HashiCorp Vault

v5.6.0 published on Tuesday, Aug 16, 2022 by Pulumi

AuthBackend

Provides a resource for managing a JWT auth backend within Vault.

Example Usage

using System.Collections.Generic;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() =>
{
    // Mount a JWT auth method at the path "jwt". Tokens presented at login must
    // carry an iss claim matching BoundIssuer; signing keys are located through
    // OIDC discovery at OidcDiscoveryUrl (base URL, no .well-known suffix).
    // The TLS connection to the discovery URL is validated against the system
    // certificate store unless OidcDiscoveryCaPem is set.
    var backendArgs = new Vault.Jwt.AuthBackendArgs
    {
        BoundIssuer = "https://myco.auth0.com/",
        Description = "Demonstration of the Terraform JWT auth backend",
        OidcDiscoveryUrl = "https://myco.auth0.com/",
        Path = "jwt",
    };

    var example = new Vault.Jwt.AuthBackend("example", backendArgs);
});
package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main mounts a JWT auth method at the path "jwt". Tokens presented at login
// must carry an iss claim matching BoundIssuer; signing keys are located
// through OIDC discovery at OidcDiscoveryUrl (base URL, no .well-known suffix).
// The TLS connection to the discovery URL is validated against the system
// certificate store unless OidcDiscoveryCaPem is set.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		backendArgs := &jwt.AuthBackendArgs{
			BoundIssuer:      pulumi.String("https://myco.auth0.com/"),
			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
			OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
			Path:             pulumi.String("jwt"),
		}
		// The resource handle is not needed here; only the error matters.
		if _, err := jwt.NewAuthBackend(ctx, "example", backendArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that mounts a JWT auth method at the path "jwt".
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the auth backend. Tokens presented at login must carry an iss
     * claim matching boundIssuer; signing keys are located through OIDC
     * discovery at oidcDiscoveryUrl (base URL, no .well-known suffix). The TLS
     * connection to the discovery URL is validated against the system
     * certificate store unless oidcDiscoveryCaPem is set.
     *
     * @param ctx the current deployment context
     */
    public static void stack(Context ctx) {
        var backendArgs = AuthBackendArgs.builder()
            .boundIssuer("https://myco.auth0.com/")
            .description("Demonstration of the Terraform JWT auth backend")
            .oidcDiscoveryUrl("https://myco.auth0.com/")
            .path("jwt")
            .build();

        var example = new AuthBackend("example", backendArgs);
    }
}
import pulumi
import pulumi_vault as vault

# Mount a JWT auth method at the path "jwt". Tokens presented at login must
# carry an iss claim matching bound_issuer; signing keys are located through
# OIDC discovery at oidc_discovery_url (base URL, no .well-known suffix). The
# TLS connection to the discovery URL is validated against the system
# certificate store unless oidc_discovery_ca_pem is set.
backend_args = {
    "bound_issuer": "https://myco.auth0.com/",
    "description": "Demonstration of the Terraform JWT auth backend",
    "oidc_discovery_url": "https://myco.auth0.com/",
    "path": "jwt",
}
example = vault.jwt.AuthBackend("example", **backend_args)
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Mount a JWT auth method at the path "jwt". Tokens presented at login must
// carry an iss claim matching boundIssuer; signing keys are located through
// OIDC discovery at oidcDiscoveryUrl (base URL, no .well-known suffix). The
// TLS connection to the discovery URL is validated against the system
// certificate store unless oidcDiscoveryCaPem is set.
const backendArgs: vault.jwt.AuthBackendArgs = {
    boundIssuer: "https://myco.auth0.com/",
    description: "Demonstration of the Terraform JWT auth backend",
    oidcDiscoveryUrl: "https://myco.auth0.com/",
    path: "jwt",
};

const example = new vault.jwt.AuthBackend("example", backendArgs);
resources:
  # Mount a JWT auth method at the path "jwt".
  example:
    type: vault:jwt:AuthBackend
    properties:
      # Tokens presented at login must carry an iss claim matching this value.
      boundIssuer: https://myco.auth0.com/
      description: Demonstration of the Terraform JWT auth backend
      # Base URL for OIDC discovery, without any .well-known component. The TLS
      # connection is validated against system certificates unless
      # oidcDiscoveryCaPem is set.
      oidcDiscoveryUrl: https://myco.auth0.com/
      path: jwt

Create an AuthBackend Resource

new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);
@overload
def AuthBackend(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                bound_issuer: Optional[str] = None,
                default_role: Optional[str] = None,
                description: Optional[str] = None,
                jwks_ca_pem: Optional[str] = None,
                jwks_url: Optional[str] = None,
                jwt_supported_algs: Optional[Sequence[str]] = None,
                jwt_validation_pubkeys: Optional[Sequence[str]] = None,
                local: Optional[bool] = None,
                namespace_in_state: Optional[bool] = None,
                oidc_client_id: Optional[str] = None,
                oidc_client_secret: Optional[str] = None,
                oidc_discovery_ca_pem: Optional[str] = None,
                oidc_discovery_url: Optional[str] = None,
                oidc_response_mode: Optional[str] = None,
                oidc_response_types: Optional[Sequence[str]] = None,
                path: Optional[str] = None,
                provider_config: Optional[Mapping[str, str]] = None,
                tune: Optional[AuthBackendTuneArgs] = None,
                type: Optional[str] = None)
@overload
def AuthBackend(resource_name: str,
                args: Optional[AuthBackendArgs] = None,
                opts: Optional[ResourceOptions] = None)
func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)
public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)
public AuthBackend(String name, AuthBackendArgs args)
public AuthBackend(String name, AuthBackendArgs args, CustomResourceOptions options)
type: vault:jwt:AuthBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AuthBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AuthBackendArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AuthBackendArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AuthBackendArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AuthBackendArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AuthBackend Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AuthBackend resource accepts the following input properties:

BoundIssuer string

The value against which to match the iss claim in a JWT

DefaultRole string

The default role to use if none is provided during login

Description string

The description of the auth backend

JwksCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

JwksUrl string

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

JwtSupportedAlgs List<string>

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

JwtValidationPubkeys List<string>

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

Local bool

Specifies if the auth method is local only.

NamespaceInState bool

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

OidcClientId string

Client ID used for OIDC backends

OidcClientSecret string

Client Secret used for OIDC backends

OidcDiscoveryCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

OidcDiscoveryUrl string

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

OidcResponseMode string

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

OidcResponseTypes List<string>

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

Path string

Path to mount the JWT/OIDC auth backend

ProviderConfig Dictionary<string, string>

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

Tune AuthBackendTuneArgs
Type string

Type of auth backend. Should be one of jwt or oidc. Default - jwt

BoundIssuer string

The value against which to match the iss claim in a JWT

DefaultRole string

The default role to use if none is provided during login

Description string

The description of the auth backend

JwksCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

JwksUrl string

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

JwtSupportedAlgs []string

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

JwtValidationPubkeys []string

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

Local bool

Specifies if the auth method is local only.

NamespaceInState bool

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

OidcClientId string

Client ID used for OIDC backends

OidcClientSecret string

Client Secret used for OIDC backends

OidcDiscoveryCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

OidcDiscoveryUrl string

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

OidcResponseMode string

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

OidcResponseTypes []string

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

Path string

Path to mount the JWT/OIDC auth backend

ProviderConfig map[string]string

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

Tune AuthBackendTuneArgs
Type string

Type of auth backend. Should be one of jwt or oidc. Default - jwt

boundIssuer String

The value against which to match the iss claim in a JWT

defaultRole String

The default role to use if none is provided during login

description String

The description of the auth backend

jwksCaPem String

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

jwksUrl String

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

jwtSupportedAlgs List<String>

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

jwtValidationPubkeys List<String>

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

local Boolean

Specifies if the auth method is local only.

namespaceInState Boolean

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

oidcClientId String

Client ID used for OIDC backends

oidcClientSecret String

Client Secret used for OIDC backends

oidcDiscoveryCaPem String

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

oidcDiscoveryUrl String

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

oidcResponseMode String

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

oidcResponseTypes List<String>

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

path String

Path to mount the JWT/OIDC auth backend

providerConfig Map<String,String>

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

tune AuthBackendTuneArgs
type String

Type of auth backend. Should be one of jwt or oidc. Default - jwt

boundIssuer string

The value against which to match the iss claim in a JWT

defaultRole string

The default role to use if none is provided during login

description string

The description of the auth backend

jwksCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

jwksUrl string

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

jwtSupportedAlgs string[]

