HashiCorp Vault v5.15.0, Sep 8 23

HashiCorp Vault v5.15.0 published on Friday, Sep 8, 2023 by Pulumi

vault.jwt.AuthBackend

Explore with Pulumi AI

HashiCorp Vault v5.15.0 published on Friday, Sep 8, 2023 by Pulumi

pulumi/pulumi-vault

Example Usage

Manage JWT auth backend

using System.Collections.Generic;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.Jwt.AuthBackend("example", new()
    {
        BoundIssuer = "https://myco.auth0.com/",
        Description = "Demonstration of the Terraform JWT auth backend",
        OidcDiscoveryUrl = "https://myco.auth0.com/",
        Path = "jwt",
    });

});

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := jwt.NewAuthBackend(ctx, "example", &jwt.AuthBackendArgs{
			BoundIssuer:      pulumi.String("https://myco.auth0.com/"),
			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
			OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
			Path:             pulumi.String("jwt"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AuthBackend("example", AuthBackendArgs.builder()        
            .boundIssuer("https://myco.auth0.com/")
            .description("Demonstration of the Terraform JWT auth backend")
            .oidcDiscoveryUrl("https://myco.auth0.com/")
            .path("jwt")
            .build());

    }
}

import pulumi
import pulumi_vault as vault

example = vault.jwt.AuthBackend("example",
    bound_issuer="https://myco.auth0.com/",
    description="Demonstration of the Terraform JWT auth backend",
    oidc_discovery_url="https://myco.auth0.com/",
    path="jwt")

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.jwt.AuthBackend("example", {
    boundIssuer: "https://myco.auth0.com/",
    description: "Demonstration of the Terraform JWT auth backend",
    oidcDiscoveryUrl: "https://myco.auth0.com/",
    path: "jwt",
});

resources:
  example:
    type: vault:jwt:AuthBackend
    properties:
      boundIssuer: https://myco.auth0.com/
      description: Demonstration of the Terraform JWT auth backend
      oidcDiscoveryUrl: https://myco.auth0.com/
      path: jwt

Manage OIDC auth backend

using System.Collections.Generic;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.Jwt.AuthBackend("example", new()
    {
        BoundIssuer = "https://myco.auth0.com/",
        Description = "Demonstration of the Terraform JWT auth backend",
        OidcClientId = "1234567890",
        OidcClientSecret = "secret123456",
        OidcDiscoveryUrl = "https://myco.auth0.com/",
        Path = "oidc",
        Tune = new Vault.Jwt.Inputs.AuthBackendTuneArgs
        {
            ListingVisibility = "unauth",
        },
        Type = "oidc",
    });

});

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := jwt.NewAuthBackend(ctx, "example", &jwt.AuthBackendArgs{
			BoundIssuer:      pulumi.String("https://myco.auth0.com/"),
			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
			OidcClientId:     pulumi.String("1234567890"),
			OidcClientSecret: pulumi.String("secret123456"),
			OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
			Path:             pulumi.String("oidc"),
			Tune: &jwt.AuthBackendTuneArgs{
				ListingVisibility: pulumi.String("unauth"),
			},
			Type: pulumi.String("oidc"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import com.pulumi.vault.jwt.inputs.AuthBackendTuneArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AuthBackend("example", AuthBackendArgs.builder()        
            .boundIssuer("https://myco.auth0.com/")
            .description("Demonstration of the Terraform JWT auth backend")
            .oidcClientId("1234567890")
            .oidcClientSecret("secret123456")
            .oidcDiscoveryUrl("https://myco.auth0.com/")
            .path("oidc")
            .tune(AuthBackendTuneArgs.builder()
                .listingVisibility("unauth")
                .build())
            .type("oidc")
            .build());

