AuthBackend

Create a AuthBackend Resource

new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);

def AuthBackend(resource_name, opts=None, bound_issuer=None, default_role=None, description=None, jwks_ca_pem=None, jwks_url=None, jwt_supported_algs=None, jwt_validation_pubkeys=None, oidc_client_id=None, oidc_client_secret=None, oidc_discovery_ca_pem=None, oidc_discovery_url=None, path=None, tune=None, type=None, __props__=None);

func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)

public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args AuthBackendArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AuthBackendArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthBackendArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

AuthBackend Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The AuthBackend resource accepts the following input properties:

BoundIssuer string: The value against which to match the iss claim in a JWT
DefaultRole string: The default role to use if none is provided during login
Description string: The description of the auth backend
JwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
JwtSupportedAlgs List<string>: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys List<string>: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
OidcClientId string: Client ID used for OIDC backends
OidcClientSecret string: Client Secret used for OIDC backends
OidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
Path string: Path to mount the JWT/OIDC auth backend
Tune AuthBackendTuneArgs
Type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

BoundIssuer string: The value against which to match the iss claim in a JWT
DefaultRole string: The default role to use if none is provided during login
Description string: The description of the auth backend
JwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
JwtSupportedAlgs []string: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys []string: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
OidcClientId string: Client ID used for OIDC backends
OidcClientSecret string: Client Secret used for OIDC backends
OidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
Path string: Path to mount the JWT/OIDC auth backend
Tune AuthBackendTune
Type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

boundIssuer string: The value against which to match the iss claim in a JWT
defaultRole string: The default role to use if none is provided during login
description string: The description of the auth backend
jwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwtSupportedAlgs string[]: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys string[]: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidcClientId string: Client ID used for OIDC backends
oidcClientSecret string: Client Secret used for OIDC backends
oidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path string: Path to mount the JWT/OIDC auth backend
tune AuthBackendTune
type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

bound_issuer str: The value against which to match the iss claim in a JWT
default_role str: The default role to use if none is provided during login
description str: The description of the auth backend
jwks_ca_pem str: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url str: JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwt_supported_algs List[str]: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwt_validation_pubkeys List[str]: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidc_client_id str: Client ID used for OIDC backends
oidc_client_secret str: Client Secret used for OIDC backends
oidc_discovery_ca_pem str: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidc_discovery_url str: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path str: Path to mount the JWT/OIDC auth backend
tune Dict[AuthBackendTune]
type str: Type of auth backend. Should be one of jwt or oidc. Default - jwt

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:

Accessor string: The accessor of the JWT auth backend
Id string: The provider-assigned unique ID for this managed resource.

Accessor string: The accessor of the JWT auth backend
Id string: The provider-assigned unique ID for this managed resource.

accessor string: The accessor of the JWT auth backend
id string: The provider-assigned unique ID for this managed resource.

accessor str: The accessor of the JWT auth backend
id str: The provider-assigned unique ID for this managed resource.

Look up an Existing AuthBackend Resource

Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend

static get(resource_name, id, opts=None, accessor=None, bound_issuer=None, default_role=None, description=None, jwks_ca_pem=None, jwks_url=None, jwt_supported_algs=None, jwt_validation_pubkeys=None, oidc_client_id=None, oidc_client_secret=None, oidc_discovery_ca_pem=None, oidc_discovery_url=None, path=None, tune=None, type=None, __props__=None);

func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)

public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Accessor string: The accessor of the JWT auth backend
BoundIssuer string: The value against which to match the iss claim in a JWT
DefaultRole string: The default role to use if none is provided during login
Description string: The description of the auth backend
JwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
JwtSupportedAlgs List<string>: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys List<string>: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
OidcClientId string: Client ID used for OIDC backends
OidcClientSecret string: Client Secret used for OIDC backends
OidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
Path string: Path to mount the JWT/OIDC auth backend
Tune AuthBackendTuneArgs
Type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

