Module kubernetes

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

Resources

Resource AuthBackendConfig

class AuthBackendConfig extends CustomResource

Manages a Kubernetes auth backend config in a Vault server. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const kubernetes = new vault.AuthBackend("kubernetes", {
    type: "kubernetes",
});
const example = new vault.kubernetes.AuthBackendConfig("example", {
    backend: kubernetes.path,
    issuer: "api",
    kubernetesCaCert: `-----BEGIN CERTIFICATE-----
example
-----END CERTIFICATE-----`,
    kubernetesHost: "http://example.com:443",
    tokenReviewerJwt: "ZXhhbXBsZQo=",
});

constructor

new AuthBackendConfig(name: string, args: AuthBackendConfigArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendConfig resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendConfigState, opts?: pulumi.CustomResourceOptions): AuthBackendConfig

Get an existing AuthBackendConfig resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendConfig

Returns true if the given object is an instance of AuthBackendConfig. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property backend

public backend: pulumi.Output<string | undefined>;

Unique name of the kubernetes backend to configure.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property issuer

public issuer: pulumi.Output<string | undefined>;

Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.

property kubernetesCaCert

public kubernetesCaCert: pulumi.Output<string | undefined>;

PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

property kubernetesHost

public kubernetesHost: pulumi.Output<string>;

Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

property pemKeys

public pemKeys: pulumi.Output<string[] | undefined>;

List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

property tokenReviewerJwt

public tokenReviewerJwt: pulumi.Output<string | undefined>;

A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AuthBackendRole

class AuthBackendRole extends CustomResource

Manages a Kubernetes auth backend role in a Vault server. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const kubernetes = new vault.AuthBackend("kubernetes", {type: "kubernetes"});
const example = new vault.kubernetes.AuthBackendRole("example", {
    backend: kubernetes.path,
    roleName: "example-role",
    boundServiceAccountNames: ["example"],
    boundServiceAccountNamespaces: ["example"],
    tokenTtl: 3600,
    tokenPolicies: [
        "default",
        "dev",
        "prod",
    ],
    audience: "vault",
});

constructor

new AuthBackendRole(name: string, args: AuthBackendRoleArgs, opts?: pulumi.CustomResourceOptions)

Create an AuthBackendRole resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthBackendRoleState, opts?: pulumi.CustomResourceOptions): AuthBackendRole

Get an existing AuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AuthBackendRole

Returns true if the given object is an instance of AuthBackendRole. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property audience

public audience: pulumi.Output<string | undefined>;

Audience claim to verify in the JWT.

property backend

public backend: pulumi.Output<string | undefined>;

Unique name of the kubernetes backend to configure.

property boundCidrs

public boundCidrs: pulumi.Output<string[] | undefined>;

If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.

property boundServiceAccountNames

public boundServiceAccountNames: pulumi.Output<string[]>;

List of service account names able to access this role. If set to ["*"], all names are allowed; this and boundServiceAccountNamespaces cannot both be "*".

property boundServiceAccountNamespaces

public boundServiceAccountNamespaces: pulumi.Output<string[]>;

List of namespaces allowed to access this role. If set to ["*"], all namespaces are allowed; this and boundServiceAccountNames cannot both be "*".

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property maxTtl

public maxTtl: pulumi.Output<number | undefined>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property numUses

public numUses: pulumi.Output<number | undefined>;

If set, puts a use-count limitation on the issued token.

property period

public period: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

public policies: pulumi.Output<string[] | undefined>;

An array of strings specifying the policies to be set on tokens issued using this role.

property roleName

public roleName: pulumi.Output<string>;

Name of the role.

property tokenBoundCidrs

public tokenBoundCidrs: pulumi.Output<string[] | undefined>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

public tokenExplicitMaxTtl: pulumi.Output<number | undefined>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

public tokenMaxTtl: pulumi.Output<number | undefined>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

public tokenNoDefaultPolicy: pulumi.Output<boolean | undefined>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

property tokenNumUses

public tokenNumUses: pulumi.Output<number | undefined>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

public tokenPeriod: pulumi.Output<number | undefined>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

public tokenPolicies: pulumi.Output<string[] | undefined>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

public tokenTtl: pulumi.Output<number | undefined>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

public tokenType: pulumi.Output<string | undefined>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

public ttl: pulumi.Output<number | undefined>;

The TTL period of tokens issued using this role, provided as a number of seconds.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
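The rules the two resource descriptions above state (a kubernetesHost that is a host, a host:port pair, or a URL; service account names and namespaces that are not both "*"; tokenExplicitMaxTtl as the hard cap over tokenTtl and tokenMaxTtl; the pre-1.2 fields marked DEPRECATED) can be checked before anything is declared with Pulumi. The TypeScript below is an added example, not code from the Pulumi docs or the pulumi-vault provider: its KubeAuthConfigInput and KubeAuthRoleInput interfaces are hypothetical plain-value mirrors of AuthBackendConfigArgs and AuthBackendRoleArgs, the sample inputs are constructed (two of them copy the page's own examples), and the lint functions and their messages are this example's own, not provider behaviour.

```typescript
// Added example; not code from the Pulumi docs or the pulumi-vault provider.
// A pre-deploy lint for plain-object equivalents of AuthBackendConfigArgs and
// AuthBackendRoleArgs. Both interfaces are hypothetical mirrors of the page's
// types with plain values in place of pulumi.Input<T>, so the checks run
// offline before the Pulumi resources are declared.

interface KubeAuthConfigInput {
  kubernetesHost: string;
  kubernetesCaCert?: string;
  tokenReviewerJwt?: string;
}

interface KubeAuthRoleInput {
  roleName: string;
  boundServiceAccountNames: string[];
  boundServiceAccountNamespaces: string[];
  audience?: string;
  tokenType?: string;
  tokenTtl?: number;
  tokenMaxTtl?: number;
  tokenExplicitMaxTtl?: number;
  tokenPeriod?: number;
  tokenPolicies?: string[];
  // Pre-Vault-1.2 names the provider still accepts but marks DEPRECATED.
  boundCidrs?: string[]; maxTtl?: number; numUses?: number;
  period?: number; policies?: string[]; ttl?: number;
}

interface Finding { level: "error" | "warn"; field: string; message: string; }

// kubernetesHost may be "host", "host:port", or a URL to the API server base
// (IPv6 literals are not handled by this example).
const HOST_OR_HOSTPORT = /^[A-Za-z0-9.-]+(:\d{1,5})?$/;
const API_URL = /^(https?):\/\/[A-Za-z0-9.-]+(:\d{1,5})?(\/.*)?$/;

function lintConfig(cfg: KubeAuthConfigInput): Finding[] {
  const out: Finding[] = [];
  const url = API_URL.exec(cfg.kubernetesHost);
  if (url === null && !HOST_OR_HOSTPORT.test(cfg.kubernetesHost)) {
    out.push({ level: "error", field: "kubernetesHost",
      message: "must be a host, a host:port pair, or a URL to the API server base" });
  } else if (url !== null && url[1] !== "https") {
    out.push({ level: "warn", field: "kubernetesHost",
      message: "plain http: reviewer and login JWTs would cross the network unencrypted" });
  }
  if (cfg.kubernetesCaCert === undefined) {
    out.push({ level: "warn", field: "kubernetesCaCert",
      message: "no CA pinned for the TLS client that talks to the Kubernetes API" });
  }
  if (cfg.tokenReviewerJwt === undefined) {
    out.push({ level: "warn", field: "tokenReviewerJwt",
      message: "unset: the JWT presented at login is itself used to call TokenReview" });
  }
  return out;
}

const TOKEN_TYPES = ["service", "batch", "default", "default-service", "default-batch"];
const DEPRECATED: Array<[keyof KubeAuthRoleInput, string]> = [
  ["boundCidrs", "tokenBoundCidrs"], ["maxTtl", "tokenMaxTtl"], ["numUses", "tokenNumUses"],
  ["period", "tokenPeriod"], ["policies", "tokenPolicies"], ["ttl", "tokenTtl"]];

function lintRole(role: KubeAuthRoleInput): Finding[] {
  const out: Finding[] = [];
  const names = role.boundServiceAccountNames, namespaces = role.boundServiceAccountNamespaces;
  if (names.length === 0 || namespaces.length === 0) {
    out.push({ level: "error", field: "boundServiceAccount*", message: "both lists are required" });
  }
  if (names.indexOf("*") !== -1 && namespaces.indexOf("*") !== -1) {
    out.push({ level: "error", field: "boundServiceAccount*",
      message: 'names and namespaces cannot both be "*": every service account in the cluster could log in' });
  }
  if (role.audience === undefined) {
    out.push({ level: "warn", field: "audience", message: "no audience claim is verified on login JWTs" });
  }
  if (role.tokenType !== undefined && TOKEN_TYPES.indexOf(role.tokenType) === -1) {
    out.push({ level: "error", field: "tokenType", message: `unknown token type "${role.tokenType}"` });
  }
  for (const [oldName, newName] of DEPRECATED) {
    if (role[oldName] !== undefined) {
      out.push({ level: "warn", field: oldName, message: `deprecated; use ${newName} on Vault >= 1.2` });
    }
  }
  const cap = role.tokenExplicitMaxTtl;
  if (cap !== undefined && role.tokenMaxTtl !== undefined && role.tokenMaxTtl > cap) {
    out.push({ level: "warn", field: "tokenMaxTtl",
      message: "exceeds tokenExplicitMaxTtl, which is a hard cap; the extra renewal headroom is unreachable" });
  }
  if (role.tokenPeriod !== undefined && cap === undefined) {
    out.push({ level: "warn", field: "tokenPeriod",
      message: "periodic tokens never expire while renewed; set tokenExplicitMaxTtl for a hard cap" });
  }
  return out;
}

// Longest lifetime a token from this role can reach through renewals, judged
// from the role alone (assumption: the mount and system max TTLs that Vault
// also applies are not modelled). undefined means the role itself sets no cap.
function effectiveHardCap(role: KubeAuthRoleInput): number | undefined {
  if (role.tokenExplicitMaxTtl !== undefined) return role.tokenExplicitMaxTtl;
  if (role.tokenPeriod !== undefined || role.period !== undefined) return undefined;
  return role.tokenMaxTtl !== undefined ? role.tokenMaxTtl : role.maxTtl;
}

function lintDeployment(cfg: KubeAuthConfigInput, roles: KubeAuthRoleInput[]): { ok: boolean; findings: Finding[] } {
  const findings = lintConfig(cfg).concat(...roles.map(lintRole));
  return { ok: !findings.some(f => f.level === "error"), findings };
}

// Constructed sample inputs: the page's own example config and role, plus a
// role written the way an over-permissive migration from Vault < 1.2 might look.
const sampleConfig: KubeAuthConfigInput = {
  kubernetesHost: "http://example.com:443",
  kubernetesCaCert: "-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----",
  tokenReviewerJwt: "ZXhhbXBsZQo=" };
const pageRole: KubeAuthRoleInput = {
  roleName: "example-role", boundServiceAccountNames: ["example"], boundServiceAccountNamespaces: ["example"],
  tokenTtl: 3600, tokenPolicies: ["default", "dev", "prod"], audience: "vault" };
const wildcardRole: KubeAuthRoleInput = {
  roleName: "legacy-role", boundServiceAccountNames: ["*"], boundServiceAccountNamespaces: ["*"],
  policies: ["default"], tokenMaxTtl: 7200, tokenExplicitMaxTtl: 3600 };
const report = lintDeployment(sampleConfig, [pageRole, wildcardRole]);
for (const f of report.findings) console.log(`${f.level.toUpperCase()} ${f.field}: ${f.message}`);
```

Run it with ts-node; in a pipeline, fail the job when report.ok is false so a role that opens the backend to every service account never reaches pulumi up, and treat the warnings as review items (the page's own example trips the plain-http warning because it points at http://example.com:443).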

Functions

Function getAuthBackendConfig

getAuthBackendConfig(args?: GetAuthBackendConfigArgs, opts?: pulumi.InvokeOptions): Promise<GetAuthBackendConfigResult>

Reads the configuration of a Kubernetes auth backend from a Vault server. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const config = pulumi.output(vault.kubernetes.getAuthBackendConfig({
    backend: "my-kubernetes-backend",
}, { async: true }));

export const tokenReviewerJwt = config.tokenReviewerJwt;

Function getAuthBackendRole

getAuthBackendRole(args: GetAuthBackendRoleArgs, opts?: pulumi.InvokeOptions): Promise<GetAuthBackendRoleResult>

Reads the Role of a Kubernetes auth backend from a Vault server. See the Vault documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const role = pulumi.output(vault.kubernetes.getAuthBackendRole({
    backend: "my-kubernetes-backend",
    roleName: "my-role",
}, { async: true }));

export const policies = role.policies!;

Others

interface AuthBackendConfigArgs

interface AuthBackendConfigArgs

The set of arguments for constructing an AuthBackendConfig resource.

property backend

backend?: pulumi.Input<string>;

Unique name of the kubernetes backend to configure.

property issuer

issuer?: pulumi.Input<string>;

Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.

property kubernetesCaCert

kubernetesCaCert?: pulumi.Input<string>;

PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

property kubernetesHost

kubernetesHost: pulumi.Input<string>;

Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

property pemKeys

pemKeys?: pulumi.Input<pulumi.Input<string>[]>;

List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

property tokenReviewerJwt

tokenReviewerJwt?: pulumi.Input<string>;

A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.

interface AuthBackendConfigState

interface AuthBackendConfigState

Input properties used for looking up and filtering AuthBackendConfig resources.

property backend

backend?: pulumi.Input<string>;

Unique name of the kubernetes backend to configure.

property issuer

issuer?: pulumi.Input<string>;

Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.

property kubernetesCaCert

kubernetesCaCert?: pulumi.Input<string>;

PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

property kubernetesHost

kubernetesHost?: pulumi.Input<string>;

Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

property pemKeys

pemKeys?: pulumi.Input<pulumi.Input<string>[]>;

List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

property tokenReviewerJwt

tokenReviewerJwt?: pulumi.Input<string>;

A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.

interface AuthBackendRoleArgs

interface AuthBackendRoleArgs

The set of arguments for constructing an AuthBackendRole resource.

property audience

audience?: pulumi.Input<string>;

Audience claim to verify in the JWT.

property backend

backend?: pulumi.Input<string>;

Unique name of the kubernetes backend to configure.

property boundCidrs

DEPRECATED use token_bound_cidrs instead if you are running Vault >= 1.2
boundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.

property boundServiceAccountNames

boundServiceAccountNames: pulumi.Input<pulumi.Input<string>[]>;

List of service account names able to access this role. If set to ["*"], all names are allowed; this and boundServiceAccountNamespaces cannot both be "*".

property boundServiceAccountNamespaces

boundServiceAccountNamespaces: pulumi.Input<pulumi.Input<string>[]>;

List of namespaces allowed to access this role. If set to ["*"], all namespaces are allowed; this and boundServiceAccountNames cannot both be "*".

property maxTtl

DEPRECATED use token_max_ttl instead if you are running Vault >= 1.2
maxTtl?: pulumi.Input<number>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property numUses

DEPRECATED use token_num_uses instead if you are running Vault >= 1.2
numUses?: pulumi.Input<number>;

If set, puts a use-count limitation on the issued token.

property period

DEPRECATED use token_period instead if you are running Vault >= 1.2
period?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED use token_policies instead if you are running Vault >= 1.2
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property roleName

roleName: pulumi.Input<string>;

Name of the role.

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

DEPRECATED use token_ttl instead if you are running Vault >= 1.2
ttl?: pulumi.Input<number>;

The TTL period of tokens issued using this role, provided as a number of seconds.

interface AuthBackendRoleState

interface AuthBackendRoleState

Input properties used for looking up and filtering AuthBackendRole resources.

property audience

audience?: pulumi.Input<string>;

Audience claim to verify in the JWT.

property backend

backend?: pulumi.Input<string>;

Unique name of the kubernetes backend to configure.

property boundCidrs

DEPRECATED use token_bound_cidrs instead if you are running Vault >= 1.2
boundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.

property boundServiceAccountNames

boundServiceAccountNames?: pulumi.Input<pulumi.Input<string>[]>;

List of service account names able to access this role. If set to ["*"], all names are allowed; this and boundServiceAccountNamespaces cannot both be "*".

property boundServiceAccountNamespaces

boundServiceAccountNamespaces?: pulumi.Input<pulumi.Input<string>[]>;

List of namespaces allowed to access this role. If set to ["*"], all namespaces are allowed; this and boundServiceAccountNames cannot both be "*".

property maxTtl

DEPRECATED use token_max_ttl instead if you are running Vault >= 1.2
maxTtl?: pulumi.Input<number>;

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

property numUses

DEPRECATED use token_num_uses instead if you are running Vault >= 1.2
numUses?: pulumi.Input<number>;

If set, puts a use-count limitation on the issued token.

property period

DEPRECATED use token_period instead if you are running Vault >= 1.2
period?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property policies

DEPRECATED use token_policies instead if you are running Vault >= 1.2
policies?: pulumi.Input<pulumi.Input<string>[]>;

An array of strings specifying the policies to be set on tokens issued using this role.

property roleName

roleName?: pulumi.Input<string>;

Name of the role.

property tokenBoundCidrs

tokenBoundCidrs?: pulumi.Input<pulumi.Input<string>[]>;

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: pulumi.Input<number>;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: pulumi.Input<number>;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: pulumi.Input<boolean>;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

property tokenNumUses

tokenNumUses?: pulumi.Input<number>;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: pulumi.Input<number>;

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: pulumi.Input<pulumi.Input<string>[]>;

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: pulumi.Input<number>;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: pulumi.Input<string>;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

DEPRECATED use token_ttl instead if you are running Vault >= 1.2
ttl?: pulumi.Input<number>;

The TTL period of tokens issued using this role, provided as a number of seconds.

interface GetAuthBackendConfigArgs

interface GetAuthBackendConfigArgs

A collection of arguments for invoking getAuthBackendConfig.

property backend

backend?: undefined | string;

The unique name of the Kubernetes backend whose config is retrieved. Defaults to “kubernetes”.

property issuer

issuer?: undefined | string;

Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.

property kubernetesCaCert

kubernetesCaCert?: undefined | string;

PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

property kubernetesHost

kubernetesHost?: undefined | string;

Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

property pemKeys

pemKeys?: string[];

Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

interface GetAuthBackendConfigResult

interface GetAuthBackendConfigResult

A collection of values returned by getAuthBackendConfig.

property backend

backend?: undefined | string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property issuer

issuer: string;

Optional JWT issuer. If no issuer is specified, kubernetes.io/serviceaccount will be used as the default issuer.

property kubernetesCaCert

kubernetesCaCert: string;

PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

property kubernetesHost

kubernetesHost: string;

Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

property pemKeys

pemKeys: string[];

Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

interface GetAuthBackendRoleArgs

interface GetAuthBackendRoleArgs

A collection of arguments for invoking getAuthBackendRole.

property audience

audience?: undefined | string;

(Optional) Audience claim to verify in the JWT.

property backend

backend?: undefined | string;

The unique name of the Kubernetes backend in which the role to retrieve resides. Defaults to “kubernetes”.

property boundCidrs

boundCidrs?: string[];

property maxTtl

maxTtl?: undefined | number;

property numUses

numUses?: undefined | number;

property period

period?: undefined | number;

property policies

policies?: string[];

property roleName

roleName: string;

The name of the role to retrieve the Role attributes for.

property tokenBoundCidrs

tokenBoundCidrs?: string[];

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: undefined | number;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: undefined | number;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: undefined | false | true;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

property tokenNumUses

tokenNumUses?: undefined | number;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: undefined | number;

(Optional) If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: string[];

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: undefined | number;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: undefined | string;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

ttl?: undefined | number;

interface GetAuthBackendRoleResult

interface GetAuthBackendRoleResult

A collection of values returned by getAuthBackendRole.

property audience

audience?: undefined | string;

(Optional) Audience claim to verify in the JWT.

property backend

backend?: undefined | string;

property boundCidrs

boundCidrs?: string[];

property boundServiceAccountNames

boundServiceAccountNames: string[];

List of service account names able to access this role. If set to ["*"], all names are allowed; this and boundServiceAccountNamespaces cannot both be "*".

property boundServiceAccountNamespaces

boundServiceAccountNamespaces: string[];

List of namespaces allowed to access this role. If set to ["*"], all namespaces are allowed; this and boundServiceAccountNames cannot both be "*".

property id

id: string;

The provider-assigned unique ID for this managed resource.

property maxTtl

maxTtl?: undefined | number;

property numUses

numUses?: undefined | number;

property period

period?: undefined | number;

property policies

policies?: string[];

property roleName

roleName: string;

property tokenBoundCidrs

tokenBoundCidrs?: string[];

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

property tokenExplicitMaxTtl

tokenExplicitMaxTtl?: undefined | number;

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if tokenTtl and tokenMaxTtl would otherwise allow a renewal.

property tokenMaxTtl

tokenMaxTtl?: undefined | number;

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenNoDefaultPolicy

tokenNoDefaultPolicy?: undefined | false | true;

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in tokenPolicies.

property tokenNumUses

tokenNumUses?: undefined | number;

The period, if any, in number of seconds to set on the token.

property tokenPeriod

tokenPeriod?: undefined | number;

(Optional) If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

property tokenPolicies

tokenPolicies?: string[];

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

property tokenTtl

tokenTtl?: undefined | number;

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

property tokenType

tokenType?: undefined | string;

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

property ttl

ttl?: undefined | number;