    }
}

import pulumi
import pulumi_vault as vault

example = vault.jwt.AuthBackend("example",
    bound_issuer="https://myco.auth0.com/",
    description="Demonstration of the Terraform JWT auth backend",
    oidc_client_id="1234567890",
    oidc_client_secret="secret123456",
    oidc_discovery_url="https://myco.auth0.com/",
    path="oidc",
    tune=vault.jwt.AuthBackendTuneArgs(
        listing_visibility="unauth",
    ),
    type="oidc")

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.jwt.AuthBackend("example", {
    boundIssuer: "https://myco.auth0.com/",
    description: "Demonstration of the Terraform JWT auth backend",
    oidcClientId: "1234567890",
    oidcClientSecret: "secret123456",
    oidcDiscoveryUrl: "https://myco.auth0.com/",
    path: "oidc",
    tune: {
        listingVisibility: "unauth",
    },
    type: "oidc",
});

resources:
  example:
    type: vault:jwt:AuthBackend
    properties:
      boundIssuer: https://myco.auth0.com/
      description: Demonstration of the Terraform JWT auth backend
      oidcClientId: 1234567890
      oidcClientSecret: secret123456
      oidcDiscoveryUrl: https://myco.auth0.com/
      path: oidc
      tune:
        listingVisibility: unauth
      type: oidc

config

using System.Collections.Generic;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var gsuite = new Vault.Jwt.AuthBackend("gsuite", new()
    {
        Description = "OIDC backend",
        OidcDiscoveryUrl = "https://accounts.google.com",
        Path = "oidc",
        ProviderConfig = 
        {
            { "fetch_groups", "true" },
            { "fetch_user_info", "true" },
            { "groups_recurse_max_depth", "1" },
            { "provider", "gsuite" },
        },
        Type = "oidc",
    });

});

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := jwt.NewAuthBackend(ctx, "gsuite", &jwt.AuthBackendArgs{
			Description:      pulumi.String("OIDC backend"),
			OidcDiscoveryUrl: pulumi.String("https://accounts.google.com"),
			Path:             pulumi.String("oidc"),
			ProviderConfig: pulumi.StringMap{
				"fetch_groups":             pulumi.String("true"),
				"fetch_user_info":          pulumi.String("true"),
				"groups_recurse_max_depth": pulumi.String("1"),
				"provider":                 pulumi.String("gsuite"),
			},
			Type: pulumi.String("oidc"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var gsuite = new AuthBackend("gsuite", AuthBackendArgs.builder()        
            .description("OIDC backend")
            .oidcDiscoveryUrl("https://accounts.google.com")
            .path("oidc")
            .providerConfig(Map.ofEntries(
                Map.entry("fetch_groups", true),
                Map.entry("fetch_user_info", true),
                Map.entry("groups_recurse_max_depth", 1),
                Map.entry("provider", "gsuite")
            ))
            .type("oidc")
            .build());

    }
}

import pulumi
import pulumi_vault as vault

gsuite = vault.jwt.AuthBackend("gsuite",
    description="OIDC backend",
    oidc_discovery_url="https://accounts.google.com",
    path="oidc",
    provider_config={
        "fetch_groups": "true",
        "fetch_user_info": "true",
        "groups_recurse_max_depth": "1",
        "provider": "gsuite",
    },
    type="oidc")

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const gsuite = new vault.jwt.AuthBackend("gsuite", {
    description: "OIDC backend",
    oidcDiscoveryUrl: "https://accounts.google.com",
    path: "oidc",
    providerConfig: {
        fetch_groups: true,
        fetch_user_info: true,
        groups_recurse_max_depth: 1,
        provider: "gsuite",
    },
    type: "oidc",
});

resources:
  gsuite:
    type: vault:jwt:AuthBackend
    properties:
      description: OIDC backend
      oidcDiscoveryUrl: https://accounts.google.com
      path: oidc
      providerConfig:
        fetch_groups: true
        fetch_user_info: true
        groups_recurse_max_depth: 1
        provider: gsuite
      type: oidc

Create AuthBackend Resource

new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);

@overload
def AuthBackend(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                bound_issuer: Optional[str] = None,
                default_role: Optional[str] = None,
                description: Optional[str] = None,
                disable_remount: Optional[bool] = None,
                jwks_ca_pem: Optional[str] = None,
                jwks_url: Optional[str] = None,
                jwt_supported_algs: Optional[Sequence[str]] = None,
                jwt_validation_pubkeys: Optional[Sequence[str]] = None,
                local: Optional[bool] = None,
                namespace: Optional[str] = None,
                namespace_in_state: Optional[bool] = None,
                oidc_client_id: Optional[str] = None,
                oidc_client_secret: Optional[str] = None,
                oidc_discovery_ca_pem: Optional[str] = None,
                oidc_discovery_url: Optional[str] = None,
                oidc_response_mode: Optional[str] = None,
                oidc_response_types: Optional[Sequence[str]] = None,
                path: Optional[str] = None,
                provider_config: Optional[Mapping[str, str]] = None,
                tune: Optional[AuthBackendTuneArgs] = None,
                type: Optional[str] = None)
@overload
def AuthBackend(resource_name: str,
                args: Optional[AuthBackendArgs] = None,
                opts: Optional[ResourceOptions] = None)

func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)

public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)

public AuthBackend(String name, AuthBackendArgs args)
public AuthBackend(String name, AuthBackendArgs args, CustomResourceOptions options)

type: vault:jwt:AuthBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthBackendArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AuthBackendArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AuthBackendArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthBackendArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AuthBackendArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

AuthBackend Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AuthBackend resource accepts the following input properties:

BoundIssuer string: The value against which to match the iss claim in a JWT
DefaultRole string: The default role to use if none is provided during login
Description string: The description of the auth backend
DisableRemount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
JwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
JwtSupportedAlgs List<string>: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys List<string>: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
Local bool: Specifies if the auth method is local only.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NamespaceInState bool: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
OidcClientId string: Client ID used for OIDC backends
OidcClientSecret string: Client Secret used for OIDC backends
OidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
OidcResponseMode string: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
OidcResponseTypes List<string>: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
Path string: Path to mount the JWT/OIDC auth backend
ProviderConfig Dictionary<string, string>: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
Tune AuthBackendTune
Type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

BoundIssuer string: The value against which to match the iss claim in a JWT
DefaultRole string: The default role to use if none is provided during login
Description string: The description of the auth backend
DisableRemount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
JwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
JwtSupportedAlgs []string: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys []string: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
Local bool: Specifies if the auth method is local only.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NamespaceInState bool: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
OidcClientId string: Client ID used for OIDC backends
OidcClientSecret string: Client Secret used for OIDC backends
OidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
OidcResponseMode string: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
OidcResponseTypes []string: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
Path string: Path to mount the JWT/OIDC auth backend
ProviderConfig map[string]string: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
Tune AuthBackendTuneArgs
Type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

boundIssuer String: The value against which to match the iss claim in a JWT
defaultRole String: The default role to use if none is provided during login
description String: The description of the auth backend
disableRemount Boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
jwksCaPem String: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl String: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
jwtSupportedAlgs List<String>: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys List<String>: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
local Boolean: Specifies if the auth method is local only.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
namespaceInState Boolean: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
oidcClientId String: Client ID used for OIDC backends
oidcClientSecret String: Client Secret used for OIDC backends
oidcDiscoveryCaPem String: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl String: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
oidcResponseMode String: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
oidcResponseTypes List<String>: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
path String: Path to mount the JWT/OIDC auth backend
providerConfig Map<String,String>: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTune
type String: Type of auth backend. Should be one of jwt or oidc. Default - jwt

