AuthProvider

dbt Cloud v1.8.2, May 14 26

Viewing docs for dbt Cloud v1.8.2
published on Thursday, May 14, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-dbtcloud

Viewing docs for dbt Cloud v1.8.2
published on Thursday, May 14, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-dbtcloud

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as dbtcloud from "@pulumi/dbtcloud";
import * as std from "@pulumi/std";

const config = new pulumi.Config();
const samlCert = config.require("samlCert");
const saml = new dbtcloud.AuthProvider("saml", {
    type: "saml",
    entityId: "https://your-idp.example.com/metadata",
    ssoUrl: "https://your-idp.example.com/sso/saml",
    certWo: samlCert,
    certWoVersion: 1,
});
export const loginUrl = saml.loginUrl;
// SAML — all optional fields
const samlFull = new dbtcloud.AuthProvider("saml_full", {
    type: "saml",
    entityId: "https://your-idp.example.com/metadata",
    ssoUrl: "https://your-idp.example.com/sso/saml",
    cert: std.file({
        input: "idp-cert.pem",
    }).then(invoke => invoke.result),
    signRequest: true,
    attributeMap: JSON.stringify({
        email: "nameID",
        first_name: "firstName",
        last_name: "lastName",
    }),
    allowPasswordBackdoor: false,
});
// Okta (identical to SAML, different type value)
const okta = new dbtcloud.AuthProvider("okta", {
    type: "okta",
    entityId: "http://www.okta.com/<okta_app_id>",
    ssoUrl: "https://<your-org>.okta.com/app/<app_path>/sso/saml",
    certWo: samlCert,
    certWoVersion: 1,
});
const azureClientSecret = config.require("azureClientSecret");
const azureSingleTenant = new dbtcloud.AuthProvider("azure_single_tenant", {
    type: "azure_single_tenant",
    clientId: "00000000-0000-0000-0000-000000000000",
    tenantId: "11111111-1111-1111-1111-111111111111",
    clientSecretWo: azureClientSecret,
    clientSecretWoVersion: 1,
    domain: "acme.com",
    includeIndirectGroups: true,
    maxGroupsToRetrieve: 500,
});
// Azure AD — multi tenant (no tenant_id required)
const azureMultiTenant = new dbtcloud.AuthProvider("azure_multi_tenant", {
    type: "azure_multi_tenant",
    clientId: "00000000-0000-0000-0000-000000000000",
    clientSecretWo: azureClientSecret,
    clientSecretWoVersion: 1,
});
// Azure Active Directory
const azureActiveDirectory = new dbtcloud.AuthProvider("azure_active_directory", {
    type: "azure_active_directory",
    clientId: "00000000-0000-0000-0000-000000000000",
    tenantId: "11111111-1111-1111-1111-111111111111",
    clientSecretWo: azureClientSecret,
    clientSecretWoVersion: 1,
    domain: "acme.com",
});
const gsuiteClientSecret = config.require("gsuiteClientSecret");
const gsuite = new dbtcloud.AuthProvider("gsuite", {
    type: "gsuite",
    clientId: "000000000000-xxxx.apps.googleusercontent.com",
    clientSecretWo: gsuiteClientSecret,
    clientSecretWoVersion: 1,
    adminRefreshToken: "<oauth-refresh-token>",
    domain: "acme.com",
    gsuiteAdminId: "admin@acme.com",
});

import pulumi
import json
import pulumi_dbtcloud as dbtcloud
import pulumi_std as std

config = pulumi.Config()
saml_cert = config.require("samlCert")
saml = dbtcloud.AuthProvider("saml",
    type="saml",
    entity_id="https://your-idp.example.com/metadata",
    sso_url="https://your-idp.example.com/sso/saml",
    cert_wo=saml_cert,
    cert_wo_version=1)
pulumi.export("loginUrl", saml.login_url)
# SAML — all optional fields
saml_full = dbtcloud.AuthProvider("saml_full",
    type="saml",
    entity_id="https://your-idp.example.com/metadata",
    sso_url="https://your-idp.example.com/sso/saml",
    cert=std.file(input="idp-cert.pem").result,
    sign_request=True,
    attribute_map=json.dumps({
        "email": "nameID",
        "first_name": "firstName",
        "last_name": "lastName",
    }),
    allow_password_backdoor=False)
# Okta (identical to SAML, different type value)
okta = dbtcloud.AuthProvider("okta",
    type="okta",
    entity_id="http://www.okta.com/<okta_app_id>",
    sso_url="https://<your-org>.okta.com/app/<app_path>/sso/saml",
    cert_wo=saml_cert,
    cert_wo_version=1)
azure_client_secret = config.require("azureClientSecret")
azure_single_tenant = dbtcloud.AuthProvider("azure_single_tenant",
    type="azure_single_tenant",
    client_id="00000000-0000-0000-0000-000000000000",
    tenant_id="11111111-1111-1111-1111-111111111111",
    client_secret_wo=azure_client_secret,
    client_secret_wo_version=1,
    domain="acme.com",
    include_indirect_groups=True,
    max_groups_to_retrieve=500)
# Azure AD — multi tenant (no tenant_id required)
azure_multi_tenant = dbtcloud.AuthProvider("azure_multi_tenant",
    type="azure_multi_tenant",
    client_id="00000000-0000-0000-0000-000000000000",
    client_secret_wo=azure_client_secret,
    client_secret_wo_version=1)
# Azure Active Directory
azure_active_directory = dbtcloud.AuthProvider("azure_active_directory",
    type="azure_active_directory",
    client_id="00000000-0000-0000-0000-000000000000",
    tenant_id="11111111-1111-1111-1111-111111111111",
    client_secret_wo=azure_client_secret,
    client_secret_wo_version=1,
    domain="acme.com")
gsuite_client_secret = config.require("gsuiteClientSecret")
gsuite = dbtcloud.AuthProvider("gsuite",
    type="gsuite",
    client_id="000000000000-xxxx.apps.googleusercontent.com",
    client_secret_wo=gsuite_client_secret,
    client_secret_wo_version=1,
    admin_refresh_token="<oauth-refresh-token>",
    domain="acme.com",
    gsuite_admin_id="admin@acme.com")

