Docs
Packagesvault.gcp.AuthBackend
Explore with Pulumi AI
Provides a resource to configure the GCP auth backend within Vault.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as vault from "@pulumi/vault";
const gcp = new vault.gcp.AuthBackend("gcp", {
credentials: fs.readFileSync("vault-gcp-credentials.json", "utf8"),
customEndpoint: {
api: "www.googleapis.com",
iam: "iam.googleapis.com",
crm: "cloudresourcemanager.googleapis.com",
compute: "compute.googleapis.com",
},
});
import pulumi
import pulumi_vault as vault
gcp = vault.gcp.AuthBackend("gcp",
credentials=(lambda path: open(path).read())("vault-gcp-credentials.json"),
custom_endpoint=vault.gcp.AuthBackendCustomEndpointArgs(
api="www.googleapis.com",
iam="iam.googleapis.com",
crm="cloudresourcemanager.googleapis.com",
compute="compute.googleapis.com",
))
package main
import (
"os"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func readFileOrPanic(path string) pulumi.StringPtrInput {
data, err := os.ReadFile(path)
if err != nil {
panic(err.Error())
}
return pulumi.String(string(data))
}
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gcp.NewAuthBackend(ctx, "gcp", &gcp.AuthBackendArgs{
Credentials: readFileOrPanic("vault-gcp-credentials.json"),
CustomEndpoint: &gcp.AuthBackendCustomEndpointArgs{
Api: pulumi.String("www.googleapis.com"),
Iam: pulumi.String("iam.googleapis.com"),
Crm: pulumi.String("cloudresourcemanager.googleapis.com"),
Compute: pulumi.String("compute.googleapis.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var gcp = new Vault.Gcp.AuthBackend("gcp", new()
{
Credentials = File.ReadAllText("vault-gcp-credentials.json"),
CustomEndpoint = new Vault.Gcp.Inputs.AuthBackendCustomEndpointArgs
{
Api = "www.googleapis.com",
Iam = "iam.googleapis.com",
Crm = "cloudresourcemanager.googleapis.com",
Compute = "compute.googleapis.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.AuthBackend;
import com.pulumi.vault.gcp.AuthBackendArgs;
import com.pulumi.vault.gcp.inputs.AuthBackendCustomEndpointArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gcp = new AuthBackend("gcp", AuthBackendArgs.builder()
.credentials(Files.readString(Paths.get("vault-gcp-credentials.json")))
.customEndpoint(AuthBackendCustomEndpointArgs.builder()
.api("www.googleapis.com")
.iam("iam.googleapis.com")
.crm("cloudresourcemanager.googleapis.com")
.compute("compute.googleapis.com")
.build())
.build());
}
}
resources:
gcp:
type: vault:gcp:AuthBackend
properties:
credentials:
fn::readFile: vault-gcp-credentials.json
customEndpoint:
api: www.googleapis.com
iam: iam.googleapis.com
crm: cloudresourcemanager.googleapis.com
compute: compute.googleapis.com
Create AuthBackend Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);@overload
def AuthBackend(resource_name: str,
args: Optional[AuthBackendArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def AuthBackend(resource_name: str,
opts: Optional[ResourceOptions] = None,
client_email: Optional[str] = None,
client_id: Optional[str] = None,
credentials: Optional[str] = None,
custom_endpoint: Optional[AuthBackendCustomEndpointArgs] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
local: Optional[bool] = None,
namespace: Optional[str] = None,
path: Optional[str] = None,
private_key_id: Optional[str] = None,
project_id: Optional[str] = None,
tune: Optional[AuthBackendTuneArgs] = None)func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)
public AuthBackend(String name, AuthBackendArgs args)
public AuthBackend(String name, AuthBackendArgs args, CustomResourceOptions options)
type: vault:gcp:AuthBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
var authBackendResource = new Vault.Gcp.AuthBackend("authBackendResource", new()
{
ClientEmail = "string",
ClientId = "string",
Credentials = "string",
CustomEndpoint = new Vault.Gcp.Inputs.AuthBackendCustomEndpointArgs
{
Api = "string",
Compute = "string",
Crm = "string",
Iam = "string",
},
Description = "string",
DisableRemount = false,
Local = false,
Namespace = "string",
Path = "string",
PrivateKeyId = "string",
ProjectId = "string",
Tune = new Vault.Gcp.Inputs.AuthBackendTuneArgs
{
AllowedResponseHeaders = new[]
{
"string",
},
AuditNonHmacRequestKeys = new[]
{
"string",
},
AuditNonHmacResponseKeys = new[]
{
"string",
},
DefaultLeaseTtl = "string",
ListingVisibility = "string",
MaxLeaseTtl = "string",
PassthroughRequestHeaders = new[]
{
"string",
},
TokenType = "string",
},
});
example, err := gcp.NewAuthBackend(ctx, "authBackendResource", &gcp.AuthBackendArgs{
ClientEmail: pulumi.String("string"),
ClientId: pulumi.String("string"),
Credentials: pulumi.String("string"),
CustomEndpoint: &gcp.AuthBackendCustomEndpointArgs{
Api: pulumi.String("string"),
Compute: pulumi.String("string"),
Crm: pulumi.String("string"),
Iam: pulumi.String("string"),
},
Description: pulumi.String("string"),
DisableRemount: pulumi.Bool(false),
Local: pulumi.Bool(false),
Namespace: pulumi.String("string"),
Path: pulumi.String("string"),
PrivateKeyId: pulumi.String("string"),
ProjectId: pulumi.String("string"),
Tune: &gcp.AuthBackendTuneArgs{
AllowedResponseHeaders: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacRequestKeys: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacResponseKeys: pulumi.StringArray{
pulumi.String("string"),
},
DefaultLeaseTtl: pulumi.String("string"),
ListingVisibility: pulumi.String("string"),
MaxLeaseTtl: pulumi.String("string"),
PassthroughRequestHeaders: pulumi.StringArray{
pulumi.String("string"),
},
TokenType: pulumi.String("string"),
},
})
var authBackendResource = new AuthBackend("authBackendResource", AuthBackendArgs.builder()
.clientEmail("string")
.clientId("string")
.credentials("string")
.customEndpoint(AuthBackendCustomEndpointArgs.builder()
.api("string")
.compute("string")
.crm("string")
.iam("string")
.build())
.description("string")
.disableRemount(false)
.local(false)
.namespace("string")
.path("string")
.privateKeyId("string")
.projectId("string")
.tune(AuthBackendTuneArgs.builder()
.allowedResponseHeaders("string")
.auditNonHmacRequestKeys("string")
.auditNonHmacResponseKeys("string")
.defaultLeaseTtl("string")
.listingVisibility("string")
.maxLeaseTtl("string")
.passthroughRequestHeaders("string")
.tokenType("string")
.build())
.build());
auth_backend_resource = vault.gcp.AuthBackend("authBackendResource",
client_email="string",
client_id="string",
credentials="string",
custom_endpoint=vault.gcp.AuthBackendCustomEndpointArgs(
api="string",
compute="string",
crm="string",
iam="string",
),
description="string",
disable_remount=False,
local=False,
namespace="string",
path="string",
private_key_id="string",
project_id="string",
tune=vault.gcp.AuthBackendTuneArgs(
allowed_response_headers=["string"],
audit_non_hmac_request_keys=["string"],
audit_non_hmac_response_keys=["string"],
default_lease_ttl="string",
listing_visibility="string",
max_lease_ttl="string",
passthrough_request_headers=["string"],
token_type="string",
))
const authBackendResource = new vault.gcp.AuthBackend("authBackendResource", {
clientEmail: "string",
clientId: "string",
credentials: "string",
customEndpoint: {
api: "string",
compute: "string",
crm: "string",
iam: "string",
},
description: "string",
disableRemount: false,
local: false,
namespace: "string",
path: "string",
privateKeyId: "string",
projectId: "string",
tune: {
allowedResponseHeaders: ["string"],
auditNonHmacRequestKeys: ["string"],
auditNonHmacResponseKeys: ["string"],
defaultLeaseTtl: "string",
listingVisibility: "string",
maxLeaseTtl: "string",
passthroughRequestHeaders: ["string"],
tokenType: "string",
},
});
type: vault:gcp:AuthBackend
properties:
clientEmail: string
clientId: string
credentials: string
customEndpoint:
api: string
compute: string
crm: string
iam: string
description: string
disableRemount: false
local: false
namespace: string
path: string
privateKeyId: string
projectId: string
tune:
allowedResponseHeaders:
- string
auditNonHmacRequestKeys:
- string
auditNonHmacResponseKeys:
- string
defaultLeaseTtl: string
listingVisibility: string
maxLeaseTtl: string
passthroughRequestHeaders:
- string
tokenType: string
AuthBackend Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The AuthBackend resource accepts the following input properties:
- Client
Email string - The clients email associated with the credentials
- Client
Id string - The Client ID of the credentials
- Credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- Custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- Description string
- A description of the auth method.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Path string
- The path to mount the auth method — this defaults to 'gcp'.