boundIssuer string: The value against which to match the iss claim in a JWT
defaultRole string: The default role to use if none is provided during login
description string: The description of the auth backend
disableRemount boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
jwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
jwtSupportedAlgs string[]: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys string[]: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
local boolean: Specifies if the auth method is local only.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
namespaceInState boolean: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
oidcClientId string: Client ID used for OIDC backends
oidcClientSecret string: Client Secret used for OIDC backends
oidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
oidcResponseMode string: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
oidcResponseTypes string[]: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
path string: Path to mount the JWT/OIDC auth backend
providerConfig {[key: string]: string}: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTune
type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

bound_issuer str: The value against which to match the iss claim in a JWT
default_role str: The default role to use if none is provided during login
description str: The description of the auth backend
disable_remount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
jwks_ca_pem str: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url str: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
jwt_supported_algs Sequence[str]: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwt_validation_pubkeys Sequence[str]: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
local bool: Specifies if the auth method is local only.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
namespace_in_state bool: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
oidc_client_id str: Client ID used for OIDC backends
oidc_client_secret str: Client Secret used for OIDC backends
oidc_discovery_ca_pem str: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidc_discovery_url str: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
oidc_response_mode str: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
oidc_response_types Sequence[str]: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
path str: Path to mount the JWT/OIDC auth backend
provider_config Mapping[str, str]: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTuneArgs
type str: Type of auth backend. Should be one of jwt or oidc. Default - jwt

boundIssuer String: The value against which to match the iss claim in a JWT
defaultRole String: The default role to use if none is provided during login
description String: The description of the auth backend
disableRemount Boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
jwksCaPem String: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl String: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
jwtSupportedAlgs List<String>: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys List<String>: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
local Boolean: Specifies if the auth method is local only.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
namespaceInState Boolean: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
oidcClientId String: Client ID used for OIDC backends
oidcClientSecret String: Client Secret used for OIDC backends
oidcDiscoveryCaPem String: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl String: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
oidcResponseMode String: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
oidcResponseTypes List<String>: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
path String: Path to mount the JWT/OIDC auth backend
providerConfig Map<String>: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune Property Map
type String: Type of auth backend. Should be one of jwt or oidc. Default - jwt

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:

Accessor string: The accessor for this auth method
Id string: The provider-assigned unique ID for this managed resource.

Accessor string: The accessor for this auth method
Id string: The provider-assigned unique ID for this managed resource.

accessor String: The accessor for this auth method
id String: The provider-assigned unique ID for this managed resource.

accessor string: The accessor for this auth method
id string: The provider-assigned unique ID for this managed resource.

accessor str: The accessor for this auth method
id str: The provider-assigned unique ID for this managed resource.

accessor String: The accessor for this auth method
id String: The provider-assigned unique ID for this managed resource.

Look up Existing AuthBackend Resource

Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accessor: Optional[str] = None,
        bound_issuer: Optional[str] = None,
        default_role: Optional[str] = None,
        description: Optional[str] = None,
        disable_remount: Optional[bool] = None,
        jwks_ca_pem: Optional[str] = None,
        jwks_url: Optional[str] = None,
        jwt_supported_algs: Optional[Sequence[str]] = None,
        jwt_validation_pubkeys: Optional[Sequence[str]] = None,
        local: Optional[bool] = None,
        namespace: Optional[str] = None,
        namespace_in_state: Optional[bool] = None,
        oidc_client_id: Optional[str] = None,
        oidc_client_secret: Optional[str] = None,
        oidc_discovery_ca_pem: Optional[str] = None,
        oidc_discovery_url: Optional[str] = None,
        oidc_response_mode: Optional[str] = None,
        oidc_response_types: Optional[Sequence[str]] = None,
        path: Optional[str] = None,
        provider_config: Optional[Mapping[str, str]] = None,
        tune: Optional[AuthBackendTuneArgs] = None,
        type: Optional[str] = None) -> AuthBackend

func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)

public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)

