Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi IDP Pulumi Cloud Packages Tutorials
  1. Packages
  2. HashiCorp Vault Provider
  3. API Docs
  4. jwt
  5. AuthBackend
HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
pulumi/pulumi-vault

vault.jwt.AuthBackend

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
pulumi/pulumi-vault

    Provides a resource for managing an JWT auth backend within Vault.

    Example Usage

    Manage JWT auth backend:

    import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.jwt.AuthBackend("example", {
    description: "Demonstration of the Terraform JWT auth backend",
    path: "jwt",
    oidcDiscoveryUrl: "https://myco.auth0.com/",
    boundIssuer: "https://myco.auth0.com/",
});

    import pulumi
import pulumi_vault as vault

example = vault.jwt.AuthBackend("example",
    description="Demonstration of the Terraform JWT auth backend",
    path="jwt",
    oidc_discovery_url="https://myco.auth0.com/",
    bound_issuer="https://myco.auth0.com/")

    package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := jwt.NewAuthBackend(ctx, "example", &jwt.AuthBackendArgs{
			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
			Path:             pulumi.String("jwt"),
			OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
			BoundIssuer:      pulumi.String("https://myco.auth0.com/"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.Jwt.AuthBackend("example", new()
    {
        Description = "Demonstration of the Terraform JWT auth backend",
        Path = "jwt",
        OidcDiscoveryUrl = "https://myco.auth0.com/",
        BoundIssuer = "https://myco.auth0.com/",
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AuthBackend("example", AuthBackendArgs.builder()
            .description("Demonstration of the Terraform JWT auth backend")
            .path("jwt")
            .oidcDiscoveryUrl("https://myco.auth0.com/")
            .boundIssuer("https://myco.auth0.com/")
            .build());

    }
}

    resources:
  example:
    type: vault:jwt:AuthBackend
    properties:
      description: Demonstration of the Terraform JWT auth backend
      path: jwt
      oidcDiscoveryUrl: https://myco.auth0.com/
      boundIssuer: https://myco.auth0.com/

    Manage OIDC auth backend:

    import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const example = new vault.jwt.AuthBackend("example", {
    description: "Demonstration of the Terraform JWT auth backend",
    path: "oidc",
    type: "oidc",
    oidcDiscoveryUrl: "https://myco.auth0.com/",
    oidcClientId: "1234567890",
    oidcClientSecret: "secret123456",
    boundIssuer: "https://myco.auth0.com/",
    tune: {
        listingVisibility: "unauth",
    },
});

    import pulumi
import pulumi_vault as vault

example = vault.jwt.AuthBackend("example",
    description="Demonstration of the Terraform JWT auth backend",
    path="oidc",
    type="oidc",
    oidc_discovery_url="https://myco.auth0.com/",
    oidc_client_id="1234567890",
    oidc_client_secret="secret123456",
    bound_issuer="https://myco.auth0.com/",
    tune={
        "listing_visibility": "unauth",
    })

    package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := jwt.NewAuthBackend(ctx, "example", &jwt.AuthBackendArgs{
			Description:      pulumi.String("Demonstration of the Terraform JWT auth backend"),
			Path:             pulumi.String("oidc"),
			Type:             pulumi.String("oidc"),
			OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
			OidcClientId:     pulumi.String("1234567890"),
			OidcClientSecret: pulumi.String("secret123456"),
			BoundIssuer:      pulumi.String("https://myco.auth0.com/"),
			Tune: &jwt.AuthBackendTuneArgs{
				ListingVisibility: pulumi.String("unauth"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var example = new Vault.Jwt.AuthBackend("example", new()
    {
        Description = "Demonstration of the Terraform JWT auth backend",
        Path = "oidc",
        Type = "oidc",
        OidcDiscoveryUrl = "https://myco.auth0.com/",
        OidcClientId = "1234567890",
        OidcClientSecret = "secret123456",
        BoundIssuer = "https://myco.auth0.com/",
        Tune = new Vault.Jwt.Inputs.AuthBackendTuneArgs
        {
            ListingVisibility = "unauth",
        },
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import com.pulumi.vault.jwt.inputs.AuthBackendTuneArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new AuthBackend("example", AuthBackendArgs.builder()
            .description("Demonstration of the Terraform JWT auth backend")
            .path("oidc")
            .type("oidc")
            .oidcDiscoveryUrl("https://myco.auth0.com/")
            .oidcClientId("1234567890")
            .oidcClientSecret("secret123456")
            .boundIssuer("https://myco.auth0.com/")
            .tune(AuthBackendTuneArgs.builder()
                .listingVisibility("unauth")
                .build())
            .build());

