Nomad v2.5.0, Apr 17 25

Nomad v2.5.0 published on Thursday, Apr 17, 2025 by Pulumi

nomad.AclAuthMethod

Explore with Pulumi AI

Nomad v2.5.0 published on Thursday, Apr 17, 2025 by Pulumi

pulumi/pulumi-nomad

Example Usage

Creating an ALC Auth Method:

import * as pulumi from "@pulumi/pulumi";
import * as nomad from "@pulumi/nomad";

const myNomadAclAuthMethod = new nomad.AclAuthMethod("my_nomad_acl_auth_method", {
    name: "my-nomad-acl-auth-method",
    type: "OIDC",
    tokenLocality: "global",
    maxTokenTtl: "10m0s",
    tokenNameFormat: `${auth_method_type}-${value.user}`,
    "default": true,
    config: {
        oidcDiscoveryUrl: "https://uk.auth0.com/",
        oidcClientId: "someclientid",
        oidcClientSecret: "someclientsecret-t",
        boundAudiences: ["someclientid"],
        allowedRedirectUris: [
            "http://localhost:4649/oidc/callback",
            "http://localhost:4646/ui/settings/tokens",
        ],
        listClaimMappings: {
            "http://nomad.internal/roles": "roles",
        },
    },
});

import pulumi
import pulumi_nomad as nomad

my_nomad_acl_auth_method = nomad.AclAuthMethod("my_nomad_acl_auth_method",
    name="my-nomad-acl-auth-method",
    type="OIDC",
    token_locality="global",
    max_token_ttl="10m0s",
    token_name_format="${auth_method_type}-${value.user}",
    default=True,
    config={
        "oidc_discovery_url": "https://uk.auth0.com/",
        "oidc_client_id": "someclientid",
        "oidc_client_secret": "someclientsecret-t",
        "bound_audiences": ["someclientid"],
        "allowed_redirect_uris": [
            "http://localhost:4649/oidc/callback",
            "http://localhost:4646/ui/settings/tokens",
        ],
        "list_claim_mappings": {
            "http://nomad.internal/roles": "roles",
        },
    })

package main

import (
	"fmt"

	"github.com/pulumi/pulumi-nomad/sdk/v2/go/nomad"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := nomad.NewAclAuthMethod(ctx, "my_nomad_acl_auth_method", &nomad.AclAuthMethodArgs{
			Name:            pulumi.String("my-nomad-acl-auth-method"),
			Type:            pulumi.String("OIDC"),
			TokenLocality:   pulumi.String("global"),
			MaxTokenTtl:     pulumi.String("10m0s"),
			TokenNameFormat: pulumi.Sprintf("${auth_method_type}-${value.user}"),
			Default:         pulumi.Bool(true),
			Config: &nomad.AclAuthMethodConfigArgs{
				OidcDiscoveryUrl: pulumi.String("https://uk.auth0.com/"),
				OidcClientId:     pulumi.String("someclientid"),
				OidcClientSecret: pulumi.String("someclientsecret-t"),
				BoundAudiences: pulumi.StringArray{
					pulumi.String("someclientid"),
				},
				AllowedRedirectUris: pulumi.StringArray{
					pulumi.String("http://localhost:4649/oidc/callback"),
					pulumi.String("http://localhost:4646/ui/settings/tokens"),
				},
				ListClaimMappings: pulumi.StringMap{
					"http://nomad.internal/roles": pulumi.String("roles"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Nomad = Pulumi.Nomad;

return await Deployment.RunAsync(() => 
{
    var myNomadAclAuthMethod = new Nomad.AclAuthMethod("my_nomad_acl_auth_method", new()
    {
        Name = "my-nomad-acl-auth-method",
        Type = "OIDC",
        TokenLocality = "global",
        MaxTokenTtl = "10m0s",
        TokenNameFormat = "${auth_method_type}-${value.user}",
        Default = true,
        Config = new Nomad.Inputs.AclAuthMethodConfigArgs
        {
            OidcDiscoveryUrl = "https://uk.auth0.com/",
            OidcClientId = "someclientid",
            OidcClientSecret = "someclientsecret-t",
            BoundAudiences = new[]
            {
                "someclientid",
            },
            AllowedRedirectUris = new[]
            {
                "http://localhost:4649/oidc/callback",
                "http://localhost:4646/ui/settings/tokens",
            },
            ListClaimMappings = 
            {
                { "http://nomad.internal/roles", "roles" },
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.nomad.AclAuthMethod;
import com.pulumi.nomad.AclAuthMethodArgs;
import com.pulumi.nomad.inputs.AclAuthMethodConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var myNomadAclAuthMethod = new AclAuthMethod("myNomadAclAuthMethod", AclAuthMethodArgs.builder()
            .name("my-nomad-acl-auth-method")
            .type("OIDC")
            .tokenLocality("global")
            .maxTokenTtl("10m0s")
            .tokenNameFormat("${auth_method_type}-${value.user}")
            .default_(true)
            .config(AclAuthMethodConfigArgs.builder()
                .oidcDiscoveryUrl("https://uk.auth0.com/")
                .oidcClientId("someclientid")
                .oidcClientSecret("someclientsecret-t")
                .boundAudiences("someclientid")
                .allowedRedirectUris(                
                    "http://localhost:4649/oidc/callback",
                    "http://localhost:4646/ui/settings/tokens")
                .listClaimMappings(Map.of("http://nomad.internal/roles", "roles"))
                .build())
            .build());

    }
}

resources:
  myNomadAclAuthMethod:
    type: nomad:AclAuthMethod
    name: my_nomad_acl_auth_method
    properties:
      name: my-nomad-acl-auth-method
      type: OIDC
      tokenLocality: global
      maxTokenTtl: 10m0s
      tokenNameFormat: $${auth_method_type}-$${value.user}
      default: true
      config:
        oidcDiscoveryUrl: https://uk.auth0.com/
        oidcClientId: someclientid
        oidcClientSecret: someclientsecret-t
        boundAudiences:
          - someclientid
        allowedRedirectUris:
          - http://localhost:4649/oidc/callback
          - http://localhost:4646/ui/settings/tokens
        listClaimMappings:
          http://nomad.internal/roles: roles

Create AclAuthMethod Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AclAuthMethod(name: string, args: AclAuthMethodArgs, opts?: CustomResourceOptions);

@overload
def AclAuthMethod(resource_name: str,
                  args: AclAuthMethodArgs,
                  opts: Optional[ResourceOptions] = None)

