Module jwt

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

Resources

Resource AuthBackend

class AuthBackend extends CustomResource

constructor

new AuthBackend(name: string, args?: AuthBackendArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackend resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendState, opts?: pulumi.CustomResourceOptions): AuthBackend

Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackend

Returns true if the given object is an instance of AuthBackend. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accessor

public accessor: pulumi.Output<string>;

The accessor of the JWT auth backend

property boundIssuer

public boundIssuer: pulumi.Output<string | undefined>;

The value against which to match the iss claim in a JWT

property defaultRole

public defaultRole: pulumi.Output<string | undefined>;

The default role to use if none is provided during login

property description

public description: pulumi.Output<string | undefined>;

The description of the auth backend

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property jwksCaPem

public jwksCaPem: pulumi.Output<string | undefined>;

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

property jwksUrl

public jwksUrl: pulumi.Output<string | undefined>;

JWKS URL to use to authenticate signatures. Cannot be used with “oidcDiscoveryUrl” or “jwtValidationPubkeys”.

property jwtSupportedAlgs

public jwtSupportedAlgs: pulumi.Output<string[] | undefined>;

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

property jwtValidationPubkeys

public jwtValidationPubkeys: pulumi.Output<string[] | undefined>;

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidcDiscoveryUrl

property oidcClientId

public oidcClientId: pulumi.Output<string | undefined>;

Client ID used for OIDC backends

property oidcClientSecret

public oidcClientSecret: pulumi.Output<string | undefined>;

Client Secret used for OIDC backends

property oidcDiscoveryCaPem

public oidcDiscoveryCaPem: pulumi.Output<string | undefined>;

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

property oidcDiscoveryUrl

public oidcDiscoveryUrl: pulumi.Output<string | undefined>;

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwtValidationPubkeys

property path

public path: pulumi.Output<string | undefined>;

Path to mount the JWT/OIDC auth backend

property tune

public tune: pulumi.Output<AuthBackendTune>;

property type

public type: pulumi.Output<string | undefined>;

Type of auth backend. Should be one of jwt or oidc. Default - jwt

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendRole

class AuthBackendRole extends CustomResource

Manages a JWT/OIDC auth backend role in a Vault server. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const jwt = new vault.jwt.AuthBackend("jwt", {path: "jwt"});
const example = new vault.jwt.AuthBackendRole("example", {
    backend: jwt.path,
    roleName: "test-role",
    tokenPolicies: [
        "default",
        "dev",
        "prod",
    ],
    boundAudiences: ["https://myco.test"],
    userClaim: "https://vault/user",
    roleType: "jwt",
});

constructor

new AuthBackendRole(name: string, args: AuthBackendRoleArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendRole resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendRoleState, opts?: pulumi.CustomResourceOptions): AuthBackendRole

Get an existing AuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendRole

Returns true if the given object is an instance of AuthBackendRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property allowedRedirectUris

public allowedRedirectUris: pulumi.Output<string[] | undefined>;

The list of allowed values for redirectUri during OIDC logins. Required for OIDC roles

property backend

public backend: pulumi.Output<string | undefined>;

The unique name of the auth backend to configure. Defaults to jwt.

property boundAudiences

public boundAudiences: pulumi.Output<string[] | undefined>;

(Required for roles of type jwt, optional for roles of type oidc) List of aud claims to match against. Any match is sufficient.

property boundCidrs

public boundCidrs: pulumi.Output<string[] | undefined>;

If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.

property boundClaims

public boundClaims: pulumi.Output<{[key: string]: any} | undefined>;

If set, a map of claims/values to match against. The expected value may be a single string or a list of strings.

property boundSubject

public boundSubject: pulumi.Output<string | undefined>;

If set, requires that the sub claim matches this value.

property claimMappings

public claimMappings: pulumi.Output<{[key: string]: any} | undefined>;

If set, a map of claims (keys) to be copied to specified metadata fields (values).

property clockSkewLeeway

public clockSkewLeeway: pulumi.Output<number | undefined>;

The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.

property expirationLeeway

public expirationLeeway: pulumi.Output<number | undefined>;

The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.

property groupsClaim

public groupsClaim: pulumi.Output<string | undefined>;

The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.

property groupsClaimDelimiterPattern

public groupsClaimDelimiterPattern: pulumi.Output<string | undefined>;

(Optional; Deprecated. This field has been removed since Vault 1.1. If the groups claim is not at the top level, it can now be specified as a JSONPointer.) A pattern of delimiters used to allow the groupsClaim to live outside of the top-level JWT structure. For instance, a groupsClaim of meta/user.name/groups with this field set to // will expect nested structures named meta, user.name, and groups. If this field were set to /./, the groups information would be expected in nested structures named meta, user, name, and groups.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property maxTtl

public maxTtl: pulumi.Output<number | undefined>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property notBeforeLeeway

public notBeforeLeeway: pulumi.Output<number | undefined>;

The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.

property numUses

public numUses: pulumi.Output<number | undefined>;

If set, puts a use-count limitation on the issued token.

property oidcScopes

public oidcScopes: pulumi.Output<string[] | undefined>;

If set, a list of OIDC scopes to be used with an OIDC role. The standard scope “openid” is automatically included and need not be specified.

property period

public period: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

public policies: pulumi.Output<string[] | undefined>;

An array of strings specifying the policies to be set on tokens issued using this role.

property roleName

public roleName: pulumi.Output<string>;

The name of the role.

property roleType

public roleType: pulumi.Output<string>;

Type of role, either “oidc” (default) or “jwt”.

property tokenBoundCidrs

public tokenBoundCidrs: pulumi.Output<string[] | undefined>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

public tokenExplicitMaxTtl: pulumi.Output<number | undefined>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

public tokenMaxTtl: pulumi.Output<number | undefined>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

public tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

public tokenNumUses: pulumi.Output<number | undefined>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

public tokenPeriod: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

public tokenPolicies: pulumi.Output<string[] | undefined>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

public tokenTtl: pulumi.Output<number | undefined>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

public tokenType: pulumi.Output<string | undefined>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

public ttl: pulumi.Output<number | undefined>;

The TTL period of tokens issued using this role, provided as a number of seconds.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property userClaim

public userClaim: pulumi.Output<string>;

The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.

property verboseOidcLogging

public verboseOidcLogging: pulumi.Output<boolean | undefined>;

Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
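The bound_* and leeway properties of AuthBackendRole above decide which tokens a jwt-type role admits. The following is an added example, not code from this page or from the Pulumi or Vault projects: a simplified TypeScript model of those checks (bound_issuer, bound_subject, bound_audiences, bound_claims with JSON-pointer claim names as mentioned under groupsClaimDelimiterPattern, and the leeway encoding where 0 means 60 seconds and -1 disables a check). How clock_skew_leeway combines with the per-claim leeways is an assumption of the model, and all names are hypothetical.

```typescript
// Simplified model of a jwt-type role's bound_* and leeway checks, written for
// this page as an illustration. It is not Vault's or the provider's code; the
// semantics follow the property descriptions above and the JSON-pointer claim
// lookup follows RFC 6901. All names here are assumptions.

type Claims = { [key: string]: unknown };

interface JwtRoleModel {
  boundAudiences?: string[];                              // any match suffices
  boundSubject?: string;                                  // exact match on "sub"
  boundClaims?: { [claim: string]: string | string[] };   // string or list, any match
  boundIssuer?: string;                                   // backend-level "iss" match
  clockSkewLeeway?: number;                               // seconds; 0 -> 60, -1 -> off
  expirationLeeway?: number;
  notBeforeLeeway?: number;
}

// Resolve a claim name. Names starting with "/" are RFC 6901 JSON pointers
// ("/meta/user/groups"); anything else is a top-level key.
function lookupClaim(claims: Claims, name: string): unknown {
  if (name.charAt(0) !== "/") return claims[name];
  let cur: unknown = claims;
  for (const raw of name.slice(1).split("/")) {
    const key = raw.replace(/~1/g, "/").replace(/~0/g, "~");
    if (Array.isArray(cur)) cur = cur[Number(key)];
    else if (cur !== null && typeof cur === "object") cur = (cur as Claims)[key];
    else return undefined;
  }
  return cur;
}

// The documented encoding: 0 (or unset) means the 60 s default, -1 disables the check.
function effectiveLeeway(v: number | undefined): number | null {
  if (v === undefined || v === 0) return 60;
  return v < 0 ? null : v;
}

function asStringList(v: unknown): string[] {
  if (typeof v === "string") return [v];
  if (Array.isArray(v)) return v.filter((x): x is string => typeof x === "string");
  return [];
}

// Returns the reasons a token would be rejected; an empty list means accepted.
function evaluateJwtRole(role: JwtRoleModel, claims: Claims, nowSec: number): string[] {
  const reasons: string[] = [];

  if (role.boundIssuer !== undefined && claims["iss"] !== role.boundIssuer)
    reasons.push("iss does not match bound_issuer");
  if (role.boundSubject !== undefined && claims["sub"] !== role.boundSubject)
    reasons.push("sub does not match bound_subject");

  // bound_audiences is required for jwt roles; any overlap with "aud" is enough.
  const aud = asStringList(claims["aud"]);
  if (!role.boundAudiences || role.boundAudiences.length === 0)
    reasons.push("jwt role must set bound_audiences");
  else if (!role.boundAudiences.some((a) => aud.indexOf(a) !== -1))
    reasons.push("aud does not match any bound_audiences");

  // bound_claims: each expected value is a string or a list; any match suffices.
  const bound = role.boundClaims ?? {};
  for (const name of Object.keys(bound)) {
    const actual = asStringList(lookupClaim(claims, name));
    if (!asStringList(bound[name]).some((w) => actual.indexOf(w) !== -1))
      reasons.push(`claim ${name} does not match bound_claims`);
  }

  // Time checks (model): clock_skew_leeway widens both checks; the per-claim
  // leeway widens its own check further or, at -1, switches it off entirely.
  const skew = effectiveLeeway(role.clockSkewLeeway) ?? 0;
  const expLeeway = effectiveLeeway(role.expirationLeeway);
  const nbfLeeway = effectiveLeeway(role.notBeforeLeeway);
  const exp = claims["exp"];
  const nbf = claims["nbf"];
  if (expLeeway !== null && typeof exp === "number" && exp + skew + expLeeway < nowSec)
    reasons.push("token expired");
  if (nbfLeeway !== null && typeof nbf === "number" && nbf - skew - nbfLeeway > nowSec)
    reasons.push("token not yet valid");

  return reasons;
}
```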

Others

interface AuthBackendArgs

interface AuthBackendArgs

The set of arguments for constructing an AuthBackend resource.

property boundIssuer

boundIssuer?: pulumi.Input<string>;

The value against which to match the iss claim in a JWT

property defaultRole

defaultRole?: pulumi.Input<string>;

The default role to use if none is provided during login

property description

description?: pulumi.Input<string>;

The description of the auth backend

property jwksCaPem

jwksCaPem?: pulumi.Input<string>;

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

property jwksUrl

jwksUrl?: pulumi.Input<string>;

JWKS URL to use to authenticate signatures. Cannot be used with “oidcDiscoveryUrl” or “jwtValidationPubkeys”.

property jwtSupportedAlgs

jwtSupportedAlgs?: pulumi.Input<pulumi.Input<string>[]>;

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

property jwtValidationPubkeys

jwtValidationPubkeys?: pulumi.Input<pulumi.Input<string>[]>;

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidcDiscoveryUrl

property oidcClientId

oidcClientId?: pulumi.Input<string>;

Client ID used for OIDC backends

property oidcClientSecret

oidcClientSecret?: pulumi.Input<string>;

Client Secret used for OIDC backends

property oidcDiscoveryCaPem

oidcDiscoveryCaPem?: pulumi.Input<string>;

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

property oidcDiscoveryUrl

oidcDiscoveryUrl?: pulumi.Input<string>;

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwtValidationPubkeys

property path

path?: pulumi.Input<string>;

Path to mount the JWT/OIDC auth backend

property tune

tune?: pulumi.Input<AuthBackendTune>;

property type

type?: pulumi.Input<string>;

Type of auth backend. Should be one of jwt or oidc. Default - jwt

interface AuthBackendRoleArgs

interface AuthBackendRoleArgs

The set of arguments for constructing an AuthBackendRole resource.

property allowedRedirectUris

allowedRedirectUris?: pulumi.Input<pulumi.Input<string>[]>;

The list of allowed values for redirectUri during OIDC logins. Required for OIDC roles

property backend

backend?: pulumi.Input<string>;

The unique name of the auth backend to configure. Defaults to jwt.

property boundAudiences

boundAudiences?: pulumi.Input<pulumi.Input<string>[]>;

(Required for roles of type jwt, optional for roles of type oidc) List of aud claims to match against. Any match is sufficient.

property boundCidrs

DEPRECATED use token_bound_cidrs instead if you are running Vault >= 1.2
boundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.

property boundClaims

boundClaims?: pulumi.Input<{[key: string]: any}>;

If set, a map of claims/values to match against. The expected value may be a single string or a list of strings.

property boundSubject

boundSubject?: pulumi.Input<string>;

If set, requires that the sub claim matches this value.

property claimMappings

claimMappings?: pulumi.Input<{[key: string]: any}>;

If set, a map of claims (keys) to be copied to specified metadata fields (values).

property clockSkewLeeway

clockSkewLeeway?: pulumi.Input<number>;

The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.

property expirationLeeway

expirationLeeway?: pulumi.Input<number>;

The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.

property groupsClaim

groupsClaim?: pulumi.Input<string>;

The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.

property groupsClaimDelimiterPattern

DEPRECATED groups_claim_delimiter_pattern has been removed since Vault 1.1. If the groups claim is not at the top level, it can now be specified as a JSONPointer.
groupsClaimDelimiterPattern?: pulumi.Input<string>;

(Optional; Deprecated. This field has been removed since Vault 1.1. If the groups claim is not at the top level, it can now be specified as a JSONPointer.) A pattern of delimiters used to allow the groupsClaim to live outside of the top-level JWT structure. For instance, a groupsClaim of meta/user.name/groups with this field set to // will expect nested structures named meta, user.name, and groups. If this field were set to /./, the groups information would be expected in nested structures named meta, user, name, and groups.

property maxTtl

DEPRECATED use token_max_ttl instead if you are running Vault >= 1.2
maxTtl?: pulumi.Input<number>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property notBeforeLeeway

notBeforeLeeway?: pulumi.Input<number>;

The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.

property numUses

DEPRECATED use token_num_uses instead if you are running Vault >= 1.2
numUses?: pulumi.Input<number>;

If set, puts a use-count limitation on the issued token.

property oidcScopes

oidcScopes?: pulumi.Input<pulumi.Input<string>[]>;

If set, a list of OIDC scopes to be used with an OIDC role. The standard scope “openid” is automatically included and need not be specified.

property period

DEPRECATED use token_period instead if you are running Vault >= 1.2
period?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED use token_policies instead if you are running Vault >= 1.2
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property roleName

roleName: pulumi.Input<string>;

The name of the role.

property roleType

roleType?: pulumi.Input<string>;

Type of role, either “oidc” (default) or “jwt”.

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

DEPRECATED use token_ttl instead if you are running Vault >= 1.2
ttl?: pulumi.Input<number>;

The TTL period of tokens issued using this role, provided as a number of seconds.

property userClaim

userClaim: pulumi.Input<string>;

The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.

property verboseOidcLogging

verboseOidcLogging?: pulumi.Input<boolean>;

Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.

interface AuthBackendRoleState

interface AuthBackendRoleState

Input properties used for looking up and filtering AuthBackendRole resources.

property allowedRedirectUris

allowedRedirectUris?: pulumi.Input<pulumi.Input<string>[]>;

The list of allowed values for redirectUri during OIDC logins. Required for OIDC roles

property backend

backend?: pulumi.Input<string>;

The unique name of the auth backend to configure. Defaults to jwt.

property boundAudiences

boundAudiences?: pulumi.Input<pulumi.Input<string>[]>;

(Required for roles of type jwt, optional for roles of type oidc) List of aud claims to match against. Any match is sufficient.

property boundCidrs

DEPRECATED use token_bound_cidrs instead if you are running Vault >= 1.2
boundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.

property boundClaims

boundClaims?: pulumi.Input<{[key: string]: any}>;

If set, a map of claims/values to match against. The expected value may be a single string or a list of strings.

property boundSubject

boundSubject?: pulumi.Input<string>;

If set, requires that the sub claim matches this value.

property claimMappings

claimMappings?: pulumi.Input<{[key: string]: any}>;

If set, a map of claims (keys) to be copied to specified metadata fields (values).

property clockSkewLeeway

clockSkewLeeway?: pulumi.Input<number>;

The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.

property expirationLeeway

expirationLeeway?: pulumi.Input<number>;

The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.

property groupsClaim

groupsClaim?: pulumi.Input<string>;

The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.

property groupsClaimDelimiterPattern

DEPRECATED groups_claim_delimiter_pattern has been removed since Vault 1.1. If the groups claim is not at the top level, it can now be specified as a JSONPointer.
groupsClaimDelimiterPattern?: pulumi.Input<string>;

(Optional; Deprecated. This field has been removed since Vault 1.1. If the groups claim is not at the top level, it can now be specified as a JSONPointer.) A pattern of delimiters used to allow the groupsClaim to live outside of the top-level JWT structure. For instance, a groupsClaim of meta/user.name/groups with this field set to // will expect nested structures named meta, user.name, and groups. If this field were set to /./, the groups information would be expected in nested structures named meta, user, name, and groups.

property maxTtl

DEPRECATED use token_max_ttl instead if you are running Vault >= 1.2
maxTtl?: pulumi.Input<number>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property notBeforeLeeway

notBeforeLeeway?: pulumi.Input<number>;

The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.

property numUses

DEPRECATED use token_num_uses instead if you are running Vault >= 1.2
numUses?: pulumi.Input<number>;

If set, puts a use-count limitation on the issued token.

property oidcScopes

oidcScopes?: pulumi.Input<pulumi.Input<string>[]>;

If set, a list of OIDC scopes to be used with an OIDC role. The standard scope “openid” is automatically included and need not be specified.

property period

DEPRECATED use token_period instead if you are running Vault >= 1.2
period?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED use token_policies instead if you are running Vault >= 1.2
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property roleName

roleName?: pulumi.Input<string>;

The name of the role.

property roleType

roleType?: pulumi.Input<string>;

Type of role, either “oidc” (default) or “jwt”.

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

DEPRECATED use token_ttl instead if you are running Vault >= 1.2
ttl?: pulumi.Input<number>;

The TTL period of tokens issued using this role, provided as a number of seconds.

property userClaim

userClaim?: pulumi.Input<string>;

The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.

property verboseOidcLogging

verboseOidcLogging?: pulumi.Input<boolean>;

Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.

interface AuthBackendState

interface AuthBackendState

Input properties used for looking up and filtering AuthBackend resources.

property accessor

accessor?: pulumi.Input<string>;

The accessor of the JWT auth backend

property boundIssuer

boundIssuer?: pulumi.Input<string>;

The value against which to match the iss claim in a JWT

property defaultRole

defaultRole?: pulumi.Input<string>;

The default role to use if none is provided during login

property description

description?: pulumi.Input<string>;

The description of the auth backend

property jwksCaPem

jwksCaPem?: pulumi.Input<string>;

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.

property jwksUrl

jwksUrl?: pulumi.Input<string>;

JWKS URL to use to authenticate signatures. Cannot be used with “oidcDiscoveryUrl” or “jwtValidationPubkeys”.

property jwtSupportedAlgs

jwtSupportedAlgs?: pulumi.Input<pulumi.Input<string>[]>;

A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ

property jwtValidationPubkeys

jwtValidationPubkeys?: pulumi.Input<pulumi.Input<string>[]>;

A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidcDiscoveryUrl

property oidcClientId

oidcClientId?: pulumi.Input<string>;

Client ID used for OIDC backends

property oidcClientSecret

oidcClientSecret?: pulumi.Input<string>;

Client Secret used for OIDC backends

property oidcDiscoveryCaPem

oidcDiscoveryCaPem?: pulumi.Input<string>;

The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used

property oidcDiscoveryUrl

oidcDiscoveryUrl?: pulumi.Input<string>;

The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwtValidationPubkeys

property path

path?: pulumi.Input<string>;

Path to mount the JWT/OIDC auth backend

property tune

tune?: pulumi.Input<AuthBackendTune>;

property type

type?: pulumi.Input<string>;

Type of auth backend. Should be one of jwt or oidc. Default - jwt