Module identity

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

Functions

getEntity
getGroup

Others

Resources

Resource Entity

class Entity extends CustomResource

constructor

new Entity(name: string, args?: EntityArgs, opts?: pulumi.CustomResourceOptions)

Create a Entity resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: EntityState, opts?: pulumi.CustomResourceOptions): Entity

Get an existing Entity resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Entity

Returns true if the given object is an instance of Entity. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property disabled

public disabled: pulumi.Output<boolean | undefined>;

True/false Is this entity currently disabled. Defaults to false

property externalPolicies

public externalPolicies: pulumi.Output<boolean | undefined>;

false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault.identity.EntityPolicies to manage policies for this entity in a decoupled manner.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property metadata

public metadata: pulumi.Output<{[key: string]: string} | undefined>;

A Map of additional metadata to associate with the user.

property name

public name: pulumi.Output<string>;

Name of the identity entity to create.

property policies

public policies: pulumi.Output<string[] | undefined>;

A list of policies to apply to the entity.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource EntityAlias

class EntityAlias extends CustomResource

constructor

new EntityAlias(name: string, args: EntityAliasArgs, opts?: pulumi.CustomResourceOptions)

Create a EntityAlias resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: EntityAliasState, opts?: pulumi.CustomResourceOptions): EntityAlias

Get an existing EntityAlias resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is EntityAlias

Returns true if the given object is an instance of EntityAlias. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property canonicalId

public canonicalId: pulumi.Output<string>;

Entity ID to which this alias belongs to.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property mountAccessor

public mountAccessor: pulumi.Output<string>;

Accessor of the mount to which the alias should belong to.

property name

public name: pulumi.Output<string>;

Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource EntityPolicies

class EntityPolicies extends CustomResource

Manages policies for an Identity Entity for Vault. The Identity secrets engine is the identity management solution for Vault.

Example Usage

Exclusive Policies

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const entity = new vault.identity.Entity("entity", {externalPolicies: true});
const policies = new vault.identity.EntityPolicies("policies", {
    policies: [
        "default",
        "test",
    ],
    exclusive: true,
    entityId: entity.id,
});

Non-exclusive Policies

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const entity = new vault.identity.Entity("entity", {externalPolicies: true});
const _default = new vault.identity.EntityPolicies("default", {
    policies: [
        "default",
        "test",
    ],
    exclusive: false,
    entityId: entity.id,
});
const others = new vault.identity.EntityPolicies("others", {
    policies: ["others"],
    exclusive: false,
    entityId: entity.id,
});

constructor

new EntityPolicies(name: string, args: EntityPoliciesArgs, opts?: pulumi.CustomResourceOptions)

Create a EntityPolicies resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: EntityPoliciesState, opts?: pulumi.CustomResourceOptions): EntityPolicies

Get an existing EntityPolicies resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is EntityPolicies

Returns true if the given object is an instance of EntityPolicies. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property entityId

public entityId: pulumi.Output<string>;

Entity ID to assign policies to.

property entityName

public entityName: pulumi.Output<string>;

The name of the entity that are assigned the policies.

property exclusive

public exclusive: pulumi.Output<boolean | undefined>;

Defaults to true.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policies

public policies: pulumi.Output<string[]>;

List of policies to assign to the entity

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Group

class Group extends CustomResource

Creates an Identity Group for Vault. The Identity secrets engine is the identity management solution for Vault.

A group can contain multiple entities as its members. A group can also have subgroups. Policies set on the group is granted to all members of the group. During request time, when the token’s entity ID is being evaluated for the policies that it has access to; along with the policies on the entity itself, policies that are inherited due to group memberships are also granted.

Example Usage

Internal Group

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const internal = new vault.identity.Group("internal", {
    metadata: {
        version: "2",
    },
    policies: [
        "dev",
        "test",
    ],
    type: "internal",
});

External Group

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const group = new vault.identity.Group("group", {
    metadata: {
        version: "1",
    },
    policies: ["test"],
    type: "external",
});

constructor

new Group(name: string, args?: GroupArgs, opts?: pulumi.CustomResourceOptions)

Create a Group resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupState, opts?: pulumi.CustomResourceOptions): Group

Get an existing Group resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Group

