jwt
This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-vault repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-vault repo.
- class
pulumi_vault.jwt.AuthBackend(resource_name, opts=None, bound_issuer=None, default_role=None, description=None, jwks_ca_pem=None, jwks_url=None, jwt_supported_algs=None, jwt_validation_pubkeys=None, oidc_client_id=None, oidc_client_secret=None, oidc_discovery_ca_pem=None, oidc_discovery_url=None, path=None, tune=None, type=None, __props__=None, __name__=None, __opts__=None)
Create an AuthBackend resource with the given unique name, props, and options.
- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
bound_issuer (pulumi.Input[str]) – The value against which to match the iss claim in a JWT
default_role (pulumi.Input[str]) – The default role to use if none is provided during login
description (pulumi.Input[str]) – The description of the auth backend
jwks_ca_pem (pulumi.Input[str]) – The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url (pulumi.Input[str]) – JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwt_supported_algs (pulumi.Input[list]) – A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwt_validation_pubkeys (pulumi.Input[list]) – A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidc_client_id (pulumi.Input[str]) – Client ID used for OIDC backends
oidc_client_secret (pulumi.Input[str]) – Client Secret used for OIDC backends
oidc_discovery_ca_pem (pulumi.Input[str]) – The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidc_discovery_url (pulumi.Input[str]) – The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path (pulumi.Input[str]) – Path to mount the JWT/OIDC auth backend
type (pulumi.Input[str]) – Type of auth backend. Should be one of jwt or oidc. Default - jwt
The tune object supports the following:
allowedResponseHeaders (pulumi.Input[list]) - List of headers to whitelist, allowing a plugin to include them in the response.
auditNonHmacRequestKeys (pulumi.Input[list]) - Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
auditNonHmacResponseKeys (pulumi.Input[list]) - Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
defaultLeaseTtl (pulumi.Input[str]) - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string.
listing_visibility (pulumi.Input[str]) - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
maxLeaseTtl (pulumi.Input[str]) - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string.
passthroughRequestHeaders (pulumi.Input[list]) - List of headers to whitelist and pass from the request to the backend.
token_type (pulumi.Input[str]) - Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.
accessor: pulumi.Output[str] = None – The accessor of the JWT auth backend
bound_issuer: pulumi.Output[str] = None – The value against which to match the iss claim in a JWT
default_role: pulumi.Output[str] = None – The default role to use if none is provided during login
description: pulumi.Output[str] = None – The description of the auth backend
jwks_ca_pem: pulumi.Output[str] = None – The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url: pulumi.Output[str] = None – JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwt_supported_algs: pulumi.Output[list] = None – A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwt_validation_pubkeys: pulumi.Output[list] = None – A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidc_client_id: pulumi.Output[str] = None – Client ID used for OIDC backends
oidc_client_secret: pulumi.Output[str] = None – Client Secret used for OIDC backends
oidc_discovery_ca_pem: pulumi.Output[str] = None – The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidc_discovery_url: pulumi.Output[str] = None – The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path: pulumi.Output[str] = None – Path to mount the JWT/OIDC auth backend
type: pulumi.Output[str] = None – Type of auth backend. Should be one of jwt or oidc. Default - jwt
- static
get(resource_name, id, opts=None, accessor=None, bound_issuer=None, default_role=None, description=None, jwks_ca_pem=None, jwks_url=None, jwt_supported_algs=None, jwt_validation_pubkeys=None, oidc_client_id=None, oidc_client_secret=None, oidc_discovery_ca_pem=None, oidc_discovery_url=None, path=None, tune=None, type=None)
Get an existing AuthBackend resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to look up.
opts (pulumi.ResourceOptions) – Options for the resource.
accessor (pulumi.Input[str]) – The accessor of the JWT auth backend
bound_issuer (pulumi.Input[str]) – The value against which to match the iss claim in a JWT
default_role (pulumi.Input[str]) – The default role to use if none is provided during login
description (pulumi.Input[str]) – The description of the auth backend
jwks_ca_pem (pulumi.Input[str]) – The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url (pulumi.Input[str]) – JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwt_supported_algs (pulumi.Input[list]) – A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwt_validation_pubkeys (pulumi.Input[list]) – A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidc_client_id (pulumi.Input[str]) – Client ID used for OIDC backends
oidc_client_secret (pulumi.Input[str]) – Client Secret used for OIDC backends
oidc_discovery_ca_pem (pulumi.Input[str]) – The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidc_discovery_url (pulumi.Input[str]) – The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path (pulumi.Input[str]) – Path to mount the JWT/OIDC auth backend
type (pulumi.Input[str]) – Type of auth backend. Should be one of jwt or oidc. Default - jwt
The tune object supports the following:
allowedResponseHeaders (pulumi.Input[list]) - List of headers to whitelist, allowing a plugin to include them in the response.
auditNonHmacRequestKeys (pulumi.Input[list]) - Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
auditNonHmacResponseKeys (pulumi.Input[list]) - Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
defaultLeaseTtl (pulumi.Input[str]) - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string.
listing_visibility (pulumi.Input[str]) - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
maxLeaseTtl (pulumi.Input[str]) - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string.
passthroughRequestHeaders (pulumi.Input[list]) - List of headers to whitelist and pass from the request to the backend.
token_type (pulumi.Input[str]) - Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
- class
pulumi_vault.jwt.AuthBackendRole(resource_name, opts=None, allowed_redirect_uris=None, backend=None, bound_audiences=None, bound_cidrs=None, bound_claims=None, bound_subject=None, claim_mappings=None, clock_skew_leeway=None, expiration_leeway=None, groups_claim=None, groups_claim_delimiter_pattern=None, max_ttl=None, not_before_leeway=None, num_uses=None, oidc_scopes=None, period=None, policies=None, role_name=None, role_type=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None, user_claim=None, verbose_oidc_logging=None, __props__=None, __name__=None, __opts__=None)
Manages a JWT/OIDC auth backend role in a Vault server. See the Vault documentation for more information.

    import pulumi
    import pulumi_vault as vault

    # Mount the JWT auth backend at the path "jwt".
    jwt = vault.jwt.AuthBackend("jwt", path="jwt")

    # Role of type "jwt": bound_audiences is required for this role type.
    example = vault.jwt.AuthBackendRole("example",
        backend=jwt.path,
        role_name="test-role",
        token_policies=[
            "default",
            "dev",
            "prod",
        ],
        bound_audiences=["https://myco.test"],
        user_claim="https://vault/user",
        role_type="jwt")

- Parameters
resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
allowed_redirect_uris (pulumi.Input[list]) – The list of allowed values for redirect_uri during OIDC logins. Required for OIDC roles
backend (pulumi.Input[str]) – The unique name of the auth backend to configure. Defaults to jwt.
bound_audiences (pulumi.Input[list]) – (Required for roles of type jwt, optional for roles of type oidc) List of aud claims to match against. Any match is sufficient.
bound_cidrs (pulumi.Input[list]) – If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
bound_claims (pulumi.Input[dict]) – If set, a map of claims/values to match against. The expected value may be a single string or a list of strings.
bound_subject (pulumi.Input[str]) – If set, requires that the sub claim matches this value.
claim_mappings (pulumi.Input[dict]) – If set, a map of claims (keys) to be copied to specified metadata fields (values).
clock_skew_leeway (pulumi.Input[float]) – The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.
expiration_leeway (pulumi.Input[float]) – The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.
groups_claim (pulumi.Input[str]) – The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
groups_claim_delimiter_pattern (pulumi.Input[str]) – (Optional; Deprecated. This field has been removed since Vault 1.1. If the groups claim is not at the top level, it can now be specified as a JSONPointer.) A pattern of delimiters used to allow the groups_claim to live outside of the top-level JWT structure. For instance, a groups_claim of meta/user.name/groups with this field set to // will expect nested structures named meta, user.name, and groups. If this field was set to /./ the groups information would expect to be via nested structures of meta, user, name, and groups.
max_ttl (pulumi.Input[float]) – The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.
not_before_leeway (pulumi.Input[float]) – The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.
num_uses (pulumi.Input[float]) – If set, puts a use-count limitation on the issued token.
oidc_scopes (pulumi.Input[list]) – If set, a list of OIDC scopes to be used with an OIDC role. The standard scope “openid” is automatically included and need not be specified.
period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
policies (pulumi.Input[list]) – An array of strings specifying the policies to be set on tokens issued using this role.
role_name (pulumi.Input[str]) – The name of the role.
role_type (pulumi.Input[str]) – Type of role, either “oidc” (default) or “jwt”.
token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
token_explicit_max_ttl (pulumi.Input[float]) – If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
token_num_uses (pulumi.Input[float]) – The period, if any, in number of seconds to set on the token.
token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_type (pulumi.Input[str]) – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.
ttl (pulumi.Input[float]) – The TTL period of tokens issued using this role, provided as a number of seconds.
user_claim (pulumi.Input[str]) – The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.
verbose_oidc_logging (pulumi.Input[bool]) – Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
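The constraints stated in the AuthBackend and AuthBackendRole parameter lists above (key sources that cannot be combined, fields required per role type, leeway values, the removed delimiter field, debug-only logging) can be checked before the arguments are handed to Pulumi. This is an added example, not code from the Pulumi provider or Vault; the function names, severities, the 300-second MAX_LEEWAY ceiling, the bound_issuer and plaintext-URL warnings, and the sample dictionaries are assumptions made for illustration.

```python
# Added example: lint AuthBackend / AuthBackendRole keyword arguments before
# they are passed to Pulumi. Rules follow the parameter descriptions above;
# function names, severities and MAX_LEEWAY are this example's own choices.

KEY_SOURCES = ("jwks_url", "oidc_discovery_url", "jwt_validation_pubkeys")
LEEWAYS = ("clock_skew_leeway", "expiration_leeway", "not_before_leeway")
BINDINGS = ("bound_subject", "bound_claims", "bound_cidrs", "token_bound_cidrs")
MAX_LEEWAY = 300  # seconds; assumed policy ceiling, not a Vault limit


def effective_leeway(value):
    """Seconds of leeway as documented: 0 -> 60, -1 -> disabled (0)."""
    if value is None or value == 0:  # unset is assumed to behave like 0
        return 60
    return 0 if value == -1 else value


def lint_backend(args):
    """Return (severity, field, message) findings for AuthBackend kwargs."""
    out = []
    if (args.get("type") or "jwt") not in ("jwt", "oidc"):
        out.append(("error", "type", "must be jwt or oidc"))
    used = [k for k in KEY_SOURCES if args.get(k)]
    if len(used) > 1:
        out.append(("error", "+".join(used), "key sources cannot be combined"))
    if used and "oidc_discovery_url" not in used and not args.get("bound_issuer"):
        out.append(("warn", "bound_issuer", "no value to match the iss claim against"))
    for key in ("jwks_url", "oidc_discovery_url"):
        url = str(args.get(key) or "")
        if url.startswith("http://"):
            out.append(("error", key, "keys would be fetched over plaintext HTTP"))
        if key == "oidc_discovery_url" and "/.well-known" in url:
            out.append(("error", key, "give the base path without .well-known"))
    return out


def lint_role(args, production=True):
    """Return (severity, field, message) findings for AuthBackendRole kwargs."""
    out = []
    role_type = args.get("role_type") or "oidc"  # documented default
    if role_type == "jwt" and not args.get("bound_audiences"):
        out.append(("error", "bound_audiences", "required for roles of type jwt"))
    if role_type == "oidc" and not args.get("allowed_redirect_uris"):
        out.append(("error", "allowed_redirect_uris", "required for OIDC roles"))
    for key in LEEWAYS:
        if args.get(key) is None:
            continue
        if role_type != "jwt":
            out.append(("warn", key, "only applicable with jwt roles"))
        elif effective_leeway(args[key]) > MAX_LEEWAY:
            out.append(("warn", key, f"accepts claims {args[key]}s outside their window"))
    if production and args.get("verbose_oidc_logging"):
        out.append(("warn", "verbose_oidc_logging", "logs tokens and claims at debug level"))
    if args.get("groups_claim_delimiter_pattern"):
        out.append(("warn", "groups_claim_delimiter_pattern",
                    "removed since Vault 1.1; use a JSONPointer in groups_claim"))
    for key in ("period", "token_period"):
        if args.get(key) and not args.get("token_explicit_max_ttl"):
            out.append(("warn", key, "renewable forever without token_explicit_max_ttl"))
    if role_type == "jwt" and not any(args.get(k) for k in BINDINGS):
        out.append(("warn", "bindings", "matches on aud only; no subject, claim or CIDR binding"))
    return out


# Constructed sample inputs (not taken from a real deployment).
WEAK_BACKEND = {"path": "jwt", "jwks_url": "http://idp.example.test/keys",
                "jwt_validation_pubkeys": ["<PEM placeholder>"]}
HARDENED_BACKEND = {"path": "jwt", "jwks_url": "https://idp.example.test/keys",
                    "bound_issuer": "https://idp.example.test"}
WEAK_ROLE = {"role_name": "ci", "role_type": "jwt", "expiration_leeway": 3600,
             "verbose_oidc_logging": True, "token_period": 3600,
             "groups_claim_delimiter_pattern": "//"}
HARDENED_ROLE = {"role_name": "ci", "role_type": "jwt", "user_claim": "sub",
                 "bound_audiences": ["https://myco.test"],
                 "bound_subject": "repo:myco/app", "token_policies": ["dev"],
                 "token_ttl": 900, "token_explicit_max_ttl": 3600,
                 "expiration_leeway": 0}

if __name__ == "__main__":
    for label, found in (("weak backend", lint_backend(WEAK_BACKEND)),
                         ("weak role", lint_role(WEAK_ROLE)),
                         ("hardened role", lint_role(HARDENED_ROLE))):
        print(label, "->", found or "no findings")
```

Run the same functions over the keyword dictionaries in a CI step and fail the build on any `error` finding.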
allowed_redirect_uris: pulumi.Output[list] = None – The list of allowed values for redirect_uri during OIDC logins. Required for OIDC roles
backend: pulumi.Output[str] = None – The unique name of the auth backend to configure. Defaults to jwt.
bound_audiences: pulumi.Output[list] = None – (Required for roles of type jwt, optional for roles of type oidc) List of aud claims to match against. Any match is sufficient.
bound_cidrs: pulumi.Output[list] = None – If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
bound_claims: pulumi.Output[dict] = None – If set, a map of claims/values to match against. The expected value may be a single string or a list of strings.
bound_subject: pulumi.Output[str] = None – If set, requires that the sub claim matches this value.
claim_mappings: pulumi.Output[dict] = None – If set, a map of claims (keys) to be copied to specified metadata fields (values).
clock_skew_leeway: pulumi.Output[float] = None – The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.
expiration_leeway: pulumi.Output[float] = None – The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.
groups_claim: pulumi.Output[str] = None – The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
groups_claim_delimiter_pattern: pulumi.Output[str] = None – (Optional; Deprecated. This field has been removed since Vault 1.1. If the groups claim is not at the top level, it can now be specified as a JSONPointer.) A pattern of delimiters used to allow the groups_claim to live outside of the top-level JWT structure. For instance, a groups_claim of meta/user.name/groups with this field set to // will expect nested structures named meta, user.name, and groups. If this field was set to /./ the groups information would expect to be via nested structures of meta, user, name, and groups.
max_ttl: pulumi.Output[float] = None – The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.
not_before_leeway: pulumi.Output[float] = None – The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.
num_uses: pulumi.Output[float] = None – If set, puts a use-count limitation on the issued token.
oidc_scopes: pulumi.Output[list] = None – If set, a list of OIDC scopes to be used with an OIDC role. The standard scope “openid” is automatically included and need not be specified.
period: pulumi.Output[float] = None – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
policies: pulumi.Output[list] = None – An array of strings specifying the policies to be set on tokens issued using this role.
role_name: pulumi.Output[str] = None – The name of the role.
role_type: pulumi.Output[str] = None – Type of role, either “oidc” (default) or “jwt”.
token_bound_cidrs: pulumi.Output[list] = None – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
token_explicit_max_ttl: pulumi.Output[float] = None – If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
token_max_ttl: pulumi.Output[float] = None – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_no_default_policy: pulumi.Output[bool] = None – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
token_num_uses: pulumi.Output[float] = None – The period, if any, in number of seconds to set on the token.
token_period: pulumi.Output[float] = None – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
token_policies: pulumi.Output[list] = None – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
token_ttl: pulumi.Output[float] = None – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_type: pulumi.Output[str] = None – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.
ttl: pulumi.Output[float] = None – The TTL period of tokens issued using this role, provided as a number of seconds.
user_claim: pulumi.Output[str] = None – The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.
verbose_oidc_logging: pulumi.Output[bool] = None – Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
- static
get(resource_name, id, opts=None, allowed_redirect_uris=None, backend=None, bound_audiences=None, bound_cidrs=None, bound_claims=None, bound_subject=None, claim_mappings=None, clock_skew_leeway=None, expiration_leeway=None, groups_claim=None, groups_claim_delimiter_pattern=None, max_ttl=None, not_before_leeway=None, num_uses=None, oidc_scopes=None, period=None, policies=None, role_name=None, role_type=None, token_bound_cidrs=None, token_explicit_max_ttl=None, token_max_ttl=None, token_no_default_policy=None, token_num_uses=None, token_period=None, token_policies=None, token_ttl=None, token_type=None, ttl=None, user_claim=None, verbose_oidc_logging=None)
Get an existing AuthBackendRole resource’s state with the given name, id, and optional extra properties used to qualify the lookup.
- Parameters
resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to look up.
opts (pulumi.ResourceOptions) – Options for the resource.
allowed_redirect_uris (pulumi.Input[list]) – The list of allowed values for redirect_uri during OIDC logins. Required for OIDC roles
backend (pulumi.Input[str]) – The unique name of the auth backend to configure. Defaults to jwt.
bound_audiences (pulumi.Input[list]) – (Required for roles of type jwt, optional for roles of type oidc) List of aud claims to match against. Any match is sufficient.
bound_cidrs (pulumi.Input[list]) – If set, a list of CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
bound_claims (pulumi.Input[dict]) – If set, a map of claims/values to match against. The expected value may be a single string or a list of strings.
bound_subject (pulumi.Input[str]) – If set, requires that the sub claim matches this value.
claim_mappings (pulumi.Input[dict]) – If set, a map of claims (keys) to be copied to specified metadata fields (values).
clock_skew_leeway (pulumi.Input[float]) – The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.
expiration_leeway (pulumi.Input[float]) – The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.
groups_claim (pulumi.Input[str]) – The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
groups_claim_delimiter_pattern (pulumi.Input[str]) – (Optional; Deprecated. This field has been removed since Vault 1.1. If the groups claim is not at the top level, it can now be specified as a JSONPointer.) A pattern of delimiters used to allow the groups_claim to live outside of the top-level JWT structure. For instance, a groups_claim of meta/user.name/groups with this field set to // will expect nested structures named meta, user.name, and groups. If this field was set to /./ the groups information would expect to be via nested structures of meta, user, name, and groups.
max_ttl (pulumi.Input[float]) – The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds.
not_before_leeway (pulumi.Input[float]) – The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with “jwt” roles.
num_uses (pulumi.Input[float]) – If set, puts a use-count limitation on the issued token.
oidc_scopes (pulumi.Input[list]) – If set, a list of OIDC scopes to be used with an OIDC role. The standard scope “openid” is automatically included and need not be specified.
period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
policies (pulumi.Input[list]) – An array of strings specifying the policies to be set on tokens issued using this role.
role_name (pulumi.Input[str]) – The name of the role.
role_type (pulumi.Input[str]) – Type of role, either “oidc” (default) or “jwt”.
token_bound_cidrs (pulumi.Input[list]) – List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
token_explicit_max_ttl (pulumi.Input[float]) – If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal.
token_max_ttl (pulumi.Input[float]) – The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_no_default_policy (pulumi.Input[bool]) – If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
token_num_uses (pulumi.Input[float]) – The period, if any, in number of seconds to set on the token.
token_period (pulumi.Input[float]) – If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token’s TTL will be set to the value of this field. Specified in seconds.
token_policies (pulumi.Input[list]) – List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
token_ttl (pulumi.Input[float]) – The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
token_type (pulumi.Input[str]) – The type of token that should be generated. Can be service, batch, or default to use the mount’s tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time.
ttl (pulumi.Input[float]) – The TTL period of tokens issued using this role, provided as a number of seconds.
user_claim (pulumi.Input[str]) – The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login.
verbose_oidc_logging (pulumi.Input[bool]) – Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
translate_output_property(prop)
Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str
translate_input_property(prop)
Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.
- Parameters
prop (str) – A property name.
- Returns
A potentially transformed property name.
- Return type
str