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

jwtValidationPubkeys string[]

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

local boolean

Specifies if the auth method is local only.

namespaceInState boolean

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

oidcClientId string

Client ID used for OIDC backends

oidcClientSecret string

Client Secret used for OIDC backends

oidcDiscoveryCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

oidcDiscoveryUrl string

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

oidcResponseMode string

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

oidcResponseTypes string[]

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

path string

Path to mount the JWT/OIDC auth backend

providerConfig {[key: string]: string}

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

tune AuthBackendTuneArgs
type string

Type of auth backend. Should be one of jwt or oidc. Default - jwt

bound_issuer str

The value against which to match the iss claim in a JWT

default_role str

The default role to use if none is provided during login

description str

The description of the auth backend

jwks_ca_pem str

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

jwks_url str

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

jwt_supported_algs Sequence[str]

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

jwt_validation_pubkeys Sequence[str]

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

local bool

Specifies if the auth method is local only.

namespace_in_state bool

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

oidc_client_id str

Client ID used for OIDC backends

oidc_client_secret str

Client Secret used for OIDC backends

oidc_discovery_ca_pem str

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

oidc_discovery_url str

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

oidc_response_mode str

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

oidc_response_types Sequence[str]

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

path str

Path to mount the JWT/OIDC auth backend

provider_config Mapping[str, str]

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

tune AuthBackendTuneArgs
type str

Type of auth backend. Should be one of jwt or oidc. Default - jwt

boundIssuer String

The value against which to match the iss claim in a JWT

defaultRole String

The default role to use if none is provided during login

description String

The description of the auth backend

jwksCaPem String

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

jwksUrl String

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

jwtSupportedAlgs List<String>

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

jwtValidationPubkeys List<String>

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

local Boolean

Specifies if the auth method is local only.

namespaceInState Boolean

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

oidcClientId String

Client ID used for OIDC backends

oidcClientSecret String

Client Secret used for OIDC backends

oidcDiscoveryCaPem String

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

oidcDiscoveryUrl String

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

oidcResponseMode String

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

oidcResponseTypes List<String>

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

path String

Path to mount the JWT/OIDC auth backend

providerConfig Map<String>

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

tune Property Map
type String

Type of auth backend. Should be one of jwt or oidc. Default - jwt

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:

Accessor string

The accessor for this auth method

Id string

The provider-assigned unique ID for this managed resource.

Accessor string

The accessor for this auth method

Id string

The provider-assigned unique ID for this managed resource.

accessor String

The accessor for this auth method

id String

The provider-assigned unique ID for this managed resource.

accessor string

The accessor for this auth method

id string

The provider-assigned unique ID for this managed resource.

accessor str

The accessor for this auth method

id str

The provider-assigned unique ID for this managed resource.

accessor String

The accessor for this auth method

id String

The provider-assigned unique ID for this managed resource.

Look up an Existing AuthBackend Resource

Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accessor: Optional[str] = None,
        bound_issuer: Optional[str] = None,
        default_role: Optional[str] = None,
        description: Optional[str] = None,
        jwks_ca_pem: Optional[str] = None,
        jwks_url: Optional[str] = None,
        jwt_supported_algs: Optional[Sequence[str]] = None,
        jwt_validation_pubkeys: Optional[Sequence[str]] = None,
        local: Optional[bool] = None,
        namespace_in_state: Optional[bool] = None,
        oidc_client_id: Optional[str] = None,
        oidc_client_secret: Optional[str] = None,
        oidc_discovery_ca_pem: Optional[str] = None,
        oidc_discovery_url: Optional[str] = None,
        oidc_response_mode: Optional[str] = None,
        oidc_response_types: Optional[Sequence[str]] = None,
        path: Optional[str] = None,
        provider_config: Optional[Mapping[str, str]] = None,
        tune: Optional[AuthBackendTuneArgs] = None,
        type: Optional[str] = None) -> AuthBackend
func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)
public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)
public static AuthBackend get(String name, Output<String> id, AuthBackendState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Accessor string

The accessor for this auth method

BoundIssuer string

The value against which to match the iss claim in a JWT

DefaultRole string

The default role to use if none is provided during login

Description string

The description of the auth backend

JwksCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

JwksUrl string

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

JwtSupportedAlgs List<string>

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

JwtValidationPubkeys List<string>

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

Local bool

Specifies if the auth method is local only.

