1. Packages
  2. HashiCorp Vault
  3. API Docs
  4. jwt
  5. AuthBackend
HashiCorp Vault v5.15.0 published on Friday, Sep 8, 2023 by Pulumi

vault.jwt.AuthBackend

Explore with Pulumi AI

vault logo
HashiCorp Vault v5.15.0 published on Friday, Sep 8, 2023 by Pulumi

    Provides a resource for managing an JWT auth backend within Vault.

    Example Usage

    Manage JWT auth backend

    using System.Collections.Generic;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Vault.Jwt.AuthBackend("example", new()
        {
            BoundIssuer = "https://myco.auth0.com/",
            Description = "Demonstration of the Terraform JWT auth backend",
            OidcDiscoveryUrl = "https://myco.auth0.com/",
            Path = "jwt",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := jwt.NewAuthBackend(ctx, "example", &jwt.AuthBackendArgs{
    			BoundIssuer:      pulumi.String("https://myco.auth0.com/"),
    			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
    			OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
    			Path:             pulumi.String("jwt"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.jwt.AuthBackend;
    import com.pulumi.vault.jwt.AuthBackendArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new AuthBackend("example", AuthBackendArgs.builder()        
                .boundIssuer("https://myco.auth0.com/")
                .description("Demonstration of the Terraform JWT auth backend")
                .oidcDiscoveryUrl("https://myco.auth0.com/")
                .path("jwt")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_vault as vault
    
    example = vault.jwt.AuthBackend("example",
        bound_issuer="https://myco.auth0.com/",
        description="Demonstration of the Terraform JWT auth backend",
        oidc_discovery_url="https://myco.auth0.com/",
        path="jwt")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const example = new vault.jwt.AuthBackend("example", {
        boundIssuer: "https://myco.auth0.com/",
        description: "Demonstration of the Terraform JWT auth backend",
        oidcDiscoveryUrl: "https://myco.auth0.com/",
        path: "jwt",
    });
    
    resources:
      example:
        type: vault:jwt:AuthBackend
        properties:
          boundIssuer: https://myco.auth0.com/
          description: Demonstration of the Terraform JWT auth backend
          oidcDiscoveryUrl: https://myco.auth0.com/
          path: jwt
    

    Manage OIDC auth backend

    using System.Collections.Generic;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Vault.Jwt.AuthBackend("example", new()
        {
            BoundIssuer = "https://myco.auth0.com/",
            Description = "Demonstration of the Terraform JWT auth backend",
            OidcClientId = "1234567890",
            OidcClientSecret = "secret123456",
            OidcDiscoveryUrl = "https://myco.auth0.com/",
            Path = "oidc",
            Tune = new Vault.Jwt.Inputs.AuthBackendTuneArgs
            {
                ListingVisibility = "unauth",
            },
            Type = "oidc",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := jwt.NewAuthBackend(ctx, "example", &jwt.AuthBackendArgs{
    			BoundIssuer:      pulumi.String("https://myco.auth0.com/"),
    			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
    			OidcClientId:     pulumi.String("1234567890"),
    			OidcClientSecret: pulumi.String("secret123456"),
    			OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
    			Path:             pulumi.String("oidc"),
    			Tune: &jwt.AuthBackendTuneArgs{
    				ListingVisibility: pulumi.String("unauth"),
    			},
    			Type: pulumi.String("oidc"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.jwt.AuthBackend;
    import com.pulumi.vault.jwt.AuthBackendArgs;
    import com.pulumi.vault.jwt.inputs.AuthBackendTuneArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new AuthBackend("example", AuthBackendArgs.builder()        
                .boundIssuer("https://myco.auth0.com/")
                .description("Demonstration of the Terraform JWT auth backend")
                .oidcClientId("1234567890")
                .oidcClientSecret("secret123456")
                .oidcDiscoveryUrl("https://myco.auth0.com/")
                .path("oidc")
                .tune(AuthBackendTuneArgs.builder()
                    .listingVisibility("unauth")
                    .build())
                .type("oidc")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_vault as vault
    
