1. Docs
  2. Reference
  3. API
  4. pulumi_vault
  5. gcp

gcp

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.

class pulumi_vault.gcp.AuthBackend(resource_name, opts=None, client_email=None, client_id=None, credentials=None, description=None, path=None, private_key_id=None, project_id=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to configure the GCP auth backend within Vault.

import pulumi
import pulumi_vault as vault

gcp = vault.gcp.AuthBackend("gcp", credentials=(lambda path: open(path).read())("vault-gcp-credentials.json"))
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • client_email (pulumi.Input[str]) – The clients email associated with the credentials

  • client_id (pulumi.Input[str]) – The Client ID of the credentials

  • credentials (pulumi.Input[str]) – A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.

  • private_key_id (pulumi.Input[str]) – The ID of the private key from the credentials

  • project_id (pulumi.Input[str]) – The GCP Project ID

client_email: pulumi.Output[str] = None

The clients email associated with the credentials

client_id: pulumi.Output[str] = None

The Client ID of the credentials

credentials: pulumi.Output[str] = None

A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.

private_key_id: pulumi.Output[str] = None

The ID of the private key from the credentials

project_id: pulumi.Output[str] = None

The GCP Project ID

static get(resource_name, id, opts=None, client_email=None, client_id=None, credentials=None, description=None, path=None, private_key_id=None, project_id=None)

Get an existing AuthBackend resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • client_email (pulumi.Input[str]) – The clients email associated with the credentials

  • client_id (pulumi.Input[str]) – The Client ID of the credentials

  • credentials (pulumi.Input[str]) – A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.

  • private_key_id (pulumi.Input[str]) – The ID of the private key from the credentials

  • project_id (pulumi.Input[str]) – The GCP Project ID

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.gcp.AuthBackendRole(resource_name, opts=None, add_group_aliases=None, allow_gce_inference=None, backend=None, bound_instance_groups=None, bound_labels=None, bound_projects=None, bound_regions=None, bound_service_accounts=None, bound_zones=None, max_jwt_exp=None, max_ttl=None, period=None, policies=None, role=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None, type=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to create a role in an GCP auth backend within Vault.

import pulumi
import pulumi_vault as vault

gcp_auth_backend = vault.AuthBackend("gcpAuthBackend",
    path="gcp",
    type="gcp")
gcp_auth_backend_role = vault.gcp.AuthBackendRole("gcpAuthBackendRole",
    backend=gcp_auth_backend.path,
    project_id="foo-bar-baz",
    bound_service_accounts=["database-server@foo-bar-baz.iam.gserviceaccount.com"],
    token_policies=["database-server"])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_gce_inference (pulumi.Input[bool]) – A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.

  • backend (pulumi.Input[str]) – Path to the mounted GCP auth backend

  • bound_instance_groups (pulumi.Input[list]) – The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too.

  • bound_labels (pulumi.Input[list]) – A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL’d, we recommend that this be used in conjunction with other restrictions.

  • bound_projects (pulumi.Input[list]) – GCP Projects that the role exists within

  • bound_regions (pulumi.Input[list]) – The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.

  • bound_service_accounts (pulumi.Input[list]) – GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam)

  • bound_zones (pulumi.Input[list]) – The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.

  • max_jwt_exp (pulumi.Input[str]) – The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized.

  • max_ttl (pulumi.Input[str]) – The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

  • period (pulumi.Input[str]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • policies (pulumi.Input[list]) – An array of strings specifying the policies to be set on tokens issued using this role.

  • role (pulumi.Input[str]) – Name of the GCP role

  • token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

  • token_explicit_max_ttl (pulumi.Input[float]) – If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

  • token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

  • token_num_uses (pulumi.Input[float]) – The period, if any, in number of seconds to set on the token.

  • token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

  • token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_type (pulumi.Input[str]) – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

  • ttl (pulumi.Input[str]) – The TTL period of tokens issued using this role, provided as a number of seconds.

  • type (pulumi.Input[str]) – Type of GCP authentication role (either gce or iam)

allow_gce_inference: pulumi.Output[bool] = None

A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.

backend: pulumi.Output[str] = None

Path to the mounted GCP auth backend

bound_instance_groups: pulumi.Output[list] = None

The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too.

bound_labels: pulumi.Output[list] = None

A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL’d, we recommend that this be used in conjunction with other restrictions.

bound_projects: pulumi.Output[list] = None

GCP Projects that the role exists within

bound_regions: pulumi.Output[list] = None

The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.

bound_service_accounts: pulumi.Output[list] = None

GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam)

bound_zones: pulumi.Output[list] = None

The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.

max_jwt_exp: pulumi.Output[str] = None

The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized.

max_ttl: pulumi.Output[str] = None

The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

period: pulumi.Output[str] = None

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

policies: pulumi.Output[list] = None

An array of strings specifying the policies to be set on tokens issued using this role.

role: pulumi.Output[str] = None

Name of the GCP role

token_bound_cidrs: pulumi.Output[list] = None

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

token_explicit_max_ttl: pulumi.Output[float] = None

If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

token_max_ttl: pulumi.Output[float] = None

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_no_default_policy: pulumi.Output[bool] = None

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

token_num_uses: pulumi.Output[float] = None

The period, if any, in number of seconds to set on the token.

token_period: pulumi.Output[float] = None

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

token_policies: pulumi.Output[list] = None

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

token_ttl: pulumi.Output[float] = None

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

token_type: pulumi.Output[str] = None

The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

ttl: pulumi.Output[str] = None

The TTL period of tokens issued using this role, provided as a number of seconds.

type: pulumi.Output[str] = None

Type of GCP authentication role (either gce or iam)

static get(resource_name, id, opts=None, add_group_aliases=None, allow_gce_inference=None, backend=None, bound_instance_groups=None, bound_labels=None, bound_projects=None, bound_regions=None, bound_service_accounts=None, bound_zones=None, max_jwt_exp=None, max_ttl=None, period=None, policies=None, role=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None, type=None)

Get an existing AuthBackendRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • allow_gce_inference (pulumi.Input[bool]) – A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.

  • backend (pulumi.Input[str]) – Path to the mounted GCP auth backend

  • bound_instance_groups (pulumi.Input[list]) – The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either bound_zones or bound_regions must be set too.

  • bound_labels (pulumi.Input[list]) – A comma-separated list of GCP labels formatted as "key:value" strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL’d, we recommend that this be used in conjunction with other restrictions.

  • bound_projects (pulumi.Input[list]) – GCP Projects that the role exists within

  • bound_regions (pulumi.Input[list]) – The list of regions that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a regional group and the group must belong to this region. If bound_zones are provided, this attribute is ignored.

  • bound_service_accounts (pulumi.Input[list]) – GCP Service Accounts allowed to issue tokens under this role. (Note: Required if role is iam)

  • bound_zones (pulumi.Input[list]) – The list of zones that a GCE instance must belong to in order to be authenticated. If bound_instance_groups is provided, it is assumed to be a zonal group and the group must belong to this zone.

  • max_jwt_exp (pulumi.Input[str]) – The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter exp. The GCE metadata tokens currently do not allow the exp claim to be customized.

  • max_ttl (pulumi.Input[str]) – The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.

  • period (pulumi.Input[str]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • policies (pulumi.Input[list]) – An array of strings specifying the policies to be set on tokens issued using this role.

  • role (pulumi.Input[str]) – Name of the GCP role

  • token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

  • token_explicit_max_ttl (pulumi.Input[float]) –

    If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.

  • token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

  • token_num_uses (pulumi.Input[float]) –

    The period, if any, in number of seconds to set on the token.

  • token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.

  • token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

  • token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

  • token_type (pulumi.Input[str]) – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.

  • ttl (pulumi.Input[str]) – The TTL period of tokens issued using this role, provided as a number of seconds.

  • type (pulumi.Input[str]) – Type of GCP authentication role (either gce or iam)

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.gcp.SecretBackend(resource_name, opts=None, credentials=None, default_lease_ttl_seconds=None, description=None, max_lease_ttl_seconds=None, path=None, __props__=None, __name__=None, __opts__=None)

Create a SecretBackend resource with the given unique name, props, and options. :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. :param pulumi.Input[str] credentials: The GCP service account credentials in JSON format. :param pulumi.Input[float] default_lease_ttl_seconds: The default TTL for credentials

issued by this backend. Defaults to ‘0’.

Parameters

  • description (pulumi.Input[str]) – A human-friendly description for this backend.

  • max_lease_ttl_seconds (pulumi.Input[float]) – The maximum TTL that can be requested for credentials issued by this backend. Defaults to ‘0’.