Accessor string: The accessor of the JWT auth backend
BoundIssuer string: The value against which to match the iss claim in a JWT
DefaultRole string: The default role to use if none is provided during login
Description string: The description of the auth backend
JwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
JwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
JwtSupportedAlgs []string: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
JwtValidationPubkeys []string: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
OidcClientId string: Client ID used for OIDC backends
OidcClientSecret string: Client Secret used for OIDC backends
OidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
OidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
Path string: Path to mount the JWT/OIDC auth backend
Tune AuthBackendTune
Type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

accessor string: The accessor of the JWT auth backend
boundIssuer string: The value against which to match the iss claim in a JWT
defaultRole string: The default role to use if none is provided during login
description string: The description of the auth backend
jwksCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwksUrl string: JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwtSupportedAlgs string[]: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwtValidationPubkeys string[]: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidcClientId string: Client ID used for OIDC backends
oidcClientSecret string: Client Secret used for OIDC backends
oidcDiscoveryCaPem string: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidcDiscoveryUrl string: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path string: Path to mount the JWT/OIDC auth backend
tune AuthBackendTune
type string: Type of auth backend. Should be one of jwt or oidc. Default - jwt

accessor str: The accessor of the JWT auth backend
bound_issuer str: The value against which to match the iss claim in a JWT
default_role str: The default role to use if none is provided during login
description str: The description of the auth backend
jwks_ca_pem str: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
jwks_url str: JWKS URL to use to authenticate signatures. Cannot be used with “oidc_discovery_url” or “jwt_validation_pubkeys”.
jwt_supported_algs List[str]: A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
jwt_validation_pubkeys List[str]: A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
oidc_client_id str: Client ID used for OIDC backends
oidc_client_secret str: Client Secret used for OIDC backends
oidc_discovery_ca_pem str: The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
oidc_discovery_url str: The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
path str: Path to mount the JWT/OIDC auth backend
tune Dict[AuthBackendTune]
type str: Type of auth backend. Should be one of jwt or oidc. Default - jwt

Supporting Types

AuthBackendTune

See the input and output API doc for this type.

AllowedResponseHeaders List<string>: List of headers to whitelist and allowing a plugin to include them in the response.
AuditNonHmacRequestKeys List<string>: Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
AuditNonHmacResponseKeys List<string>: Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
DefaultLeaseTtl string: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
ListingVisibility string: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
MaxLeaseTtl string: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
PassthroughRequestHeaders List<string>: List of headers to whitelist and pass from the request to the backend.
TokenType string: Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.

AllowedResponseHeaders []string: List of headers to whitelist and allowing a plugin to include them in the response.
AuditNonHmacRequestKeys []string: Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
AuditNonHmacResponseKeys []string: Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
DefaultLeaseTtl string: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
ListingVisibility string: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
MaxLeaseTtl string: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
PassthroughRequestHeaders []string: List of headers to whitelist and pass from the request to the backend.
TokenType string: Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.

allowedResponseHeaders string[]: List of headers to whitelist and allowing a plugin to include them in the response.
auditNonHmacRequestKeys string[]: Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
auditNonHmacResponseKeys string[]: Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
defaultLeaseTtl string: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
listingVisibility string: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
maxLeaseTtl string: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
passthroughRequestHeaders string[]: List of headers to whitelist and pass from the request to the backend.
tokenType string: Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.

allowedResponseHeaders List[str]: List of headers to whitelist and allowing a plugin to include them in the response.
auditNonHmacRequestKeys List[str]: Specifies the list of keys that will not be HMAC’d by audit devices in the request data object.
auditNonHmacResponseKeys List[str]: Specifies the list of keys that will not be HMAC’d by audit devices in the response data object.
defaultLeaseTtl str: Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
listing_visibility str: Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are “unauth” or “hidden”.
maxLeaseTtl str: Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
passthroughRequestHeaders List[str]: List of headers to whitelist and pass from the request to the backend.
token_type str: Specifies the type of tokens that should be returned by the mount. Valid values are “default-service”, “default-batch”, “service”, “batch”.

Package Details

Repository: https://github.com/pulumi/pulumi-vault
License: Apache-2.0
Notes: This Pulumi package is based on the vault Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud