AuthBackend

Provides a resource for managing a JWT auth backend within Vault.

Example Usage

using Pulumi;
using Vault = Pulumi.Vault;

// MyStack mounts a Vault JWT auth backend at path "jwt", configured with the
// issuer that the token's `iss` claim must match and the OIDC discovery URL
// of that same identity provider.
class MyStack : Stack
{
    public MyStack()
    {
        // Build the arguments first so the resource declaration stays short.
        var backendArgs = new Vault.Jwt.AuthBackendArgs
        {
            BoundIssuer = "https://myco.auth0.com/",
            Description = "Demonstration of the Terraform JWT auth backend",
            OidcDiscoveryUrl = "https://myco.auth0.com/",
            Path = "jwt",
        };
        var example = new Vault.Jwt.AuthBackend("example", backendArgs);
    }
}
package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v4/go/vault/jwt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main mounts a Vault JWT auth backend at path "jwt", configured with the
// issuer that the token's `iss` claim must match and the OIDC discovery URL
// of that same identity provider.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		backendArgs := &jwt.AuthBackendArgs{
			BoundIssuer:      pulumi.String("https://myco.auth0.com/"),
			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
			OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
			Path:             pulumi.String("jwt"),
		}
		// The resource handle is not used further; only the creation error
		// is handed back to pulumi.Run.
		_, err := jwt.NewAuthBackend(ctx, "example", backendArgs)
		return err
	})
}
import pulumi
import pulumi_vault as vault

# Mount a Vault JWT auth backend at path "jwt". Presented tokens must carry
# an `iss` claim equal to bound_issuer, and the identity provider is located
# through its OIDC discovery URL (the same host in this example).
example = vault.jwt.AuthBackend(
    "example",
    path="jwt",
    bound_issuer="https://myco.auth0.com/",
    oidc_discovery_url="https://myco.auth0.com/",
    description="Demonstration of the Terraform JWT auth backend",
)
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Mount a Vault JWT auth backend at path "jwt". Presented tokens must carry
// an `iss` claim equal to boundIssuer, and the identity provider is located
// through its OIDC discovery URL (the same host in this example).
const backendArgs: vault.jwt.AuthBackendArgs = {
    path: "jwt",
    boundIssuer: "https://myco.auth0.com/",
    oidcDiscoveryUrl: "https://myco.auth0.com/",
    description: "Demonstration of the Terraform JWT auth backend",
};
const example = new vault.jwt.AuthBackend("example", backendArgs);

Create an AuthBackend Resource

new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);
@overload
def AuthBackend(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                bound_issuer: Optional[str] = None,
                default_role: Optional[str] = None,
                description: Optional[str] = None,
                jwks_ca_pem: Optional[str] = None,
                jwks_url: Optional[str] = None,
                jwt_supported_algs: Optional[Sequence[str]] = None,
                jwt_validation_pubkeys: Optional[Sequence[str]] = None,
                oidc_client_id: Optional[str] = None,
                oidc_client_secret: Optional[str] = None,
                oidc_discovery_ca_pem: Optional[str] = None,
                oidc_discovery_url: Optional[str] = None,
                path: Optional[str] = None,
                provider_config: Optional[Mapping[str, str]] = None,
                tune: Optional[AuthBackendTuneArgs] = None,
                type: Optional[str] = None)
@overload
def AuthBackend(resource_name: str,
                args: Optional[AuthBackendArgs] = None,
                opts: Optional[ResourceOptions] = None)
func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)
public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args AuthBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AuthBackendArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AuthBackendArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AuthBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

AuthBackend Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AuthBackend resource accepts the following input properties:

BoundIssuer string
The value against which to match the iss claim in a JWT
DefaultRole string
The default role to use if none is provided during login
Description string
The description of the auth backend
JwksCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string
JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
JwtSupportedAlgs List<string>
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys List<string>
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
OidcClientId string
Client ID used for OIDC backends
OidcClientSecret string
Client Secret used for OIDC backends
OidcDiscoveryCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
Path string
Path to mount the JWT/OIDC auth backend
ProviderConfig Dictionary<string, string>
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
Tune AuthBackendTuneArgs
Type string
Type of auth backend. Should be one of jwt or oidc. Default - jwt
BoundIssuer string
The value against which to match the iss claim in a JWT
DefaultRole string
The default role to use if none is provided during login
Description string
The description of the auth backend
JwksCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string
JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
JwtSupportedAlgs []string
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys []string
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
OidcClientId string
Client ID used for OIDC backends
OidcClientSecret string
Client Secret used for OIDC backends
OidcDiscoveryCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
Path string
Path to mount the JWT/OIDC auth backend
ProviderConfig map[string]string
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
Tune AuthBackendTuneArgs
Type string
Type of auth backend. Should be one of jwt or oidc. Default - jwt
boundIssuer string
The value against which to match the iss claim in a JWT
defaultRole string
The default role to use if none is provided during login
description string
The description of the auth backend
jwksCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl string
JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwtSupportedAlgs string[]
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys string[]
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidcClientId string
Client ID used for OIDC backends
oidcClientSecret string
Client Secret used for OIDC backends
oidcDiscoveryCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl string
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path string
Path to mount the JWT/OIDC auth backend
providerConfig {[key: string]: string}
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTuneArgs
type string
Type of auth backend. Should be one of jwt or oidc. Default - jwt
bound_issuer str
The value against which to match the iss claim in a JWT
default_role str
The default role to use if none is provided during login
description str
The description of the auth backend
jwks_ca_pem str
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url str
JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwt_supported_algs Sequence[str]
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwt_validation_pubkeys Sequence[str]
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidc_client_id str
Client ID used for OIDC backends
oidc_client_secret str
Client Secret used for OIDC backends
oidc_discovery_ca_pem str
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidc_discovery_url str
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path str
Path to mount the JWT/OIDC auth backend
provider_config Mapping[str, str]
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTuneArgs
type str
Type of auth backend. Should be one of jwt or oidc. Default - jwt

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:

Accessor string
The accessor for this auth method
Id string
The provider-assigned unique ID for this managed resource.
Accessor string
The accessor for this auth method
Id string
The provider-assigned unique ID for this managed resource.
accessor string
The accessor for this auth method
id string
The provider-assigned unique ID for this managed resource.
accessor str
The accessor for this auth method
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing AuthBackend Resource

Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accessor: Optional[str] = None,
        bound_issuer: Optional[str] = None,
        default_role: Optional[str] = None,
        description: Optional[str] = None,
        jwks_ca_pem: Optional[str] = None,
        jwks_url: Optional[str] = None,
        jwt_supported_algs: Optional[Sequence[str]] = None,
        jwt_validation_pubkeys: Optional[Sequence[str]] = None,
        oidc_client_id: Optional[str] = None,
        oidc_client_secret: Optional[str] = None,
        oidc_discovery_ca_pem: Optional[str] = None,
        oidc_discovery_url: Optional[str] = None,
        path: Optional[str] = None,
        provider_config: Optional[Mapping[str, str]] = None,
        tune: Optional[AuthBackendTuneArgs] = None,
        type: Optional[str] = None) -> AuthBackend
func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)
public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Accessor string
The accessor for this auth method
BoundIssuer string
The value against which to match the iss claim in a JWT
DefaultRole string
The default role to use if none is provided during login
Description string
The description of the auth backend
JwksCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string
JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
JwtSupportedAlgs List<string>
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys List<string>
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
OidcClientId string
Client ID used for OIDC backends
OidcClientSecret string
Client Secret used for OIDC backends
OidcDiscoveryCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
Path string
Path to mount the JWT/OIDC auth backend
ProviderConfig Dictionary<string, string>
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
Tune AuthBackendTuneArgs
Type string
Type of auth backend. Should be one of jwt or oidc. Default - jwt
Accessor string
The accessor for this auth method
BoundIssuer string
The value against which to match the iss claim in a JWT
DefaultRole string
The default role to use if none is provided during login
Description string
The description of the auth backend
JwksCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string
JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
JwtSupportedAlgs []string
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys []string
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
OidcClientId string
Client ID used for OIDC backends
OidcClientSecret string
Client Secret used for OIDC backends
OidcDiscoveryCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
Path string
Path to mount the JWT/OIDC auth backend
ProviderConfig map[string]string
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
Tune AuthBackendTuneArgs
Type string
Type of auth backend. Should be one of jwt or oidc. Default - jwt
accessor string
The accessor for this auth method
boundIssuer string
The value against which to match the iss claim in a JWT
defaultRole string
The default role to use if none is provided during login
description string
The description of the auth backend
jwksCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl string
JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwtSupportedAlgs string[]
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys string[]
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidcClientId string
Client ID used for OIDC backends
oidcClientSecret string
Client Secret used for OIDC backends
oidcDiscoveryCaPem string
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl string
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path string
Path to mount the JWT/OIDC auth backend
providerConfig {[key: string]: string}
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTuneArgs
type string
Type of auth backend. Should be one of jwt or oidc. Default - jwt
accessor str
The accessor for this auth method
bound_issuer str
The value against which to match the iss claim in a JWT
default_role str
The default role to use if none is provided during login
description str
The description of the auth backend
jwks_ca_pem str
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url str
JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwt_supported_algs Sequence[str]
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwt_validation_pubkeys Sequence[str]
A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidc_client_id str
Client ID used for OIDC backends
oidc_client_secret str
Client Secret used for OIDC backends
oidc_discovery_ca_pem str
The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidc_discovery_url str
The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path str
Path to mount the JWT/OIDC auth backend
provider_config Mapping[str, str]
Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTuneArgs
type str
Type of auth backend. Should be one of jwt or oidc. Default - jwt

Supporting Types

AuthBackendTune

AllowedResponseHeaders List<string>
List of headers to whitelist, allowing a plugin to include them in the response.
AuditNonHmacRequestKeys List<string>
Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
AuditNonHmacResponseKeys List<string>
Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
DefaultLeaseTtl string
Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
ListingVisibility string
Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
MaxLeaseTtl string
Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
PassthroughRequestHeaders List<string>
List of headers to whitelist and pass from the request to the backend.
TokenType string
Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.
AllowedResponseHeaders []string
List of headers to whitelist, allowing a plugin to include them in the response.
AuditNonHmacRequestKeys []string
Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
AuditNonHmacResponseKeys []string
Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
DefaultLeaseTtl string
Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
ListingVisibility string
Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
MaxLeaseTtl string
Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
PassthroughRequestHeaders []string
List of headers to whitelist and pass from the request to the backend.
TokenType string
Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.
allowedResponseHeaders string[]
List of headers to whitelist, allowing a plugin to include them in the response.
auditNonHmacRequestKeys string[]
Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
auditNonHmacResponseKeys string[]
Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
defaultLeaseTtl string
Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
listingVisibility string
Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
maxLeaseTtl string
Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
passthroughRequestHeaders string[]
List of headers to whitelist and pass from the request to the backend.
tokenType string
Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.
allowed_response_headers Sequence[str]
List of headers to whitelist, allowing a plugin to include them in the response.
audit_non_hmac_request_keys Sequence[str]
Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
audit_non_hmac_response_keys Sequence[str]
Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
default_lease_ttl str
Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
listing_visibility str
Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
max_lease_ttl str
Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
passthrough_request_headers Sequence[str]
List of headers to whitelist and pass from the request to the backend.
token_type str
Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.

Import

A JWT auth backend can be imported using its type, e.g.

 $ pulumi import vault:jwt/authBackend:AuthBackend oidc oidc

or

 $ pulumi import vault:jwt/authBackend:AuthBackend jwt jwt

Package Details

Repository
https://github.com/pulumi/pulumi-vault
License
Apache-2.0
Notes
This Pulumi package is based on the vault Terraform Provider.