisecret/backend_acme_eab.py +550 -0
pulumi_vault/pkisecret/backend_config_acme.py +690 -0
pulumi_vault/pkisecret/backend_config_auto_tidy.py +1370 -0
pulumi_vault/pkisecret/backend_config_cluster.py +370 -0
pulumi_vault/pkisecret/backend_config_cmpv2.py +693 -0
pulumi_vault/pkisecret/backend_config_est.py +756 -0
pulumi_vault/pkisecret/backend_config_scep.py +738 -0
pulumi_vault/pkisecret/get_backend_cert_metadata.py +277 -0
pulumi_vault/pkisecret/get_backend_config_cmpv2.py +226 -0
pulumi_vault/pkisecret/get_backend_config_est.py +251 -0
pulumi_vault/pkisecret/get_backend_config_scep.py +271 -0
pulumi_vault/pkisecret/get_backend_issuer.py +395 -0
pulumi_vault/pkisecret/get_backend_issuers.py +192 -0
pulumi_vault/pkisecret/get_backend_key.py +211 -0
pulumi_vault/pkisecret/get_backend_keys.py +192 -0
pulumi_vault/pkisecret/outputs.py +270 -0
pulumi_vault/pkisecret/secret_backend_cert.py +1315 -0
pulumi_vault/pkisecret/secret_backend_config_ca.py +386 -0
pulumi_vault/pkisecret/secret_backend_config_issuers.py +392 -0
pulumi_vault/pkisecret/secret_backend_config_urls.py +462 -0
pulumi_vault/pkisecret/secret_backend_crl_config.py +846 -0
pulumi_vault/pkisecret/secret_backend_intermediate_cert_request.py +1629 -0
pulumi_vault/pkisecret/secret_backend_intermediate_set_signed.py +444 -0
pulumi_vault/pkisecret/secret_backend_issuer.py +1089 -0
pulumi_vault/pkisecret/secret_backend_key.py +613 -0
pulumi_vault/pkisecret/secret_backend_role.py +2694 -0
pulumi_vault/pkisecret/secret_backend_root_cert.py +2134 -0
pulumi_vault/pkisecret/secret_backend_root_sign_intermediate.py +2031 -0
pulumi_vault/pkisecret/secret_backend_sign.py +1194 -0
pulumi_vault/plugin.py +596 -0
pulumi_vault/plugin_pinned_version.py +299 -0
pulumi_vault/policy.py +279 -0
pulumi_vault/provider.py +781 -0
pulumi_vault/pulumi-plugin.json +5 -0
pulumi_vault/py.typed +0 -0
pulumi_vault/quota_lease_count.py +504 -0
pulumi_vault/quota_rate_limit.py +751 -0
pulumi_vault/rabbitmq/__init__.py +12 -0
pulumi_vault/rabbitmq/_inputs.py +235 -0
pulumi_vault/rabbitmq/outputs.py +144 -0
pulumi_vault/rabbitmq/secret_backend.py +1437 -0
pulumi_vault/rabbitmq/secret_backend_role.py +496 -0
pulumi_vault/raft_autopilot.py +609 -0
pulumi_vault/raft_snapshot_agent_config.py +1591 -0
pulumi_vault/rgp_policy.py +349 -0
pulumi_vault/saml/__init__.py +12 -0
pulumi_vault/saml/_inputs.py +225 -0
pulumi_vault/saml/auth_backend.py +811 -0
pulumi_vault/saml/auth_backend_role.py +1068 -0
pulumi_vault/saml/outputs.py +174 -0
pulumi_vault/scep_auth_backend_role.py +908 -0
pulumi_vault/secrets/__init__.py +18 -0
pulumi_vault/secrets/_inputs.py +110 -0
pulumi_vault/secrets/outputs.py +94 -0
pulumi_vault/secrets/sync_association.py +450 -0
pulumi_vault/secrets/sync_aws_destination.py +780 -0
pulumi_vault/secrets/sync_azure_destination.py +736 -0
pulumi_vault/secrets/sync_config.py +303 -0
pulumi_vault/secrets/sync_gcp_destination.py +572 -0
pulumi_vault/secrets/sync_gh_destination.py +688 -0
pulumi_vault/secrets/sync_github_apps.py +376 -0
pulumi_vault/secrets/sync_vercel_destination.py +603 -0
pulumi_vault/ssh/__init__.py +13 -0
pulumi_vault/ssh/_inputs.py +76 -0
pulumi_vault/ssh/get_secret_backend_sign.py +294 -0
pulumi_vault/ssh/outputs.py +51 -0
pulumi_vault/ssh/secret_backend_ca.py +588 -0
pulumi_vault/ssh/secret_backend_role.py +1493 -0
pulumi_vault/terraformcloud/__init__.py +11 -0
pulumi_vault/terraformcloud/secret_backend.py +1321 -0
pulumi_vault/terraformcloud/secret_creds.py +445 -0
pulumi_vault/terraformcloud/secret_role.py +563 -0
pulumi_vault/token.py +1026 -0
pulumi_vault/tokenauth/__init__.py +9 -0
pulumi_vault/tokenauth/auth_backend_role.py +1135 -0
pulumi_vault/transform/__init__.py +14 -0
pulumi_vault/transform/alphabet.py +348 -0