package main

import (
	"encoding/json"

	"github.com/pulumi/pulumi-dbtcloud/sdk/go/dbtcloud"
	"github.com/pulumi/pulumi-std/sdk/v2/go/std"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		samlCert := cfg.Require("samlCert")
		saml, err := dbtcloud.NewAuthProvider(ctx, "saml", &dbtcloud.AuthProviderArgs{
			Type:          pulumi.String("saml"),
			EntityId:      pulumi.String("https://your-idp.example.com/metadata"),
			SsoUrl:        pulumi.String("https://your-idp.example.com/sso/saml"),
			CertWo:        pulumi.String(pulumi.String(samlCert)),
			CertWoVersion: pulumi.Int(1),
		})
		if err != nil {
			return err
		}
		ctx.Export("loginUrl", saml.LoginUrl)
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "idp-cert.pem",
		}, nil)
		if err != nil {
			return err
		}
		tmpJSON0, err := json.Marshal(map[string]interface{}{
			"email":      "nameID",
			"first_name": "firstName",
			"last_name":  "lastName",
		})
		if err != nil {
			return err
		}
		json0 := string(tmpJSON0)
		// SAML — all optional fields
		_, err = dbtcloud.NewAuthProvider(ctx, "saml_full", &dbtcloud.AuthProviderArgs{
			Type:                  pulumi.String("saml"),
			EntityId:              pulumi.String("https://your-idp.example.com/metadata"),
			SsoUrl:                pulumi.String("https://your-idp.example.com/sso/saml"),
			Cert:                  pulumi.String(invokeFile.Result),
			SignRequest:           pulumi.Bool(true),
			AttributeMap:          pulumi.String(pulumi.String(json0)),
			AllowPasswordBackdoor: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		// Okta (identical to SAML, different type value)
		_, err = dbtcloud.NewAuthProvider(ctx, "okta", &dbtcloud.AuthProviderArgs{
			Type:          pulumi.String("okta"),
			EntityId:      pulumi.String("http://www.okta.com/<okta_app_id>"),
			SsoUrl:        pulumi.String("https://<your-org>.okta.com/app/<app_path>/sso/saml"),
			CertWo:        pulumi.String(pulumi.String(samlCert)),
			CertWoVersion: pulumi.Int(1),
		})
		if err != nil {
			return err
		}
		azureClientSecret := cfg.Require("azureClientSecret")
		_, err = dbtcloud.NewAuthProvider(ctx, "azure_single_tenant", &dbtcloud.AuthProviderArgs{
			Type:                  pulumi.String("azure_single_tenant"),
			ClientId:              pulumi.String("00000000-0000-0000-0000-000000000000"),
			TenantId:              pulumi.String("11111111-1111-1111-1111-111111111111"),
			ClientSecretWo:        pulumi.String(pulumi.String(azureClientSecret)),
			ClientSecretWoVersion: pulumi.Int(1),
			Domain:                pulumi.String("acme.com"),
			IncludeIndirectGroups: pulumi.Bool(true),
			MaxGroupsToRetrieve:   pulumi.Int(500),
		})
		if err != nil {
			return err
		}
		// Azure AD — multi tenant (no tenant_id required)
		_, err = dbtcloud.NewAuthProvider(ctx, "azure_multi_tenant", &dbtcloud.AuthProviderArgs{
			Type:                  pulumi.String("azure_multi_tenant"),
			ClientId:              pulumi.String("00000000-0000-0000-0000-000000000000"),
			ClientSecretWo:        pulumi.String(pulumi.String(azureClientSecret)),
			ClientSecretWoVersion: pulumi.Int(1),
		})
		if err != nil {
			return err
		}
		// Azure Active Directory
		_, err = dbtcloud.NewAuthProvider(ctx, "azure_active_directory", &dbtcloud.AuthProviderArgs{
			Type:                  pulumi.String("azure_active_directory"),
			ClientId:              pulumi.String("00000000-0000-0000-0000-000000000000"),
			TenantId:              pulumi.String("11111111-1111-1111-1111-111111111111"),
			ClientSecretWo:        pulumi.String(pulumi.String(azureClientSecret)),
			ClientSecretWoVersion: pulumi.Int(1),
			Domain:                pulumi.String("acme.com"),
		})
		if err != nil {
			return err
		}
		gsuiteClientSecret := cfg.Require("gsuiteClientSecret")
		_, err = dbtcloud.NewAuthProvider(ctx, "gsuite", &dbtcloud.AuthProviderArgs{
			Type:                  pulumi.String("gsuite"),
			ClientId:              pulumi.String("000000000000-xxxx.apps.googleusercontent.com"),
			ClientSecretWo:        pulumi.String(pulumi.String(gsuiteClientSecret)),
			ClientSecretWoVersion: pulumi.Int(1),
			AdminRefreshToken:     pulumi.String("<oauth-refresh-token>"),
			Domain:                pulumi.String("acme.com"),
			GsuiteAdminId:         pulumi.String("admin@acme.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using DbtCloud = Pulumi.DbtCloud;
using Std = Pulumi.Std;

