Docs
Packagesvault.identity.OidcProvider
Explore with Pulumi AI
Manages OIDC Providers in a Vault server. See the Vault documentation for more information.
Example Usage
using System.Collections.Generic;
using System.Text.Json;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var testOidcKey = new Vault.Identity.OidcKey("testOidcKey", new()
{
AllowedClientIds = new[]
{
"*",
},
RotationPeriod = 3600,
VerificationTtl = 3600,
});
var testOidcAssignment = new Vault.Identity.OidcAssignment("testOidcAssignment", new()
{
EntityIds = new[]
{
"fake-ascbascas-2231a-sdfaa",
},
GroupIds = new[]
{
"fake-sajkdsad-32414-sfsada",
},
});
var testOidcClient = new Vault.Identity.OidcClient("testOidcClient", new()
{
Key = testOidcKey.Name,
RedirectUris = new[]
{
"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
"http://127.0.0.1:8251/callback",
"http://127.0.0.1:8080/callback",
},
Assignments = new[]
{
testOidcAssignment.Name,
},
IdTokenTtl = 2400,
AccessTokenTtl = 7200,
});
var testOidcScope = new Vault.Identity.OidcScope("testOidcScope", new()
{
Template = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["groups"] = "{{identity.entity.groups.names}}",
}),
Description = "Groups scope.",
});
var testOidcProvider = new Vault.Identity.OidcProvider("testOidcProvider", new()
{
HttpsEnabled = false,
IssuerHost = "127.0.0.1:8200",
AllowedClientIds = new[]
{
testOidcClient.ClientId,
},
ScopesSupporteds = new[]
{
testOidcScope.Name,
},
});
});
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/identity"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
testOidcKey, err := identity.NewOidcKey(ctx, "testOidcKey", &identity.OidcKeyArgs{
AllowedClientIds: pulumi.StringArray{
pulumi.String("*"),
},
RotationPeriod: pulumi.Int(3600),
VerificationTtl: pulumi.Int(3600),
})
if err != nil {
return err
}
testOidcAssignment, err := identity.NewOidcAssignment(ctx, "testOidcAssignment", &identity.OidcAssignmentArgs{
EntityIds: pulumi.StringArray{
pulumi.String("fake-ascbascas-2231a-sdfaa"),
},
GroupIds: pulumi.StringArray{
pulumi.String("fake-sajkdsad-32414-sfsada"),
},
})
if err != nil {
return err
}
testOidcClient, err := identity.NewOidcClient(ctx, "testOidcClient", &identity.OidcClientArgs{
Key: testOidcKey.Name,
RedirectUris: pulumi.StringArray{
pulumi.String("http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback"),
pulumi.String("http://127.0.0.1:8251/callback"),
pulumi.String("http://127.0.0.1:8080/callback"),
},
Assignments: pulumi.StringArray{
testOidcAssignment.Name,
},
IdTokenTtl: pulumi.Int(2400),
AccessTokenTtl: pulumi.Int(7200),
})
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"groups": "{{identity.entity.groups.names}}",
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
testOidcScope, err := identity.NewOidcScope(ctx, "testOidcScope", &identity.OidcScopeArgs{
Template: pulumi.String(json0),
Description: pulumi.String("Groups scope."),
})
if err != nil {
return err
}
_, err = identity.NewOidcProvider(ctx, "testOidcProvider", &identity.OidcProviderArgs{
HttpsEnabled: pulumi.Bool(false),
IssuerHost: pulumi.String("127.0.0.1:8200"),
AllowedClientIds: pulumi.StringArray{
testOidcClient.ClientId,
},
ScopesSupporteds: pulumi.StringArray{
testOidcScope.Name,
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.identity.OidcKey;
import com.pulumi.vault.identity.OidcKeyArgs;
import com.pulumi.vault.identity.OidcAssignment;
import com.pulumi.vault.identity.OidcAssignmentArgs;
import com.pulumi.vault.identity.OidcClient;
import com.pulumi.vault.identity.OidcClientArgs;
import com.pulumi.vault.identity.OidcScope;
import com.pulumi.vault.identity.OidcScopeArgs;
import com.pulumi.vault.identity.OidcProvider;
import com.pulumi.vault.identity.OidcProviderArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var testOidcKey = new OidcKey("testOidcKey", OidcKeyArgs.builder()
.allowedClientIds("*")