    example = vault.jwt.AuthBackend("example",
        bound_issuer="https://myco.auth0.com/",
        description="Demonstration of the Terraform JWT auth backend",
        oidc_client_id="1234567890",
        oidc_client_secret="secret123456",
        oidc_discovery_url="https://myco.auth0.com/",
        path="oidc",
        tune=vault.jwt.AuthBackendTuneArgs(
            listing_visibility="unauth",
        ),
        type="oidc")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const example = new vault.jwt.AuthBackend("example", {
        boundIssuer: "https://myco.auth0.com/",
        description: "Demonstration of the Terraform JWT auth backend",
        oidcClientId: "1234567890",
        oidcClientSecret: "secret123456",
        oidcDiscoveryUrl: "https://myco.auth0.com/",
        path: "oidc",
        tune: {
            listingVisibility: "unauth",
        },
        type: "oidc",
    });
    
    resources:
      example:
        type: vault:jwt:AuthBackend
        properties:
          boundIssuer: https://myco.auth0.com/
          description: Demonstration of the Terraform JWT auth backend
          oidcClientId: 1234567890
          oidcClientSecret: secret123456
          oidcDiscoveryUrl: https://myco.auth0.com/
          path: oidc
          tune:
            listingVisibility: unauth
          type: oidc
    

    config

    using System.Collections.Generic;
    using Pulumi;
    using Vault = Pulumi.Vault;
    
    return await Deployment.RunAsync(() => 
    {
        var gsuite = new Vault.Jwt.AuthBackend("gsuite", new()
        {
            Description = "OIDC backend",
            OidcDiscoveryUrl = "https://accounts.google.com",
            Path = "oidc",
            ProviderConfig = 
            {
                { "fetch_groups", "true" },
                { "fetch_user_info", "true" },
                { "groups_recurse_max_depth", "1" },
                { "provider", "gsuite" },
            },
            Type = "oidc",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/jwt"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := jwt.NewAuthBackend(ctx, "gsuite", &jwt.AuthBackendArgs{
    			Description:      pulumi.String("OIDC backend"),
    			OidcDiscoveryUrl: pulumi.String("https://accounts.google.com"),
    			Path:             pulumi.String("oidc"),
    			ProviderConfig: pulumi.StringMap{
    				"fetch_groups":             pulumi.String("true"),
    				"fetch_user_info":          pulumi.String("true"),
    				"groups_recurse_max_depth": pulumi.String("1"),
    				"provider":                 pulumi.String("gsuite"),
    			},
    			Type: pulumi.String("oidc"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.vault.jwt.AuthBackend;
    import com.pulumi.vault.jwt.AuthBackendArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var gsuite = new AuthBackend("gsuite", AuthBackendArgs.builder()        
                .description("OIDC backend")
                .oidcDiscoveryUrl("https://accounts.google.com")
                .path("oidc")
                .providerConfig(Map.ofEntries(
                    Map.entry("fetch_groups", true),
                    Map.entry("fetch_user_info", true),
                    Map.entry("groups_recurse_max_depth", 1),
                    Map.entry("provider", "gsuite")
                ))
                .type("oidc")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_vault as vault
    
    gsuite = vault.jwt.AuthBackend("gsuite",
        description="OIDC backend",
        oidc_discovery_url="https://accounts.google.com",
        path="oidc",
        provider_config={
            "fetch_groups": "true",
            "fetch_user_info": "true",
            "groups_recurse_max_depth": "1",
            "provider": "gsuite",
        },
        type="oidc")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";
    
    const gsuite = new vault.jwt.AuthBackend("gsuite", {
        description: "OIDC backend",
        oidcDiscoveryUrl: "https://accounts.google.com",
        path: "oidc",
        providerConfig: {
            fetch_groups: true,
            fetch_user_info: true,
            groups_recurse_max_depth: 1,
            provider: "gsuite",
        },
        type: "oidc",
    });
    
    resources:
      gsuite:
        type: vault:jwt:AuthBackend
        properties:
          description: OIDC backend
          oidcDiscoveryUrl: https://accounts.google.com
          path: oidc
          providerConfig:
            fetch_groups: true
            fetch_user_info: true
            groups_recurse_max_depth: 1
            provider: gsuite
          type: oidc
    