- Private
Key stringId - The ID of the private key from the credentials
- Project
Id string - The GCP Project ID
- Tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- Client
Email string - The clients email associated with the credentials
- Client
Id string - The Client ID of the credentials
- Credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- Custom
Endpoint AuthBackend Custom Endpoint Args Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- Description string
- A description of the auth method.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Path string
- The path to mount the auth method — this defaults to 'gcp'.
- Private
Key stringId - The ID of the private key from the credentials
- Project
Id string - The GCP Project ID
- Tune
Auth
Backend Tune Args Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- client
Email String - The clients email associated with the credentials
- client
Id String - The Client ID of the credentials
- credentials String
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description String
- A description of the auth method.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - path String
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key StringId - The ID of the private key from the credentials
- project
Id String - The GCP Project ID
- tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- client
Email string - The clients email associated with the credentials
- client
Id string - The Client ID of the credentials
- credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description string
- A description of the auth method.
- disable
Remount boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- local boolean
- Specifies if the auth method is local only.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - path string
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key stringId - The ID of the private key from the credentials
- project
Id string - The GCP Project ID
- tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- client_
email str - The clients email associated with the credentials
- client_
id str - The Client ID of the credentials
- credentials str
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom_
endpoint AuthBackend Custom Endpoint Args Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description str
- A description of the auth method.
- disable_
remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- local bool
- Specifies if the auth method is local only.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - path str
- The path to mount the auth method — this defaults to 'gcp'.
- private_
key_ strid - The ID of the private key from the credentials
- project_
id str - The GCP Project ID
- tune
Auth
Backend Tune Args Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- client
Email String - The clients email associated with the credentials
- client
Id String - The Client ID of the credentials
- credentials String
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint Property Map Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description String
- A description of the auth method.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - path String
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key StringId - The ID of the private key from the credentials
- project
Id String - The GCP Project ID
- tune Property Map
Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
Outputs
All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:
- Accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- Id string
- The provider-assigned unique ID for this managed resource.
- Accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- Id string
- The provider-assigned unique ID for this managed resource.
- accessor String
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- id String
- The provider-assigned unique ID for this managed resource.
- accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- id string
- The provider-assigned unique ID for this managed resource.
- accessor str
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- id str
- The provider-assigned unique ID for this managed resource.
- accessor String
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing AuthBackend Resource
Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accessor: Optional[str] = None,
client_email: Optional[str] = None,
client_id: Optional[str] = None,
credentials: Optional[str] = None,
custom_endpoint: Optional[AuthBackendCustomEndpointArgs] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
local: Optional[bool] = None,
namespace: Optional[str] = None,
path: Optional[str] = None,
private_key_id: Optional[str] = None,
project_id: Optional[str] = None,
tune: Optional[AuthBackendTuneArgs] = None) -> AuthBackendfunc GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)public static AuthBackend get(String name, Output<String> id, AuthBackendState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- Client
Email string - The clients email associated with the credentials
- Client
Id string - The Client ID of the credentials
- Credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- Custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- Description string
- A description of the auth method.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Path string
- The path to mount the auth method — this defaults to 'gcp'.
- Private
Key stringId - The ID of the private key from the credentials
- Project
Id string - The GCP Project ID
- Tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- Accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- Client
Email string - The clients email associated with the credentials
- Client
Id string - The Client ID of the credentials
- Credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- Custom
Endpoint AuthBackend Custom Endpoint Args Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- Description string
- A description of the auth method.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - Path string
- The path to mount the auth method — this defaults to 'gcp'.
- Private
Key stringId - The ID of the private key from the credentials
- Project
Id string - The GCP Project ID
- Tune
Auth
Backend Tune Args Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- accessor String
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- client
Email String - The clients email associated with the credentials
- client
Id String - The Client ID of the credentials
- credentials String
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description String
- A description of the auth method.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - path String
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key StringId - The ID of the private key from the credentials
- project
Id String - The GCP Project ID
- tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- client
Email string - The clients email associated with the credentials
- client
Id string - The Client ID of the credentials
- credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description string
- A description of the auth method.
