vault.jwt.AuthBackend
Provides a resource for managing a JWT auth backend within Vault.
Example Usage
Manage JWT auth backend
using System.Collections.Generic;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    // One URL is used twice: as the value the token's `iss` claim must match
    // (BoundIssuer) and as the OIDC discovery base URL, given without any
    // `.well-known` component. Connections to the discovery URL are validated
    // with system certificates unless OidcDiscoveryCaPem is set.
    const string issuerUrl = "https://myco.auth0.com/";

    var backendArgs = new Vault.Jwt.AuthBackendArgs
    {
        Path = "jwt",
        Description = "Demonstration of the Terraform JWT auth backend",
        BoundIssuer = issuerUrl,
        OidcDiscoveryUrl = issuerUrl,
    };

    // Mounts the JWT auth backend at the path given above.
    var example = new Vault.Jwt.AuthBackend("example", backendArgs);
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares one JWT auth backend mounted at "jwt".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The same URL is the value the `iss` claim must match and the OIDC
		// discovery base URL (no `.well-known` component). Discovery
		// connections use system certificates unless OidcDiscoveryCaPem is set.
		issuerURL := pulumi.String("https://myco.auth0.com/")

		backendArgs := &jwt.AuthBackendArgs{
			Path:             pulumi.String("jwt"),
			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
			BoundIssuer:      issuerURL,
			OidcDiscoveryUrl: issuerURL,
		}

		if _, err := jwt.NewAuthBackend(ctx, "example", backendArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/** Pulumi program that declares one JWT auth backend mounted at "jwt". */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the backend.
     *
     * @param ctx the Pulumi deployment context (not read by this example)
     */
    public static void stack(Context ctx) {
        // The same URL is the value the `iss` claim must match and the OIDC
        // discovery base URL (no `.well-known` component). Discovery
        // connections use system certificates unless oidcDiscoveryCaPem is set.
        final String issuerUrl = "https://myco.auth0.com/";

        final AuthBackendArgs backendArgs = AuthBackendArgs.builder()
            .path("jwt")
            .description("Demonstration of the Terraform JWT auth backend")
            .boundIssuer(issuerUrl)
            .oidcDiscoveryUrl(issuerUrl)
            .build();

        var example = new AuthBackend("example", backendArgs);
    }
}
import pulumi
import pulumi_vault as vault
# The same URL is the value the `iss` claim must match and the OIDC discovery
# base URL (no `.well-known` component). Discovery connections use system
# certificates unless oidc_discovery_ca_pem is set.
issuer_url = "https://myco.auth0.com/"

# Declares one JWT auth backend mounted at "jwt", using the args-object overload.
example = vault.jwt.AuthBackend(
    "example",
    vault.jwt.AuthBackendArgs(
        path="jwt",
        description="Demonstration of the Terraform JWT auth backend",
        bound_issuer=issuer_url,
        oidc_discovery_url=issuer_url,
    ),
)
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
// The same URL is the value the `iss` claim must match and the OIDC discovery
// base URL (no `.well-known` component). Discovery connections use system
// certificates unless oidcDiscoveryCaPem is set.
const issuerUrl = "https://myco.auth0.com/";

const backendArgs: vault.jwt.AuthBackendArgs = {
    path: "jwt",
    description: "Demonstration of the Terraform JWT auth backend",
    boundIssuer: issuerUrl,
    oidcDiscoveryUrl: issuerUrl,
};

// Declares one JWT auth backend mounted at "jwt".
const example = new vault.jwt.AuthBackend("example", backendArgs);
# Declares one JWT auth backend mounted at "jwt".
resources:
  example:
    type: "vault:jwt:AuthBackend"
    properties:
      path: "jwt"
      description: "Demonstration of the Terraform JWT auth backend"
      # Value the token's `iss` claim must match.
      boundIssuer: "https://myco.auth0.com/"
      # Discovery base URL, given without any `.well-known` component.
      oidcDiscoveryUrl: "https://myco.auth0.com/"
Manage OIDC auth backend
using System.Collections.Generic;
using Pulumi;
using Vault = Pulumi.Vault;
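return await Deployment.RunAsync(() =>
{
    // Read the OIDC client secret from encrypted stack configuration instead
    // of embedding it in source, where it would end up in version control.
    // Set it once per stack with: pulumi config set --secret oidcClientSecret
    var config = new Config();
    var oidcClientSecret = config.RequireSecret("oidcClientSecret");

    // Declares an OIDC-type auth backend mounted at "oidc".
    var example = new Vault.Jwt.AuthBackend("example", new()
    {
        BoundIssuer = "https://myco.auth0.com/",
        Description = "Demonstration of the Terraform JWT auth backend",
        OidcClientId = "1234567890",
        OidcClientSecret = oidcClientSecret,
        OidcDiscoveryUrl = "https://myco.auth0.com/",
        Path = "oidc",
        Tune = new Vault.Jwt.Inputs.AuthBackendTuneArgs
        {
            // "unauth" shows this mount in Vault's UI mount listing to
            // unauthenticated clients, so the login page can offer it.
            // Drop the Tune block if the mount should not be advertised.
            ListingVisibility = "unauth",
        },
        Type = "oidc",
    });
});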
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
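// main declares an OIDC-type auth backend mounted at "oidc".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Read the OIDC client secret from encrypted stack configuration
		// instead of embedding it in source, where it would end up in version
		// control. Set it once per stack with:
		//   pulumi config set --secret oidcClientSecret
		cfg := config.New(ctx, "")
		oidcClientSecret := cfg.RequireSecret("oidcClientSecret")

		_, err := jwt.NewAuthBackend(ctx, "example", &jwt.AuthBackendArgs{
			BoundIssuer:      pulumi.String("https://myco.auth0.com/"),
			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
			OidcClientId:     pulumi.String("1234567890"),
			OidcClientSecret: oidcClientSecret,
			OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
			Path:             pulumi.String("oidc"),
			Tune: &jwt.AuthBackendTuneArgs{
				// "unauth" shows this mount in Vault's UI mount listing to
				// unauthenticated clients, so the login page can offer it.
				// Drop the Tune block if the mount should not be advertised.
				ListingVisibility: pulumi.String("unauth"),
			},
			Type: pulumi.String("oidc"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}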
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import com.pulumi.vault.jwt.inputs.AuthBackendTuneArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
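/** Pulumi program that declares an OIDC-type auth backend mounted at "oidc". */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the backend.
     *
     * @param ctx the Pulumi deployment context, used to read stack configuration
     */
    public static void stack(Context ctx) {
        // Read the OIDC client secret from encrypted stack configuration
        // instead of embedding it in source, where it would end up in version
        // control. Set it once per stack with:
        //   pulumi config set --secret oidcClientSecret
        final var oidcClientSecret = ctx.config().requireSecret("oidcClientSecret");

        var example = new AuthBackend("example", AuthBackendArgs.builder()
            .boundIssuer("https://myco.auth0.com/")
            .description("Demonstration of the Terraform JWT auth backend")
            .oidcClientId("1234567890")
            .oidcClientSecret(oidcClientSecret)
            .oidcDiscoveryUrl("https://myco.auth0.com/")
            .path("oidc")
            // "unauth" shows this mount in Vault's UI mount listing to
            // unauthenticated clients, so the login page can offer it.
            // Drop the tune block if the mount should not be advertised.
            .tune(AuthBackendTuneArgs.builder()
                .listingVisibility("unauth")
                .build())
            .type("oidc")
            .build());
    }
}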
import pulumi
import pulumi_vault as vault
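# Read the OIDC client secret from encrypted stack configuration instead of
# embedding it in source, where it would end up in version control.
# Set it once per stack with: pulumi config set --secret oidcClientSecret
config = pulumi.Config()
oidc_client_secret = config.require_secret("oidcClientSecret")

# Declares an OIDC-type auth backend mounted at "oidc".
example = vault.jwt.AuthBackend("example",
    bound_issuer="https://myco.auth0.com/",
    description="Demonstration of the Terraform JWT auth backend",
    oidc_client_id="1234567890",
    oidc_client_secret=oidc_client_secret,
    oidc_discovery_url="https://myco.auth0.com/",
    path="oidc",
    # "unauth" shows this mount in Vault's UI mount listing to unauthenticated
    # clients, so the login page can offer it. Drop the tune block if the
    # mount should not be advertised.
    tune=vault.jwt.AuthBackendTuneArgs(
        listing_visibility="unauth",
    ),
    type="oidc")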
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
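// Read the OIDC client secret from encrypted stack configuration instead of
// embedding it in source, where it would end up in version control.
// Set it once per stack with: pulumi config set --secret oidcClientSecret
const config = new pulumi.Config();
const oidcClientSecret = config.requireSecret("oidcClientSecret");

// Declares an OIDC-type auth backend mounted at "oidc".
const example = new vault.jwt.AuthBackend("example", {
    boundIssuer: "https://myco.auth0.com/",
    description: "Demonstration of the Terraform JWT auth backend",
    oidcClientId: "1234567890",
    oidcClientSecret: oidcClientSecret,
    oidcDiscoveryUrl: "https://myco.auth0.com/",
    path: "oidc",
    tune: {
        // "unauth" shows this mount in Vault's UI mount listing to
        // unauthenticated clients, so the login page can offer it.
        // Drop the tune block if the mount should not be advertised.
        listingVisibility: "unauth",
    },
    type: "oidc",
});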
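# The OIDC client secret is declared as a secret config value rather than
# written into this file, where it would end up in version control.
# Set it once per stack with: pulumi config set --secret oidcClientSecret
config:
  oidcClientSecret:
    type: string
    secret: true
resources:
  example:
    type: vault:jwt:AuthBackend
    properties:
      boundIssuer: https://myco.auth0.com/
      description: Demonstration of the Terraform JWT auth backend
      # Quoted so YAML reads the client ID as a string, not an integer.
      oidcClientId: "1234567890"
      oidcClientSecret: ${oidcClientSecret}
      oidcDiscoveryUrl: https://myco.auth0.com/
      path: oidc
      tune:
        # "unauth" shows this mount in Vault's UI mount listing to
        # unauthenticated clients, so the login page can offer it.
        # Drop the tune block if the mount should not be advertised.
        listingVisibility: unauth
      type: oidc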
config
using System.Collections.Generic;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    var backendArgs = new Vault.Jwt.AuthBackendArgs
    {
        Type = "oidc",
        Path = "oidc",
        Description = "OIDC backend",
        OidcDiscoveryUrl = "https://accounts.google.com",
        // Provider-specific settings. Every value is passed as a string; per
        // the property description the provider converts them to the
        // appropriate type when configuring Vault.
        ProviderConfig =
        {
            { "provider", "gsuite" },
            { "fetch_groups", "true" },
            { "fetch_user_info", "true" },
            { "groups_recurse_max_depth", "1" },
        },
    };

    // Declares an OIDC-type auth backend mounted at "oidc".
    var gsuite = new Vault.Jwt.AuthBackend("gsuite", backendArgs);
});
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares an OIDC-type auth backend mounted at "oidc" with
// provider-specific settings.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Every value is passed as a string; per the property description the
		// provider converts them to the appropriate type when configuring Vault.
		providerSettings := pulumi.StringMap{
			"provider":                 pulumi.String("gsuite"),
			"fetch_groups":             pulumi.String("true"),
			"fetch_user_info":          pulumi.String("true"),
			"groups_recurse_max_depth": pulumi.String("1"),
		}

		backendArgs := &jwt.AuthBackendArgs{
			Type:             pulumi.String("oidc"),
			Path:             pulumi.String("oidc"),
			Description:      pulumi.String("OIDC backend"),
			OidcDiscoveryUrl: pulumi.String("https://accounts.google.com"),
			ProviderConfig:   providerSettings,
		}

		if _, err := jwt.NewAuthBackend(ctx, "gsuite", backendArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
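/**
 * Pulumi program that declares an OIDC-type auth backend mounted at "oidc"
 * with provider-specific settings.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the backend.
     *
     * @param ctx the Pulumi deployment context (not read by this example)
     */
    public static void stack(Context ctx) {
        var gsuite = new AuthBackend("gsuite", AuthBackendArgs.builder()
            .description("OIDC backend")
            .oidcDiscoveryUrl("https://accounts.google.com")
            .path("oidc")
            // providerConfig is a Map<String,String>, so the boolean and
            // integer settings are written as strings; the provider converts
            // them to the appropriate type when configuring Vault.
            .providerConfig(Map.of(
                "fetch_groups", "true",
                "fetch_user_info", "true",
                "groups_recurse_max_depth", "1",
                "provider", "gsuite"))
            .type("oidc")
            .build());
    }
}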
import pulumi
import pulumi_vault as vault
# Provider-specific settings. Every value is passed as a string; per the
# property description the provider converts them to the appropriate type
# when configuring Vault.
provider_settings = {
    "provider": "gsuite",
    "fetch_groups": "true",
    "fetch_user_info": "true",
    "groups_recurse_max_depth": "1",
}

# Declares an OIDC-type auth backend mounted at "oidc", using the args-object
# overload.
gsuite = vault.jwt.AuthBackend(
    "gsuite",
    vault.jwt.AuthBackendArgs(
        type="oidc",
        path="oidc",
        description="OIDC backend",
        oidc_discovery_url="https://accounts.google.com",
        provider_config=provider_settings,
    ),
)
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
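// Declares an OIDC-type auth backend mounted at "oidc" with provider-specific
// settings.
const gsuite = new vault.jwt.AuthBackend("gsuite", {
    description: "OIDC backend",
    oidcDiscoveryUrl: "https://accounts.google.com",
    path: "oidc",
    // providerConfig is typed as {[key: string]: string}, so the boolean and
    // integer settings are written as strings; the provider converts them to
    // the appropriate type when configuring Vault.
    providerConfig: {
        fetch_groups: "true",
        fetch_user_info: "true",
        groups_recurse_max_depth: "1",
        provider: "gsuite",
    },
    type: "oidc",
});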
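# Declares an OIDC-type auth backend mounted at "oidc" with provider-specific
# settings.
resources:
  gsuite:
    type: vault:jwt:AuthBackend
    properties:
      description: OIDC backend
      oidcDiscoveryUrl: https://accounts.google.com
      path: oidc
      # providerConfig is a string-to-string map. The boolean and integer
      # settings are quoted so YAML reads them as strings; the provider
      # converts them to the appropriate type when configuring Vault.
      providerConfig:
        fetch_groups: "true"
        fetch_user_info: "true"
        groups_recurse_max_depth: "1"
        provider: gsuite
      type: oidc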
Create AuthBackend Resource
new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);
@overload
def AuthBackend(resource_name: str,
opts: Optional[ResourceOptions] = None,
bound_issuer: Optional[str] = None,
default_role: Optional[str] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
jwks_ca_pem: Optional[str] = None,
jwks_url: Optional[str] = None,
jwt_supported_algs: Optional[Sequence[str]] = None,
jwt_validation_pubkeys: Optional[Sequence[str]] = None,
local: Optional[bool] = None,
namespace: Optional[str] = None,
namespace_in_state: Optional[bool] = None,
oidc_client_id: Optional[str] = None,
oidc_client_secret: Optional[str] = None,
oidc_discovery_ca_pem: Optional[str] = None,
oidc_discovery_url: Optional[str] = None,
oidc_response_mode: Optional[str] = None,
oidc_response_types: Optional[Sequence[str]] = None,
path: Optional[str] = None,
provider_config: Optional[Mapping[str, str]] = None,
tune: Optional[AuthBackendTuneArgs] = None,
type: Optional[str] = None)
@overload
def AuthBackend(resource_name: str,
args: Optional[AuthBackendArgs] = None,
opts: Optional[ResourceOptions] = None)
func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)
public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)
public AuthBackend(String name, AuthBackendArgs args)
public AuthBackend(String name, AuthBackendArgs args, CustomResourceOptions options)
type: vault:jwt:AuthBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
AuthBackend Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The AuthBackend resource accepts the following input properties:
- Bound
Issuer string The value against which to match the iss claim in a JWT
- Default
Role string The default role to use if none is provided during login
- Description string
The description of the auth backend
- Disable
Remount bool If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Jwks
Ca stringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- Jwks
Url string JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- Jwt
Supported List<string>Algs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- Jwt
Validation List<string>Pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- Local bool
Specifies if the auth method is local only.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Namespace
In boolState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- Oidc
Client stringId Client ID used for OIDC backends
- Oidc
Client stringSecret Client Secret used for OIDC backends
- Oidc
Discovery stringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- Oidc
Discovery stringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- Oidc
Response stringMode The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
- Oidc
Response List<string>Types List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
- Path string
Path to mount the JWT/OIDC auth backend
- Provider
Config Dictionary<string, string> Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- Tune AuthBackendTune
- Type string
Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
- Bound
Issuer string The value against which to match the iss claim in a JWT
- Default
Role string The default role to use if none is provided during login
- Description string
The description of the auth backend
- Disable
Remount bool If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Jwks
Ca stringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- Jwks
Url string JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- Jwt
Supported []stringAlgs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- Jwt
Validation []stringPubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- Local bool
Specifies if the auth method is local only.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- Namespace
In boolState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- Oidc
Client stringId Client ID used for OIDC backends
- Oidc
Client stringSecret Client Secret used for OIDC backends
- Oidc
Discovery stringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- Oidc
Discovery stringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- Oidc
Response stringMode The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
- Oidc
Response []stringTypes List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
- Path string
Path to mount the JWT/OIDC auth backend
- Provider
Config map[string]string Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- Tune AuthBackendTuneArgs
- Type string
Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
- bound
Issuer String The value against which to match the iss claim in a JWT
- default
Role String The default role to use if none is provided during login
- description String
The description of the auth backend
- disable
Remount Boolean If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca StringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url String JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported List<String>Algs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation List<String>Pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local Boolean
Specifies if the auth method is local only.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- namespace
In BooleanState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- oidc
Client StringId Client ID used for OIDC backends
- oidc
Client StringSecret Client Secret used for OIDC backends
- oidc
Discovery StringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery StringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc
Response StringMode The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
- oidc
Response List<String>Types List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
- path String
Path to mount the JWT/OIDC auth backend
- provider
Config Map<String,String> Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune AuthBackendTune
- type String
Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
- bound
Issuer string The value against which to match the iss claim in a JWT
- default
Role string The default role to use if none is provided during login
- description string
The description of the auth backend
- disable
Remount boolean If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca stringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url string JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported string[]Algs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation string[]Pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local boolean
Specifies if the auth method is local only.
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- namespace
In booleanState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- oidc
Client stringId Client ID used for OIDC backends
- oidc
Client stringSecret Client Secret used for OIDC backends
- oidc
Discovery stringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery stringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc
Response stringMode The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
- oidc
Response string[]Types List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
- path string
Path to mount the JWT/OIDC auth backend
- provider
Config {[key: string]: string} Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune AuthBackendTune
- type string
Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
- bound_
issuer str The value against which to match the iss claim in a JWT
- default_
role str The default role to use if none is provided during login
- description str
The description of the auth backend
- disable_
remount bool If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks_
ca_ strpem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks_
url str JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt_
supported_ Sequence[str]algs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt_
validation_ Sequence[str]pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local bool
Specifies if the auth method is local only.
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- namespace_
in_ boolstate Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- oidc_
client_ strid Client ID used for OIDC backends
- oidc_
client_ strsecret Client Secret used for OIDC backends
- oidc_
discovery_ strca_ pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc_
discovery_ strurl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc_
response_ strmode The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
- oidc_
response_ Sequence[str]types List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
- path str
Path to mount the JWT/OIDC auth backend
- provider_
config Mapping[str, str] Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune AuthBackendTuneArgs
- type str
Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
- bound
Issuer String The value against which to match the iss claim in a JWT
- default
Role String The default role to use if none is provided during login
- description String
The description of the auth backend
- disable
Remount Boolean If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca StringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url String JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported List<String>Algs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation List<String>Pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local Boolean
Specifies if the auth method is local only.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- namespace
In BooleanState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- oidc
Client StringId Client ID used for OIDC backends
- oidc
Client StringSecret Client Secret used for OIDC backends
- oidc
Discovery StringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery StringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc
Response StringMode The response mode to be used in the OAuth2 request. Allowed values are `query` and `form_post`. Defaults to `query`. If using Vault namespaces, and `oidc_response_mode` is `form_post`, then `namespace_in_state` should be set to `false`.
- oidc
Response List<String>Types List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `["code"]`. Note: `id_token` may only be used if `oidc_response_mode` is set to `form_post`.
- path String
Path to mount the JWT/OIDC auth backend
- provider
Config Map<String> Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune Property Map
- type String
Type of auth backend. Should be one of `jwt` or `oidc`. Default - `jwt`
Outputs
All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:
Look up Existing AuthBackend Resource
Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accessor: Optional[str] = None,
bound_issuer: Optional[str] = None,
default_role: Optional[str] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
jwks_ca_pem: Optional[str] = None,
jwks_url: Optional[str] = None,
jwt_supported_algs: Optional[Sequence[str]] = None,
jwt_validation_pubkeys: Optional[Sequence[str]] = None,
local: Optional[bool] = None,
namespace: Optional[str] = None,
namespace_in_state: Optional[bool] = None,
oidc_client_id: Optional[str] = None,
oidc_client_secret: Optional[str] = None,
oidc_discovery_ca_pem: Optional[str] = None,
oidc_discovery_url: Optional[str] = None,
oidc_response_mode: Optional[str] = None,
oidc_response_types: Optional[Sequence[str]] = None,
path: Optional[str] = None,
provider_config: Optional[Mapping[str, str]] = None,
tune: Optional[AuthBackendTuneArgs] = None,
type: Optional[str] = None) -> AuthBackend
func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)
public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)
public static AuthBackend get(String name, Output<String> id, AuthBackendState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accessor string
The accessor for this auth method
- Bound
Issuer string The value against which to match the iss claim in a JWT
- Default
Role string The default role to use if none is provided during login
- Description string
The description of the auth backend
- Disable
Remount bool If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Jwks
Ca stringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- Jwks
Url string JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- JwtSupportedAlgs List<string>
A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ. Set this explicitly so that the accepted signing algorithms do not change with the Vault version.
- Jwt
Validation List<string>Pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- Local bool
Specifies if the auth method is local only.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- NamespaceInState bool
Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- Oidc
Client stringId Client ID used for OIDC backends
- OidcClientSecret string
Client Secret used for OIDC backends. Supply it from secret configuration rather than as a literal in program source.
- Oidc
Discovery stringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- Oidc
Discovery stringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- OidcResponseMode string
The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
- OidcResponseTypes List<string>
List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
- Path string
Path to mount the JWT/OIDC auth backend
- Provider
Config Dictionary<string, string> Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- Tune AuthBackendTune
- Type string
Type of auth backend. Should be one of jwt or oidc. Default - jwt
- Accessor string
The accessor for this auth method
- Bound
Issuer string The value against which to match the iss claim in a JWT
- Default
Role string The default role to use if none is provided during login
- Description string
The description of the auth backend
- Disable
Remount bool If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Jwks
Ca stringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- Jwks
Url string JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- Jwt
Supported []stringAlgs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- Jwt
Validation []stringPubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- Local bool
Specifies if the auth method is local only.
- Namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- NamespaceInState bool
Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- Oidc
Client stringId Client ID used for OIDC backends
- Oidc
Client stringSecret Client Secret used for OIDC backends
- Oidc
Discovery stringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- Oidc
Discovery stringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- OidcResponseMode string
The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
- OidcResponseTypes []string
List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
- Path string
Path to mount the JWT/OIDC auth backend
- Provider
Config map[string]string Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- Tune AuthBackendTuneArgs
- Type string
Type of auth backend. Should be one of jwt or oidc. Default - jwt
- accessor String
The accessor for this auth method
- bound
Issuer String The value against which to match the iss claim in a JWT
- default
Role String The default role to use if none is provided during login
- description String
The description of the auth backend
- disable
Remount Boolean If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca StringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url String JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported List<String>Algs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation List<String>Pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local Boolean
Specifies if the auth method is local only.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- namespaceInState Boolean
Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- oidc
Client StringId Client ID used for OIDC backends
- oidc
Client StringSecret Client Secret used for OIDC backends
- oidc
Discovery StringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery StringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidcResponseMode String
The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
- oidcResponseTypes List<String>
List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
- path String
Path to mount the JWT/OIDC auth backend
- provider
Config Map<String,String> Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune AuthBackendTune
- type String
Type of auth backend. Should be one of jwt or oidc. Default - jwt
- accessor string
The accessor for this auth method
- bound
Issuer string The value against which to match the iss claim in a JWT
- default
Role string The default role to use if none is provided during login
- description string
The description of the auth backend
- disable
Remount boolean If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca stringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url string JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported string[]Algs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation string[]Pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local boolean
Specifies if the auth method is local only.
- namespace string
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- namespaceInState boolean
Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- oidc
Client stringId Client ID used for OIDC backends
- oidc
Client stringSecret Client Secret used for OIDC backends
- oidc
Discovery stringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery stringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidcResponseMode string
The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
- oidcResponseTypes string[]
List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
- path string
Path to mount the JWT/OIDC auth backend
- provider
Config {[key: string]: string} Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune AuthBackendTune
- type string
Type of auth backend. Should be one of jwt or oidc. Default - jwt
- accessor str
The accessor for this auth method
- bound_
issuer str The value against which to match the iss claim in a JWT
- default_
role str The default role to use if none is provided during login
- description str
The description of the auth backend
- disable_
remount bool If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks_
ca_ strpem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks_
url str JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt_
supported_ Sequence[str]algs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt_
validation_ Sequence[str]pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local bool
Specifies if the auth method is local only.
- namespace str
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- namespace_in_state bool
Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- oidc_
client_ strid Client ID used for OIDC backends
- oidc_
client_ strsecret Client Secret used for OIDC backends
- oidc_
discovery_ strca_ pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc_
discovery_ strurl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc_response_mode str
The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
- oidc_response_types Sequence[str]
List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
- path str
Path to mount the JWT/OIDC auth backend
- provider_
config Mapping[str, str] Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune AuthBackendTuneArgs
- type str
Type of auth backend. Should be one of jwt or oidc. Default - jwt
- accessor String
The accessor for this auth method
- bound
Issuer String The value against which to match the iss claim in a JWT
- default
Role String The default role to use if none is provided during login
- description String
The description of the auth backend
- disable
Remount Boolean If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca StringPem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url String JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported List<String>Algs A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation List<String>Pubkeys A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local Boolean
Specifies if the auth method is local only.
- namespace String
The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
- namespaceInState Boolean
Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- oidc
Client StringId Client ID used for OIDC backends
- oidc
Client StringSecret Client Secret used for OIDC backends
- oidc
Discovery StringCa Pem The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery StringUrl The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidcResponseMode String
The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
- oidcResponseTypes List<String>
List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
- path String
Path to mount the JWT/OIDC auth backend
- provider
Config Map<String> Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune Property Map
- type String
Type of auth backend. Should be one of jwt or oidc. Default - jwt
Supporting Types
AuthBackendTune, AuthBackendTuneArgs
- Allowed
Response List<string>Headers List of headers to whitelist and allowing a plugin to include them in the response.
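- AuditNonHmacRequestKeys List<string>
Specifies the list of keys that will not be HMAC'd by audit devices in the request data object. Values of these keys are written to the audit log in plaintext, so list only keys whose values are not sensitive.
- AuditNonHmacResponseKeys List<string>
Specifies the list of keys that will not be HMAC'd by audit devices in the response data object. Values of these keys are written to the audit log in plaintext, so list only keys whose values are not sensitive.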
- Default
Lease stringTtl Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- ListingVisibility string
Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden". With "unauth" the mount is listed to callers that have not authenticated.
- Max
Lease stringTtl Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- Passthrough
Request List<string>Headers List of headers to whitelist and pass from the request to the backend.
- Token
Type string Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- Allowed
Response []stringHeaders List of headers to whitelist and allowing a plugin to include them in the response.
- Audit
Non []stringHmac Request Keys Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease stringTtl Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- Listing
Visibility string Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- Max
Lease stringTtl Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- Passthrough
Request []stringHeaders List of headers to whitelist and pass from the request to the backend.
- Token
Type string Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- allowed
Response List<String>Headers List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease StringTtl Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility String Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease StringTtl Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request List<String>Headers List of headers to whitelist and pass from the request to the backend.
- token
Type String Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- allowed
Response string[]Headers List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non string[]Hmac Request Keys Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease stringTtl Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility string Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease stringTtl Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request string[]Headers List of headers to whitelist and pass from the request to the backend.
- token
Type string Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- allowed_
response_ Sequence[str]headers List of headers to whitelist and allowing a plugin to include them in the response.
- audit_
non_ Sequence[str]hmac_ request_ keys Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default_
lease_ strttl Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing_
visibility str Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max_
lease_ strttl Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough_
request_ Sequence[str]headers List of headers to whitelist and pass from the request to the backend.
- token_
type str Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- allowed
Response List<String>Headers List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease StringTtl Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility String Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease StringTtl Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request List<String>Headers List of headers to whitelist and pass from the request to the backend.
- token
Type String Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
Import
JWT auth backend can be imported using the path, e.g.
$ pulumi import vault:jwt/authBackend:AuthBackend oidc oidc
or
$ pulumi import vault:jwt/authBackend:AuthBackend jwt jwt
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
This Pulumi package is based on the vault Terraform Provider.