pulumi_vault/transform/get_decode.py +287 -0
pulumi_vault/transform/get_encode.py +291 -0
pulumi_vault/transform/role.py +350 -0
pulumi_vault/transform/template.py +592 -0
pulumi_vault/transform/transformation.py +608 -0
pulumi_vault/transit/__init__.py +15 -0
pulumi_vault/transit/get_cmac.py +256 -0
pulumi_vault/transit/get_decrypt.py +181 -0
pulumi_vault/transit/get_encrypt.py +174 -0
pulumi_vault/transit/get_sign.py +328 -0
pulumi_vault/transit/get_verify.py +373 -0
pulumi_vault/transit/secret_backend_key.py +1202 -0
pulumi_vault/transit/secret_cache_config.py +302 -0
pulumi_vault-7.6.0a1764657486.dist-info/METADATA +92 -0
pulumi_vault-7.6.0a1764657486.dist-info/RECORD +274 -0
pulumi_vault-7.6.0a1764657486.dist-info/WHEEL +5 -0
pulumi_vault-7.6.0a1764657486.dist-info/top_level.txt +1 -0

pulumi_vault/azure/backend_role.py ADDED Viewed

@@ -0,0 +1,883 @@
+# coding=utf-8
+# *** WARNING: this file was generated by pulumi-language-python. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+import builtins as _builtins
+import warnings
+import sys
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
+from .. import _utilities
+from . import outputs
+from ._inputs import *
+__all__ = ['BackendRoleArgs', 'BackendRole']
+@pulumi.input_type
+class BackendRoleArgs:
+    def __init__(__self__, *,
+                 role: pulumi.Input[_builtins.str],
+                 application_object_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]]] = None,
+                 azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]]] = None,
+                 backend: Optional[pulumi.Input[_builtins.str]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 explicit_max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 permanently_delete: Optional[pulumi.Input[_builtins.bool]] = None,
+                 persist_app: Optional[pulumi.Input[_builtins.bool]] = None,
+                 sign_in_audience: Optional[pulumi.Input[_builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[_builtins.str]] = None):
+        """
+        The set of arguments for constructing a BackendRole resource.
+        :param pulumi.Input[_builtins.str] role: Name of the Azure role
+        :param pulumi.Input[_builtins.str] application_object_id: Application Object ID for an existing service principal that will
+               be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
+        :param pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]] azure_groups: List of Azure groups to be assigned to the generated service principal.
+        :param pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]] azure_roles: List of Azure roles to be assigned to the generated service principal.
+        :param pulumi.Input[_builtins.str] backend: Path to the mounted Azure auth backend
+        :param pulumi.Input[_builtins.str] description: Human-friendly description of the mount for the backend.
+        :param pulumi.Input[_builtins.str] explicit_max_ttl: Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        :param pulumi.Input[_builtins.str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
+               suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+               *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
+               deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
+        :param pulumi.Input[_builtins.bool] persist_app: If set to true, persists the created service principal and application for the lifetime of the role
+        :param pulumi.Input[_builtins.str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
+               Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        :param pulumi.Input[_builtins.str] ttl: Specifies the default TTL for service principals generated using this role.