- disable
Remount boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- local boolean
- Specifies if the auth method is local only.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - path string
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key stringId - The ID of the private key from the credentials
- project
Id string - The GCP Project ID
- tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- accessor str
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- client_
email str - The clients email associated with the credentials
- client_
id str - The Client ID of the credentials
- credentials str
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom_
endpoint AuthBackend Custom Endpoint Args Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description str
- A description of the auth method.
- disable_
remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- local bool
- Specifies if the auth method is local only.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - path str
- The path to mount the auth method — this defaults to 'gcp'.
- private_
key_ strid - The ID of the private key from the credentials
- project_
id str - The GCP Project ID
- tune
Auth
Backend Tune Args Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
- accessor String
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- client
Email String - The clients email associated with the credentials
- client
Id String - The Client ID of the credentials
- credentials String
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint Property Map Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description String
- A description of the auth method.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise. - path String
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key StringId - The ID of the private key from the credentials
- project
Id String - The GCP Project ID
- tune Property Map
Extra configuration block. Structure is documented below.
The
tuneblock is used to tune the auth backend:
Supporting Types
AuthBackendCustomEndpoint, AuthBackendCustomEndpointArgs
- Api string
- Replaces the service endpoint used in API requests to
https://www.googleapis.com. - Compute string
Replaces the service endpoint used in API requests to
https://compute.googleapis.com.The endpoint value provided for a given key has the form of
scheme://host:port. Thescheme://and:portportions of the endpoint value are optional.- Crm string
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com. - Iam string
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com.
- Api string
- Replaces the service endpoint used in API requests to
https://www.googleapis.com. - Compute string
Replaces the service endpoint used in API requests to
https://compute.googleapis.com.The endpoint value provided for a given key has the form of
scheme://host:port. Thescheme://and:portportions of the endpoint value are optional.- Crm string
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com. - Iam string
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com.
- api String
- Replaces the service endpoint used in API requests to
https://www.googleapis.com. - compute String
Replaces the service endpoint used in API requests to
https://compute.googleapis.com.The endpoint value provided for a given key has the form of
scheme://host:port. Thescheme://and:portportions of the endpoint value are optional.- crm String
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com. - iam String
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com.
- api string
- Replaces the service endpoint used in API requests to
https://www.googleapis.com. - compute string
Replaces the service endpoint used in API requests to
https://compute.googleapis.com.The endpoint value provided for a given key has the form of
scheme://host:port. Thescheme://and:portportions of the endpoint value are optional.- crm string
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com. - iam string
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com.
- api str
- Replaces the service endpoint used in API requests to
https://www.googleapis.com. - compute str
Replaces the service endpoint used in API requests to
https://compute.googleapis.com.The endpoint value provided for a given key has the form of
scheme://host:port. Thescheme://and:portportions of the endpoint value are optional.- crm str
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com. - iam str
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com.
- api String
- Replaces the service endpoint used in API requests to
https://www.googleapis.com. - compute String
Replaces the service endpoint used in API requests to
https://compute.googleapis.com.The endpoint value provided for a given key has the form of
scheme://host:port. Thescheme://and:portportions of the endpoint value are optional.- crm String
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com. - iam String
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com.
AuthBackendTune, AuthBackendTuneArgs
- Allowed
Response List<string>Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- Audit
Non List<string>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non List<string>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease stringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- Max
Lease stringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- Passthrough
Request List<string>Headers - List of headers to whitelist and pass from the request to the backend.
- Token
Type string Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- Allowed
Response []stringHeaders - List of headers to whitelist and allowing a plugin to include them in the response.
- Audit
Non []stringHmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease stringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- Max
Lease stringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- Passthrough
Request []stringHeaders - List of headers to whitelist and pass from the request to the backend.
- Token
Type string Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- allowed
Response List<String>Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease StringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease StringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request List<String>Headers - List of headers to whitelist and pass from the request to the backend.
- token
Type String Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- allowed
Response string[]Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non string[]Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease stringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease stringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request string[]Headers - List of headers to whitelist and pass from the request to the backend.
- token
Type string Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- allowed_
response_ Sequence[str]headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit_
non_ Sequence[str]hmac_ request_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default_
lease_ strttl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing_
visibility str - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max_
lease_ strttl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough_
request_ Sequence[str]headers - List of headers to whitelist and pass from the request to the backend.
- token_
type str Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- allowed
Response List<String>Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease StringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease StringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request List<String>Headers - List of headers to whitelist and pass from the request to the backend.
- token
Type String Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
Import
GCP authentication backends can be imported using the backend name, e.g.
$ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vaultTerraform Provider.