  • path (pulumi.Input[str]) – The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp.

credentials: pulumi.Output[str] = None

The GCP service account credentials in JSON format.

default_lease_ttl_seconds: pulumi.Output[float] = None

The default TTL for credentials issued by this backend. Defaults to ‘0’.

description: pulumi.Output[str] = None

A human-friendly description for this backend.

max_lease_ttl_seconds: pulumi.Output[float] = None

The maximum TTL that can be requested for credentials issued by this backend. Defaults to ‘0’.

path: pulumi.Output[str] = None

The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp.

static get(resource_name, id, opts=None, credentials=None, default_lease_ttl_seconds=None, description=None, max_lease_ttl_seconds=None, path=None)

Get an existing SecretBackend resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • credentials (pulumi.Input[str]) – The GCP service account credentials in JSON format.

  • default_lease_ttl_seconds (pulumi.Input[float]) – The default TTL for credentials issued by this backend. Defaults to ‘0’.

  • description (pulumi.Input[str]) – A human-friendly description for this backend.

  • max_lease_ttl_seconds (pulumi.Input[float]) – The maximum TTL that can be requested for credentials issued by this backend. Defaults to ‘0’.

  • path (pulumi.Input[str]) – The unique path this backend should be mounted at. Must not begin or end with a /. Defaults to gcp.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_vault.gcp.SecretRoleset(resource_name, opts=None, backend=None, bindings=None, project=None, roleset=None, secret_type=None, token_scopes=None, __props__=None, __name__=None, __opts__=None)

Creates a Roleset in the GCP Secrets Engine for Vault.

Each Roleset is tied to a Service Account, and can have one or more bindings associated with it.

import pulumi
import pulumi_vault as vault

project = "my-awesome-project"
gcp = vault.gcp.SecretBackend("gcp",
    credentials=(lambda path: open(path).read())("credentials.json"),
    path="gcp")
roleset = vault.gcp.SecretRoleset("roleset",
    backend=gcp.path,
    bindings=[{
        "resource": f"//cloudresourcemanager.googleapis.com/projects/{project}",
        "roles": ["roles/viewer"],
    }],
    project=project,
    roleset="project_viewer",
    secret_type="access_token",
    token_scopes=["https://www.googleapis.com/auth/cloud-platform"])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – Path where the GCP Secrets Engine is mounted

  • bindings (pulumi.Input[list]) – Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.

  • project (pulumi.Input[str]) – Name of the GCP project that this roleset’s service account will belong to.

  • roleset (pulumi.Input[str]) – Name of the Roleset to create

  • secret_type (pulumi.Input[str]) – Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.

  • token_scopes (pulumi.Input[list]) – List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

The bindings object supports the following:

  • resource (pulumi.Input[str]) - Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.

  • roles (pulumi.Input[list]) - List of GCP IAM roles for the resource.

backend: pulumi.Output[str] = None

Path where the GCP Secrets Engine is mounted

bindings: pulumi.Output[list] = None

Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.

  • resource (str) - Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.

  • roles (list) - List of GCP IAM roles for the resource.

project: pulumi.Output[str] = None

Name of the GCP project that this roleset’s service account will belong to.

roleset: pulumi.Output[str] = None

Name of the Roleset to create

secret_type: pulumi.Output[str] = None

Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.

service_account_email: pulumi.Output[str] = None

Email of the service account created by Vault for this Roleset

token_scopes: pulumi.Output[list] = None

List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

static get(resource_name, id, opts=None, backend=None, bindings=None, project=None, roleset=None, secret_type=None, service_account_email=None, token_scopes=None)

Get an existing SecretRoleset resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • backend (pulumi.Input[str]) – Path where the GCP Secrets Engine is mounted

  • bindings (pulumi.Input[list]) – Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.

  • project (pulumi.Input[str]) – Name of the GCP project that this roleset’s service account will belong to.

  • roleset (pulumi.Input[str]) – Name of the Roleset to create

  • secret_type (pulumi.Input[str]) – Type of secret generated for this role set. Accepted values: access_token, service_account_key. Defaults to access_token.

  • service_account_email (pulumi.Input[str]) – Email of the service account created by Vault for this Roleset

  • token_scopes (pulumi.Input[list]) – List of OAuth scopes to assign to access_token secrets generated under this role set (access_token role sets only).

The bindings object supports the following:

  • resource (pulumi.Input[str]) - Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different formats.

  • roles (pulumi.Input[list]) - List of GCP IAM roles for the resource.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str