    }
}

    resources:
  example:
    type: vault:jwt:AuthBackend
    properties:
      description: Demonstration of the Terraform JWT auth backend
      path: oidc
      type: oidc
      oidcDiscoveryUrl: https://myco.auth0.com/
      oidcClientId: '1234567890'
      oidcClientSecret: secret123456
      boundIssuer: https://myco.auth0.com/
      tune:
        listingVisibility: unauth

    Configuring the auth backend with a `provider_config:

    import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const gsuite = new vault.jwt.AuthBackend("gsuite", {
    description: "OIDC backend",
    oidcDiscoveryUrl: "https://accounts.google.com",
    path: "oidc",
    type: "oidc",
    providerConfig: {
        provider: "gsuite",
        fetch_groups: "true",
        fetch_user_info: "true",
        groups_recurse_max_depth: "1",
    },
});

    import pulumi
import pulumi_vault as vault

gsuite = vault.jwt.AuthBackend("gsuite",
    description="OIDC backend",
    oidc_discovery_url="https://accounts.google.com",
    path="oidc",
    type="oidc",
    provider_config={
        "provider": "gsuite",
        "fetch_groups": "true",
        "fetch_user_info": "true",
        "groups_recurse_max_depth": "1",
    })

    package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := jwt.NewAuthBackend(ctx, "gsuite", &jwt.AuthBackendArgs{
			Description:      pulumi.String("OIDC backend"),
			OidcDiscoveryUrl: pulumi.String("https://accounts.google.com"),
			Path:             pulumi.String("oidc"),
			Type:             pulumi.String("oidc"),
			ProviderConfig: pulumi.StringMap{
				"provider":                 pulumi.String("gsuite"),
				"fetch_groups":             pulumi.String("true"),
				"fetch_user_info":          pulumi.String("true"),
				"groups_recurse_max_depth": pulumi.String("1"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var gsuite = new Vault.Jwt.AuthBackend("gsuite", new()
    {
        Description = "OIDC backend",
        OidcDiscoveryUrl = "https://accounts.google.com",
        Path = "oidc",
        Type = "oidc",
        ProviderConfig = 
        {
            { "provider", "gsuite" },
            { "fetch_groups", "true" },
            { "fetch_user_info", "true" },
            { "groups_recurse_max_depth", "1" },
        },
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var gsuite = new AuthBackend("gsuite", AuthBackendArgs.builder()
            .description("OIDC backend")
            .oidcDiscoveryUrl("https://accounts.google.com")
            .path("oidc")
            .type("oidc")
            .providerConfig(Map.ofEntries(
                Map.entry("provider", "gsuite"),
                Map.entry("fetch_groups", "true"),
                Map.entry("fetch_user_info", "true"),
                Map.entry("groups_recurse_max_depth", "1")
            ))
            .build());

    }
}

    resources:
  gsuite:
    type: vault:jwt:AuthBackend
    properties:
      description: OIDC backend
      oidcDiscoveryUrl: https://accounts.google.com
      path: oidc
      type: oidc
      providerConfig:
        provider: gsuite
        fetch_groups: true
        fetch_user_info: true
        groups_recurse_max_depth: 1

    Create AuthBackend Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);
    @overload
def AuthBackend(resource_name: str,
                args: Optional[AuthBackendArgs] = None,
                opts: Optional[ResourceOptions] = None)