@overload
def AclAuthMethod(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  config: Optional[AclAuthMethodConfigArgs] = None,
                  max_token_ttl: Optional[str] = None,
                  token_locality: Optional[str] = None,
                  type: Optional[str] = None,
                  default: Optional[bool] = None,
                  name: Optional[str] = None,
                  token_name_format: Optional[str] = None)

func NewAclAuthMethod(ctx *Context, name string, args AclAuthMethodArgs, opts ...ResourceOption) (*AclAuthMethod, error)

public AclAuthMethod(string name, AclAuthMethodArgs args, CustomResourceOptions? opts = null)

public AclAuthMethod(String name, AclAuthMethodArgs args)
public AclAuthMethod(String name, AclAuthMethodArgs args, CustomResourceOptions options)

type: nomad:AclAuthMethod
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AclAuthMethodArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AclAuthMethodArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AclAuthMethodArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AclAuthMethodArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AclAuthMethodArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var aclAuthMethodResource = new Nomad.AclAuthMethod("aclAuthMethodResource", new()
{
    Config = new Nomad.Inputs.AclAuthMethodConfigArgs
    {
        AllowedRedirectUris = new[]
        {
            "string",
        },
        BoundAudiences = new[]
        {
            "string",
        },
        BoundIssuers = new[]
        {
            "string",
        },
        ClaimMappings = 
        {
            { "string", "string" },
        },
        ClockSkewLeeway = "string",
        DiscoveryCaPems = new[]
        {
            "string",
        },
        ExpirationLeeway = "string",
        JwksCaCert = "string",
        JwksUrl = "string",
        JwtValidationPubKeys = new[]
        {
            "string",
        },
        ListClaimMappings = 
        {
            { "string", "string" },
        },
        NotBeforeLeeway = "string",
        OidcClientAssertion = new Nomad.Inputs.AclAuthMethodConfigOidcClientAssertionArgs
        {
            KeySource = "string",
            Audiences = new[]
            {
                "string",
            },
            ExtraHeaders = 
            {
                { "string", "string" },
            },
            KeyAlgorithm = "string",
            PrivateKey = new Nomad.Inputs.AclAuthMethodConfigOidcClientAssertionPrivateKeyArgs
            {
                KeyId = "string",
                KeyIdHeader = "string",
                PemCert = "string",
                PemCertFile = "string",
                PemKey = "string",
                PemKeyFile = "string",
            },
        },
        OidcClientId = "string",
        OidcClientSecret = "string",
        OidcDisableUserinfo = false,
        OidcDiscoveryUrl = "string",
        OidcEnablePkce = false,
        OidcScopes = new[]
        {
            "string",
        },
        SigningAlgs = new[]
        {
            "string",
        },
        VerboseLogging = false,
    },
    MaxTokenTtl = "string",
    TokenLocality = "string",
    Type = "string",
    Default = false,
    Name = "string",
    TokenNameFormat = "string",
});

example, err := nomad.NewAclAuthMethod(ctx, "aclAuthMethodResource", &nomad.AclAuthMethodArgs{
	Config: &nomad.AclAuthMethodConfigArgs{
		AllowedRedirectUris: pulumi.StringArray{
			pulumi.String("string"),
		},
		BoundAudiences: pulumi.StringArray{
			pulumi.String("string"),
		},
		BoundIssuers: pulumi.StringArray{
			pulumi.String("string"),
		},
		ClaimMappings: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		ClockSkewLeeway: pulumi.String("string"),
		DiscoveryCaPems: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExpirationLeeway: pulumi.String("string"),
		JwksCaCert:       pulumi.String("string"),
		JwksUrl:          pulumi.String("string"),
		JwtValidationPubKeys: pulumi.StringArray{
			pulumi.String("string"),
		},
		ListClaimMappings: pulumi.StringMap{
			"string": pulumi.String("string"),
		},
		NotBeforeLeeway: pulumi.String("string"),
		OidcClientAssertion: &nomad.AclAuthMethodConfigOidcClientAssertionArgs{
			KeySource: pulumi.String("string"),
			Audiences: pulumi.StringArray{
				pulumi.String("string"),
			},
			ExtraHeaders: pulumi.StringMap{
				"string": pulumi.String("string"),
			},
			KeyAlgorithm: pulumi.String("string"),
			PrivateKey: &nomad.AclAuthMethodConfigOidcClientAssertionPrivateKeyArgs{
				KeyId:       pulumi.String("string"),
				KeyIdHeader: pulumi.String("string"),
				PemCert:     pulumi.String("string"),
				PemCertFile: pulumi.String("string"),
				PemKey:      pulumi.String("string"),
				PemKeyFile:  pulumi.String("string"),
			},
		},
		OidcClientId:        pulumi.String("string"),
		OidcClientSecret:    pulumi.String("string"),
		OidcDisableUserinfo: pulumi.Bool(false),
		OidcDiscoveryUrl:    pulumi.String("string"),
		OidcEnablePkce:      pulumi.Bool(false),
		OidcScopes: pulumi.StringArray{
			pulumi.String("string"),
		},
		SigningAlgs: pulumi.StringArray{
			pulumi.String("string"),
		},
		VerboseLogging: pulumi.Bool(false),
	},
	MaxTokenTtl:     pulumi.String("string"),
	TokenLocality:   pulumi.String("string"),
	Type:            pulumi.String("string"),
	Default:         pulumi.Bool(false),
	Name:            pulumi.String("string"),
	TokenNameFormat: pulumi.String("string"),
})

var aclAuthMethodResource = new AclAuthMethod("aclAuthMethodResource", AclAuthMethodArgs.builder()
    .config(AclAuthMethodConfigArgs.builder()
        .allowedRedirectUris("string")
        .boundAudiences("string")
        .boundIssuers("string")
        .claimMappings(Map.of("string", "string"))
        .clockSkewLeeway("string")
        .discoveryCaPems("string")
        .expirationLeeway("string")
        .jwksCaCert("string")
        .jwksUrl("string")
        .jwtValidationPubKeys("string")
        .listClaimMappings(Map.of("string", "string"))
        .notBeforeLeeway("string")
        .oidcClientAssertion(AclAuthMethodConfigOidcClientAssertionArgs.builder()
            .keySource("string")
            .audiences("string")
            .extraHeaders(Map.of("string", "string"))
            .keyAlgorithm("string")
            .privateKey(AclAuthMethodConfigOidcClientAssertionPrivateKeyArgs.builder()
                .keyId("string")
                .keyIdHeader("string")
                .pemCert("string")
                .pemCertFile("string")
                .pemKey("string")
                .pemKeyFile("string")
                .build())
            .build())
        .oidcClientId("string")
        .oidcClientSecret("string")
        .oidcDisableUserinfo(false)
        .oidcDiscoveryUrl("string")
        .oidcEnablePkce(false)
        .oidcScopes("string")
        .signingAlgs("string")
        .verboseLogging(false)
        .build())
    .maxTokenTtl("string")
    .tokenLocality("string")
    .type("string")
    .default_(false)
    .name("string")
    .tokenNameFormat("string")
    .build());

acl_auth_method_resource = nomad.AclAuthMethod("aclAuthMethodResource",
    config={
        "allowed_redirect_uris": ["string"],
        "bound_audiences": ["string"],
        "bound_issuers": ["string"],
        "claim_mappings": {
            "string": "string",
        },
        "clock_skew_leeway": "string",
        "discovery_ca_pems": ["string"],
        "expiration_leeway": "string",
        "jwks_ca_cert": "string",
        "jwks_url": "string",
        "jwt_validation_pub_keys": ["string"],
        "list_claim_mappings": {
            "string": "string",
        },
        "not_before_leeway": "string",
        "oidc_client_assertion": {
            "key_source": "string",
            "audiences": ["string"],
            "extra_headers": {
                "string": "string",
            },
            "key_algorithm": "string",
            "private_key": {
                "key_id": "string",
                "key_id_header": "string",
                "pem_cert": "string",
                "pem_cert_file": "string",
                "pem_key": "string",
                "pem_key_file": "string",
            },
        },
        "oidc_client_id": "string",
        "oidc_client_secret": "string",
        "oidc_disable_userinfo": False,
        "oidc_discovery_url": "string",
        "oidc_enable_pkce": False,
        "oidc_scopes": ["string"],
        "signing_algs": ["string"],
        "verbose_logging": False,
    },
    max_token_ttl="string",
    token_locality="string",
    type="string",
    default=False,
    name="string",
    token_name_format="string")

const aclAuthMethodResource = new nomad.AclAuthMethod("aclAuthMethodResource", {
    config: {
        allowedRedirectUris: ["string"],
        boundAudiences: ["string"],
        boundIssuers: ["string"],
        claimMappings: {
            string: "string",
        },
        clockSkewLeeway: "string",
        discoveryCaPems: ["string"],
        expirationLeeway: "string",
        jwksCaCert: "string",
        jwksUrl: "string",
        jwtValidationPubKeys: ["string"],
        listClaimMappings: {
            string: "string",
        },
        notBeforeLeeway: "string",
        oidcClientAssertion: {
            keySource: "string",
            audiences: ["string"],
            extraHeaders: {
                string: "string",
            },
            keyAlgorithm: "string",
            privateKey: {
                keyId: "string",
                keyIdHeader: "string",
                pemCert: "string",
                pemCertFile: "string",
                pemKey: "string",
                pemKeyFile: "string",
            },
        },
        oidcClientId: "string",
        oidcClientSecret: "string",
        oidcDisableUserinfo: false,
        oidcDiscoveryUrl: "string",
        oidcEnablePkce: false,
        oidcScopes: ["string"],
        signingAlgs: ["string"],
        verboseLogging: false,
    },
    maxTokenTtl: "string",
    tokenLocality: "string",
    type: "string",
    "default": false,
    name: "string",
    tokenNameFormat: "string",
});

type: nomad:AclAuthMethod
properties:
    config:
        allowedRedirectUris:
            - string
        boundAudiences:
            - string
        boundIssuers:
            - string
        claimMappings:
            string: string
        clockSkewLeeway: string
        discoveryCaPems:
            - string
        expirationLeeway: string
        jwksCaCert: string
        jwksUrl: string
        jwtValidationPubKeys:
            - string
        listClaimMappings:
            string: string
        notBeforeLeeway: string
        oidcClientAssertion:
            audiences:
                - string
            extraHeaders:
                string: string
            keyAlgorithm: string
            keySource: string
            privateKey:
                keyId: string
                keyIdHeader: string
                pemCert: string
                pemCertFile: string
                pemKey: string
                pemKeyFile: string
        oidcClientId: string
        oidcClientSecret: string
        oidcDisableUserinfo: false
        oidcDiscoveryUrl: string
        oidcEnablePkce: false
        oidcScopes:
            - string
        signingAlgs:
            - string
        verboseLogging: false
    default: false
    maxTokenTtl: string
    name: string
    tokenLocality: string
    tokenNameFormat: string
    type: string

AclAuthMethod Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AclAuthMethod resource accepts the following input properties:

Config AclAuthMethodConfig: (block: <required>) - Configuration specific to the auth method provider.
MaxTokenTtl string: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
TokenLocality string: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
Type string: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.
Default bool: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
Name string: (string: <required>) - The identifier of the ACL Auth Method.
TokenNameFormat string: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.

Config AclAuthMethodConfigArgs: (block: <required>) - Configuration specific to the auth method provider.
MaxTokenTtl string: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
TokenLocality string: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
Type string: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.
Default bool: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
Name string: (string: <required>) - The identifier of the ACL Auth Method.
TokenNameFormat string: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.

config AclAuthMethodConfig: (block: <required>) - Configuration specific to the auth method provider.
maxTokenTtl String: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
tokenLocality String: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
type String: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.
default_ Boolean: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
name String: (string: <required>) - The identifier of the ACL Auth Method.
tokenNameFormat String: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.

config AclAuthMethodConfig: (block: <required>) - Configuration specific to the auth method provider.
maxTokenTtl string: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
tokenLocality string: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
type string: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.
default boolean: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
name string: (string: <required>) - The identifier of the ACL Auth Method.
tokenNameFormat string: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.

config AclAuthMethodConfigArgs: (block: <required>) - Configuration specific to the auth method provider.
max_token_ttl str: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
token_locality str: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
type str: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.
default bool: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
name str: (string: <required>) - The identifier of the ACL Auth Method.
token_name_format str: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.

config Property Map: (block: <required>) - Configuration specific to the auth method provider.
maxTokenTtl String: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
tokenLocality String: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
type String: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.
default Boolean: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
name String: (string: <required>) - The identifier of the ACL Auth Method.
tokenNameFormat String: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.