+               Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        pulumi.set(__self__, "role", role)
+        if application_object_id is not None:
+            pulumi.set(__self__, "application_object_id", application_object_id)
+        if azure_groups is not None:
+            pulumi.set(__self__, "azure_groups", azure_groups)
+        if azure_roles is not None:
+            pulumi.set(__self__, "azure_roles", azure_roles)
+        if backend is not None:
+            pulumi.set(__self__, "backend", backend)
+        if description is not None:
+            pulumi.set(__self__, "description", description)
+        if explicit_max_ttl is not None:
+            pulumi.set(__self__, "explicit_max_ttl", explicit_max_ttl)
+        if max_ttl is not None:
+            pulumi.set(__self__, "max_ttl", max_ttl)
+        if namespace is not None:
+            pulumi.set(__self__, "namespace", namespace)
+        if permanently_delete is not None:
+            pulumi.set(__self__, "permanently_delete", permanently_delete)
+        if persist_app is not None:
+            pulumi.set(__self__, "persist_app", persist_app)
+        if sign_in_audience is not None:
+            pulumi.set(__self__, "sign_in_audience", sign_in_audience)
+        if tags is not None:
+            pulumi.set(__self__, "tags", tags)
+        if ttl is not None:
+            pulumi.set(__self__, "ttl", ttl)
+    @_builtins.property
+    @pulumi.getter
+    def role(self) -> pulumi.Input[_builtins.str]:
+        """
+        Name of the Azure role
+        """
+        return pulumi.get(self, "role")
+    @role.setter
+    def role(self, value: pulumi.Input[_builtins.str]):
+        pulumi.set(self, "role", value)
+    @_builtins.property
+    @pulumi.getter(name="applicationObjectId")
+    def application_object_id(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Application Object ID for an existing service principal that will
+        be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
+        """
+        return pulumi.get(self, "application_object_id")
+    @application_object_id.setter
+    def application_object_id(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "application_object_id", value)
+    @_builtins.property
+    @pulumi.getter(name="azureGroups")
+    def azure_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]]]:
+        """
+        List of Azure groups to be assigned to the generated service principal.
+        """
+        return pulumi.get(self, "azure_groups")
+    @azure_groups.setter
+    def azure_groups(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]]]):
+        pulumi.set(self, "azure_groups", value)
+    @_builtins.property
+    @pulumi.getter(name="azureRoles")
+    def azure_roles(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]]]:
+        """
+        List of Azure roles to be assigned to the generated service principal.
+        """
+        return pulumi.get(self, "azure_roles")
+    @azure_roles.setter
+    def azure_roles(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]]]):
+        pulumi.set(self, "azure_roles", value)
+    @_builtins.property
+    @pulumi.getter
+    def backend(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Path to the mounted Azure auth backend
+        """
+        return pulumi.get(self, "backend")
+    @backend.setter
+    def backend(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "backend", value)
+    @_builtins.property
+    @pulumi.getter
+    def description(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Human-friendly description of the mount for the backend.
+        """
+        return pulumi.get(self, "description")
+    @description.setter
+    def description(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "description", value)
+    @_builtins.property
+    @pulumi.getter(name="explicitMaxTtl")
+    def explicit_max_ttl(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        """
+        return pulumi.get(self, "explicit_max_ttl")
+    @explicit_max_ttl.setter
+    def explicit_max_ttl(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "explicit_max_ttl", value)
+    @_builtins.property
+    @pulumi.getter(name="maxTtl")
+    def max_ttl(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies the maximum TTL for service principals generated using this role. Accepts time
+        suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+        """
+        return pulumi.get(self, "max_ttl")
+    @max_ttl.setter
+    def max_ttl(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "max_ttl", value)
+    @_builtins.property
+    @pulumi.getter
+    def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The namespace to provision the resource in.
+        The value should not contain leading or trailing forward slashes.
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "namespace")
+    @namespace.setter
+    def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "namespace", value)
+    @_builtins.property
+    @pulumi.getter(name="permanentlyDelete")
+    def permanently_delete(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        Indicates whether the applications and service principals created by Vault will be permanently
+        deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
+        """
+        return pulumi.get(self, "permanently_delete")
+    @permanently_delete.setter
+    def permanently_delete(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "permanently_delete", value)
+    @_builtins.property
+    @pulumi.getter(name="persistApp")
+    def persist_app(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If set to true, persists the created service principal and application for the lifetime of the role
+        """
+        return pulumi.get(self, "persist_app")
+    @persist_app.setter
+    def persist_app(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "persist_app", value)
+    @_builtins.property
+    @pulumi.getter(name="signInAudience")
+    def sign_in_audience(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies the security principal types that are allowed to sign in to the application.