@overload
def AuthBackend(resource_name: str,
                opts: Optional[ResourceOptions] = None,
                bound_issuer: Optional[str] = None,
                default_role: Optional[str] = None,
                description: Optional[str] = None,
                disable_remount: Optional[bool] = None,
                jwks_ca_pem: Optional[str] = None,
                jwks_url: Optional[str] = None,
                jwt_supported_algs: Optional[Sequence[str]] = None,
                jwt_validation_pubkeys: Optional[Sequence[str]] = None,
                local: Optional[bool] = None,
                namespace: Optional[str] = None,
                namespace_in_state: Optional[bool] = None,
                oidc_client_id: Optional[str] = None,
                oidc_client_secret: Optional[str] = None,
                oidc_discovery_ca_pem: Optional[str] = None,
                oidc_discovery_url: Optional[str] = None,
                oidc_response_mode: Optional[str] = None,
                oidc_response_types: Optional[Sequence[str]] = None,
                path: Optional[str] = None,
                provider_config: Optional[Mapping[str, str]] = None,
                tune: Optional[AuthBackendTuneArgs] = None,
                type: Optional[str] = None)
    func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)
    public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)
    public AuthBackend(String name, AuthBackendArgs args)
public AuthBackend(String name, AuthBackendArgs args, CustomResourceOptions options)

    type: vault:jwt:AuthBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

    Parameters

    name string
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AuthBackendArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var exampleauthBackendResourceResourceFromJwtauthBackend = new Vault.Jwt.AuthBackend("exampleauthBackendResourceResourceFromJwtauthBackend", new()
{
    BoundIssuer = "string",
    DefaultRole = "string",
    Description = "string",
    DisableRemount = false,
    JwksCaPem = "string",
    JwksUrl = "string",
    JwtSupportedAlgs = new[]
    {
        "string",
    },
    JwtValidationPubkeys = new[]
    {
        "string",
    },
    Local = false,
    Namespace = "string",
    NamespaceInState = false,
    OidcClientId = "string",
    OidcClientSecret = "string",
    OidcDiscoveryCaPem = "string",
    OidcDiscoveryUrl = "string",
    OidcResponseMode = "string",
    OidcResponseTypes = new[]
    {
        "string",
    },
    Path = "string",
    ProviderConfig = 
    {
        { "string", "string" },
    },
    Tune = new Vault.Jwt.Inputs.AuthBackendTuneArgs
    {
        AllowedResponseHeaders = new[]
        {
            "string",
        },
        AuditNonHmacRequestKeys = new[]
        {
            "string",
        },
        AuditNonHmacResponseKeys = new[]
        {
            "string",
        },
        DefaultLeaseTtl = "string",
        ListingVisibility = "string",
        MaxLeaseTtl = "string",
        PassthroughRequestHeaders = new[]
        {
            "string",
        },
        TokenType = "string",
    },
    Type = "string",
});

    example, err := jwt.NewAuthBackend(ctx, "exampleauthBackendResourceResourceFromJwtauthBackend", &jwt.AuthBackendArgs{
	BoundIssuer:    pulumi.String("string"),
	DefaultRole:    pulumi.String("string"),
	Description:    pulumi.String("string"),
	DisableRemount: pulumi.Bool(false),
	JwksCaPem:      pulumi.String("string"),
	JwksUrl:        pulumi.String("string"),
	JwtSupportedAlgs: pulumi.StringArray{
		pulumi.String("string"),
	},
	JwtValidationPubkeys: pulumi.StringArray{
		pulumi.String("string"),
	},
	Local:              pulumi.Bool(false),
	Namespace:          pulumi.String("string"),
	NamespaceInState:   pulumi.Bool(false),
	OidcClientId:       pulumi.String("string"),
	OidcClientSecret:   pulumi.String("string"),
	OidcDiscoveryCaPem: pulumi.String("string"),
	OidcDiscoveryUrl:   pulumi.String("string"),
	OidcResponseMode:   pulumi.String("string"),
	OidcResponseTypes: pulumi.StringArray{
		pulumi.String("string"),
	},
	Path: pulumi.String("string"),
	ProviderConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	Tune: &jwt.AuthBackendTuneArgs{
		AllowedResponseHeaders: pulumi.StringArray{
			pulumi.String("string"),
		},
		AuditNonHmacRequestKeys: pulumi.StringArray{
			pulumi.String("string"),
		},
		AuditNonHmacResponseKeys: pulumi.StringArray{
			pulumi.String("string"),
		},
		DefaultLeaseTtl:   pulumi.String("string"),
		ListingVisibility: pulumi.String("string"),
		MaxLeaseTtl:       pulumi.String("string"),
		PassthroughRequestHeaders: pulumi.StringArray{
			pulumi.String("string"),
		},
		TokenType: pulumi.String("string"),
	},
	Type: pulumi.String("string"),
})

    var exampleauthBackendResourceResourceFromJwtauthBackend = new com.pulumi.vault.jwt.AuthBackend("exampleauthBackendResourceResourceFromJwtauthBackend", com.pulumi.vault.jwt.AuthBackendArgs.builder()
    .boundIssuer("string")
    .defaultRole("string")
    .description("string")
    .disableRemount(false)
    .jwksCaPem("string")
    .jwksUrl("string")
    .jwtSupportedAlgs("string")
    .jwtValidationPubkeys("string")
    .local(false)
    .namespace("string")
    .namespaceInState(false)
    .oidcClientId("string")
    .oidcClientSecret("string")
    .oidcDiscoveryCaPem("string")
    .oidcDiscoveryUrl("string")
    .oidcResponseMode("string")
    .oidcResponseTypes("string")
    .path("string")
    .providerConfig(Map.of("string", "string"))
    .tune(AuthBackendTuneArgs.builder()
        .allowedResponseHeaders("string")
        .auditNonHmacRequestKeys("string")
        .auditNonHmacResponseKeys("string")
        .defaultLeaseTtl("string")
        .listingVisibility("string")
        .maxLeaseTtl("string")
        .passthroughRequestHeaders("string")
        .tokenType("string")
        .build())
    .type("string")
    .build());

    exampleauth_backend_resource_resource_from_jwtauth_backend = vault.jwt.AuthBackend("exampleauthBackendResourceResourceFromJwtauthBackend",
    bound_issuer="string",
    default_role="string",
    description="string",
    disable_remount=False,
    jwks_ca_pem="string",
    jwks_url="string",
    jwt_supported_algs=["string"],
    jwt_validation_pubkeys=["string"],
    local=False,
    namespace="string",
    namespace_in_state=False,
    oidc_client_id="string",
    oidc_client_secret="string",
    oidc_discovery_ca_pem="string",
    oidc_discovery_url="string",
    oidc_response_mode="string",
    oidc_response_types=["string"],
    path="string",
    provider_config={
        "string": "string",
    },
    tune={
        "allowed_response_headers": ["string"],
        "audit_non_hmac_request_keys": ["string"],
        "audit_non_hmac_response_keys": ["string"],
        "default_lease_ttl": "string",
        "listing_visibility": "string",
        "max_lease_ttl": "string",
        "passthrough_request_headers": ["string"],
        "token_type": "string",
    },
    type="string")

    const exampleauthBackendResourceResourceFromJwtauthBackend = new vault.jwt.AuthBackend("exampleauthBackendResourceResourceFromJwtauthBackend", {
    boundIssuer: "string",
    defaultRole: "string",
    description: "string",
    disableRemount: false,
    jwksCaPem: "string",
    jwksUrl: "string",
    jwtSupportedAlgs: ["string"],
    jwtValidationPubkeys: ["string"],
    local: false,
    namespace: "string",
    namespaceInState: false,
    oidcClientId: "string",
    oidcClientSecret: "string",
    oidcDiscoveryCaPem: "string",
    oidcDiscoveryUrl: "string",
    oidcResponseMode: "string",
    oidcResponseTypes: ["string"],
    path: "string",
    providerConfig: {
        string: "string",
    },
    tune: {
        allowedResponseHeaders: ["string"],
        auditNonHmacRequestKeys: ["string"],
        auditNonHmacResponseKeys: ["string"],
        defaultLeaseTtl: "string",
        listingVisibility: "string",
        maxLeaseTtl: "string",
        passthroughRequestHeaders: ["string"],
        tokenType: "string",
    },
    type: "string",
});