Outputs

All input properties are implicitly available as output properties. Additionally, the AclAuthMethod resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing AclAuthMethod Resource

Get an existing AclAuthMethod resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AclAuthMethodState, opts?: CustomResourceOptions): AclAuthMethod

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        config: Optional[AclAuthMethodConfigArgs] = None,
        default: Optional[bool] = None,
        max_token_ttl: Optional[str] = None,
        name: Optional[str] = None,
        token_locality: Optional[str] = None,
        token_name_format: Optional[str] = None,
        type: Optional[str] = None) -> AclAuthMethod

func GetAclAuthMethod(ctx *Context, name string, id IDInput, state *AclAuthMethodState, opts ...ResourceOption) (*AclAuthMethod, error)

public static AclAuthMethod Get(string name, Input<string> id, AclAuthMethodState? state, CustomResourceOptions? opts = null)

public static AclAuthMethod get(String name, Output<String> id, AclAuthMethodState state, CustomResourceOptions options)

resources:  _:    type: nomad:AclAuthMethod    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Config AclAuthMethodConfig: (block: <required>) - Configuration specific to the auth method provider.
Default bool: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
MaxTokenTtl string: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
Name string: (string: <required>) - The identifier of the ACL Auth Method.
TokenLocality string: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
TokenNameFormat string: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.
Type string: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.

Config AclAuthMethodConfigArgs: (block: <required>) - Configuration specific to the auth method provider.
Default bool: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
MaxTokenTtl string: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
Name string: (string: <required>) - The identifier of the ACL Auth Method.
TokenLocality string: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
TokenNameFormat string: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.
Type string: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.

config AclAuthMethodConfig: (block: <required>) - Configuration specific to the auth method provider.
default_ Boolean: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
maxTokenTtl String: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
name String: (string: <required>) - The identifier of the ACL Auth Method.
tokenLocality String: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
tokenNameFormat String: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.
type String: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.

config AclAuthMethodConfig: (block: <required>) - Configuration specific to the auth method provider.
default boolean: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
maxTokenTtl string: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
name string: (string: <required>) - The identifier of the ACL Auth Method.
tokenLocality string: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
tokenNameFormat string: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.
type string: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.

config AclAuthMethodConfigArgs: (block: <required>) - Configuration specific to the auth method provider.
default bool: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
max_token_ttl str: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
name str: (string: <required>) - The identifier of the ACL Auth Method.
token_locality str: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
token_name_format str: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.
type str: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.

config Property Map: (block: <required>) - Configuration specific to the auth method provider.
default Boolean: (bool: false) - Defines whether this ACL Auth Method is to be set as default.
maxTokenTtl String: (string: <required>) - Defines the maximum life of a token created by this method and is specified as a time duration such as "15h".
name String: (string: <required>) - The identifier of the ACL Auth Method.
tokenLocality String: (string: <required>) - Defines whether the ACL Auth Method creates a local or global token when performing SSO login. This field must be set to either local or global.
tokenNameFormat String: (string: "${auth_method_type}-${auth_method_name}") - Defines the token name format for the generated tokens This can be lightly templated using HIL '${foo}' syntax.
type String: (string: <required>) - ACL Auth Method SSO workflow type. Valid values, are OIDC and JWT.

Supporting Types

AclAuthMethodConfig, AclAuthMethodConfigArgs

AllowedRedirectUris List<string>: ([]string: <optional>) - A list of allowed values that can be used for the redirect URI.
BoundAudiences List<string>: ([]string: <optional>) - List of auth claims that are valid for login.
BoundIssuers List<string>: ([]string: <optional>) - The value against which to match the iss claim in a JWT.
ClaimMappings Dictionary<string, string>: Mappings of claims (key) that will be copied to a metadata field (value).
ClockSkewLeeway string: (string: <optional>) - Duration of leeway when validating all claims in the form of a time duration such as "5m" or "1h".
DiscoveryCaPems List<string>: ([]string: <optional>) - PEM encoded CA certs for use by the TLS client used to talk with the OIDC Discovery URL.
ExpirationLeeway string: (string: <optional>) - Duration of leeway when validating expiration of a JWT in the form of a time duration such as "5m" or "1h".
JwksCaCert string: (string: <optional>) - PEM encoded CA cert for use by the TLS client used to talk with the JWKS server.
JwksUrl string: (string: <optional>) - JSON Web Key Sets url for authenticating signatures.
JwtValidationPubKeys List<string>: ([]string: <optional>) - List of PEM-encoded public keys to use to authenticate signatures locally.
ListClaimMappings Dictionary<string, string>: Mappings of list claims (key) that will be copied to a metadata field (value).
NotBeforeLeeway string: (string: <optional>) - Duration of leeway when validating not before values of a token in the form of a time duration such as "5m" or "1h".
OidcClientAssertion AclAuthMethodConfigOidcClientAssertion: (OIDCClientAssertion: <optional>) - Optionally send a signed JWT ("[private key jwt][]") as a client assertion to the OIDC provider. Browse to the [OIDC concepts][concepts-assertions] page to learn more.
OidcClientId string: (string: <optional>) - The OAuth Client ID configured with the OIDC provider.
OidcClientSecret string: (string: <optional>) - The OAuth Client Secret configured with the OIDC provider.
OidcDisableUserinfo bool: (bool: false) - When set to true, Nomad will not make a request to the identity provider to get OIDC UserInfo. You may wish to set this if your identity provider doesn't send any additional claims from the UserInfo endpoint.
OidcDiscoveryUrl string: (string: <optional>) - The OIDC Discovery URL, without any .well-known component (base path).
OidcEnablePkce bool: (bool: false) - When set to true, Nomad will include [PKCE][] verification in the auth flow. Even with PKCE enabled in Nomad, you may still need to enable it in your OIDC provider.
OidcScopes List<string>: ([]string: <optional>) - List of OIDC scopes.
SigningAlgs List<string>: ([]string: <optional>) - A list of supported signing algorithms.
VerboseLogging bool: Enable OIDC verbose logging on the Nomad server.

