vault.kubernetes.getAuthBackendConfig

HashiCorp Vault v7.5.0, Nov 21 25

HashiCorp Vault v7.5.0 published on Friday, Nov 21, 2025 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

HashiCorp Vault v7.5.0 published on Friday, Nov 21, 2025 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const config = vault.kubernetes.getAuthBackendConfig({
    backend: "my-kubernetes-backend",
});
export const tokenReviewerJwt = config.then(config => config.tokenReviewerJwt);

import pulumi
import pulumi_vault as vault

config = vault.kubernetes.get_auth_backend_config(backend="my-kubernetes-backend")
pulumi.export("tokenReviewerJwt", config.token_reviewer_jwt)

package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		config, err := kubernetes.LookupAuthBackendConfig(ctx, &kubernetes.LookupAuthBackendConfigArgs{
			Backend: pulumi.StringRef("my-kubernetes-backend"),
		}, nil)
		if err != nil {
			return err
		}
		ctx.Export("tokenReviewerJwt", config.TokenReviewerJwt)
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var config = Vault.Kubernetes.GetAuthBackendConfig.Invoke(new()
    {
        Backend = "my-kubernetes-backend",
    });

    return new Dictionary<string, object?>
    {
        ["tokenReviewerJwt"] = config.Apply(getAuthBackendConfigResult => getAuthBackendConfigResult.TokenReviewerJwt),
    };
});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.kubernetes.KubernetesFunctions;
import com.pulumi.vault.kubernetes.inputs.GetAuthBackendConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var config = KubernetesFunctions.getAuthBackendConfig(GetAuthBackendConfigArgs.builder()
            .backend("my-kubernetes-backend")
            .build());

        ctx.export("tokenReviewerJwt", config.tokenReviewerJwt());
    }
}

variables:
  config:
    fn::invoke:
      function: vault:kubernetes:getAuthBackendConfig
      arguments:
        backend: my-kubernetes-backend
outputs:
  tokenReviewerJwt: ${config.tokenReviewerJwt}

Using getAuthBackendConfig

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getAuthBackendConfig(args: GetAuthBackendConfigArgs, opts?: InvokeOptions): Promise<GetAuthBackendConfigResult>
function getAuthBackendConfigOutput(args: GetAuthBackendConfigOutputArgs, opts?: InvokeOptions): Output<GetAuthBackendConfigResult>

def get_auth_backend_config(backend: Optional[str] = None,
                            disable_iss_validation: Optional[bool] = None,
                            disable_local_ca_jwt: Optional[bool] = None,
                            issuer: Optional[str] = None,
                            kubernetes_ca_cert: Optional[str] = None,
                            kubernetes_host: Optional[str] = None,
                            namespace: Optional[str] = None,
                            pem_keys: Optional[Sequence[str]] = None,
                            use_annotations_as_alias_metadata: Optional[bool] = None,
                            opts: Optional[InvokeOptions] = None) -> GetAuthBackendConfigResult
def get_auth_backend_config_output(backend: Optional[pulumi.Input[str]] = None,
                            disable_iss_validation: Optional[pulumi.Input[bool]] = None,
                            disable_local_ca_jwt: Optional[pulumi.Input[bool]] = None,
                            issuer: Optional[pulumi.Input[str]] = None,
                            kubernetes_ca_cert: Optional[pulumi.Input[str]] = None,
                            kubernetes_host: Optional[pulumi.Input[str]] = None,
                            namespace: Optional[pulumi.Input[str]] = None,
                            pem_keys: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                            use_annotations_as_alias_metadata: Optional[pulumi.Input[bool]] = None,
                            opts: Optional[InvokeOptions] = None) -> Output[GetAuthBackendConfigResult]

func LookupAuthBackendConfig(ctx *Context, args *LookupAuthBackendConfigArgs, opts ...InvokeOption) (*LookupAuthBackendConfigResult, error)
func LookupAuthBackendConfigOutput(ctx *Context, args *LookupAuthBackendConfigOutputArgs, opts ...InvokeOption) LookupAuthBackendConfigResultOutput

> Note: This function is named LookupAuthBackendConfig in the Go SDK.

public static class GetAuthBackendConfig 
{
    public static Task<GetAuthBackendConfigResult> InvokeAsync(GetAuthBackendConfigArgs args, InvokeOptions? opts = null)
    public static Output<GetAuthBackendConfigResult> Invoke(GetAuthBackendConfigInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetAuthBackendConfigResult> getAuthBackendConfig(GetAuthBackendConfigArgs args, InvokeOptions options)
public static Output<GetAuthBackendConfigResult> getAuthBackendConfig(GetAuthBackendConfigArgs args, InvokeOptions options)

fn::invoke:
  function: vault:kubernetes/getAuthBackendConfig:getAuthBackendConfig
  arguments:
    # arguments dictionary