.rotationPeriod(3600)
.verificationTtl(3600)
.build());
var testOidcAssignment = new OidcAssignment("testOidcAssignment", OidcAssignmentArgs.builder()
.entityIds("fake-ascbascas-2231a-sdfaa")
.groupIds("fake-sajkdsad-32414-sfsada")
.build());
var testOidcClient = new OidcClient("testOidcClient", OidcClientArgs.builder()
.key(testOidcKey.name())
.redirectUris(
"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
"http://127.0.0.1:8251/callback",
"http://127.0.0.1:8080/callback")
.assignments(testOidcAssignment.name())
.idTokenTtl(2400)
.accessTokenTtl(7200)
.build());
var testOidcScope = new OidcScope("testOidcScope", OidcScopeArgs.builder()
.template(serializeJson(
jsonObject(
jsonProperty("groups", "{{identity.entity.groups.names}}")
)))
.description("Groups scope.")
.build());
var testOidcProvider = new OidcProvider("testOidcProvider", OidcProviderArgs.builder()
.httpsEnabled(false)
.issuerHost("127.0.0.1:8200")
.allowedClientIds(testOidcClient.clientId())
.scopesSupporteds(testOidcScope.name())
.build());
}
}
import pulumi
import json
import pulumi_vault as vault
test_oidc_key = vault.identity.OidcKey("testOidcKey",
allowed_client_ids=["*"],
rotation_period=3600,
verification_ttl=3600)
test_oidc_assignment = vault.identity.OidcAssignment("testOidcAssignment",
entity_ids=["fake-ascbascas-2231a-sdfaa"],
group_ids=["fake-sajkdsad-32414-sfsada"])
test_oidc_client = vault.identity.OidcClient("testOidcClient",
key=test_oidc_key.name,
redirect_uris=[
"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
"http://127.0.0.1:8251/callback",
"http://127.0.0.1:8080/callback",
],
assignments=[test_oidc_assignment.name],
id_token_ttl=2400,
access_token_ttl=7200)
test_oidc_scope = vault.identity.OidcScope("testOidcScope",
template=json.dumps({
"groups": "{{identity.entity.groups.names}}",
}),
description="Groups scope.")
test_oidc_provider = vault.identity.OidcProvider("testOidcProvider",
https_enabled=False,
issuer_host="127.0.0.1:8200",
allowed_client_ids=[test_oidc_client.client_id],
scopes_supporteds=[test_oidc_scope.name])
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const testOidcKey = new vault.identity.OidcKey("testOidcKey", {
allowedClientIds: ["*"],
rotationPeriod: 3600,
verificationTtl: 3600,
});
const testOidcAssignment = new vault.identity.OidcAssignment("testOidcAssignment", {
entityIds: ["fake-ascbascas-2231a-sdfaa"],
groupIds: ["fake-sajkdsad-32414-sfsada"],
});
const testOidcClient = new vault.identity.OidcClient("testOidcClient", {
key: testOidcKey.name,
redirectUris: [
"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
"http://127.0.0.1:8251/callback",
"http://127.0.0.1:8080/callback",
],
assignments: [testOidcAssignment.name],
idTokenTtl: 2400,
accessTokenTtl: 7200,
});
const testOidcScope = new vault.identity.OidcScope("testOidcScope", {
template: JSON.stringify({
groups: "{{identity.entity.groups.names}}",
}),
description: "Groups scope.",
});
const testOidcProvider = new vault.identity.OidcProvider("testOidcProvider", {
httpsEnabled: false,
issuerHost: "127.0.0.1:8200",
allowedClientIds: [testOidcClient.clientId],
scopesSupporteds: [testOidcScope.name],
});
resources:
testOidcKey:
type: vault:identity:OidcKey
properties:
allowedClientIds:
- '*'
rotationPeriod: 3600
verificationTtl: 3600
testOidcAssignment:
type: vault:identity:OidcAssignment
properties:
entityIds:
- fake-ascbascas-2231a-sdfaa
groupIds:
- fake-sajkdsad-32414-sfsada
testOidcClient:
type: vault:identity:OidcClient
properties:
key: ${testOidcKey.name}
redirectUris:
- http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback
- http://127.0.0.1:8251/callback
- http://127.0.0.1:8080/callback
assignments:
- ${testOidcAssignment.name}
idTokenTtl: 2400
accessTokenTtl: 7200
testOidcScope:
type: vault:identity:OidcScope
properties:
template:
Fn::ToJSON:
groups: '{{identity.entity.groups.names}}'
description: Groups scope.