AllowedRedirectUris []string: ([]string: <optional>) - A list of allowed values that can be used for the redirect URI.
BoundAudiences []string: ([]string: <optional>) - List of auth claims that are valid for login.
BoundIssuers []string: ([]string: <optional>) - The value against which to match the iss claim in a JWT.
ClaimMappings map[string]string: Mappings of claims (key) that will be copied to a metadata field (value).
ClockSkewLeeway string: (string: <optional>) - Duration of leeway when validating all claims in the form of a time duration such as "5m" or "1h".
DiscoveryCaPems []string: ([]string: <optional>) - PEM encoded CA certs for use by the TLS client used to talk with the OIDC Discovery URL.
ExpirationLeeway string: (string: <optional>) - Duration of leeway when validating expiration of a JWT in the form of a time duration such as "5m" or "1h".
JwksCaCert string: (string: <optional>) - PEM encoded CA cert for use by the TLS client used to talk with the JWKS server.
JwksUrl string: (string: <optional>) - JSON Web Key Sets url for authenticating signatures.
JwtValidationPubKeys []string: ([]string: <optional>) - List of PEM-encoded public keys to use to authenticate signatures locally.
ListClaimMappings map[string]string: Mappings of list claims (key) that will be copied to a metadata field (value).
NotBeforeLeeway string: (string: <optional>) - Duration of leeway when validating not before values of a token in the form of a time duration such as "5m" or "1h".
OidcClientAssertion AclAuthMethodConfigOidcClientAssertion: (OIDCClientAssertion: <optional>) - Optionally send a signed JWT ("[private key jwt][]") as a client assertion to the OIDC provider. Browse to the [OIDC concepts][concepts-assertions] page to learn more.
OidcClientId string: (string: <optional>) - The OAuth Client ID configured with the OIDC provider.
OidcClientSecret string: (string: <optional>) - The OAuth Client Secret configured with the OIDC provider.
OidcDisableUserinfo bool: (bool: false) - When set to true, Nomad will not make a request to the identity provider to get OIDC UserInfo. You may wish to set this if your identity provider doesn't send any additional claims from the UserInfo endpoint.
OidcDiscoveryUrl string: (string: <optional>) - The OIDC Discovery URL, without any .well-known component (base path).
OidcEnablePkce bool: (bool: false) - When set to true, Nomad will include [PKCE][] verification in the auth flow. Even with PKCE enabled in Nomad, you may still need to enable it in your OIDC provider.
OidcScopes []string: ([]string: <optional>) - List of OIDC scopes.
SigningAlgs []string: ([]string: <optional>) - A list of supported signing algorithms.
VerboseLogging bool: Enable OIDC verbose logging on the Nomad server.

allowedRedirectUris List<String>: ([]string: <optional>) - A list of allowed values that can be used for the redirect URI.
boundAudiences List<String>: ([]string: <optional>) - List of auth claims that are valid for login.
boundIssuers List<String>: ([]string: <optional>) - The value against which to match the iss claim in a JWT.
claimMappings Map<String,String>: Mappings of claims (key) that will be copied to a metadata field (value).
clockSkewLeeway String: (string: <optional>) - Duration of leeway when validating all claims in the form of a time duration such as "5m" or "1h".
discoveryCaPems List<String>: ([]string: <optional>) - PEM encoded CA certs for use by the TLS client used to talk with the OIDC Discovery URL.
expirationLeeway String: (string: <optional>) - Duration of leeway when validating expiration of a JWT in the form of a time duration such as "5m" or "1h".
jwksCaCert String: (string: <optional>) - PEM encoded CA cert for use by the TLS client used to talk with the JWKS server.
jwksUrl String: (string: <optional>) - JSON Web Key Sets url for authenticating signatures.
jwtValidationPubKeys List<String>: ([]string: <optional>) - List of PEM-encoded public keys to use to authenticate signatures locally.
listClaimMappings Map<String,String>: Mappings of list claims (key) that will be copied to a metadata field (value).
notBeforeLeeway String: (string: <optional>) - Duration of leeway when validating not before values of a token in the form of a time duration such as "5m" or "1h".
oidcClientAssertion AclAuthMethodConfigOidcClientAssertion: (OIDCClientAssertion: <optional>) - Optionally send a signed JWT ("[private key jwt][]") as a client assertion to the OIDC provider. Browse to the [OIDC concepts][concepts-assertions] page to learn more.
oidcClientId String: (string: <optional>) - The OAuth Client ID configured with the OIDC provider.
oidcClientSecret String: (string: <optional>) - The OAuth Client Secret configured with the OIDC provider.
oidcDisableUserinfo Boolean: (bool: false) - When set to true, Nomad will not make a request to the identity provider to get OIDC UserInfo. You may wish to set this if your identity provider doesn't send any additional claims from the UserInfo endpoint.
oidcDiscoveryUrl String: (string: <optional>) - The OIDC Discovery URL, without any .well-known component (base path).
oidcEnablePkce Boolean: (bool: false) - When set to true, Nomad will include [PKCE][] verification in the auth flow. Even with PKCE enabled in Nomad, you may still need to enable it in your OIDC provider.
oidcScopes List<String>: ([]string: <optional>) - List of OIDC scopes.
signingAlgs List<String>: ([]string: <optional>) - A list of supported signing algorithms.
verboseLogging Boolean: Enable OIDC verbose logging on the Nomad server.

allowedRedirectUris string[]: ([]string: <optional>) - A list of allowed values that can be used for the redirect URI.
boundAudiences string[]: ([]string: <optional>) - List of auth claims that are valid for login.
boundIssuers string[]: ([]string: <optional>) - The value against which to match the iss claim in a JWT.
claimMappings {[key: string]: string}: Mappings of claims (key) that will be copied to a metadata field (value).
clockSkewLeeway string: (string: <optional>) - Duration of leeway when validating all claims in the form of a time duration such as "5m" or "1h".
discoveryCaPems string[]: ([]string: <optional>) - PEM encoded CA certs for use by the TLS client used to talk with the OIDC Discovery URL.
expirationLeeway string: (string: <optional>) - Duration of leeway when validating expiration of a JWT in the form of a time duration such as "5m" or "1h".
jwksCaCert string: (string: <optional>) - PEM encoded CA cert for use by the TLS client used to talk with the JWKS server.
jwksUrl string: (string: <optional>) - JSON Web Key Sets url for authenticating signatures.
jwtValidationPubKeys string[]: ([]string: <optional>) - List of PEM-encoded public keys to use to authenticate signatures locally.
listClaimMappings {[key: string]: string}: Mappings of list claims (key) that will be copied to a metadata field (value).
notBeforeLeeway string: (string: <optional>) - Duration of leeway when validating not before values of a token in the form of a time duration such as "5m" or "1h".
oidcClientAssertion AclAuthMethodConfigOidcClientAssertion: (OIDCClientAssertion: <optional>) - Optionally send a signed JWT ("[private key jwt][]") as a client assertion to the OIDC provider. Browse to the [OIDC concepts][concepts-assertions] page to learn more.
oidcClientId string: (string: <optional>) - The OAuth Client ID configured with the OIDC provider.
oidcClientSecret string: (string: <optional>) - The OAuth Client Secret configured with the OIDC provider.
oidcDisableUserinfo boolean: (bool: false) - When set to true, Nomad will not make a request to the identity provider to get OIDC UserInfo. You may wish to set this if your identity provider doesn't send any additional claims from the UserInfo endpoint.
oidcDiscoveryUrl string: (string: <optional>) - The OIDC Discovery URL, without any .well-known component (base path).
oidcEnablePkce boolean: (bool: false) - When set to true, Nomad will include [PKCE][] verification in the auth flow. Even with PKCE enabled in Nomad, you may still need to enable it in your OIDC provider.
oidcScopes string[]: ([]string: <optional>) - List of OIDC scopes.
signingAlgs string[]: ([]string: <optional>) - A list of supported signing algorithms.
verboseLogging boolean: Enable OIDC verbose logging on the Nomad server.