    type: vault:jwt:AuthBackend
properties:
    boundIssuer: string
    defaultRole: string
    description: string
    disableRemount: false
    jwksCaPem: string
    jwksUrl: string
    jwtSupportedAlgs:
        - string
    jwtValidationPubkeys:
        - string
    local: false
    namespace: string
    namespaceInState: false
    oidcClientId: string
    oidcClientSecret: string
    oidcDiscoveryCaPem: string
    oidcDiscoveryUrl: string
    oidcResponseMode: string
    oidcResponseTypes:
        - string
    path: string
    providerConfig:
        string: string
    tune:
        allowedResponseHeaders:
            - string
        auditNonHmacRequestKeys:
            - string
        auditNonHmacResponseKeys:
            - string
        defaultLeaseTtl: string
        listingVisibility: string
        maxLeaseTtl: string
        passthroughRequestHeaders:
            - string
        tokenType: string
    type: string

    AuthBackend Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The AuthBackend resource accepts the following input properties:

    BoundIssuer string
    The value against which to match the iss claim in a JWT
    DefaultRole string
    The default role to use if none is provided during login
    Description string
    The description of the auth backend
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    JwksCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    JwksUrl string
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    JwtSupportedAlgs List<string>
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    JwtValidationPubkeys List<string>
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    Local bool
    Specifies if the auth method is local only.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NamespaceInState bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    OidcClientId string
    Client ID used for OIDC backends
    OidcClientSecret string
    Client Secret used for OIDC backends
    OidcDiscoveryCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    OidcDiscoveryUrl string
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    OidcResponseMode string
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    OidcResponseTypes List<string>
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    Path string
    Path to mount the JWT/OIDC auth backend
    ProviderConfig Dictionary<string, string>
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    Tune AuthBackendTune
    Type string
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    BoundIssuer string
    The value against which to match the iss claim in a JWT
    DefaultRole string
    The default role to use if none is provided during login
    Description string
    The description of the auth backend
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    JwksCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    JwksUrl string
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    JwtSupportedAlgs []string
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    JwtValidationPubkeys []string
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    Local bool
    Specifies if the auth method is local only.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NamespaceInState bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    OidcClientId string
    Client ID used for OIDC backends
    OidcClientSecret string
    Client Secret used for OIDC backends
    OidcDiscoveryCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    OidcDiscoveryUrl string
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    OidcResponseMode string
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    OidcResponseTypes []string
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    Path string
    Path to mount the JWT/OIDC auth backend
    ProviderConfig map[string]string
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    Tune AuthBackendTuneArgs
    Type string
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    boundIssuer String
    The value against which to match the iss claim in a JWT
    defaultRole String
    The default role to use if none is provided during login
    description String
    The description of the auth backend
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    jwksCaPem String
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    jwksUrl String
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    jwtSupportedAlgs List<String>
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    jwtValidationPubkeys List<String>
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    local Boolean
    Specifies if the auth method is local only.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    namespaceInState Boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    oidcClientId String
    Client ID used for OIDC backends
    oidcClientSecret String
    Client Secret used for OIDC backends
    oidcDiscoveryCaPem String
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    oidcDiscoveryUrl String
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    oidcResponseMode String
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    oidcResponseTypes List<String>
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    path String
    Path to mount the JWT/OIDC auth backend
    providerConfig Map<String,String>
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    tune AuthBackendTune
    type String
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    boundIssuer string
    The value against which to match the iss claim in a JWT
    defaultRole string
    The default role to use if none is provided during login
    description string
    The description of the auth backend
    disableRemount boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    jwksCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    jwksUrl string
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    jwtSupportedAlgs string[]
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    jwtValidationPubkeys string[]
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    local boolean
    Specifies if the auth method is local only.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    namespaceInState boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    oidcClientId string
    Client ID used for OIDC backends
    oidcClientSecret string
    Client Secret used for OIDC backends
    oidcDiscoveryCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    oidcDiscoveryUrl string
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    oidcResponseMode string
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    oidcResponseTypes string[]
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    path string
    Path to mount the JWT/OIDC auth backend
    providerConfig {[key: string]: string}
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    tune AuthBackendTune
    type string
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    bound_issuer str
    The value against which to match the iss claim in a JWT
    default_role str
    The default role to use if none is provided during login
    description str
    The description of the auth backend
    disable_remount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    jwks_ca_pem str
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    jwks_url str
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    jwt_supported_algs Sequence[str]
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    jwt_validation_pubkeys Sequence[str]
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    local bool
    Specifies if the auth method is local only.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    namespace_in_state bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    oidc_client_id str
    Client ID used for OIDC backends
    oidc_client_secret str
    Client Secret used for OIDC backends
    oidc_discovery_ca_pem str
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    oidc_discovery_url str
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    oidc_response_mode str
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    oidc_response_types Sequence[str]
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    path str
    Path to mount the JWT/OIDC auth backend
    provider_config Mapping[str, str]
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    tune AuthBackendTuneArgs
    type str
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    boundIssuer String
    The value against which to match the iss claim in a JWT
    defaultRole String
    The default role to use if none is provided during login
    description String
    The description of the auth backend
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    jwksCaPem String
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    jwksUrl String
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    jwtSupportedAlgs List<String>
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    jwtValidationPubkeys List<String>
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    local Boolean
    Specifies if the auth method is local only.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    namespaceInState Boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    oidcClientId String
    Client ID used for OIDC backends
    oidcClientSecret String
    Client Secret used for OIDC backends
    oidcDiscoveryCaPem String
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    oidcDiscoveryUrl String
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    oidcResponseMode String
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    oidcResponseTypes List<String>
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    path String
    Path to mount the JWT/OIDC auth backend
    providerConfig Map<String>
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    tune Property Map
    type String
    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:

    Accessor string
    The accessor for this auth method
    Id string
    The provider-assigned unique ID for this managed resource.
    Accessor string
    The accessor for this auth method
    Id string
    The provider-assigned unique ID for this managed resource.
    accessor String
    The accessor for this auth method
    id String
    The provider-assigned unique ID for this managed resource.
    accessor string
    The accessor for this auth method
    id string
    The provider-assigned unique ID for this managed resource.
    accessor str
    The accessor for this auth method
    id str
    The provider-assigned unique ID for this managed resource.
    accessor String
    The accessor for this auth method
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing AuthBackend Resource

    Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend
    @staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        accessor: Optional[str] = None,
        bound_issuer: Optional[str] = None,
        default_role: Optional[str] = None,
        description: Optional[str] = None,
        disable_remount: Optional[bool] = None,
        jwks_ca_pem: Optional[str] = None,
        jwks_url: Optional[str] = None,
        jwt_supported_algs: Optional[Sequence[str]] = None,
        jwt_validation_pubkeys: Optional[Sequence[str]] = None,
        local: Optional[bool] = None,
        namespace: Optional[str] = None,
        namespace_in_state: Optional[bool] = None,
        oidc_client_id: Optional[str] = None,
        oidc_client_secret: Optional[str] = None,
        oidc_discovery_ca_pem: Optional[str] = None,
        oidc_discovery_url: Optional[str] = None,
        oidc_response_mode: Optional[str] = None,
        oidc_response_types: Optional[Sequence[str]] = None,
        path: Optional[str] = None,
        provider_config: Optional[Mapping[str, str]] = None,
        tune: Optional[AuthBackendTuneArgs] = None,
        type: Optional[str] = None) -> AuthBackend
    func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)
    public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)
    public static AuthBackend get(String name, Output<String> id, AuthBackendState state, CustomResourceOptions options)
    resources:  _:    type: vault:jwt:AuthBackend    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Accessor string
    The accessor for this auth method
    BoundIssuer string
    The value against which to match the iss claim in a JWT
    DefaultRole string
    The default role to use if none is provided during login
    Description string
    The description of the auth backend
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    JwksCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    JwksUrl string
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    JwtSupportedAlgs List<string>
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    JwtValidationPubkeys List<string>
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    Local bool
    Specifies if the auth method is local only.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NamespaceInState bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    OidcClientId string
    Client ID used for OIDC backends
    OidcClientSecret string
    Client Secret used for OIDC backends
    OidcDiscoveryCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    OidcDiscoveryUrl string
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    OidcResponseMode string
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    OidcResponseTypes List<string>
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    Path string
    Path to mount the JWT/OIDC auth backend
    ProviderConfig Dictionary<string, string>
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    Tune AuthBackendTune
    Type string
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    Accessor string
    The accessor for this auth method
    BoundIssuer string
    The value against which to match the iss claim in a JWT
    DefaultRole string
    The default role to use if none is provided during login
    Description string
    The description of the auth backend
    DisableRemount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    JwksCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    JwksUrl string
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    JwtSupportedAlgs []string
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    JwtValidationPubkeys []string
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    Local bool
    Specifies if the auth method is local only.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    NamespaceInState bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    OidcClientId string
    Client ID used for OIDC backends
    OidcClientSecret string
    Client Secret used for OIDC backends
    OidcDiscoveryCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    OidcDiscoveryUrl string
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    OidcResponseMode string
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    OidcResponseTypes []string
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    Path string
    Path to mount the JWT/OIDC auth backend
    ProviderConfig map[string]string
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    Tune AuthBackendTuneArgs
    Type string
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    accessor String
    The accessor for this auth method
    boundIssuer String
    The value against which to match the iss claim in a JWT
    defaultRole String