testOidcProvider:
type: vault:identity:OidcProvider
properties:
httpsEnabled: false
issuerHost: 127.0.0.1:8200
allowedClientIds:
- ${testOidcClient.clientId}
scopesSupporteds:
- ${testOidcScope.name}
Create OidcProvider Resource
new OidcProvider(name: string, args?: OidcProviderArgs, opts?: CustomResourceOptions);@overload
def OidcProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
allowed_client_ids: Optional[Sequence[str]] = None,
https_enabled: Optional[bool] = None,
issuer_host: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
scopes_supporteds: Optional[Sequence[str]] = None)
@overload
def OidcProvider(resource_name: str,
args: Optional[OidcProviderArgs] = None,
opts: Optional[ResourceOptions] = None)func NewOidcProvider(ctx *Context, name string, args *OidcProviderArgs, opts ...ResourceOption) (*OidcProvider, error)public OidcProvider(string name, OidcProviderArgs? args = null, CustomResourceOptions? opts = null)
public OidcProvider(String name, OidcProviderArgs args)
public OidcProvider(String name, OidcProviderArgs args, CustomResourceOptions options)
type: vault:identity:OidcProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args OidcProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args OidcProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args OidcProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args OidcProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args OidcProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
OidcProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The OidcProvider resource accepts the following input properties:
- Allowed
Client List<string>Ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- Https
Enabled bool Set to true if the issuer endpoint uses HTTPS.
- Issuer
Host string The host for the issuer. Can be either host or host:port.
- Name string
The name of the provider.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- Scopes
Supporteds List<string> The scopes available for requesting on the provider.
- Allowed
Client []stringIds The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- Https
Enabled bool Set to true if the issuer endpoint uses HTTPS.
- Issuer
Host string The host for the issuer. Can be either host or host:port.
- Name string
The name of the provider.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- Scopes
Supporteds []string The scopes available for requesting on the provider.
- allowed
Client List<String>Ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- https
Enabled Boolean Set to true if the issuer endpoint uses HTTPS.
- issuer
Host String The host for the issuer. Can be either host or host:port.
- name String
The name of the provider.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- scopes
Supporteds List<String> The scopes available for requesting on the provider.
- allowed
Client string[]Ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- https
Enabled boolean Set to true if the issuer endpoint uses HTTPS.
- issuer
Host string The host for the issuer. Can be either host or host:port.
- name string
The name of the provider.
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- scopes
Supporteds string[] The scopes available for requesting on the provider.
- allowed_
client_ Sequence[str]ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- https_
enabled bool Set to true if the issuer endpoint uses HTTPS.
- issuer_
host str The host for the issuer. Can be either host or host:port.
- name str
The name of the provider.
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- scopes_
supporteds Sequence[str] The scopes available for requesting on the provider.
- allowed
Client List<String>Ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- https
Enabled Boolean Set to true if the issuer endpoint uses HTTPS.
- issuer
Host String The host for the issuer. Can be either host or host:port.
- name String
The name of the provider.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- scopes
Supporteds List<String> The scopes available for requesting on the provider.