return await Deployment.RunAsync(() => 
{
    var config = new Config();
    var samlCert = config.Require("samlCert");
    var saml = new DbtCloud.AuthProvider("saml", new()
    {
        Type = "saml",
        EntityId = "https://your-idp.example.com/metadata",
        SsoUrl = "https://your-idp.example.com/sso/saml",
        CertWo = samlCert,
        CertWoVersion = 1,
    });

    // SAML — all optional fields
    var samlFull = new DbtCloud.AuthProvider("saml_full", new()
    {
        Type = "saml",
        EntityId = "https://your-idp.example.com/metadata",
        SsoUrl = "https://your-idp.example.com/sso/saml",
        Cert = Std.File.Invoke(new()
        {
            Input = "idp-cert.pem",
        }).Apply(invoke => invoke.Result),
        SignRequest = true,
        AttributeMap = JsonSerializer.Serialize(new Dictionary<string, object?>
        {
            ["email"] = "nameID",
            ["first_name"] = "firstName",
            ["last_name"] = "lastName",
        }),
        AllowPasswordBackdoor = false,
    });

    // Okta (identical to SAML, different type value)
    var okta = new DbtCloud.AuthProvider("okta", new()
    {
        Type = "okta",
        EntityId = "http://www.okta.com/<okta_app_id>",
        SsoUrl = "https://<your-org>.okta.com/app/<app_path>/sso/saml",
        CertWo = samlCert,
        CertWoVersion = 1,
    });

    var azureClientSecret = config.Require("azureClientSecret");
    var azureSingleTenant = new DbtCloud.AuthProvider("azure_single_tenant", new()
    {
        Type = "azure_single_tenant",
        ClientId = "00000000-0000-0000-0000-000000000000",
        TenantId = "11111111-1111-1111-1111-111111111111",
        ClientSecretWo = azureClientSecret,
        ClientSecretWoVersion = 1,
        Domain = "acme.com",
        IncludeIndirectGroups = true,
        MaxGroupsToRetrieve = 500,
    });

    // Azure AD — multi tenant (no tenant_id required)
    var azureMultiTenant = new DbtCloud.AuthProvider("azure_multi_tenant", new()
    {
        Type = "azure_multi_tenant",
        ClientId = "00000000-0000-0000-0000-000000000000",
        ClientSecretWo = azureClientSecret,
        ClientSecretWoVersion = 1,
    });

    // Azure Active Directory
    var azureActiveDirectory = new DbtCloud.AuthProvider("azure_active_directory", new()
    {
        Type = "azure_active_directory",
        ClientId = "00000000-0000-0000-0000-000000000000",
        TenantId = "11111111-1111-1111-1111-111111111111",
        ClientSecretWo = azureClientSecret,
        ClientSecretWoVersion = 1,
        Domain = "acme.com",
    });

    var gsuiteClientSecret = config.Require("gsuiteClientSecret");
    var gsuite = new DbtCloud.AuthProvider("gsuite", new()
    {
        Type = "gsuite",
        ClientId = "000000000000-xxxx.apps.googleusercontent.com",
        ClientSecretWo = gsuiteClientSecret,
        ClientSecretWoVersion = 1,
        AdminRefreshToken = "<oauth-refresh-token>",
        Domain = "acme.com",
        GsuiteAdminId = "admin@acme.com",
    });

    return new Dictionary<string, object?>
    {
        ["loginUrl"] = saml.LoginUrl,
    };
});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.dbtcloud.AuthProvider;
import com.pulumi.dbtcloud.AuthProviderArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var config = ctx.config();
        final var samlCert = config.require("samlCert");
        var saml = new AuthProvider("saml", AuthProviderArgs.builder()
            .type("saml")
            .entityId("https://your-idp.example.com/metadata")
            .ssoUrl("https://your-idp.example.com/sso/saml")
            .certWo(samlCert)
            .certWoVersion(1)
            .build());

        ctx.export("loginUrl", saml.loginUrl());
        // SAML — all optional fields
        var samlFull = new AuthProvider("samlFull", AuthProviderArgs.builder()
            .type("saml")
            .entityId("https://your-idp.example.com/metadata")
            .ssoUrl("https://your-idp.example.com/sso/saml")
            .cert(StdFunctions.file(FileArgs.builder()
                .input("idp-cert.pem")
                .build()).result())
            .signRequest(true)
            .attributeMap(serializeJson(
                jsonObject(
                    jsonProperty("email", "nameID"),
                    jsonProperty("first_name", "firstName"),
                    jsonProperty("last_name", "lastName")
                )))
            .allowPasswordBackdoor(false)
            .build());

        // Okta (identical to SAML, different type value)
        var okta = new AuthProvider("okta", AuthProviderArgs.builder()
            .type("okta")
            .entityId("http://www.okta.com/<okta_app_id>")
            .ssoUrl("https://<your-org>.okta.com/app/<app_path>/sso/saml")
            .certWo(samlCert)
            .certWoVersion(1)
            .build());

        final var azureClientSecret = config.require("azureClientSecret");
        var azureSingleTenant = new AuthProvider("azureSingleTenant", AuthProviderArgs.builder()
            .type("azure_single_tenant")
            .clientId("00000000-0000-0000-0000-000000000000")
            .tenantId("11111111-1111-1111-1111-111111111111")
            .clientSecretWo(azureClientSecret)
            .clientSecretWoVersion(1)
            .domain("acme.com")
            .includeIndirectGroups(true)
            .maxGroupsToRetrieve(500)
            .build());

        // Azure AD — multi tenant (no tenant_id required)
        var azureMultiTenant = new AuthProvider("azureMultiTenant", AuthProviderArgs.builder()
            .type("azure_multi_tenant")
            .clientId("00000000-0000-0000-0000-000000000000")
            .clientSecretWo(azureClientSecret)
            .clientSecretWoVersion(1)
            .build());

        // Azure Active Directory
        var azureActiveDirectory = new AuthProvider("azureActiveDirectory", AuthProviderArgs.builder()
            .type("azure_active_directory")
            .clientId("00000000-0000-0000-0000-000000000000")
            .tenantId("11111111-1111-1111-1111-111111111111")
            .clientSecretWo(azureClientSecret)
            .clientSecretWoVersion(1)
            .domain("acme.com")
            .build());

        final var gsuiteClientSecret = config.require("gsuiteClientSecret");
        var gsuite = new AuthProvider("gsuite", AuthProviderArgs.builder()
            .type("gsuite")
            .clientId("000000000000-xxxx.apps.googleusercontent.com")
            .clientSecretWo(gsuiteClientSecret)
            .clientSecretWoVersion(1)
            .adminRefreshToken("<oauth-refresh-token>")
            .domain("acme.com")
            .gsuiteAdminId("admin@acme.com")
            .build());

    }
}

configuration:
  # SAML — write-only cert (recommended, not stored in state)
  # //
  # // Requires Terraform >= 1.11 for write-only attribute support.
  # // Bump cert_wo_version to rotate the cert without recreating the resource.
  samlCert:
    type: string
  # Azure AD — single tenant
  azureClientSecret:
    type: string
  # Google Workspace
  gsuiteClientSecret:
    type: string
resources:
  saml:
    type: dbtcloud:AuthProvider
    properties:
      type: saml
      entityId: https://your-idp.example.com/metadata
      ssoUrl: https://your-idp.example.com/sso/saml
      certWo: ${samlCert}
      certWoVersion: 1
  # SAML — all optional fields
  samlFull:
    type: dbtcloud:AuthProvider
    name: saml_full
    properties:
      type: saml
      entityId: https://your-idp.example.com/metadata
      ssoUrl: https://your-idp.example.com/sso/saml
      cert:
        fn::invoke:
          function: std:file
          arguments:
            input: idp-cert.pem
          return: result
      signRequest: true
      attributeMap:
        fn::toJSON:
          email: nameID
          first_name: firstName
          last_name: lastName
      allowPasswordBackdoor: false
  # Okta (identical to SAML, different type value)
  okta:
    type: dbtcloud:AuthProvider
    properties:
      type: okta
      entityId: http://www.okta.com/<okta_app_id>
      ssoUrl: https://<your-org>.okta.com/app/<app_path>/sso/saml
      certWo: ${samlCert}
      certWoVersion: 1
  azureSingleTenant:
    type: dbtcloud:AuthProvider
    name: azure_single_tenant
    properties:
      type: azure_single_tenant
      clientId: 00000000-0000-0000-0000-000000000000
      tenantId: 11111111-1111-1111-1111-111111111111
      clientSecretWo: ${azureClientSecret}
      clientSecretWoVersion: 1
      domain: acme.com
      includeIndirectGroups: true
      maxGroupsToRetrieve: 500
  # Azure AD — multi tenant (no tenant_id required)
  azureMultiTenant:
    type: dbtcloud:AuthProvider
    name: azure_multi_tenant
    properties:
      type: azure_multi_tenant
      clientId: 00000000-0000-0000-0000-000000000000
      clientSecretWo: ${azureClientSecret}
      clientSecretWoVersion: 1
  # Azure Active Directory
  azureActiveDirectory:
    type: dbtcloud:AuthProvider
    name: azure_active_directory
    properties:
      type: azure_active_directory
      clientId: 00000000-0000-0000-0000-000000000000
      tenantId: 11111111-1111-1111-1111-111111111111
      clientSecretWo: ${azureClientSecret}
      clientSecretWoVersion: 1
      domain: acme.com
  gsuite:
    type: dbtcloud:AuthProvider
    properties:
      type: gsuite
      clientId: 000000000000-xxxx.apps.googleusercontent.com
      clientSecretWo: ${gsuiteClientSecret}
      clientSecretWoVersion: 1
      adminRefreshToken: <oauth-refresh-token>
      domain: acme.com
      gsuiteAdminId: admin@acme.com
outputs:
  loginUrl: ${saml.loginUrl}

Example coming soon!

Create AuthProvider Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AuthProvider(name: string, args: AuthProviderArgs, opts?: CustomResourceOptions);

@overload
def AuthProvider(resource_name: str,
                 args: AuthProviderArgs,
                 opts: Optional[ResourceOptions] = None)

@overload
def AuthProvider(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 type: Optional[str] = None,
                 client_secret_wo_version: Optional[int] = None,
                 attribute_map: Optional[str] = None,
                 authorization_url: Optional[str] = None,
                 cert: Optional[str] = None,
                 cert_wo: Optional[str] = None,
                 cert_wo_version: Optional[int] = None,
                 client_id: Optional[str] = None,
                 client_secret: Optional[str] = None,
                 admin_refresh_token: Optional[str] = None,
                 client_secret_wo: Optional[str] = None,
                 gsuite_admin_id: Optional[str] = None,
                 entity_id: Optional[str] = None,
                 domain: Optional[str] = None,
                 include_indirect_groups: Optional[bool] = None,
                 max_groups_to_retrieve: Optional[int] = None,
                 sign_request: Optional[bool] = None,
                 slug: Optional[str] = None,
                 sso_url: Optional[str] = None,
                 tenant_id: Optional[str] = None,
                 allow_password_backdoor: Optional[bool] = None)

func NewAuthProvider(ctx *Context, name string, args AuthProviderArgs, opts ...ResourceOption) (*AuthProvider, error)

public AuthProvider(string name, AuthProviderArgs args, CustomResourceOptions? opts = null)

public AuthProvider(String name, AuthProviderArgs args)
public AuthProvider(String name, AuthProviderArgs args, CustomResourceOptions options)

type: dbtcloud:AuthProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

resource "dbtcloud_authprovider" "name" {
    # resource properties
}

Parameters

name string: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var authProviderResource = new DbtCloud.AuthProvider("authProviderResource", new()
{
    Type = "string",
    ClientSecretWoVersion = 0,
    AttributeMap = "string",
    AuthorizationUrl = "string",
    Cert = "string",
    CertWo = "string",
    CertWoVersion = 0,
    ClientId = "string",
    ClientSecret = "string",
    AdminRefreshToken = "string",
    ClientSecretWo = "string",
    GsuiteAdminId = "string",
    EntityId = "string",
    Domain = "string",
    IncludeIndirectGroups = false,
    MaxGroupsToRetrieve = 0,
    SignRequest = false,
    Slug = "string",
    SsoUrl = "string",
    TenantId = "string",
    AllowPasswordBackdoor = false,
});

example, err := dbtcloud.NewAuthProvider(ctx, "authProviderResource", &dbtcloud.AuthProviderArgs{
	Type:                  pulumi.String("string"),
	ClientSecretWoVersion: pulumi.Int(0),
	AttributeMap:          pulumi.String("string"),
	AuthorizationUrl:      pulumi.String("string"),
	Cert:                  pulumi.String("string"),
	CertWo:                pulumi.String("string"),
	CertWoVersion:         pulumi.Int(0),
	ClientId:              pulumi.String("string"),
	ClientSecret:          pulumi.String("string"),
	AdminRefreshToken:     pulumi.String("string"),
	ClientSecretWo:        pulumi.String("string"),
	GsuiteAdminId:         pulumi.String("string"),
	EntityId:              pulumi.String("string"),
	Domain:                pulumi.String("string"),
	IncludeIndirectGroups: pulumi.Bool(false),
	MaxGroupsToRetrieve:   pulumi.Int(0),
	SignRequest:           pulumi.Bool(false),
	Slug:                  pulumi.String("string"),
	SsoUrl:                pulumi.String("string"),
	TenantId:              pulumi.String("string"),
	AllowPasswordBackdoor: pulumi.Bool(false),
})

resource "dbtcloud_authprovider" "authProviderResource" {
  type                     = "string"
  client_secret_wo_version = 0
  attribute_map            = "string"
  authorization_url        = "string"
  cert                     = "string"
  cert_wo                  = "string"
  cert_wo_version          = 0
  client_id                = "string"
  client_secret            = "string"
  admin_refresh_token      = "string"
  client_secret_wo         = "string"
  gsuite_admin_id          = "string"
  entity_id                = "string"
  domain                   = "string"
  include_indirect_groups  = false
  max_groups_to_retrieve   = 0
  sign_request             = false
  slug                     = "string"
  sso_url                  = "string"
  tenant_id                = "string"
  allow_password_backdoor  = false
}

var authProviderResource = new AuthProvider("authProviderResource", AuthProviderArgs.builder()
    .type("string")
    .clientSecretWoVersion(0)
    .attributeMap("string")
    .authorizationUrl("string")
    .cert("string")
    .certWo("string")
    .certWoVersion(0)
    .clientId("string")
    .clientSecret("string")
    .adminRefreshToken("string")
    .clientSecretWo("string")
    .gsuiteAdminId("string")
    .entityId("string")
    .domain("string")
    .includeIndirectGroups(false)
    .maxGroupsToRetrieve(0)
    .signRequest(false)
    .slug("string")
    .ssoUrl("string")
    .tenantId("string")
    .allowPasswordBackdoor(false)
    .build());

auth_provider_resource = dbtcloud.AuthProvider("authProviderResource",
    type="string",
    client_secret_wo_version=0,
    attribute_map="string",
    authorization_url="string",
    cert="string",
    cert_wo="string",
    cert_wo_version=0,
    client_id="string",
    client_secret="string",
    admin_refresh_token="string",
    client_secret_wo="string",
    gsuite_admin_id="string",
    entity_id="string",
    domain="string",
    include_indirect_groups=False,
    max_groups_to_retrieve=0,
    sign_request=False,
    slug="string",
    sso_url="string",
    tenant_id="string",
    allow_password_backdoor=False)

const authProviderResource = new dbtcloud.AuthProvider("authProviderResource", {
    type: "string",
    clientSecretWoVersion: 0,
    attributeMap: "string",
    authorizationUrl: "string",
    cert: "string",
    certWo: "string",
    certWoVersion: 0,
    clientId: "string",
    clientSecret: "string",
    adminRefreshToken: "string",
    clientSecretWo: "string",
    gsuiteAdminId: "string",
    entityId: "string",
    domain: "string",
    includeIndirectGroups: false,
    maxGroupsToRetrieve: 0,
    signRequest: false,
    slug: "string",
    ssoUrl: "string",
    tenantId: "string",
    allowPasswordBackdoor: false,
});

type: dbtcloud:AuthProvider
properties:
    adminRefreshToken: string
    allowPasswordBackdoor: false
    attributeMap: string
    authorizationUrl: string
    cert: string
    certWo: string
    certWoVersion: 0
    clientId: string
    clientSecret: string
    clientSecretWo: string
    clientSecretWoVersion: 0
    domain: string
    entityId: string
    gsuiteAdminId: string
    includeIndirectGroups: false
    maxGroupsToRetrieve: 0
    signRequest: false
    slug: string
    ssoUrl: string
    tenantId: string
    type: string

AuthProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AuthProvider resource accepts the following input properties:

Type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
AdminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
AllowPasswordBackdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
AttributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
AuthorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
Cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
CertWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
CertWoVersion int: Increment to rotate certWo without changing the value.
ClientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
ClientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
ClientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
ClientSecretWoVersion int: Increment to rotate clientSecretWo without changing the value.
Domain string: Primary domain for the Azure AD or Google Workspace tenant.
EntityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
GsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
IncludeIndirectGroups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
MaxGroupsToRetrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
SignRequest bool: Whether to sign SAML authentication requests. Defaults to false.
Slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
SsoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
TenantId string: Azure AD tenant ID. Required for azureSingleTenant.

Type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
AdminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
AllowPasswordBackdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
AttributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
AuthorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
Cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
CertWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
CertWoVersion int: Increment to rotate certWo without changing the value.
ClientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
ClientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
ClientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
ClientSecretWoVersion int: Increment to rotate clientSecretWo without changing the value.
Domain string: Primary domain for the Azure AD or Google Workspace tenant.
EntityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
GsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
IncludeIndirectGroups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
MaxGroupsToRetrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
SignRequest bool: Whether to sign SAML authentication requests. Defaults to false.
Slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
SsoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
TenantId string: Azure AD tenant ID. Required for azureSingleTenant.

type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
admin_refresh_token string: Google Workspace admin OAuth refresh token used to fetch group memberships.
allow_password_backdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attribute_map string: JSON map of SAML attribute names to dbt Cloud user fields.
authorization_url string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
cert_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
cert_wo_version number: Increment to rotate certWo without changing the value.
client_id string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
client_secret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
client_secret_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
client_secret_wo_version number: Increment to rotate clientSecretWo without changing the value.
domain string: Primary domain for the Azure AD or Google Workspace tenant.
entity_id string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuite_admin_id string: Google Workspace admin email used to fetch group memberships.
include_indirect_groups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
max_groups_to_retrieve number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
sign_request bool: Whether to sign SAML authentication requests. Defaults to false.
slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
sso_url string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
tenant_id string: Azure AD tenant ID. Required for azureSingleTenant.

type String: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
adminRefreshToken String: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor Boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap String: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl String: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert String: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion Integer: Increment to rotate certWo without changing the value.
clientId String: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret String: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion Integer: Increment to rotate clientSecretWo without changing the value.
domain String: Primary domain for the Azure AD or Google Workspace tenant.
entityId String: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId String: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups Boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
maxGroupsToRetrieve Integer: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest Boolean: Whether to sign SAML authentication requests. Defaults to false.
slug String: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl String: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
tenantId String: Azure AD tenant ID. Required for azureSingleTenant.

type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
adminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion number: Increment to rotate certWo without changing the value.
clientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion number: Increment to rotate clientSecretWo without changing the value.
domain string: Primary domain for the Azure AD or Google Workspace tenant.
entityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
maxGroupsToRetrieve number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest boolean: Whether to sign SAML authentication requests. Defaults to false.
slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
tenantId string: Azure AD tenant ID. Required for azureSingleTenant.

type str: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
admin_refresh_token str: Google Workspace admin OAuth refresh token used to fetch group memberships.
allow_password_backdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attribute_map str: JSON map of SAML attribute names to dbt Cloud user fields.
authorization_url str: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert str: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
cert_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
cert_wo_version int: Increment to rotate certWo without changing the value.
client_id str: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
client_secret str: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
client_secret_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
client_secret_wo_version int: Increment to rotate clientSecretWo without changing the value.
domain str: Primary domain for the Azure AD or Google Workspace tenant.
entity_id str: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuite_admin_id str: Google Workspace admin email used to fetch group memberships.
include_indirect_groups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
max_groups_to_retrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
sign_request bool: Whether to sign SAML authentication requests. Defaults to false.
slug str: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
sso_url str: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
tenant_id str: Azure AD tenant ID. Required for azureSingleTenant.

type String: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
adminRefreshToken String: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor Boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap String: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl String: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert String: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion Number: Increment to rotate certWo without changing the value.
clientId String: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret String: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion Number: Increment to rotate clientSecretWo without changing the value.
domain String: Primary domain for the Azure AD or Google Workspace tenant.
entityId String: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId String: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups Boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
maxGroupsToRetrieve Number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest Boolean: Whether to sign SAML authentication requests. Defaults to false.
slug String: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl String: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
tenantId String: Azure AD tenant ID. Required for azureSingleTenant.