NamespaceInState bool

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

OidcClientId string

Client ID used for OIDC backends

OidcClientSecret string

Client Secret used for OIDC backends

OidcDiscoveryCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

OidcDiscoveryUrl string

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

OidcResponseMode string

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

OidcResponseTypes List<string>

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

Path string

Path to mount the JWT/OIDC auth backend

ProviderConfig Dictionary<string, string>

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

Tune AuthBackendTuneArgs
Type string

Type of auth backend. Should be one of jwt or oidc. Default - jwt

Accessor string

The accessor for this auth method

BoundIssuer string

The value against which to match the iss claim in a JWT

DefaultRole string

The default role to use if none is provided during login

Description string

The description of the auth backend

JwksCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

JwksUrl string

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

JwtSupportedAlgs []string

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

JwtValidationPubkeys []string

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

Local bool

Specifies if the auth method is local only.

NamespaceInState bool

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

OidcClientId string

Client ID used for OIDC backends

OidcClientSecret string

Client Secret used for OIDC backends

OidcDiscoveryCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

OidcDiscoveryUrl string

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

OidcResponseMode string

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

OidcResponseTypes []string

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

Path string

Path to mount the JWT/OIDC auth backend

ProviderConfig map[string]string

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

Tune AuthBackendTuneArgs
Type string

Type of auth backend. Should be one of jwt or oidc. Default - jwt

accessor String

The accessor for this auth method

boundIssuer String

The value against which to match the iss claim in a JWT

defaultRole String

The default role to use if none is provided during login

description String

The description of the auth backend

jwksCaPem String

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

jwksUrl String

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

jwtSupportedAlgs List<String>

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

jwtValidationPubkeys List<String>

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

local Boolean

Specifies if the auth method is local only.

namespaceInState Boolean

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

oidcClientId String

Client ID used for OIDC backends

oidcClientSecret String

Client Secret used for OIDC backends

oidcDiscoveryCaPem String

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

oidcDiscoveryUrl String

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

oidcResponseMode String

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

oidcResponseTypes List<String>

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

path String

Path to mount the JWT/OIDC auth backend

providerConfig Map<String,String>

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

tune AuthBackendTuneArgs
type String

Type of auth backend. Should be one of jwt or oidc. Defaults to jwt.

accessor string

The accessor for this auth method

boundIssuer string

The value against which to match the iss claim in a JWT

defaultRole string

The default role to use if none is provided during login

description string

The description of the auth backend

jwksCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

jwksUrl string

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

jwtSupportedAlgs string[]

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256], but earlier or later versions of Vault may use a different default.

jwtValidationPubkeys string[]

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

local boolean

Specifies if the auth method is local only.

namespaceInState boolean

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

oidcClientId string

Client ID used for OIDC backends

oidcClientSecret string

Client Secret used for OIDC backends

oidcDiscoveryCaPem string

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

oidcDiscoveryUrl string

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

oidcResponseMode string

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

oidcResponseTypes string[]

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

path string

Path to mount the JWT/OIDC auth backend

providerConfig {[key: string]: string}

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

tune AuthBackendTuneArgs
type string

Type of auth backend. Should be one of jwt or oidc. Defaults to jwt.

accessor str

The accessor for this auth method

bound_issuer str

The value against which to match the iss claim in a JWT

default_role str

The default role to use if none is provided during login

description str

The description of the auth backend

jwks_ca_pem str

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

jwks_url str

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

jwt_supported_algs Sequence[str]

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256], but earlier or later versions of Vault may use a different default.

jwt_validation_pubkeys Sequence[str]

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

local bool

Specifies if the auth method is local only.