Outputs
All input properties are implicitly available as output properties. Additionally, the OidcProvider resource produces the following output properties:
Look up Existing OidcProvider Resource
Get an existing OidcProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: OidcProviderState, opts?: CustomResourceOptions): OidcProvider@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_client_ids: Optional[Sequence[str]] = None,
https_enabled: Optional[bool] = None,
issuer: Optional[str] = None,
issuer_host: Optional[str] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
scopes_supporteds: Optional[Sequence[str]] = None) -> OidcProviderfunc GetOidcProvider(ctx *Context, name string, id IDInput, state *OidcProviderState, opts ...ResourceOption) (*OidcProvider, error)public static OidcProvider Get(string name, Input<string> id, OidcProviderState? state, CustomResourceOptions? opts = null)public static OidcProvider get(String name, Output<String> id, OidcProviderState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Allowed
Client List<string>Ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- Https
Enabled bool Set to true if the issuer endpoint uses HTTPS.
- Issuer string
Specifies what will be used as the
scheme://host:portcomponent for theissclaim of ID tokens. This value is computed using theissuer_hostandhttps_enabledfields.- Issuer
Host string The host for the issuer. Can be either host or host:port.
- Name string
The name of the provider.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- Scopes
Supporteds List<string> The scopes available for requesting on the provider.
- Allowed
Client []stringIds The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- Https
Enabled bool Set to true if the issuer endpoint uses HTTPS.
- Issuer string
Specifies what will be used as the
scheme://host:portcomponent for theissclaim of ID tokens. This value is computed using theissuer_hostandhttps_enabledfields.- Issuer
Host string The host for the issuer. Can be either host or host:port.
- Name string
The name of the provider.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- Scopes
Supporteds []string The scopes available for requesting on the provider.
- allowed
Client List<String>Ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- https
Enabled Boolean Set to true if the issuer endpoint uses HTTPS.
- issuer String
Specifies what will be used as the
scheme://host:portcomponent for theissclaim of ID tokens. This value is computed using theissuer_hostandhttps_enabledfields.- issuer
Host String The host for the issuer. Can be either host or host:port.
- name String
The name of the provider.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- scopes
Supporteds List<String> The scopes available for requesting on the provider.
- allowed
Client string[]Ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- https
Enabled boolean Set to true if the issuer endpoint uses HTTPS.
- issuer string
Specifies what will be used as the
scheme://host:portcomponent for theissclaim of ID tokens. This value is computed using theissuer_hostandhttps_enabledfields.- issuer
Host string The host for the issuer. Can be either host or host:port.
- name string
The name of the provider.
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- scopes
Supporteds string[] The scopes available for requesting on the provider.
- allowed_
client_ Sequence[str]ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- https_
enabled bool Set to true if the issuer endpoint uses HTTPS.
- issuer str
Specifies what will be used as the
scheme://host:portcomponent for theissclaim of ID tokens. This value is computed using theissuer_hostandhttps_enabledfields.- issuer_
host str The host for the issuer. Can be either host or host:port.
- name str
The name of the provider.
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- scopes_
supporteds Sequence[str] The scopes available for requesting on the provider.
- allowed
Client List<String>Ids The client IDs that are permitted to use the provider. If empty, no clients are allowed. If
*, all clients are allowed.- https
Enabled Boolean Set to true if the issuer endpoint uses HTTPS.
- issuer String
Specifies what will be used as the
scheme://host:portcomponent for theissclaim of ID tokens. This value is computed using theissuer_hostandhttps_enabledfields.- issuer
Host String The host for the issuer. Can be either host or host:port.
- name String
The name of the provider.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The
namespaceis always relative to the provider's configured namespace. Available only for Vault Enterprise.- scopes
Supporteds List<String> The scopes available for requesting on the provider.
Import
OIDC Providers can be imported using the name, e.g.
$ pulumi import vault:identity/oidcProvider:OidcProvider test my-provider
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
vaultTerraform Provider.