public static AuthBackend get(String name, Output<String> id, AuthBackendState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Accessor string: The accessor for this auth method
BoundIssuer string: The value against which to match the iss claim in a JWT
DefaultRole string: The default role to use if none is provided during login
Description string: The description of the auth backend
DisableRemount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
JwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
JwtSupportedAlgs List<string>: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys List<string>: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
Local bool: Specifies if the auth method is local only.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NamespaceInState bool: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
OidcClientId string: Client ID used for OIDC backends
OidcClientSecret string: Client Secret used for OIDC backends
OidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
OidcResponseMode string: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
OidcResponseTypes List<string>: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
Path string: Path to mount the JWT/OIDC auth backend
ProviderConfig Dictionary<string, string>: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
Tune AuthBackendTune
Type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

Accessor string: The accessor for this auth method
BoundIssuer string: The value against which to match the iss claim in a JWT
DefaultRole string: The default role to use if none is provided during login
Description string: The description of the auth backend
DisableRemount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
JwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
JwtSupportedAlgs []string: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys []string: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
Local bool: Specifies if the auth method is local only.
Namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
NamespaceInState bool: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
OidcClientId string: Client ID used for OIDC backends
OidcClientSecret string: Client Secret used for OIDC backends
OidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
OidcResponseMode string: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
OidcResponseTypes []string: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
Path string: Path to mount the JWT/OIDC auth backend
ProviderConfig map[string]string: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
Tune AuthBackendTuneArgs
Type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

accessor String: The accessor for this auth method
boundIssuer String: The value against which to match the iss claim in a JWT
defaultRole String: The default role to use if none is provided during login
description String: The description of the auth backend
disableRemount Boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
jwksCaPem String: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl String: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
jwtSupportedAlgs List<String>: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys List<String>: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
local Boolean: Specifies if the auth method is local only.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
namespaceInState Boolean: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
oidcClientId String: Client ID used for OIDC backends
oidcClientSecret String: Client Secret used for OIDC backends
oidcDiscoveryCaPem String: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl String: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
oidcResponseMode String: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
oidcResponseTypes List<String>: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
path String: Path to mount the JWT/OIDC auth backend
providerConfig Map<String,String>: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTune
type String: Type of auth backend. Should be one of jwt or oidc. Default - jwt

accessor string: The accessor for this auth method
boundIssuer string: The value against which to match the iss claim in a JWT
defaultRole string: The default role to use if none is provided during login
description string: The description of the auth backend
disableRemount boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
jwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
jwtSupportedAlgs string[]: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys string[]: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
local boolean: Specifies if the auth method is local only.
namespace string: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
namespaceInState boolean: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
oidcClientId string: Client ID used for OIDC backends
oidcClientSecret string: Client Secret used for OIDC backends
oidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
oidcResponseMode string: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
oidcResponseTypes string[]: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
path string: Path to mount the JWT/OIDC auth backend
providerConfig {[key: string]: string}: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTune
type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

accessor str: The accessor for this auth method
bound_issuer str: The value against which to match the iss claim in a JWT
default_role str: The default role to use if none is provided during login
description str: The description of the auth backend
disable_remount bool: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
jwks_ca_pem str: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url str: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
jwt_supported_algs Sequence[str]: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwt_validation_pubkeys Sequence[str]: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
local bool: Specifies if the auth method is local only.
namespace str: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
namespace_in_state bool: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
oidc_client_id str: Client ID used for OIDC backends
oidc_client_secret str: Client Secret used for OIDC backends
oidc_discovery_ca_pem str: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidc_discovery_url str: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
oidc_response_mode str: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
oidc_response_types Sequence[str]: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
path str: Path to mount the JWT/OIDC auth backend
provider_config Mapping[str, str]: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune AuthBackendTuneArgs
type str: Type of auth backend. Should be one of jwt or oidc. Default - jwt