    Create AuthBackend Resource

    new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);
    @overload
    def AuthBackend(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    bound_issuer: Optional[str] = None,
                    default_role: Optional[str] = None,
                    description: Optional[str] = None,
                    disable_remount: Optional[bool] = None,
                    jwks_ca_pem: Optional[str] = None,
                    jwks_url: Optional[str] = None,
                    jwt_supported_algs: Optional[Sequence[str]] = None,
                    jwt_validation_pubkeys: Optional[Sequence[str]] = None,
                    local: Optional[bool] = None,
                    namespace: Optional[str] = None,
                    namespace_in_state: Optional[bool] = None,
                    oidc_client_id: Optional[str] = None,
                    oidc_client_secret: Optional[str] = None,
                    oidc_discovery_ca_pem: Optional[str] = None,
                    oidc_discovery_url: Optional[str] = None,
                    oidc_response_mode: Optional[str] = None,
                    oidc_response_types: Optional[Sequence[str]] = None,
                    path: Optional[str] = None,
                    provider_config: Optional[Mapping[str, str]] = None,
                    tune: Optional[AuthBackendTuneArgs] = None,
                    type: Optional[str] = None)
    @overload
    def AuthBackend(resource_name: str,
                    args: Optional[AuthBackendArgs] = None,
                    opts: Optional[ResourceOptions] = None)
    func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)
    public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)
    public AuthBackend(String name, AuthBackendArgs args)
    public AuthBackend(String name, AuthBackendArgs args, CustomResourceOptions options)
    
    type: vault:jwt:AuthBackend
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    AuthBackend Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The AuthBackend resource accepts the following input properties:

    BoundIssuer string

    The value against which to match the iss claim in a JWT

    DefaultRole string

    The default role to use if none is provided during login

    Description string

    The description of the auth backend

    DisableRemount bool

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    JwksCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    JwksUrl string

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    JwtSupportedAlgs List<string>

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    JwtValidationPubkeys List<string>

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    Local bool

    Specifies if the auth method is local only.

    Namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    NamespaceInState bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    OidcClientId string

    Client ID used for OIDC backends

    OidcClientSecret string

    Client Secret used for OIDC backends

    OidcDiscoveryCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    OidcDiscoveryUrl string

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    OidcResponseMode string

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    OidcResponseTypes List<string>

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    Path string

    Path to mount the JWT/OIDC auth backend

    ProviderConfig Dictionary<string, string>

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    Tune AuthBackendTune
    Type string

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    BoundIssuer string

    The value against which to match the iss claim in a JWT

    DefaultRole string

    The default role to use if none is provided during login

    Description string

    The description of the auth backend

    DisableRemount bool

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    JwksCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    JwksUrl string

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    JwtSupportedAlgs []string

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    JwtValidationPubkeys []string

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    Local bool

    Specifies if the auth method is local only.

    Namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    NamespaceInState bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    OidcClientId string

    Client ID used for OIDC backends

    OidcClientSecret string

    Client Secret used for OIDC backends

    OidcDiscoveryCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    OidcDiscoveryUrl string

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    OidcResponseMode string

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    OidcResponseTypes []string

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    Path string

    Path to mount the JWT/OIDC auth backend

    ProviderConfig map[string]string

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    Tune AuthBackendTuneArgs
    Type string

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    boundIssuer String

    The value against which to match the iss claim in a JWT

    defaultRole String

    The default role to use if none is provided during login

    description String

    The description of the auth backend

    disableRemount Boolean

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    jwksCaPem String

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    jwksUrl String

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    jwtSupportedAlgs List<String>

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    jwtValidationPubkeys List<String>

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    local Boolean

    Specifies if the auth method is local only.

    namespace String

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    namespaceInState Boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    oidcClientId String

    Client ID used for OIDC backends

    oidcClientSecret String

    Client Secret used for OIDC backends

    oidcDiscoveryCaPem String

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    oidcDiscoveryUrl String

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    oidcResponseMode String

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    oidcResponseTypes List<String>

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    path String

    Path to mount the JWT/OIDC auth backend

    providerConfig Map<String,String>

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    tune AuthBackendTune
    type String

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    boundIssuer string

    The value against which to match the iss claim in a JWT

    defaultRole string

    The default role to use if none is provided during login

    description string

    The description of the auth backend

    disableRemount boolean

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    jwksCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    jwksUrl string

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    jwtSupportedAlgs string[]

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    jwtValidationPubkeys string[]

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    local boolean

    Specifies if the auth method is local only.

    namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    namespaceInState boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    oidcClientId string

    Client ID used for OIDC backends

    oidcClientSecret string

    Client Secret used for OIDC backends

    oidcDiscoveryCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    oidcDiscoveryUrl string

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    oidcResponseMode string

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    oidcResponseTypes string[]

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    path string

    Path to mount the JWT/OIDC auth backend

    providerConfig {[key: string]: string}

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    tune AuthBackendTune
    type string

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    bound_issuer str

    The value against which to match the iss claim in a JWT

    default_role str

    The default role to use if none is provided during login

    description str

    The description of the auth backend

    disable_remount bool

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    jwks_ca_pem str

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    jwks_url str

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    jwt_supported_algs Sequence[str]

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    jwt_validation_pubkeys Sequence[str]

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    local bool

    Specifies if the auth method is local only.

    namespace str

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    namespace_in_state bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    oidc_client_id str

    Client ID used for OIDC backends

    oidc_client_secret str

    Client Secret used for OIDC backends

    oidc_discovery_ca_pem str

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    oidc_discovery_url str

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    oidc_response_mode str

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    oidc_response_types Sequence[str]

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    path str

    Path to mount the JWT/OIDC auth backend

    provider_config Mapping[str, str]

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    tune AuthBackendTuneArgs
    type str

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    boundIssuer String

    The value against which to match the iss claim in a JWT

    defaultRole String

    The default role to use if none is provided during login

    description String

    The description of the auth backend

    disableRemount Boolean

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    jwksCaPem String

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    jwksUrl String

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    jwtSupportedAlgs List<String>

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    jwtValidationPubkeys List<String>

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    local Boolean

    Specifies if the auth method is local only.

    namespace String

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    namespaceInState Boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    oidcClientId String

    Client ID used for OIDC backends

    oidcClientSecret String

    Client Secret used for OIDC backends

    oidcDiscoveryCaPem String

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    oidcDiscoveryUrl String

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    oidcResponseMode String

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    oidcResponseTypes List<String>

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    path String

    Path to mount the JWT/OIDC auth backend

    providerConfig Map<String>

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    tune Property Map
    type String

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:

    Accessor string

    The accessor for this auth method

    Id string

    The provider-assigned unique ID for this managed resource.

    Accessor string

    The accessor for this auth method

    Id string

    The provider-assigned unique ID for this managed resource.

    accessor String

    The accessor for this auth method

    id String

    The provider-assigned unique ID for this managed resource.

    accessor string

    The accessor for this auth method

    id string

    The provider-assigned unique ID for this managed resource.

    accessor str

    The accessor for this auth method

    id str

    The provider-assigned unique ID for this managed resource.

    accessor String

    The accessor for this auth method

    id String

    The provider-assigned unique ID for this managed resource.

    Look up Existing AuthBackend Resource

    Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            accessor: Optional[str] = None,
            bound_issuer: Optional[str] = None,
            default_role: Optional[str] = None,
            description: Optional[str] = None,
            disable_remount: Optional[bool] = None,
            jwks_ca_pem: Optional[str] = None,
            jwks_url: Optional[str] = None,
            jwt_supported_algs: Optional[Sequence[str]] = None,
            jwt_validation_pubkeys: Optional[Sequence[str]] = None,
            local: Optional[bool] = None,
            namespace: Optional[str] = None,
            namespace_in_state: Optional[bool] = None,
            oidc_client_id: Optional[str] = None,
            oidc_client_secret: Optional[str] = None,
            oidc_discovery_ca_pem: Optional[str] = None,
            oidc_discovery_url: Optional[str] = None,
            oidc_response_mode: Optional[str] = None,
            oidc_response_types: Optional[Sequence[str]] = None,
            path: Optional[str] = None,
            provider_config: Optional[Mapping[str, str]] = None,
            tune: Optional[AuthBackendTuneArgs] = None,
            type: Optional[str] = None) -> AuthBackend
    func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)
    public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)
    public static AuthBackend get(String name, Output<String> id, AuthBackendState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Accessor string

    The accessor for this auth method

    BoundIssuer string

    The value against which to match the iss claim in a JWT

    DefaultRole string

    The default role to use if none is provided during login

    Description string

    The description of the auth backend

    DisableRemount bool

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    JwksCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    JwksUrl string

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    JwtSupportedAlgs List<string>

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    JwtValidationPubkeys List<string>

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    Local bool

    Specifies if the auth method is local only.

    Namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    NamespaceInState bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    OidcClientId string

    Client ID used for OIDC backends

    OidcClientSecret string

    Client Secret used for OIDC backends

    OidcDiscoveryCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    OidcDiscoveryUrl string

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    OidcResponseMode string

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    OidcResponseTypes List<string>

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    Path string

    Path to mount the JWT/OIDC auth backend

    ProviderConfig Dictionary<string, string>

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    Tune AuthBackendTune
    Type string

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    Accessor string

    The accessor for this auth method

    BoundIssuer string

    The value against which to match the iss claim in a JWT

    DefaultRole string

    The default role to use if none is provided during login

    Description string

    The description of the auth backend

    DisableRemount bool

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    JwksCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    JwksUrl string

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    JwtSupportedAlgs []string

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    JwtValidationPubkeys []string

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    Local bool

    Specifies if the auth method is local only.

    Namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    NamespaceInState bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    OidcClientId string

    Client ID used for OIDC backends

    OidcClientSecret string

    Client Secret used for OIDC backends

    OidcDiscoveryCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    OidcDiscoveryUrl string

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    OidcResponseMode string

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    OidcResponseTypes []string

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    Path string

    Path to mount the JWT/OIDC auth backend

    ProviderConfig map[string]string

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    Tune AuthBackendTuneArgs
    Type string

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    accessor String

    The accessor for this auth method

    boundIssuer String

    The value against which to match the iss claim in a JWT

    defaultRole String

    The default role to use if none is provided during login

    description String

    The description of the auth backend

    disableRemount Boolean

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    jwksCaPem String

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    jwksUrl String

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    jwtSupportedAlgs List<String>

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    jwtValidationPubkeys List<String>

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    local Boolean

    Specifies if the auth method is local only.

    namespace String

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    namespaceInState Boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    oidcClientId String

    Client ID used for OIDC backends

    oidcClientSecret String

    Client Secret used for OIDC backends

    oidcDiscoveryCaPem String

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    oidcDiscoveryUrl String

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    oidcResponseMode String

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    oidcResponseTypes List<String>

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    path String

    Path to mount the JWT/OIDC auth backend

    providerConfig Map<String,String>

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    tune AuthBackendTune
    type String

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    accessor string

    The accessor for this auth method

    boundIssuer string

    The value against which to match the iss claim in a JWT

    defaultRole string

    The default role to use if none is provided during login

    description string

    The description of the auth backend

    disableRemount boolean

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    jwksCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    jwksUrl string

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    jwtSupportedAlgs string[]

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    jwtValidationPubkeys string[]

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    local boolean

    Specifies if the auth method is local only.

    namespace string

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    namespaceInState boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    oidcClientId string

    Client ID used for OIDC backends

    oidcClientSecret string

    Client Secret used for OIDC backends

    oidcDiscoveryCaPem string

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    oidcDiscoveryUrl string

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    oidcResponseMode string

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    oidcResponseTypes string[]

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    path string

    Path to mount the JWT/OIDC auth backend

    providerConfig {[key: string]: string}

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    tune AuthBackendTune
    type string

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    accessor str

    The accessor for this auth method

    bound_issuer str

    The value against which to match the iss claim in a JWT

    default_role str

    The default role to use if none is provided during login

    description str

    The description of the auth backend

    disable_remount bool

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    jwks_ca_pem str

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    jwks_url str

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    jwt_supported_algs Sequence[str]

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    jwt_validation_pubkeys Sequence[str]

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    local bool

    Specifies if the auth method is local only.

    namespace str

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    namespace_in_state bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    oidc_client_id str

    Client ID used for OIDC backends

    oidc_client_secret str

    Client Secret used for OIDC backends

    oidc_discovery_ca_pem str

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    oidc_discovery_url str

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    oidc_response_mode str

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    oidc_response_types Sequence[str]

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    path str

    Path to mount the JWT/OIDC auth backend

    provider_config Mapping[str, str]

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    tune AuthBackendTuneArgs
    type str

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    accessor String

    The accessor for this auth method

    boundIssuer String

    The value against which to match the iss claim in a JWT

    defaultRole String

    The default role to use if none is provided during login

    description String

    The description of the auth backend

    disableRemount Boolean

    If set, opts out of mount migration on path updates. See here for more info on Mount Migration

    jwksCaPem String

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

    jwksUrl String

    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".

    jwtSupportedAlgs List<String>

    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

    jwtValidationPubkeys List<String>

    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url

    local Boolean

    Specifies if the auth method is local only.

    namespace String

    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

    namespaceInState Boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    oidcClientId String

    Client ID used for OIDC backends

    oidcClientSecret String

    Client Secret used for OIDC backends

    oidcDiscoveryCaPem String

    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

    oidcDiscoveryUrl String

    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys

    oidcResponseMode String

    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.

    oidcResponseTypes List<String>

    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.

    path String

    Path to mount the JWT/OIDC auth backend

    providerConfig Map<String>

    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.

    tune Property Map
    type String

    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    Supporting Types

    AuthBackendTune, AuthBackendTuneArgs

    AllowedResponseHeaders List<string>

    List of headers to whitelist and allowing a plugin to include them in the response.

    AuditNonHmacRequestKeys List<string>

    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

    AuditNonHmacResponseKeys List<string>

    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

    DefaultLeaseTtl string

    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

    ListingVisibility string

    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

    MaxLeaseTtl string

    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

    PassthroughRequestHeaders List<string>

    List of headers to whitelist and pass from the request to the backend.

    TokenType string

    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

    AllowedResponseHeaders []string

    List of headers to whitelist and allowing a plugin to include them in the response.

    AuditNonHmacRequestKeys []string

    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

    AuditNonHmacResponseKeys []string

    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

    DefaultLeaseTtl string

    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

    ListingVisibility string

    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

    MaxLeaseTtl string

    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

    PassthroughRequestHeaders []string

    List of headers to whitelist and pass from the request to the backend.

    TokenType string

    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

    allowedResponseHeaders List<String>

    List of headers to whitelist and allowing a plugin to include them in the response.

    auditNonHmacRequestKeys List<String>

    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

    auditNonHmacResponseKeys List<String>

    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

    defaultLeaseTtl String

    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

    listingVisibility String

    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

    maxLeaseTtl String

    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

    passthroughRequestHeaders List<String>

    List of headers to whitelist and pass from the request to the backend.

    tokenType String

    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

    allowedResponseHeaders string[]

    List of headers to whitelist and allowing a plugin to include them in the response.

    auditNonHmacRequestKeys string[]

    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

    auditNonHmacResponseKeys string[]

    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

    defaultLeaseTtl string

    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

    listingVisibility string

    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

    maxLeaseTtl string

    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

    passthroughRequestHeaders string[]

    List of headers to whitelist and pass from the request to the backend.

    tokenType string

    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

    allowed_response_headers Sequence[str]

    List of headers to whitelist and allowing a plugin to include them in the response.

    audit_non_hmac_request_keys Sequence[str]

    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

    audit_non_hmac_response_keys Sequence[str]

    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

    default_lease_ttl str

    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

    listing_visibility str

    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

    max_lease_ttl str

    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

    passthrough_request_headers Sequence[str]

    List of headers to whitelist and pass from the request to the backend.

    token_type str

    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

    allowedResponseHeaders List<String>

    List of headers to whitelist and allowing a plugin to include them in the response.

    auditNonHmacRequestKeys List<String>

    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

    auditNonHmacResponseKeys List<String>

    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

    defaultLeaseTtl String

    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string

    listingVisibility String

    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

    maxLeaseTtl String

    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string

    passthroughRequestHeaders List<String>

    List of headers to whitelist and pass from the request to the backend.

    tokenType String

    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

    Import

    JWT auth backend can be imported using the path, e.g.

     $ pulumi import vault:jwt/authBackend:AuthBackend oidc oidc
    

    or

     $ pulumi import vault:jwt/authBackend:AuthBackend jwt jwt
    

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the vault Terraform Provider.

    vault logo
    HashiCorp Vault v5.15.0 published on Friday, Sep 8, 2023 by Pulumi