+        Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
+        """
+        return pulumi.get(self, "sign_in_audience")
+    @sign_in_audience.setter
+    def sign_in_audience(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "sign_in_audience", value)
+    @_builtins.property
+    @pulumi.getter
+    def tags(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        """
+        return pulumi.get(self, "tags")
+    @tags.setter
+    def tags(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "tags", value)
+    @_builtins.property
+    @pulumi.getter
+    def ttl(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies the default TTL for service principals generated using this role.
+        Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        return pulumi.get(self, "ttl")
+    @ttl.setter
+    def ttl(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "ttl", value)
+@pulumi.input_type
+class _BackendRoleState:
+    def __init__(__self__, *,
+                 application_object_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]]] = None,
+                 azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]]] = None,
+                 backend: Optional[pulumi.Input[_builtins.str]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 explicit_max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 permanently_delete: Optional[pulumi.Input[_builtins.bool]] = None,
+                 persist_app: Optional[pulumi.Input[_builtins.bool]] = None,
+                 role: Optional[pulumi.Input[_builtins.str]] = None,
+                 sign_in_audience: Optional[pulumi.Input[_builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[_builtins.str]] = None):
+        """
+        Input properties used for looking up and filtering BackendRole resources.
+        :param pulumi.Input[_builtins.str] application_object_id: Application Object ID for an existing service principal that will
+               be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
+        :param pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]] azure_groups: List of Azure groups to be assigned to the generated service principal.
+        :param pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]] azure_roles: List of Azure roles to be assigned to the generated service principal.
+        :param pulumi.Input[_builtins.str] backend: Path to the mounted Azure auth backend
+        :param pulumi.Input[_builtins.str] description: Human-friendly description of the mount for the backend.
+        :param pulumi.Input[_builtins.str] explicit_max_ttl: Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        :param pulumi.Input[_builtins.str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
+               suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+               *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
+               deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
+        :param pulumi.Input[_builtins.bool] persist_app: If set to true, persists the created service principal and application for the lifetime of the role
+        :param pulumi.Input[_builtins.str] role: Name of the Azure role
+        :param pulumi.Input[_builtins.str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
+               Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        :param pulumi.Input[_builtins.str] ttl: Specifies the default TTL for service principals generated using this role.
+               Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        if application_object_id is not None:
+            pulumi.set(__self__, "application_object_id", application_object_id)
+        if azure_groups is not None:
+            pulumi.set(__self__, "azure_groups", azure_groups)
+        if azure_roles is not None:
+            pulumi.set(__self__, "azure_roles", azure_roles)
+        if backend is not None:
+            pulumi.set(__self__, "backend", backend)
+        if description is not None:
+            pulumi.set(__self__, "description", description)
+        if explicit_max_ttl is not None:
+            pulumi.set(__self__, "explicit_max_ttl", explicit_max_ttl)
+        if max_ttl is not None:
+            pulumi.set(__self__, "max_ttl", max_ttl)
+        if namespace is not None:
+            pulumi.set(__self__, "namespace", namespace)
+        if permanently_delete is not None:
+            pulumi.set(__self__, "permanently_delete", permanently_delete)
+        if persist_app is not None:
+            pulumi.set(__self__, "persist_app", persist_app)
+        if role is not None:
+            pulumi.set(__self__, "role", role)
+        if sign_in_audience is not None:
+            pulumi.set(__self__, "sign_in_audience", sign_in_audience)
+        if tags is not None:
+            pulumi.set(__self__, "tags", tags)
+        if ttl is not None:
+            pulumi.set(__self__, "ttl", ttl)
+    @_builtins.property
+    @pulumi.getter(name="applicationObjectId")
+    def application_object_id(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Application Object ID for an existing service principal that will
+        be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
+        """
+        return pulumi.get(self, "application_object_id")
+    @application_object_id.setter
+    def application_object_id(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "application_object_id", value)
+    @_builtins.property
+    @pulumi.getter(name="azureGroups")
+    def azure_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]]]:
+        """
+        List of Azure groups to be assigned to the generated service principal.
+        """
+        return pulumi.get(self, "azure_groups")
+    @azure_groups.setter
+    def azure_groups(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureGroupArgs']]]]):
+        pulumi.set(self, "azure_groups", value)
+    @_builtins.property
+    @pulumi.getter(name="azureRoles")
+    def azure_roles(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]]]:
+        """
+        List of Azure roles to be assigned to the generated service principal.
+        """
+        return pulumi.get(self, "azure_roles")
+    @azure_roles.setter
+    def azure_roles(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['BackendRoleAzureRoleArgs']]]]):
+        pulumi.set(self, "azure_roles", value)
+    @_builtins.property
+    @pulumi.getter
+    def backend(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Path to the mounted Azure auth backend
+        """
+        return pulumi.get(self, "backend")
+    @backend.setter
+    def backend(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "backend", value)
+    @_builtins.property
+    @pulumi.getter
+    def description(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Human-friendly description of the mount for the backend.
+        """
+        return pulumi.get(self, "description")
+    @description.setter
+    def description(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "description", value)
+    @_builtins.property
+    @pulumi.getter(name="explicitMaxTtl")
+    def explicit_max_ttl(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        """
+        return pulumi.get(self, "explicit_max_ttl")
+    @explicit_max_ttl.setter
+    def explicit_max_ttl(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "explicit_max_ttl", value)
+    @_builtins.property
+    @pulumi.getter(name="maxTtl")
+    def max_ttl(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies the maximum TTL for service principals generated using this role. Accepts time
+        suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+        """
+        return pulumi.get(self, "max_ttl")
+    @max_ttl.setter
+    def max_ttl(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "max_ttl", value)
+    @_builtins.property
+    @pulumi.getter
+    def namespace(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The namespace to provision the resource in.
+        The value should not contain leading or trailing forward slashes.
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "namespace")
+    @namespace.setter
+    def namespace(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "namespace", value)
+    @_builtins.property
+    @pulumi.getter(name="permanentlyDelete")
+    def permanently_delete(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        Indicates whether the applications and service principals created by Vault will be permanently
+        deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
+        """
+        return pulumi.get(self, "permanently_delete")
+    @permanently_delete.setter
+    def permanently_delete(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "permanently_delete", value)
+    @_builtins.property
+    @pulumi.getter(name="persistApp")
+    def persist_app(self) -> Optional[pulumi.Input[_builtins.bool]]:
+        """
+        If set to true, persists the created service principal and application for the lifetime of the role
+        """
+        return pulumi.get(self, "persist_app")
+    @persist_app.setter
+    def persist_app(self, value: Optional[pulumi.Input[_builtins.bool]]):
+        pulumi.set(self, "persist_app", value)
+    @_builtins.property
+    @pulumi.getter
+    def role(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Name of the Azure role
+        """
+        return pulumi.get(self, "role")
+    @role.setter
+    def role(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "role", value)
+    @_builtins.property
+    @pulumi.getter(name="signInAudience")
+    def sign_in_audience(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies the security principal types that are allowed to sign in to the application.
+        Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
+        """
+        return pulumi.get(self, "sign_in_audience")
+    @sign_in_audience.setter
+    def sign_in_audience(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "sign_in_audience", value)
+    @_builtins.property
+    @pulumi.getter
+    def tags(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+        """
+        A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        """
+        return pulumi.get(self, "tags")
+    @tags.setter
+    def tags(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+        pulumi.set(self, "tags", value)
+    @_builtins.property
+    @pulumi.getter
+    def ttl(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        Specifies the default TTL for service principals generated using this role.
+        Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        return pulumi.get(self, "ttl")
+    @ttl.setter
+    def ttl(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "ttl", value)
+@pulumi.type_token("vault:azure/backendRole:BackendRole")
+class BackendRole(pulumi.CustomResource):
+    @overload
+    def __init__(__self__,
+                 resource_name: str,
+                 opts: Optional[pulumi.ResourceOptions] = None,
+                 application_object_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]]] = None,
+                 azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]]] = None,
+                 backend: Optional[pulumi.Input[_builtins.str]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 explicit_max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 permanently_delete: Optional[pulumi.Input[_builtins.bool]] = None,
+                 persist_app: Optional[pulumi.Input[_builtins.bool]] = None,
+                 role: Optional[pulumi.Input[_builtins.str]] = None,
+                 sign_in_audience: Optional[pulumi.Input[_builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 __props__=None):
+        """
+        ## Example Usage
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+        azure = vault.azure.Backend("azure",
+            subscription_id=subscription_id,
+            tenant_id=tenant_id,
+            client_secret=client_secret,
+            client_id=client_id)
+        generated_role = vault.azure.BackendRole("generated_role",
+            backend=azure.path,
+            role="generated_role",
+            sign_in_audience="AzureADMyOrg",
+            tags=[
+                "team:engineering",
+                "environment:development",
+            ],
+            ttl="300",
+            max_ttl="600",
+            azure_roles=[{
+                "role_name": "Reader",
+                "scope": f"/subscriptions/{subscription_id}/resourceGroups/azure-vault-group",
+            }])
+        existing_object_id = vault.azure.BackendRole("existing_object_id",
+            backend=azure.path,
+            role="existing_object_id",
+            application_object_id="11111111-2222-3333-4444-44444444444",
+            ttl="300",
+            max_ttl="600")
+        ```
+        :param str resource_name: The name of the resource.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[_builtins.str] application_object_id: Application Object ID for an existing service principal that will
+               be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
+        :param pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]] azure_groups: List of Azure groups to be assigned to the generated service principal.
+        :param pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]] azure_roles: List of Azure roles to be assigned to the generated service principal.
+        :param pulumi.Input[_builtins.str] backend: Path to the mounted Azure auth backend
+        :param pulumi.Input[_builtins.str] description: Human-friendly description of the mount for the backend.
+        :param pulumi.Input[_builtins.str] explicit_max_ttl: Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        :param pulumi.Input[_builtins.str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
+               suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+               *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
+               deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
+        :param pulumi.Input[_builtins.bool] persist_app: If set to true, persists the created service principal and application for the lifetime of the role
+        :param pulumi.Input[_builtins.str] role: Name of the Azure role
+        :param pulumi.Input[_builtins.str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
+               Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        :param pulumi.Input[_builtins.str] ttl: Specifies the default TTL for service principals generated using this role.
+               Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        ...
+    @overload
+    def __init__(__self__,
+                 resource_name: str,
+                 args: BackendRoleArgs,
+                 opts: Optional[pulumi.ResourceOptions] = None):
+        """
+        ## Example Usage
+        ```python
+        import pulumi
+        import pulumi_vault as vault
+        azure = vault.azure.Backend("azure",
+            subscription_id=subscription_id,
+            tenant_id=tenant_id,
+            client_secret=client_secret,
+            client_id=client_id)
+        generated_role = vault.azure.BackendRole("generated_role",
+            backend=azure.path,
+            role="generated_role",
+            sign_in_audience="AzureADMyOrg",
+            tags=[
+                "team:engineering",
+                "environment:development",
+            ],
+            ttl="300",
+            max_ttl="600",
+            azure_roles=[{
+                "role_name": "Reader",
+                "scope": f"/subscriptions/{subscription_id}/resourceGroups/azure-vault-group",
+            }])
+        existing_object_id = vault.azure.BackendRole("existing_object_id",
+            backend=azure.path,
+            role="existing_object_id",
+            application_object_id="11111111-2222-3333-4444-44444444444",
+            ttl="300",
+            max_ttl="600")
+        ```
+        :param str resource_name: The name of the resource.
+        :param BackendRoleArgs args: The arguments to use to populate this resource's properties.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        """
+        ...
+    def __init__(__self__, resource_name: str, *args, **kwargs):
+        resource_args, opts = _utilities.get_resource_args_opts(BackendRoleArgs, pulumi.ResourceOptions, *args, **kwargs)
+        if resource_args is not None:
+            __self__._internal_init(resource_name, opts, **resource_args.__dict__)
+        else:
+            __self__._internal_init(resource_name, *args, **kwargs)
+    def _internal_init(__self__,
+                 resource_name: str,
+                 opts: Optional[pulumi.ResourceOptions] = None,
+                 application_object_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]]] = None,
+                 azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]]] = None,
+                 backend: Optional[pulumi.Input[_builtins.str]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 explicit_max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 namespace: Optional[pulumi.Input[_builtins.str]] = None,
+                 permanently_delete: Optional[pulumi.Input[_builtins.bool]] = None,
+                 persist_app: Optional[pulumi.Input[_builtins.bool]] = None,
+                 role: Optional[pulumi.Input[_builtins.str]] = None,
+                 sign_in_audience: Optional[pulumi.Input[_builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 ttl: Optional[pulumi.Input[_builtins.str]] = None,
+                 __props__=None):
+        opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
+        if not isinstance(opts, pulumi.ResourceOptions):
+            raise TypeError('Expected resource options to be a ResourceOptions instance')
+        if opts.id is None:
+            if __props__ is not None:
+                raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource')
+            __props__ = BackendRoleArgs.__new__(BackendRoleArgs)
+            __props__.__dict__["application_object_id"] = application_object_id
+            __props__.__dict__["azure_groups"] = azure_groups
+            __props__.__dict__["azure_roles"] = azure_roles
+            __props__.__dict__["backend"] = backend
+            __props__.__dict__["description"] = description
+            __props__.__dict__["explicit_max_ttl"] = explicit_max_ttl
+            __props__.__dict__["max_ttl"] = max_ttl
+            __props__.__dict__["namespace"] = namespace
+            __props__.__dict__["permanently_delete"] = permanently_delete
+            __props__.__dict__["persist_app"] = persist_app
+            if role is None and not opts.urn:
+                raise TypeError("Missing required property 'role'")
+            __props__.__dict__["role"] = role
+            __props__.__dict__["sign_in_audience"] = sign_in_audience
+            __props__.__dict__["tags"] = tags
+            __props__.__dict__["ttl"] = ttl
+        super(BackendRole, __self__).__init__(
+            'vault:azure/backendRole:BackendRole',
+            resource_name,
+            __props__,
+            opts)
+    @staticmethod
+    def get(resource_name: str,
+            id: pulumi.Input[str],
+            opts: Optional[pulumi.ResourceOptions] = None,
+            application_object_id: Optional[pulumi.Input[_builtins.str]] = None,
+            azure_groups: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]]] = None,
+            azure_roles: Optional[pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]]] = None,
+            backend: Optional[pulumi.Input[_builtins.str]] = None,
+            description: Optional[pulumi.Input[_builtins.str]] = None,
+            explicit_max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+            max_ttl: Optional[pulumi.Input[_builtins.str]] = None,
+            namespace: Optional[pulumi.Input[_builtins.str]] = None,
+            permanently_delete: Optional[pulumi.Input[_builtins.bool]] = None,
+            persist_app: Optional[pulumi.Input[_builtins.bool]] = None,
+            role: Optional[pulumi.Input[_builtins.str]] = None,
+            sign_in_audience: Optional[pulumi.Input[_builtins.str]] = None,
+            tags: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            ttl: Optional[pulumi.Input[_builtins.str]] = None) -> 'BackendRole':
+        """
+        Get an existing BackendRole resource's state with the given name, id, and optional extra
+        properties used to qualify the lookup.
+        :param str resource_name: The unique name of the resulting resource.
+        :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[_builtins.str] application_object_id: Application Object ID for an existing service principal that will
+               be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
+        :param pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureGroupArgs', 'BackendRoleAzureGroupArgsDict']]]] azure_groups: List of Azure groups to be assigned to the generated service principal.
+        :param pulumi.Input[Sequence[pulumi.Input[Union['BackendRoleAzureRoleArgs', 'BackendRoleAzureRoleArgsDict']]]] azure_roles: List of Azure roles to be assigned to the generated service principal.
+        :param pulumi.Input[_builtins.str] backend: Path to the mounted Azure auth backend
+        :param pulumi.Input[_builtins.str] description: Human-friendly description of the mount for the backend.
+        :param pulumi.Input[_builtins.str] explicit_max_ttl: Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        :param pulumi.Input[_builtins.str] max_ttl: Specifies the maximum TTL for service principals generated using this role. Accepts time
+               suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+        :param pulumi.Input[_builtins.str] namespace: The namespace to provision the resource in.
+               The value should not contain leading or trailing forward slashes.
+               The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+               *Available only for Vault Enterprise*.
+        :param pulumi.Input[_builtins.bool] permanently_delete: Indicates whether the applications and service principals created by Vault will be permanently
+               deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
+        :param pulumi.Input[_builtins.bool] persist_app: If set to true, persists the created service principal and application for the lifetime of the role
+        :param pulumi.Input[_builtins.str] role: Name of the Azure role
+        :param pulumi.Input[_builtins.str] sign_in_audience: Specifies the security principal types that are allowed to sign in to the application.
+               Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] tags: A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        :param pulumi.Input[_builtins.str] ttl: Specifies the default TTL for service principals generated using this role.
+               Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
+        __props__ = _BackendRoleState.__new__(_BackendRoleState)
+        __props__.__dict__["application_object_id"] = application_object_id
+        __props__.__dict__["azure_groups"] = azure_groups
+        __props__.__dict__["azure_roles"] = azure_roles
+        __props__.__dict__["backend"] = backend
+        __props__.__dict__["description"] = description
+        __props__.__dict__["explicit_max_ttl"] = explicit_max_ttl
+        __props__.__dict__["max_ttl"] = max_ttl
+        __props__.__dict__["namespace"] = namespace
+        __props__.__dict__["permanently_delete"] = permanently_delete
+        __props__.__dict__["persist_app"] = persist_app
+        __props__.__dict__["role"] = role
+        __props__.__dict__["sign_in_audience"] = sign_in_audience
+        __props__.__dict__["tags"] = tags
+        __props__.__dict__["ttl"] = ttl
+        return BackendRole(resource_name, opts=opts, __props__=__props__)
+    @_builtins.property
+    @pulumi.getter(name="applicationObjectId")
+    def application_object_id(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Application Object ID for an existing service principal that will
+        be used instead of creating dynamic service principals. If present, `azure_roles` and `permanently_delete` will be ignored.
+        """
+        return pulumi.get(self, "application_object_id")
+    @_builtins.property
+    @pulumi.getter(name="azureGroups")
+    def azure_groups(self) -> pulumi.Output[Optional[Sequence['outputs.BackendRoleAzureGroup']]]:
+        """
+        List of Azure groups to be assigned to the generated service principal.
+        """
+        return pulumi.get(self, "azure_groups")
+    @_builtins.property
+    @pulumi.getter(name="azureRoles")
+    def azure_roles(self) -> pulumi.Output[Optional[Sequence['outputs.BackendRoleAzureRole']]]:
+        """
+        List of Azure roles to be assigned to the generated service principal.
+        """
+        return pulumi.get(self, "azure_roles")
+    @_builtins.property
+    @pulumi.getter
+    def backend(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Path to the mounted Azure auth backend
+        """
+        return pulumi.get(self, "backend")
+    @_builtins.property
+    @pulumi.getter
+    def description(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Human-friendly description of the mount for the backend.
+        """
+        return pulumi.get(self, "description")
+    @_builtins.property
+    @pulumi.getter(name="explicitMaxTtl")
+    def explicit_max_ttl(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
+        """
+        return pulumi.get(self, "explicit_max_ttl")
+    @_builtins.property
+    @pulumi.getter(name="maxTtl")
+    def max_ttl(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Specifies the maximum TTL for service principals generated using this role. Accepts time
+        suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+        """
+        return pulumi.get(self, "max_ttl")
+    @_builtins.property
+    @pulumi.getter
+    def namespace(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        The namespace to provision the resource in.
+        The value should not contain leading or trailing forward slashes.
+        The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
+        *Available only for Vault Enterprise*.
+        """
+        return pulumi.get(self, "namespace")
+    @_builtins.property
+    @pulumi.getter(name="permanentlyDelete")
+    def permanently_delete(self) -> pulumi.Output[_builtins.bool]:
+        """
+        Indicates whether the applications and service principals created by Vault will be permanently
+        deleted when the corresponding leases expire. Defaults to `false`. For Vault v1.12+.
+        """
+        return pulumi.get(self, "permanently_delete")
+    @_builtins.property
+    @pulumi.getter(name="persistApp")
+    def persist_app(self) -> pulumi.Output[Optional[_builtins.bool]]:
+        """
+        If set to true, persists the created service principal and application for the lifetime of the role
+        """
+        return pulumi.get(self, "persist_app")
+    @_builtins.property
+    @pulumi.getter
+    def role(self) -> pulumi.Output[_builtins.str]:
+        """
+        Name of the Azure role
+        """
+        return pulumi.get(self, "role")
+    @_builtins.property
+    @pulumi.getter(name="signInAudience")
+    def sign_in_audience(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Specifies the security principal types that are allowed to sign in to the application.
+        Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
+        """
+        return pulumi.get(self, "sign_in_audience")
+    @_builtins.property
+    @pulumi.getter
+    def tags(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+        """
+        A list of Azure tags to attach to an application. Requires Vault 1.16+.
+        """
+        return pulumi.get(self, "tags")
+    @_builtins.property
+    @pulumi.getter
+    def ttl(self) -> pulumi.Output[Optional[_builtins.str]]:
+        """
+        Specifies the default TTL for service principals generated using this role.
+        Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        return pulumi.get(self, "ttl")