namespace_in_state bool

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

oidc_client_id str

Client ID used for OIDC backends

oidc_client_secret str

Client Secret used for OIDC backends

oidc_discovery_ca_pem str

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

oidc_discovery_url str

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

oidc_response_mode str

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

oidc_response_types Sequence[str]

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

path str

Path to mount the JWT/OIDC auth backend

provider_config Mapping[str, str]

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

tune AuthBackendTuneArgs
type str

Type of auth backend. Should be one of jwt or oidc. Defaults to jwt.

accessor String

The accessor for this auth method

boundIssuer String

The value against which to match the iss claim in a JWT

defaultRole String

The default role to use if none is provided during login

description String

The description of the auth backend

jwksCaPem String

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

jwksUrl String

JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

jwtSupportedAlgs List<String>

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256], but earlier or later versions of Vault may use a different default.

jwtValidationPubkeys List<String>

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

local Boolean

Specifies if the auth method is local only.

namespaceInState Boolean

Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

oidcClientId String

Client ID used for OIDC backends

oidcClientSecret String

Client Secret used for OIDC backends

oidcDiscoveryCaPem String

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

oidcDiscoveryUrl String

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

oidcResponseMode String

The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

oidcResponseTypes List<String>

List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

path String

Path to mount the JWT/OIDC auth backend

providerConfig Map<String>

Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

tune Property Map
type String

Type of auth backend. Should be one of jwt or oidc. Defaults to jwt.

Supporting Types

AuthBackendTune

AllowedResponseHeaders List<string>

List of headers to whitelist, allowing a plugin to include them in the response.

AuditNonHmacRequestKeys List<string>

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

AuditNonHmacResponseKeys List<string>

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

DefaultLeaseTtl string

Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

ListingVisibility string

Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

MaxLeaseTtl string

Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

PassthroughRequestHeaders List<string>

List of headers to whitelist and pass from the request to the backend.

TokenType string

Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

AllowedResponseHeaders []string

List of headers to whitelist, allowing a plugin to include them in the response.

AuditNonHmacRequestKeys []string

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

AuditNonHmacResponseKeys []string

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

DefaultLeaseTtl string

Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

ListingVisibility string

Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

MaxLeaseTtl string

Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

PassthroughRequestHeaders []string

List of headers to whitelist and pass from the request to the backend.

TokenType string

Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

allowedResponseHeaders List<String>

List of headers to whitelist, allowing a plugin to include them in the response.

auditNonHmacRequestKeys List<String>

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

auditNonHmacResponseKeys List<String>

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

defaultLeaseTtl String

Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

listingVisibility String

Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

maxLeaseTtl String

Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

passthroughRequestHeaders List<String>

List of headers to whitelist and pass from the request to the backend.

tokenType String

Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

allowedResponseHeaders string[]

List of headers to whitelist, allowing a plugin to include them in the response.

auditNonHmacRequestKeys string[]

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

auditNonHmacResponseKeys string[]

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

defaultLeaseTtl string

Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

listingVisibility string

Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

maxLeaseTtl string

Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

passthroughRequestHeaders string[]

List of headers to whitelist and pass from the request to the backend.

tokenType string

Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

allowed_response_headers Sequence[str]

List of headers to whitelist, allowing a plugin to include them in the response.

audit_non_hmac_request_keys Sequence[str]

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

audit_non_hmac_response_keys Sequence[str]

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

default_lease_ttl str

Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

listing_visibility str

Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

max_lease_ttl str

Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

passthrough_request_headers Sequence[str]

List of headers to whitelist and pass from the request to the backend.

token_type str

Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

allowedResponseHeaders List<String>

List of headers to whitelist, allowing a plugin to include them in the response.

auditNonHmacRequestKeys List<String>

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

auditNonHmacResponseKeys List<String>

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

defaultLeaseTtl String

Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

listingVisibility String

Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

maxLeaseTtl String

Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

passthroughRequestHeaders List<String>

List of headers to whitelist and pass from the request to the backend.

tokenType String

Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

Import

A JWT auth backend can be imported using its type, e.g.

 $ pulumi import vault:jwt/authBackend:AuthBackend oidc oidc

or

 $ pulumi import vault:jwt/authBackend:AuthBackend jwt jwt

Package Details

Repository
https://github.com/pulumi/pulumi-vault
License
Apache-2.0
Notes

This Pulumi package is based on the Vault Terraform provider.