Returns true if the given object is an instance of Group. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property externalPolicies

public externalPolicies: pulumi.Output<boolean | undefined>;

false by default. If set to true, this resource will ignore any policies return from Vault or specified in the resource. You can use vault.identity.GroupPolicies to manage policies for this group in a decoupled manner.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property memberEntityIds

public memberEntityIds: pulumi.Output<string[]>;

A list of Entity IDs to be assigned as group members. Not allowed on external groups.

property memberGroupIds

public memberGroupIds: pulumi.Output<string[] | undefined>;

A list of Group IDs to be assigned as group members. Not allowed on external groups.

property metadata

public metadata: pulumi.Output<{[key: string]: string} | undefined>;

A Map of additional metadata to associate with the group.

property name

public name: pulumi.Output<string>;

Name of the identity group to create.

property policies

public policies: pulumi.Output<string[] | undefined>;

A list of policies to apply to the group.

property type

public type: pulumi.Output<string | undefined>;

Type of the group, internal or external. Defaults to internal.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource GroupAlias

class GroupAlias extends CustomResource

Creates an Identity Group Alias for Vault. The Identity secrets engine is the identity management solution for Vault.

Group aliases allows entity membership in external groups to be managed semi-automatically. External group serves as a mapping to a group that is outside of the identity store. External groups can have one (and only one) alias. This alias should map to a notion of group that is outside of the identity store. For example, groups in LDAP, and teams in GitHub. A username in LDAP, belonging to a group in LDAP, can get its entity ID added as a member of a group in Vault automatically during logins and token renewals. This works only if the group in Vault is an external group and has an alias that maps to the group in LDAP. If the user is removed from the group in LDAP, that change gets reflected in Vault only upon the subsequent login or renewal operation.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const group = new vault.identity.Group("group", {
    policies: ["test"],
    type: "external",
});
const github = new vault.AuthBackend("github", {
    path: "github",
    type: "github",
});
const groupAlias = new vault.identity.GroupAlias("group-alias", {
    canonicalId: group.id,
    mountAccessor: github.accessor,
    name: "Github_Team_Slug",
});

constructor

new GroupAlias(name: string, args: GroupAliasArgs, opts?: pulumi.CustomResourceOptions)

Create a GroupAlias resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupAliasState, opts?: pulumi.CustomResourceOptions): GroupAlias

Get an existing GroupAlias resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is GroupAlias

Returns true if the given object is an instance of GroupAlias. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property canonicalId

public canonicalId: pulumi.Output<string>;

ID of the group to which this is an alias.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property mountAccessor

public mountAccessor: pulumi.Output<string>;

Mount accessor of the authentication backend to which this alias belongs to.

property name

public name: pulumi.Output<string>;

Name of the group alias to create.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource GroupPolicies

class GroupPolicies extends CustomResource

Manages policies for an Identity Group for Vault. The Identity secrets engine is the identity management solution for Vault.

Example Usage

Exclusive Policies

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const internal = new vault.identity.Group("internal", {
    type: "internal",
    externalPolicies: true,
    metadata: {
        version: "2",
    },
});
const policies = new vault.identity.GroupPolicies("policies", {
    policies: [
        "default",
        "test",
    ],
    exclusive: true,
    groupId: internal.id,
});

Non-exclusive Policies

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const internal = new vault.identity.Group("internal", {
    type: "internal",
    externalPolicies: true,
    metadata: {
        version: "2",
    },
});
const _default = new vault.identity.GroupPolicies("default", {
    policies: [
        "default",
        "test",
    ],
    exclusive: false,
    groupId: internal.id,
});
const others = new vault.identity.GroupPolicies("others", {
    policies: ["others"],
    exclusive: false,
    groupId: internal.id,
});

constructor

new GroupPolicies(name: string, args: GroupPoliciesArgs, opts?: pulumi.CustomResourceOptions)

Create a GroupPolicies resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupPoliciesState, opts?: pulumi.CustomResourceOptions): GroupPolicies

Get an existing GroupPolicies resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is GroupPolicies

Returns true if the given object is an instance of GroupPolicies. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property exclusive

public exclusive: pulumi.Output<boolean | undefined>;

Defaults to true.

property groupId

public groupId: pulumi.Output<string>;

Group ID to assign policies to.

property groupName

public groupName: pulumi.Output<string>;

The name of the group that are assigned the policies.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policies

public policies: pulumi.Output<string[]>;

List of policies to assign to the group

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Oidc

class Oidc extends CustomResource

Configure the Identity Tokens Backend.

The Identity secrets engine is the identity management solution for Vault. It internally maintains the clients who are recognized by Vault.

NOTE: Each Vault server may only have one Identity Tokens Backend configuration. Multiple configurations of the resource against the same Vault server will cause a perpetual difference.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const server = new vault.identity.Oidc("server", {
    issuer: "https://www.acme.com",
});

constructor

new Oidc(name: string, args?: OidcArgs, opts?: pulumi.CustomResourceOptions)

Create a Oidc resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OidcState, opts?: pulumi.CustomResourceOptions): Oidc

Get an existing Oidc resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Oidc

Returns true if the given object is an instance of Oidc. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property issuer

public issuer: pulumi.Output<string>;

Issuer URL to be used in the iss claim of the token. If not set, Vault’s apiAddr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components, but no query or fragment components.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource OidcKey

class OidcKey extends CustomResource

constructor

new OidcKey(name: string, args?: OidcKeyArgs, opts?: pulumi.CustomResourceOptions)

Create a OidcKey resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OidcKeyState, opts?: pulumi.CustomResourceOptions): OidcKey

Get an existing OidcKey resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is OidcKey

Returns true if the given object is an instance of OidcKey. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property algorithm

public algorithm: pulumi.Output<string | undefined>;

Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.

property allowedClientIds

public allowedClientIds: pulumi.Output<string[]>;

Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If “*“, all roles are allowed.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

Name of the OIDC Key to create.

property rotationPeriod

public rotationPeriod: pulumi.Output<number | undefined>;

How often to generate a new signing key in number of seconds

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property verificationTtl

public verificationTtl: pulumi.Output<number | undefined>;

“Controls how long the public portion of a signing key will be available for verification after being rotated in seconds.

Resource OidcKeyAllowedClientID

class OidcKeyAllowedClientID extends CustomResource

constructor

new OidcKeyAllowedClientID(name: string, args: OidcKeyAllowedClientIDArgs, opts?: pulumi.CustomResourceOptions)

Create a OidcKeyAllowedClientID resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OidcKeyAllowedClientIDState, opts?: pulumi.CustomResourceOptions): OidcKeyAllowedClientID

Get an existing OidcKeyAllowedClientID resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is OidcKeyAllowedClientID

Returns true if the given object is an instance of OidcKeyAllowedClientID. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property allowedClientId

public allowedClientId: pulumi.Output<string>;

Client ID to allow usage with the OIDC named key

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property keyName

public keyName: pulumi.Output<string>;

Name of the OIDC Key allow the Client ID.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource OidcRole

class OidcRole extends CustomResource

constructor

new OidcRole(name: string, args: OidcRoleArgs, opts?: pulumi.CustomResourceOptions)

Create a OidcRole resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OidcRoleState, opts?: pulumi.CustomResourceOptions): OidcRole

Get an existing OidcRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is OidcRole

Returns true if the given object is an instance of OidcRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property clientId

public clientId: pulumi.Output<string>;

The value that will be included in the aud field of all the OIDC identity tokens issued by this role

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property key

public key: pulumi.Output<string>;

A configured named key, the key must already exist before tokens can be issued.

property name

public name: pulumi.Output<string>;

Name of the OIDC Role to create.

property template

public template: pulumi.Output<string | undefined>;

The template string to use for generating tokens. This may be in string-ified JSON or base64 format. See the documentation for the template format.

property ttl

public ttl: pulumi.Output<number | undefined>;

TTL of the tokens generated against the role in number of seconds.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Functions

Function getEntity

getEntity(args?: GetEntityArgs, opts?: pulumi.InvokeOptions): Promise<GetEntityResult>

Function getGroup

getGroup(args?: GetGroupArgs, opts?: pulumi.InvokeOptions): Promise<GetGroupResult>

Others

interface EntityAliasArgs

interface EntityAliasArgs

The set of arguments for constructing a EntityAlias resource.

property canonicalId

canonicalId: pulumi.Input<string>;

Entity ID to which this alias belongs to.

property mountAccessor

mountAccessor: pulumi.Input<string>;

Accessor of the mount to which the alias should belong to.

property name

name?: pulumi.Input<string>;

interface EntityAliasState

interface EntityAliasState

Input properties used for looking up and filtering EntityAlias resources.

property canonicalId

canonicalId?: pulumi.Input<string>;

Entity ID to which this alias belongs to.

property mountAccessor

mountAccessor?: pulumi.Input<string>;