accessor String: The accessor for this auth method
boundIssuer String: The value against which to match the iss claim in a JWT
defaultRole String: The default role to use if none is provided during login
description String: The description of the auth backend
disableRemount Boolean: If set, opts out of mount migration on path updates. See here for more info on Mount Migration
jwksCaPem String: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl String: JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
jwtSupportedAlgs List<String>: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys List<String>: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
local Boolean: Specifies if the auth method is local only.
namespace String: The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
namespaceInState Boolean: Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
oidcClientId String: Client ID used for OIDC backends
oidcClientSecret String: Client Secret used for OIDC backends
oidcDiscoveryCaPem String: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl String: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
oidcResponseMode String: The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
oidcResponseTypes List<String>: List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
path String: Path to mount the JWT/OIDC auth backend
providerConfig Map<String>: Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
tune Property Map
type String: Type of auth backend. Should be one of jwt or oidc. Default - jwt

Supporting Types

AuthBackendTune, AuthBackendTuneArgs

AllowedResponseHeaders List<string>: List of headers to whitelist and allowing a plugin to include them in the response.
AuditNonHmacRequestKeys List<string>: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
AuditNonHmacResponseKeys List<string>: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
DefaultLeaseTtl string: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
ListingVisibility string: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
MaxLeaseTtl string: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
PassthroughRequestHeaders List<string>: List of headers to whitelist and pass from the request to the backend.
TokenType string: Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

AllowedResponseHeaders []string: List of headers to whitelist and allowing a plugin to include them in the response.
AuditNonHmacRequestKeys []string: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
AuditNonHmacResponseKeys []string: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
DefaultLeaseTtl string: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
ListingVisibility string: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
MaxLeaseTtl string: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
PassthroughRequestHeaders []string: List of headers to whitelist and pass from the request to the backend.
TokenType string: Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

allowedResponseHeaders List<String>: List of headers to whitelist and allowing a plugin to include them in the response.
auditNonHmacRequestKeys List<String>: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
auditNonHmacResponseKeys List<String>: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
defaultLeaseTtl String: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
listingVisibility String: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
maxLeaseTtl String: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
passthroughRequestHeaders List<String>: List of headers to whitelist and pass from the request to the backend.
tokenType String: Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

allowedResponseHeaders string[]: List of headers to whitelist and allowing a plugin to include them in the response.
auditNonHmacRequestKeys string[]: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
auditNonHmacResponseKeys string[]: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
defaultLeaseTtl string: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
listingVisibility string: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
maxLeaseTtl string: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
passthroughRequestHeaders string[]: List of headers to whitelist and pass from the request to the backend.
tokenType string: Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

allowed_response_headers Sequence[str]: List of headers to whitelist and allowing a plugin to include them in the response.
audit_non_hmac_request_keys Sequence[str]: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
audit_non_hmac_response_keys Sequence[str]: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
default_lease_ttl str: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
listing_visibility str: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
max_lease_ttl str: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
passthrough_request_headers Sequence[str]: List of headers to whitelist and pass from the request to the backend.
token_type str: Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

allowedResponseHeaders List<String>: List of headers to whitelist and allowing a plugin to include them in the response.
auditNonHmacRequestKeys List<String>: Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
auditNonHmacResponseKeys List<String>: Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
defaultLeaseTtl String: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
listingVisibility String: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
maxLeaseTtl String: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
passthroughRequestHeaders List<String>: List of headers to whitelist and pass from the request to the backend.
tokenType String: Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

Import

JWT auth backend can be imported using the path, e.g.

 $ pulumi import vault:jwt/authBackend:AuthBackend oidc oidc

 $ pulumi import vault:jwt/authBackend:AuthBackend jwt jwt

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v5.15.0 published on Friday, Sep 8, 2023 by Pulumi

pulumi/pulumi-vault

vault.jwt.AuthBackend

On this page

On this page

Example Usage

Create AuthBackend Resource

AuthBackend Resource Properties

Inputs

Outputs

Look up Existing AuthBackend Resource

Supporting Types

AuthBackendTune, AuthBackendTuneArgs

Import

Package Details

On this page

On this page