allowed_redirect_uris Sequence[str]: ([]string: <optional>) - A list of allowed values that can be used for the redirect URI.
bound_audiences Sequence[str]: ([]string: <optional>) - List of auth claims that are valid for login.
bound_issuers Sequence[str]: ([]string: <optional>) - The value against which to match the iss claim in a JWT.
claim_mappings Mapping[str, str]: Mappings of claims (key) that will be copied to a metadata field (value).
clock_skew_leeway str: (string: <optional>) - Duration of leeway when validating all claims in the form of a time duration such as "5m" or "1h".
discovery_ca_pems Sequence[str]: ([]string: <optional>) - PEM encoded CA certs for use by the TLS client used to talk with the OIDC Discovery URL.
expiration_leeway str: (string: <optional>) - Duration of leeway when validating expiration of a JWT in the form of a time duration such as "5m" or "1h".
jwks_ca_cert str: (string: <optional>) - PEM encoded CA cert for use by the TLS client used to talk with the JWKS server.
jwks_url str: (string: <optional>) - JSON Web Key Sets url for authenticating signatures.
jwt_validation_pub_keys Sequence[str]: ([]string: <optional>) - List of PEM-encoded public keys to use to authenticate signatures locally.
list_claim_mappings Mapping[str, str]: Mappings of list claims (key) that will be copied to a metadata field (value).
not_before_leeway str: (string: <optional>) - Duration of leeway when validating not before values of a token in the form of a time duration such as "5m" or "1h".
oidc_client_assertion AclAuthMethodConfigOidcClientAssertion: (OIDCClientAssertion: <optional>) - Optionally send a signed JWT ("[private key jwt][]") as a client assertion to the OIDC provider. Browse to the [OIDC concepts][concepts-assertions] page to learn more.
oidc_client_id str: (string: <optional>) - The OAuth Client ID configured with the OIDC provider.
oidc_client_secret str: (string: <optional>) - The OAuth Client Secret configured with the OIDC provider.
oidc_disable_userinfo bool: (bool: false) - When set to true, Nomad will not make a request to the identity provider to get OIDC UserInfo. You may wish to set this if your identity provider doesn't send any additional claims from the UserInfo endpoint.
oidc_discovery_url str: (string: <optional>) - The OIDC Discovery URL, without any .well-known component (base path).
oidc_enable_pkce bool: (bool: false) - When set to true, Nomad will include [PKCE][] verification in the auth flow. Even with PKCE enabled in Nomad, you may still need to enable it in your OIDC provider.
oidc_scopes Sequence[str]: ([]string: <optional>) - List of OIDC scopes.
signing_algs Sequence[str]: ([]string: <optional>) - A list of supported signing algorithms.
verbose_logging bool: Enable OIDC verbose logging on the Nomad server.

allowedRedirectUris List<String>: ([]string: <optional>) - A list of allowed values that can be used for the redirect URI.
boundAudiences List<String>: ([]string: <optional>) - List of auth claims that are valid for login.
boundIssuers List<String>: ([]string: <optional>) - The value against which to match the iss claim in a JWT.
claimMappings Map<String>: Mappings of claims (key) that will be copied to a metadata field (value).
clockSkewLeeway String: (string: <optional>) - Duration of leeway when validating all claims in the form of a time duration such as "5m" or "1h".
discoveryCaPems List<String>: ([]string: <optional>) - PEM encoded CA certs for use by the TLS client used to talk with the OIDC Discovery URL.
expirationLeeway String: (string: <optional>) - Duration of leeway when validating expiration of a JWT in the form of a time duration such as "5m" or "1h".
jwksCaCert String: (string: <optional>) - PEM encoded CA cert for use by the TLS client used to talk with the JWKS server.
jwksUrl String: (string: <optional>) - JSON Web Key Sets url for authenticating signatures.
jwtValidationPubKeys List<String>: ([]string: <optional>) - List of PEM-encoded public keys to use to authenticate signatures locally.
listClaimMappings Map<String>: Mappings of list claims (key) that will be copied to a metadata field (value).
notBeforeLeeway String: (string: <optional>) - Duration of leeway when validating not before values of a token in the form of a time duration such as "5m" or "1h".
oidcClientAssertion Property Map: (OIDCClientAssertion: <optional>) - Optionally send a signed JWT ("[private key jwt][]") as a client assertion to the OIDC provider. Browse to the [OIDC concepts][concepts-assertions] page to learn more.
oidcClientId String: (string: <optional>) - The OAuth Client ID configured with the OIDC provider.
oidcClientSecret String: (string: <optional>) - The OAuth Client Secret configured with the OIDC provider.
oidcDisableUserinfo Boolean: (bool: false) - When set to true, Nomad will not make a request to the identity provider to get OIDC UserInfo. You may wish to set this if your identity provider doesn't send any additional claims from the UserInfo endpoint.
oidcDiscoveryUrl String: (string: <optional>) - The OIDC Discovery URL, without any .well-known component (base path).
oidcEnablePkce Boolean: (bool: false) - When set to true, Nomad will include [PKCE][] verification in the auth flow. Even with PKCE enabled in Nomad, you may still need to enable it in your OIDC provider.
oidcScopes List<String>: ([]string: <optional>) - List of OIDC scopes.
signingAlgs List<String>: ([]string: <optional>) - A list of supported signing algorithms.
verboseLogging Boolean: Enable OIDC verbose logging on the Nomad server.