Accessor of the mount to which the alias should belong to.

property name

name?: pulumi.Input<string>;

interface EntityArgs

interface EntityArgs

The set of arguments for constructing a Entity resource.

property disabled

disabled?: pulumi.Input<boolean>;

True/false Is this entity currently disabled. Defaults to false

property externalPolicies

externalPolicies?: pulumi.Input<boolean>;

property metadata

metadata?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A Map of additional metadata to associate with the user.

property name

name?: pulumi.Input<string>;

Name of the identity entity to create.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

A list of policies to apply to the entity.

interface EntityPoliciesArgs

interface EntityPoliciesArgs

The set of arguments for constructing a EntityPolicies resource.

property entityId

entityId: pulumi.Input<string>;

Entity ID to assign policies to.

property exclusive

exclusive?: pulumi.Input<boolean>;

Defaults to true.

property policies

policies: pulumi.Input<pulumi.Input<string>[]>;

List of policies to assign to the entity

interface EntityPoliciesState

interface EntityPoliciesState

Input properties used for looking up and filtering EntityPolicies resources.

property entityId

entityId?: pulumi.Input<string>;

Entity ID to assign policies to.

property entityName

entityName?: pulumi.Input<string>;

The name of the entity that are assigned the policies.

property exclusive

exclusive?: pulumi.Input<boolean>;

Defaults to true.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to assign to the entity

interface EntityState

interface EntityState

Input properties used for looking up and filtering Entity resources.

property disabled

disabled?: pulumi.Input<boolean>;

True/false Is this entity currently disabled. Defaults to false

property externalPolicies

externalPolicies?: pulumi.Input<boolean>;

property metadata

metadata?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A Map of additional metadata to associate with the user.

property name

name?: pulumi.Input<string>;

Name of the identity entity to create.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

A list of policies to apply to the entity.

interface GetEntityArgs

interface GetEntityArgs

A collection of arguments for invoking getEntity.

property aliasId

aliasId?: undefined | string;

ID of the alias.

property aliasMountAccessor

aliasMountAccessor?: undefined | string;

Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with aliasName.

property aliasName

aliasName?: undefined | string;

Name of the alias. This should be supplied in conjunction with aliasMountAccessor.

property entityId

entityId?: undefined | string;

ID of the entity.

property entityName

entityName?: undefined | string;

Name of the entity.

interface GetEntityResult

interface GetEntityResult

A collection of values returned by getEntity.

property aliasId

aliasId: string;

property aliasMountAccessor

aliasMountAccessor: string;

property aliasName

aliasName: string;

property aliases

aliases: GetEntityAlias[];

A list of entity alias. Structure is documented below.

property creationTime

creationTime: string;

Creation time of the Alias

property dataJson

dataJson: string;

A string containing the full data payload retrieved from Vault, serialized in JSON format.

property directGroupIds

directGroupIds: string[];

List of Group IDs of which the entity is directly a member of

property disabled

disabled: boolean;

Whether the entity is disabled

property entityId

entityId: string;

property entityName

entityName: string;

property groupIds

groupIds: string[];

List of all Group IDs of which the entity is a member of

property id

id: string;

The provider-assigned unique ID for this managed resource.

property inheritedGroupIds

inheritedGroupIds: string[];

List of all Group IDs of which the entity is a member of transitively

property lastUpdateTime

lastUpdateTime: string;

Last update time of the alias

property mergedEntityIds

mergedEntityIds: string[];

Other entity IDs which is merged with this entity

property metadata

metadata: {[key: string]: any};

Arbitrary metadata

property namespaceId

namespaceId: string;

Namespace of which the entity is part of

property policies

policies: string[];

List of policies attached to the entity

interface GetGroupArgs

interface GetGroupArgs

A collection of arguments for invoking getGroup.

property aliasId

aliasId?: undefined | string;

ID of the alias.

property aliasMountAccessor

aliasMountAccessor?: undefined | string;

Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with aliasName.

property aliasName

aliasName?: undefined | string;

Name of the alias. This should be supplied in conjunction with aliasMountAccessor.

property groupId

groupId?: undefined | string;

ID of the group.

property groupName

groupName?: undefined | string;

Name of the group.

interface GetGroupResult

interface GetGroupResult

A collection of values returned by getGroup.

property aliasCanonicalId

aliasCanonicalId: string;