    The default role to use if none is provided during login
    description String
    The description of the auth backend
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    jwksCaPem String
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    jwksUrl String
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    jwtSupportedAlgs List<String>
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    jwtValidationPubkeys List<String>
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    local Boolean
    Specifies if the auth method is local only.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    namespaceInState Boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    oidcClientId String
    Client ID used for OIDC backends
    oidcClientSecret String
    Client Secret used for OIDC backends
    oidcDiscoveryCaPem String
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    oidcDiscoveryUrl String
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    oidcResponseMode String
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    oidcResponseTypes List<String>
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    path String
    Path to mount the JWT/OIDC auth backend
    providerConfig Map<String,String>
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    tune AuthBackendTune
    type String
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    accessor string
    The accessor for this auth method
    boundIssuer string
    The value against which to match the iss claim in a JWT
    defaultRole string
    The default role to use if none is provided during login
    description string
    The description of the auth backend
    disableRemount boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    jwksCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    jwksUrl string
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    jwtSupportedAlgs string[]
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    jwtValidationPubkeys string[]
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    local boolean
    Specifies if the auth method is local only.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    namespaceInState boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    oidcClientId string
    Client ID used for OIDC backends
    oidcClientSecret string
    Client Secret used for OIDC backends
    oidcDiscoveryCaPem string
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    oidcDiscoveryUrl string
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    oidcResponseMode string
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    oidcResponseTypes string[]
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    path string
    Path to mount the JWT/OIDC auth backend
    providerConfig {[key: string]: string}
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    tune AuthBackendTune
    type string
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    accessor str
    The accessor for this auth method
    bound_issuer str
    The value against which to match the iss claim in a JWT
    default_role str
    The default role to use if none is provided during login
    description str
    The description of the auth backend
    disable_remount bool
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    jwks_ca_pem str
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    jwks_url str
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    jwt_supported_algs Sequence[str]
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    jwt_validation_pubkeys Sequence[str]
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    local bool
    Specifies if the auth method is local only.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    namespace_in_state bool

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    oidc_client_id str
    Client ID used for OIDC backends
    oidc_client_secret str
    Client Secret used for OIDC backends
    oidc_discovery_ca_pem str
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    oidc_discovery_url str
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    oidc_response_mode str
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    oidc_response_types Sequence[str]
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    path str
    Path to mount the JWT/OIDC auth backend
    provider_config Mapping[str, str]
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    tune AuthBackendTuneArgs
    type str
    Type of auth backend. Should be one of jwt or oidc. Default - jwt
    accessor String
    The accessor for this auth method
    boundIssuer String
    The value against which to match the iss claim in a JWT
    defaultRole String
    The default role to use if none is provided during login
    description String
    The description of the auth backend
    disableRemount Boolean
    If set, opts out of mount migration on path updates. See here for more info on Mount Migration
    jwksCaPem String
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
    jwksUrl String
    JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
    jwtSupportedAlgs List<String>
    A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
    jwtValidationPubkeys List<String>
    A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
    local Boolean
    Specifies if the auth method is local only.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    namespaceInState Boolean

    Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs

    • tune - (Optional) Extra configuration block. Structure is documented below.