The following arguments are supported:

Backend string: The unique name for the Kubernetes backend the config to retrieve Role attributes for resides in. Defaults to "kubernetes".
DisableIssValidation bool: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
DisableLocalCaJwt bool: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
Issuer string: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
KubernetesCaCert string: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
KubernetesHost string: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
Namespace string: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PemKeys List<string>: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
UseAnnotationsAsAliasMetadata bool: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+

Backend string: The unique name for the Kubernetes backend the config to retrieve Role attributes for resides in. Defaults to "kubernetes".
DisableIssValidation bool: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
DisableLocalCaJwt bool: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
Issuer string: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
KubernetesCaCert string: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
KubernetesHost string: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
Namespace string: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
PemKeys []string: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
UseAnnotationsAsAliasMetadata bool: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+

backend String: The unique name for the Kubernetes backend the config to retrieve Role attributes for resides in. Defaults to "kubernetes".
disableIssValidation Boolean: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
disableLocalCaJwt Boolean: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
issuer String: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetesCaCert String: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetesHost String: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
namespace String: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pemKeys List<String>: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
useAnnotationsAsAliasMetadata Boolean: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+

backend string: The unique name for the Kubernetes backend the config to retrieve Role attributes for resides in. Defaults to "kubernetes".
disableIssValidation boolean: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
disableLocalCaJwt boolean: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
issuer string: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetesCaCert string: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetesHost string: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
namespace string: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pemKeys string[]: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
useAnnotationsAsAliasMetadata boolean: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+

backend str: The unique name for the Kubernetes backend the config to retrieve Role attributes for resides in. Defaults to "kubernetes".
disable_iss_validation bool: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
disable_local_ca_jwt bool: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
issuer str: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetes_ca_cert str: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetes_host str: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
namespace str: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pem_keys Sequence[str]: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
use_annotations_as_alias_metadata bool: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+

backend String: The unique name for the Kubernetes backend the config to retrieve Role attributes for resides in. Defaults to "kubernetes".
disableIssValidation Boolean: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
disableLocalCaJwt Boolean: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
issuer String: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetesCaCert String: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetesHost String: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
namespace String: The namespace of the target resource. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
pemKeys List<String>: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
useAnnotationsAsAliasMetadata Boolean: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+

getAuthBackendConfig Result

The following output properties are available:

DisableIssValidation bool: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
DisableLocalCaJwt bool: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
Id string: The provider-assigned unique ID for this managed resource.
Issuer string: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
KubernetesCaCert string: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
KubernetesHost string: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
PemKeys List<string>: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
UseAnnotationsAsAliasMetadata bool: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+
Backend string
Namespace string

DisableIssValidation bool: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
DisableLocalCaJwt bool: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
Id string: The provider-assigned unique ID for this managed resource.
Issuer string: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
KubernetesCaCert string: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
KubernetesHost string: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
PemKeys []string: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
UseAnnotationsAsAliasMetadata bool: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+
Backend string
Namespace string

disableIssValidation Boolean: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
disableLocalCaJwt Boolean: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
id String: The provider-assigned unique ID for this managed resource.
issuer String: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetesCaCert String: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetesHost String: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
pemKeys List<String>: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
useAnnotationsAsAliasMetadata Boolean: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+
backend String
namespace String

disableIssValidation boolean: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
disableLocalCaJwt boolean: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
id string: The provider-assigned unique ID for this managed resource.
issuer string: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetesCaCert string: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetesHost string: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
pemKeys string[]: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
useAnnotationsAsAliasMetadata boolean: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+
backend string
namespace string

disable_iss_validation bool: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
disable_local_ca_jwt bool: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
id str: The provider-assigned unique ID for this managed resource.
issuer str: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetes_ca_cert str: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetes_host str: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
pem_keys Sequence[str]: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
use_annotations_as_alias_metadata bool: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+
backend str
namespace str

disableIssValidation Boolean: (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
disableLocalCaJwt Boolean: (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault v1.5.4+ or Vault auth kubernetes plugin v0.7.1+
id String: The provider-assigned unique ID for this managed resource.
issuer String: Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.
kubernetesCaCert String: PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
kubernetesHost String: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
pemKeys List<String>: Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
useAnnotationsAsAliasMetadata Boolean: (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault v1.16+ or Vault auth kubernetes plugin v0.18.0+
backend String
namespace String

Package Details

Repository: Vault pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

HashiCorp Vault v7.5.0 published on Friday, Nov 21, 2025 by Pulumi

Schema (JSON)

pulumi/pulumi-vault

vault.kubernetes.getAuthBackendConfig

On this page

On this page

Example Usage

Using getAuthBackendConfig

getAuthBackendConfig Result

Package Details

On this page

On this page