AclAuthMethodConfigOidcClientAssertion, AclAuthMethodConfigOidcClientAssertionArgs

KeySource string

(string: <required>) - Specifies where to get the private key to sign the JWT. Available sources:

"nomad": Use current active key in Nomad's keyring
"private_key": Use key material in the private_key field
"client_secret": Use the oidc_client_secret as an HMAC key

Audiences List<string>

([]string: optional) - Who processes the assertion. Defaults to the auth method's oidc_discovery_url.

ExtraHeaders Dictionary<string, string>

(map[string]string: optional) - Add to the JWT headers, alongside "kid" and "type". Setting the "kid" header here is not allowed; use private_key.key_id.

KeyAlgorithm string

(string: <optional>) is the key's algorithm. Its default values are based on the key_source:

"nomad": "RS256"; this is from Nomad's keyring and must not be changed
"private_key": "RS256"; must be RS256, RS384, or RS512
"client_secret": "HS256"; must be HS256, HS384, or HS512

PrivateKey AclAuthMethodConfigOidcClientAssertionPrivateKey

(OIDCClientAssertionKey: <optional>) - External key to sign the JWT. key_source must be "private_key" to enable this.

KeySource string

(string: <required>) - Specifies where to get the private key to sign the JWT. Available sources:

"nomad": Use current active key in Nomad's keyring
"private_key": Use key material in the private_key field
"client_secret": Use the oidc_client_secret as an HMAC key

Audiences []string

([]string: optional) - Who processes the assertion. Defaults to the auth method's oidc_discovery_url.

ExtraHeaders map[string]string

(map[string]string: optional) - Add to the JWT headers, alongside "kid" and "type". Setting the "kid" header here is not allowed; use private_key.key_id.

KeyAlgorithm string

(string: <optional>) is the key's algorithm. Its default values are based on the key_source:

"nomad": "RS256"; this is from Nomad's keyring and must not be changed
"private_key": "RS256"; must be RS256, RS384, or RS512
"client_secret": "HS256"; must be HS256, HS384, or HS512

PrivateKey AclAuthMethodConfigOidcClientAssertionPrivateKey

(OIDCClientAssertionKey: <optional>) - External key to sign the JWT. key_source must be "private_key" to enable this.

keySource String

(string: <required>) - Specifies where to get the private key to sign the JWT. Available sources:

"nomad": Use current active key in Nomad's keyring
"private_key": Use key material in the private_key field
"client_secret": Use the oidc_client_secret as an HMAC key

audiences List<String>

([]string: optional) - Who processes the assertion. Defaults to the auth method's oidc_discovery_url.

extraHeaders Map<String,String>

(map[string]string: optional) - Add to the JWT headers, alongside "kid" and "type". Setting the "kid" header here is not allowed; use private_key.key_id.

keyAlgorithm String

(string: <optional>) is the key's algorithm. Its default values are based on the key_source:

"nomad": "RS256"; this is from Nomad's keyring and must not be changed
"private_key": "RS256"; must be RS256, RS384, or RS512
"client_secret": "HS256"; must be HS256, HS384, or HS512

privateKey AclAuthMethodConfigOidcClientAssertionPrivateKey

(OIDCClientAssertionKey: <optional>) - External key to sign the JWT. key_source must be "private_key" to enable this.

keySource string

(string: <required>) - Specifies where to get the private key to sign the JWT. Available sources:

"nomad": Use current active key in Nomad's keyring
"private_key": Use key material in the private_key field
"client_secret": Use the oidc_client_secret as an HMAC key

audiences string[]

([]string: optional) - Who processes the assertion. Defaults to the auth method's oidc_discovery_url.

extraHeaders {[key: string]: string}

(map[string]string: optional) - Add to the JWT headers, alongside "kid" and "type". Setting the "kid" header here is not allowed; use private_key.key_id.

keyAlgorithm string

(string: <optional>) is the key's algorithm. Its default values are based on the key_source:

"nomad": "RS256"; this is from Nomad's keyring and must not be changed
"private_key": "RS256"; must be RS256, RS384, or RS512
"client_secret": "HS256"; must be HS256, HS384, or HS512

privateKey AclAuthMethodConfigOidcClientAssertionPrivateKey

(OIDCClientAssertionKey: <optional>) - External key to sign the JWT. key_source must be "private_key" to enable this.

key_source str

(string: <required>) - Specifies where to get the private key to sign the JWT. Available sources:

"nomad": Use current active key in Nomad's keyring
"private_key": Use key material in the private_key field
"client_secret": Use the oidc_client_secret as an HMAC key

audiences Sequence[str]

([]string: optional) - Who processes the assertion. Defaults to the auth method's oidc_discovery_url.

extra_headers Mapping[str, str]

(map[string]string: optional) - Add to the JWT headers, alongside "kid" and "type". Setting the "kid" header here is not allowed; use private_key.key_id.

key_algorithm str

(string: <optional>) is the key's algorithm. Its default values are based on the key_source:

"nomad": "RS256"; this is from Nomad's keyring and must not be changed
"private_key": "RS256"; must be RS256, RS384, or RS512
"client_secret": "HS256"; must be HS256, HS384, or HS512

private_key AclAuthMethodConfigOidcClientAssertionPrivateKey

(OIDCClientAssertionKey: <optional>) - External key to sign the JWT. key_source must be "private_key" to enable this.

keySource String

(string: <required>) - Specifies where to get the private key to sign the JWT. Available sources:

"nomad": Use current active key in Nomad's keyring
"private_key": Use key material in the private_key field
"client_secret": Use the oidc_client_secret as an HMAC key

audiences List<String>

([]string: optional) - Who processes the assertion. Defaults to the auth method's oidc_discovery_url.

extraHeaders Map<String>

(map[string]string: optional) - Add to the JWT headers, alongside "kid" and "type". Setting the "kid" header here is not allowed; use private_key.key_id.

keyAlgorithm String

(string: <optional>) is the key's algorithm. Its default values are based on the key_source:

"nomad": "RS256"; this is from Nomad's keyring and must not be changed
"private_key": "RS256"; must be RS256, RS384, or RS512
"client_secret": "HS256"; must be HS256, HS384, or HS512

privateKey Property Map

(OIDCClientAssertionKey: <optional>) - External key to sign the JWT. key_source must be "private_key" to enable this.

AclAuthMethodConfigOidcClientAssertionPrivateKey, AclAuthMethodConfigOidcClientAssertionPrivateKeyArgs

KeyId string: (string: optional) - Becomes the JWT's "kid" header. Mutually exclusive with pem_cert and pem_cert_file. Allowed key_id_header values: "kid" (the default)
KeyIdHeader string: (string: optional) - Which header the provider uses to find the public key to verify the signed JWT. The default and allowed values depend on whether you set key_id, pem_cert, or pem_cert_file. You must set exactly one of those options, so refer to them for their requirements.
PemCert string: (string: optional) - An x509 certificate, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) key_id. Mutually exclusive with pem_cert_file and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
PemCertFile string: (string: optional) - An absolute path to an x509 certificate on Nomad servers' disk, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) header. Mutually exclusive with pem_cert and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
PemKey string: (string: <optional>) - An RSA private key, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key.
PemKeyFile string: (string: optional) - An absolute path to a private key on Nomad servers' disk, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key_file.

KeyId string: (string: optional) - Becomes the JWT's "kid" header. Mutually exclusive with pem_cert and pem_cert_file. Allowed key_id_header values: "kid" (the default)
KeyIdHeader string: (string: optional) - Which header the provider uses to find the public key to verify the signed JWT. The default and allowed values depend on whether you set key_id, pem_cert, or pem_cert_file. You must set exactly one of those options, so refer to them for their requirements.
PemCert string: (string: optional) - An x509 certificate, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) key_id. Mutually exclusive with pem_cert_file and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
PemCertFile string: (string: optional) - An absolute path to an x509 certificate on Nomad servers' disk, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) header. Mutually exclusive with pem_cert and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
PemKey string: (string: <optional>) - An RSA private key, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key.
PemKeyFile string: (string: optional) - An absolute path to a private key on Nomad servers' disk, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key_file.

keyId String: (string: optional) - Becomes the JWT's "kid" header. Mutually exclusive with pem_cert and pem_cert_file. Allowed key_id_header values: "kid" (the default)
keyIdHeader String: (string: optional) - Which header the provider uses to find the public key to verify the signed JWT. The default and allowed values depend on whether you set key_id, pem_cert, or pem_cert_file. You must set exactly one of those options, so refer to them for their requirements.
pemCert String: (string: optional) - An x509 certificate, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) key_id. Mutually exclusive with pem_cert_file and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
pemCertFile String: (string: optional) - An absolute path to an x509 certificate on Nomad servers' disk, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) header. Mutually exclusive with pem_cert and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
pemKey String: (string: <optional>) - An RSA private key, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key.
pemKeyFile String: (string: optional) - An absolute path to a private key on Nomad servers' disk, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key_file.

keyId string: (string: optional) - Becomes the JWT's "kid" header. Mutually exclusive with pem_cert and pem_cert_file. Allowed key_id_header values: "kid" (the default)
keyIdHeader string: (string: optional) - Which header the provider uses to find the public key to verify the signed JWT. The default and allowed values depend on whether you set key_id, pem_cert, or pem_cert_file. You must set exactly one of those options, so refer to them for their requirements.
pemCert string: (string: optional) - An x509 certificate, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) key_id. Mutually exclusive with pem_cert_file and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
pemCertFile string: (string: optional) - An absolute path to an x509 certificate on Nomad servers' disk, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) header. Mutually exclusive with pem_cert and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
pemKey string: (string: <optional>) - An RSA private key, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key.
pemKeyFile string: (string: optional) - An absolute path to a private key on Nomad servers' disk, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key_file.

key_id str: (string: optional) - Becomes the JWT's "kid" header. Mutually exclusive with pem_cert and pem_cert_file. Allowed key_id_header values: "kid" (the default)
key_id_header str: (string: optional) - Which header the provider uses to find the public key to verify the signed JWT. The default and allowed values depend on whether you set key_id, pem_cert, or pem_cert_file. You must set exactly one of those options, so refer to them for their requirements.
pem_cert str: (string: optional) - An x509 certificate, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) key_id. Mutually exclusive with pem_cert_file and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
pem_cert_file str: (string: optional) - An absolute path to an x509 certificate on Nomad servers' disk, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) header. Mutually exclusive with pem_cert and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
pem_key str: (string: <optional>) - An RSA private key, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key.
pem_key_file str: (string: optional) - An absolute path to a private key on Nomad servers' disk, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key_file.

keyId String: (string: optional) - Becomes the JWT's "kid" header. Mutually exclusive with pem_cert and pem_cert_file. Allowed key_id_header values: "kid" (the default)
keyIdHeader String: (string: optional) - Which header the provider uses to find the public key to verify the signed JWT. The default and allowed values depend on whether you set key_id, pem_cert, or pem_cert_file. You must set exactly one of those options, so refer to them for their requirements.
pemCert String: (string: optional) - An x509 certificate, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) key_id. Mutually exclusive with pem_cert_file and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
pemCertFile String: (string: optional) - An absolute path to an x509 certificate on Nomad servers' disk, signed by the private key or a CA, in pem format. Nomad uses this certificate to derive an [x5t#S256][] (or [x5t][]) header. Mutually exclusive with pem_cert and key_id. Allowed key_id_header values: "x5t", "x5t#S256" (default "x5t#S256")
pemKey String: (string: <optional>) - An RSA private key, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key.
pemKeyFile String: (string: optional) - An absolute path to a private key on Nomad servers' disk, in pem format. It is used to sign the JWT. Mutually exclusive with pem_key_file.

Package Details

Repository: HashiCorp Nomad pulumi/pulumi-nomad
License: Apache-2.0
Notes: This Pulumi package is based on the nomad Terraform Provider.

Nomad v2.5.0 published on Thursday, Apr 17, 2025 by Pulumi

pulumi/pulumi-nomad

nomad.AclAuthMethod

On this page

On this page

Example Usage

Create AclAuthMethod Resource

Constructor syntax

Parameters

Constructor example

AclAuthMethod Resource Properties

Inputs

Outputs

Look up Existing AclAuthMethod Resource

Supporting Types

AclAuthMethodConfig, AclAuthMethodConfigArgs

AclAuthMethodConfigOidcClientAssertion, AclAuthMethodConfigOidcClientAssertionArgs

AclAuthMethodConfigOidcClientAssertionPrivateKey, AclAuthMethodConfigOidcClientAssertionPrivateKeyArgs

Package Details

On this page

On this page