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthProvider resource produces the following output properties:

CertExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
CreatedAt string
Id string: The provider-assigned unique ID for this managed resource.
LoginUrl string: The SSO login URL for the account, auto-generated from the slug.
State int: The state of the auth provider (1 = active).
UpdatedAt string

CertExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
CreatedAt string
Id string: The provider-assigned unique ID for this managed resource.
LoginUrl string: The SSO login URL for the account, auto-generated from the slug.
State int: The state of the auth provider (1 = active).
UpdatedAt string

cert_expiry_date string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
created_at string
id string: The provider-assigned unique ID for this managed resource.
login_url string: The SSO login URL for the account, auto-generated from the slug.
state number: The state of the auth provider (1 = active).
updated_at string

certExpiryDate String: Expiry date of the SAML X.509 certificate (SAML/Okta only).
createdAt String
id String: The provider-assigned unique ID for this managed resource.
loginUrl String: The SSO login URL for the account, auto-generated from the slug.
state Integer: The state of the auth provider (1 = active).
updatedAt String

certExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
createdAt string
id string: The provider-assigned unique ID for this managed resource.
loginUrl string: The SSO login URL for the account, auto-generated from the slug.
state number: The state of the auth provider (1 = active).
updatedAt string

cert_expiry_date str: Expiry date of the SAML X.509 certificate (SAML/Okta only).
created_at str
id str: The provider-assigned unique ID for this managed resource.
login_url str: The SSO login URL for the account, auto-generated from the slug.
state int: The state of the auth provider (1 = active).
updated_at str

certExpiryDate String: Expiry date of the SAML X.509 certificate (SAML/Okta only).
createdAt String
id String: The provider-assigned unique ID for this managed resource.
loginUrl String: The SSO login URL for the account, auto-generated from the slug.
state Number: The state of the auth provider (1 = active).
updatedAt String

Look up Existing AuthProvider Resource

Get an existing AuthProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthProviderState, opts?: CustomResourceOptions): AuthProvider

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        admin_refresh_token: Optional[str] = None,
        allow_password_backdoor: Optional[bool] = None,
        attribute_map: Optional[str] = None,
        authorization_url: Optional[str] = None,
        cert: Optional[str] = None,
        cert_expiry_date: Optional[str] = None,
        cert_wo: Optional[str] = None,
        cert_wo_version: Optional[int] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        client_secret_wo: Optional[str] = None,
        client_secret_wo_version: Optional[int] = None,
        created_at: Optional[str] = None,
        domain: Optional[str] = None,
        entity_id: Optional[str] = None,
        gsuite_admin_id: Optional[str] = None,
        include_indirect_groups: Optional[bool] = None,
        login_url: Optional[str] = None,
        max_groups_to_retrieve: Optional[int] = None,
        sign_request: Optional[bool] = None,
        slug: Optional[str] = None,
        sso_url: Optional[str] = None,
        state: Optional[int] = None,
        tenant_id: Optional[str] = None,
        type: Optional[str] = None,
        updated_at: Optional[str] = None) -> AuthProvider

func GetAuthProvider(ctx *Context, name string, id IDInput, state *AuthProviderState, opts ...ResourceOption) (*AuthProvider, error)

public static AuthProvider Get(string name, Input<string> id, AuthProviderState? state, CustomResourceOptions? opts = null)

public static AuthProvider get(String name, Output<String> id, AuthProviderState state, CustomResourceOptions options)

resources:  _:    type: dbtcloud:AuthProvider    get:      id: ${id}

import {
  to = dbtcloud_authprovider.example
  id = "${id}"
}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AdminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
AllowPasswordBackdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
AttributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
AuthorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
Cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
CertExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
CertWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
CertWoVersion int: Increment to rotate certWo without changing the value.
ClientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
ClientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
ClientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
ClientSecretWoVersion int: Increment to rotate clientSecretWo without changing the value.
CreatedAt string
Domain string: Primary domain for the Azure AD or Google Workspace tenant.
EntityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
GsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
IncludeIndirectGroups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
LoginUrl string: The SSO login URL for the account, auto-generated from the slug.
MaxGroupsToRetrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
SignRequest bool: Whether to sign SAML authentication requests. Defaults to false.
Slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
SsoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
State int: The state of the auth provider (1 = active).
TenantId string: Azure AD tenant ID. Required for azureSingleTenant.
Type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
UpdatedAt string

AdminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
AllowPasswordBackdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
AttributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
AuthorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
Cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
CertExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
CertWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
CertWoVersion int: Increment to rotate certWo without changing the value.
ClientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
ClientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
ClientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
ClientSecretWoVersion int: Increment to rotate clientSecretWo without changing the value.
CreatedAt string
Domain string: Primary domain for the Azure AD or Google Workspace tenant.
EntityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
GsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
IncludeIndirectGroups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
LoginUrl string: The SSO login URL for the account, auto-generated from the slug.
MaxGroupsToRetrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
SignRequest bool: Whether to sign SAML authentication requests. Defaults to false.
Slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
SsoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
State int: The state of the auth provider (1 = active).
TenantId string: Azure AD tenant ID. Required for azureSingleTenant.
Type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
UpdatedAt string

admin_refresh_token string: Google Workspace admin OAuth refresh token used to fetch group memberships.
allow_password_backdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attribute_map string: JSON map of SAML attribute names to dbt Cloud user fields.
authorization_url string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
cert_expiry_date string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
cert_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
cert_wo_version number: Increment to rotate certWo without changing the value.
client_id string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
client_secret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
client_secret_wo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
client_secret_wo_version number: Increment to rotate clientSecretWo without changing the value.
created_at string
domain string: Primary domain for the Azure AD or Google Workspace tenant.
entity_id string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuite_admin_id string: Google Workspace admin email used to fetch group memberships.
include_indirect_groups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
login_url string: The SSO login URL for the account, auto-generated from the slug.
max_groups_to_retrieve number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
sign_request bool: Whether to sign SAML authentication requests. Defaults to false.
slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
sso_url string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
state number: The state of the auth provider (1 = active).
tenant_id string: Azure AD tenant ID. Required for azureSingleTenant.
type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
updated_at string

adminRefreshToken String: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor Boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap String: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl String: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert String: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certExpiryDate String: Expiry date of the SAML X.509 certificate (SAML/Okta only).
certWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion Integer: Increment to rotate certWo without changing the value.
clientId String: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret String: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion Integer: Increment to rotate clientSecretWo without changing the value.
createdAt String
domain String: Primary domain for the Azure AD or Google Workspace tenant.
entityId String: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId String: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups Boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
loginUrl String: The SSO login URL for the account, auto-generated from the slug.
maxGroupsToRetrieve Integer: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest Boolean: Whether to sign SAML authentication requests. Defaults to false.
slug String: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl String: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
state Integer: The state of the auth provider (1 = active).
tenantId String: Azure AD tenant ID. Required for azureSingleTenant.
type String: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
updatedAt String

adminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
certWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion number: Increment to rotate certWo without changing the value.
clientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion number: Increment to rotate clientSecretWo without changing the value.
createdAt string
domain string: Primary domain for the Azure AD or Google Workspace tenant.
entityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
loginUrl string: The SSO login URL for the account, auto-generated from the slug.
maxGroupsToRetrieve number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest boolean: Whether to sign SAML authentication requests. Defaults to false.
slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
state number: The state of the auth provider (1 = active).
tenantId string: Azure AD tenant ID. Required for azureSingleTenant.
type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
updatedAt string

admin_refresh_token str: Google Workspace admin OAuth refresh token used to fetch group memberships.
allow_password_backdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attribute_map str: JSON map of SAML attribute names to dbt Cloud user fields.
authorization_url str: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert str: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
cert_expiry_date str: Expiry date of the SAML X.509 certificate (SAML/Okta only).
cert_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
cert_wo_version int: Increment to rotate certWo without changing the value.
client_id str: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
client_secret str: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
client_secret_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
client_secret_wo_version int: Increment to rotate clientSecretWo without changing the value.
created_at str
domain str: Primary domain for the Azure AD or Google Workspace tenant.
entity_id str: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuite_admin_id str: Google Workspace admin email used to fetch group memberships.
include_indirect_groups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
login_url str: The SSO login URL for the account, auto-generated from the slug.
max_groups_to_retrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
sign_request bool: Whether to sign SAML authentication requests. Defaults to false.
slug str: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
sso_url str: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
state int: The state of the auth provider (1 = active).
tenant_id str: Azure AD tenant ID. Required for azureSingleTenant.
type str: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
updated_at str

adminRefreshToken String: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor Boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap String: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl String: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert String: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certExpiryDate String: Expiry date of the SAML X.509 certificate (SAML/Okta only).
certWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion Number: Increment to rotate certWo without changing the value.
clientId String: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret String: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion Number: Increment to rotate clientSecretWo without changing the value.
createdAt String
domain String: Primary domain for the Azure AD or Google Workspace tenant.
entityId String: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId String: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups Boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
loginUrl String: The SSO login URL for the account, auto-generated from the slug.
maxGroupsToRetrieve Number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest Boolean: Whether to sign SAML authentication requests. Defaults to false.
slug String: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl String: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
state Number: The state of the auth provider (1 = active).
tenantId String: Azure AD tenant ID. Required for azureSingleTenant.
type String: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
updatedAt String

Import

Import an existing auth provider by its numeric ID. The ID can be found via the dbt Cloud API: GET /api/v3/accounts/{account_id}/auth-provider/

$ pulumi import dbtcloud:index/authProvider:AuthProvider example 12345

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: dbtcloud pulumi/pulumi-dbtcloud
License: Apache-2.0
Notes: This Pulumi package is based on the dbtcloud Terraform Provider.

Viewing docs for dbt Cloud v1.8.2
published on Thursday, May 14, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-dbtcloud

dbtcloud.AuthProvider

On this page

On this page

Example Usage

Create AuthProvider Resource

Constructor syntax

Parameters

Constructor example

AuthProvider Resource Properties

Inputs

Outputs

Look up Existing AuthProvider Resource

Import

Package Details

On this page

On this page