Canonical ID of the Alias

property aliasCreationTime

aliasCreationTime: string;

Creation time of the Alias

property aliasId

aliasId: string;

property aliasLastUpdateTime

aliasLastUpdateTime: string;

Last update time of the alias

property aliasMergedFromCanonicalIds

aliasMergedFromCanonicalIds: string[];

List of canonical IDs merged with this alias

property aliasMetadata

aliasMetadata: {[key: string]: any};

Arbitrary metadata

property aliasMountAccessor

aliasMountAccessor: string;

property aliasMountPath

aliasMountPath: string;

Authentication mount path which this alias belongs to

property aliasMountType

aliasMountType: string;

Authentication mount type which this alias belongs to

property aliasName

aliasName: string;

property creationTime

creationTime: string;

Creation timestamp of the group

property dataJson

dataJson: string;

A string containing the full data payload retrieved from Vault, serialized in JSON format.

property groupId

groupId: string;

property groupName

groupName: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property lastUpdateTime

lastUpdateTime: string;

Last updated time of the group

property memberEntityIds

memberEntityIds: string[];

List of Entity IDs which are members of this group

property memberGroupIds

memberGroupIds: string[];

List of Group IDs which are members of this group

property metadata

metadata: {[key: string]: any};

Arbitrary metadata

property modifyIndex

modifyIndex: number;

Modify index of the group

property namespaceId

namespaceId: string;

Namespace of which the group is part of

property parentGroupIds

parentGroupIds: string[];

List of Group IDs which are parents of this group.

property policies

policies: string[];

List of policies attached to the group

property type

type: string;

Type of group

interface GroupAliasArgs

interface GroupAliasArgs

The set of arguments for constructing a GroupAlias resource.

property canonicalId

canonicalId: pulumi.Input<string>;

ID of the group to which this is an alias.

property mountAccessor

mountAccessor: pulumi.Input<string>;

Mount accessor of the authentication backend to which this alias belongs to.

property name

name: pulumi.Input<string>;

Name of the group alias to create.

interface GroupAliasState

interface GroupAliasState

Input properties used for looking up and filtering GroupAlias resources.

property canonicalId

canonicalId?: pulumi.Input<string>;

ID of the group to which this is an alias.

property mountAccessor

mountAccessor?: pulumi.Input<string>;

Mount accessor of the authentication backend to which this alias belongs to.

property name

name?: pulumi.Input<string>;

Name of the group alias to create.

interface GroupArgs

interface GroupArgs

The set of arguments for constructing a Group resource.

property externalPolicies

externalPolicies?: pulumi.Input<boolean>;

property memberEntityIds

memberEntityIds?: pulumi.Input<pulumi.Input<string>[]>;

A list of Entity IDs to be assigned as group members. Not allowed on external groups.

property memberGroupIds

memberGroupIds?: pulumi.Input<pulumi.Input<string>[]>;

A list of Group IDs to be assigned as group members. Not allowed on external groups.

property metadata

metadata?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A Map of additional metadata to associate with the group.

property name

name?: pulumi.Input<string>;

Name of the identity group to create.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

A list of policies to apply to the group.

property type

type?: pulumi.Input<string>;

Type of the group, internal or external. Defaults to internal.

interface GroupPoliciesArgs

interface GroupPoliciesArgs

The set of arguments for constructing a GroupPolicies resource.

property exclusive

exclusive?: pulumi.Input<boolean>;

Defaults to true.

property groupId

groupId: pulumi.Input<string>;

Group ID to assign policies to.

property policies

policies: pulumi.Input<pulumi.Input<string>[]>;

List of policies to assign to the group

interface GroupPoliciesState

interface GroupPoliciesState

Input properties used for looking up and filtering GroupPolicies resources.

property exclusive

exclusive?: pulumi.Input<boolean>;

Defaults to true.

property groupId

groupId?: pulumi.Input<string>;

Group ID to assign policies to.

property groupName

groupName?: pulumi.Input<string>;

The name of the group that are assigned the policies.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to assign to the group

interface GroupState

interface GroupState

Input properties used for looking up and filtering Group resources.

property externalPolicies

externalPolicies?: pulumi.Input<boolean>;

property memberEntityIds

memberEntityIds?: pulumi.Input<pulumi.Input<string>[]>;

A list of Entity IDs to be assigned as group members. Not allowed on external groups.