    The tune block is used to tune the auth backend:

    oidcClientId String
    Client ID used for OIDC backends
    oidcClientSecret String
    Client Secret used for OIDC backends
    oidcDiscoveryCaPem String
    The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
    oidcDiscoveryUrl String
    The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
    oidcResponseMode String
    The response mode to be used in the OAuth2 request. Allowed values are query and form_post. Defaults to query. If using Vault namespaces, and oidc_response_mode is form_post, then namespace_in_state should be set to false.
    oidcResponseTypes List<String>
    List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to ["code"]. Note: id_token may only be used if oidc_response_mode is set to form_post.
    path String
    Path to mount the JWT/OIDC auth backend
    providerConfig Map<String>
    Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
    tune Property Map
    type String
    Type of auth backend. Should be one of jwt or oidc. Default - jwt

    Supporting Types

    AuthBackendTune, AuthBackendTuneArgs

    AllowedResponseHeaders List<string>
    List of headers to whitelist and allowing a plugin to include them in the response.
    AuditNonHmacRequestKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys List<string>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    DefaultLeaseTtl string
    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
    MaxLeaseTtl string
    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
    PassthroughRequestHeaders List<string>
    List of headers to whitelist and pass from the request to the backend.
    TokenType string
    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
    AllowedResponseHeaders []string
    List of headers to whitelist and allowing a plugin to include them in the response.
    AuditNonHmacRequestKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    AuditNonHmacResponseKeys []string
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    DefaultLeaseTtl string
    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
    ListingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
    MaxLeaseTtl string
    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
    PassthroughRequestHeaders []string
    List of headers to whitelist and pass from the request to the backend.
    TokenType string
    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
    allowedResponseHeaders List<String>
    List of headers to whitelist and allowing a plugin to include them in the response.
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    defaultLeaseTtl String
    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
    maxLeaseTtl String
    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
    passthroughRequestHeaders List<String>
    List of headers to whitelist and pass from the request to the backend.
    tokenType String
    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
    allowedResponseHeaders string[]
    List of headers to whitelist and allowing a plugin to include them in the response.
    auditNonHmacRequestKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys string[]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    defaultLeaseTtl string
    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
    listingVisibility string
    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
    maxLeaseTtl string
    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
    passthroughRequestHeaders string[]
    List of headers to whitelist and pass from the request to the backend.
    tokenType string
    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
    allowed_response_headers Sequence[str]
    List of headers to whitelist and allowing a plugin to include them in the response.
    audit_non_hmac_request_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    audit_non_hmac_response_keys Sequence[str]
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    default_lease_ttl str
    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
    listing_visibility str
    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
    max_lease_ttl str
    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
    passthrough_request_headers Sequence[str]
    List of headers to whitelist and pass from the request to the backend.
    token_type str
    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
    allowedResponseHeaders List<String>
    List of headers to whitelist and allowing a plugin to include them in the response.
    auditNonHmacRequestKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
    auditNonHmacResponseKeys List<String>
    Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
    defaultLeaseTtl String
    Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
    listingVisibility String
    Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
    maxLeaseTtl String
    Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
    passthroughRequestHeaders List<String>
    List of headers to whitelist and pass from the request to the backend.
    tokenType String
    Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

    Import

    JWT auth backend can be imported using the path, e.g.

    $ pulumi import vault:jwt/authBackend:AuthBackend oidc oidc

    or

    $ pulumi import vault:jwt/authBackend:AuthBackend jwt jwt

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
    pulumi/pulumi-vault