property memberGroupIds

memberGroupIds?: pulumi.Input<pulumi.Input<string>[]>;

A list of Group IDs to be assigned as group members. Not allowed on external groups.

property metadata

metadata?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A Map of additional metadata to associate with the group.

property name

name?: pulumi.Input<string>;

Name of the identity group to create.

property policies

policies?: pulumi.Input<pulumi.Input<string>[]>;

A list of policies to apply to the group.

property type

type?: pulumi.Input<string>;

Type of the group, internal or external. Defaults to internal.

interface OidcArgs

interface OidcArgs

The set of arguments for constructing a Oidc resource.

property issuer

issuer?: pulumi.Input<string>;

interface OidcKeyAllowedClientIDArgs

interface OidcKeyAllowedClientIDArgs

The set of arguments for constructing a OidcKeyAllowedClientID resource.

property allowedClientId

allowedClientId: pulumi.Input<string>;

Client ID to allow usage with the OIDC named key

property keyName

keyName: pulumi.Input<string>;

Name of the OIDC Key allow the Client ID.

interface OidcKeyAllowedClientIDState

interface OidcKeyAllowedClientIDState

Input properties used for looking up and filtering OidcKeyAllowedClientID resources.

property allowedClientId

allowedClientId?: pulumi.Input<string>;

Client ID to allow usage with the OIDC named key

property keyName

keyName?: pulumi.Input<string>;

Name of the OIDC Key allow the Client ID.

interface OidcKeyArgs

interface OidcKeyArgs

The set of arguments for constructing a OidcKey resource.

property algorithm

algorithm?: pulumi.Input<string>;

Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.

property allowedClientIds

allowedClientIds?: pulumi.Input<pulumi.Input<string>[]>;

Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If “*“, all roles are allowed.

property name

name?: pulumi.Input<string>;

Name of the OIDC Key to create.

property rotationPeriod

rotationPeriod?: pulumi.Input<number>;

How often to generate a new signing key in number of seconds

property verificationTtl

verificationTtl?: pulumi.Input<number>;

“Controls how long the public portion of a signing key will be available for verification after being rotated in seconds.

interface OidcKeyState

interface OidcKeyState

Input properties used for looking up and filtering OidcKey resources.

property algorithm

algorithm?: pulumi.Input<string>;

Signing algorithm to use. Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.

property allowedClientIds

allowedClientIds?: pulumi.Input<pulumi.Input<string>[]>;

Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If “*“, all roles are allowed.

property name

name?: pulumi.Input<string>;

Name of the OIDC Key to create.

property rotationPeriod

rotationPeriod?: pulumi.Input<number>;

How often to generate a new signing key in number of seconds

property verificationTtl

verificationTtl?: pulumi.Input<number>;

“Controls how long the public portion of a signing key will be available for verification after being rotated in seconds.

interface OidcRoleArgs

interface OidcRoleArgs

The set of arguments for constructing a OidcRole resource.

property key

key: pulumi.Input<string>;

A configured named key, the key must already exist before tokens can be issued.

property name

name?: pulumi.Input<string>;

Name of the OIDC Role to create.

property template

template?: pulumi.Input<string>;

The template string to use for generating tokens. This may be in string-ified JSON or base64 format. See the documentation for the template format.

property ttl

ttl?: pulumi.Input<number>;

TTL of the tokens generated against the role in number of seconds.

interface OidcRoleState

interface OidcRoleState

Input properties used for looking up and filtering OidcRole resources.

property clientId

clientId?: pulumi.Input<string>;

The value that will be included in the aud field of all the OIDC identity tokens issued by this role

property key

key?: pulumi.Input<string>;

A configured named key, the key must already exist before tokens can be issued.

property name

name?: pulumi.Input<string>;

Name of the OIDC Role to create.

property template

template?: pulumi.Input<string>;

The template string to use for generating tokens. This may be in string-ified JSON or base64 format. See the documentation for the template format.

property ttl

ttl?: pulumi.Input<number>;

TTL of the tokens generated against the role in number of seconds.

interface OidcState

interface OidcState

Input properties used for looking up and filtering Oidc resources.

property issuer

issuer?: pulumi.Input<string>;

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

Module identity

Resources

Functions

Others

Resources

Example Usage

Exclusive Policies

Non-exclusive Policies

Example Usage

Internal Group

External Group

Example Usage

Example Usage

Exclusive Policies

Non-exclusive Policies

Example Usage

Functions

Others