vault.gcp.AuthBackend
Explore with Pulumi AI
Provides a resource to configure the GCP auth backend within Vault.
Example Usage
You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const gcp = new vault.gcp.AuthBackend("gcp", {
identityTokenKey: "example-key",
identityTokenTtl: 1800,
identityTokenAudience: "<TOKEN_AUDIENCE>",
serviceAccountEmail: "<SERVICE_ACCOUNT_EMAIL>",
});
import pulumi
import pulumi_vault as vault
gcp = vault.gcp.AuthBackend("gcp",
identity_token_key="example-key",
identity_token_ttl=1800,
identity_token_audience="<TOKEN_AUDIENCE>",
service_account_email="<SERVICE_ACCOUNT_EMAIL>")
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gcp.NewAuthBackend(ctx, "gcp", &gcp.AuthBackendArgs{
IdentityTokenKey: pulumi.String("example-key"),
IdentityTokenTtl: pulumi.Int(1800),
IdentityTokenAudience: pulumi.String("<TOKEN_AUDIENCE>"),
ServiceAccountEmail: pulumi.String("<SERVICE_ACCOUNT_EMAIL>"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var gcp = new Vault.Gcp.AuthBackend("gcp", new()
{
IdentityTokenKey = "example-key",
IdentityTokenTtl = 1800,
IdentityTokenAudience = "<TOKEN_AUDIENCE>",
ServiceAccountEmail = "<SERVICE_ACCOUNT_EMAIL>",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.AuthBackend;
import com.pulumi.vault.gcp.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gcp = new AuthBackend("gcp", AuthBackendArgs.builder()
.identityTokenKey("example-key")
.identityTokenTtl(1800)
.identityTokenAudience("<TOKEN_AUDIENCE>")
.serviceAccountEmail("<SERVICE_ACCOUNT_EMAIL>")
.build());
}
}
resources:
gcp:
type: vault:gcp:AuthBackend
properties:
identityTokenKey: example-key
identityTokenTtl: 1800
identityTokenAudience: <TOKEN_AUDIENCE>
serviceAccountEmail: <SERVICE_ACCOUNT_EMAIL>
Create AuthBackend Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);
@overload
def AuthBackend(resource_name: str,
args: Optional[AuthBackendArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def AuthBackend(resource_name: str,
opts: Optional[ResourceOptions] = None,
client_email: Optional[str] = None,
client_id: Optional[str] = None,
credentials: Optional[str] = None,
custom_endpoint: Optional[AuthBackendCustomEndpointArgs] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
identity_token_audience: Optional[str] = None,
identity_token_key: Optional[str] = None,
identity_token_ttl: Optional[int] = None,
local: Optional[bool] = None,
namespace: Optional[str] = None,
path: Optional[str] = None,
private_key_id: Optional[str] = None,
project_id: Optional[str] = None,
service_account_email: Optional[str] = None,
tune: Optional[AuthBackendTuneArgs] = None)
func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)
public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)
public AuthBackend(String name, AuthBackendArgs args)
public AuthBackend(String name, AuthBackendArgs args, CustomResourceOptions options)
type: vault:gcp:AuthBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var authBackendResource = new Vault.Gcp.AuthBackend("authBackendResource", new()
{
ClientEmail = "string",
ClientId = "string",
Credentials = "string",
CustomEndpoint = new Vault.Gcp.Inputs.AuthBackendCustomEndpointArgs
{
Api = "string",
Compute = "string",
Crm = "string",
Iam = "string",
},
Description = "string",
DisableRemount = false,
IdentityTokenAudience = "string",
IdentityTokenKey = "string",
IdentityTokenTtl = 0,
Local = false,
Namespace = "string",
Path = "string",
PrivateKeyId = "string",
ProjectId = "string",
ServiceAccountEmail = "string",
Tune = new Vault.Gcp.Inputs.AuthBackendTuneArgs
{
AllowedResponseHeaders = new[]
{
"string",
},
AuditNonHmacRequestKeys = new[]
{
"string",
},
AuditNonHmacResponseKeys = new[]
{
"string",
},
DefaultLeaseTtl = "string",
ListingVisibility = "string",
MaxLeaseTtl = "string",
PassthroughRequestHeaders = new[]
{
"string",
},
TokenType = "string",
},
});
example, err := gcp.NewAuthBackend(ctx, "authBackendResource", &gcp.AuthBackendArgs{
ClientEmail: pulumi.String("string"),
ClientId: pulumi.String("string"),
Credentials: pulumi.String("string"),
CustomEndpoint: &gcp.AuthBackendCustomEndpointArgs{
Api: pulumi.String("string"),
Compute: pulumi.String("string"),
Crm: pulumi.String("string"),
Iam: pulumi.String("string"),
},
Description: pulumi.String("string"),
DisableRemount: pulumi.Bool(false),
IdentityTokenAudience: pulumi.String("string"),
IdentityTokenKey: pulumi.String("string"),
IdentityTokenTtl: pulumi.Int(0),
Local: pulumi.Bool(false),
Namespace: pulumi.String("string"),
Path: pulumi.String("string"),
PrivateKeyId: pulumi.String("string"),
ProjectId: pulumi.String("string"),
ServiceAccountEmail: pulumi.String("string"),
Tune: &gcp.AuthBackendTuneArgs{
AllowedResponseHeaders: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacRequestKeys: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacResponseKeys: pulumi.StringArray{
pulumi.String("string"),
},
DefaultLeaseTtl: pulumi.String("string"),
ListingVisibility: pulumi.String("string"),
MaxLeaseTtl: pulumi.String("string"),
PassthroughRequestHeaders: pulumi.StringArray{
pulumi.String("string"),
},
TokenType: pulumi.String("string"),
},
})
var authBackendResource = new AuthBackend("authBackendResource", AuthBackendArgs.builder()
.clientEmail("string")
.clientId("string")
.credentials("string")
.customEndpoint(AuthBackendCustomEndpointArgs.builder()
.api("string")
.compute("string")
.crm("string")
.iam("string")
.build())
.description("string")
.disableRemount(false)
.identityTokenAudience("string")
.identityTokenKey("string")
.identityTokenTtl(0)
.local(false)
.namespace("string")
.path("string")
.privateKeyId("string")
.projectId("string")
.serviceAccountEmail("string")
.tune(AuthBackendTuneArgs.builder()
.allowedResponseHeaders("string")
.auditNonHmacRequestKeys("string")
.auditNonHmacResponseKeys("string")
.defaultLeaseTtl("string")
.listingVisibility("string")
.maxLeaseTtl("string")
.passthroughRequestHeaders("string")
.tokenType("string")
.build())
.build());
auth_backend_resource = vault.gcp.AuthBackend("authBackendResource",
client_email="string",
client_id="string",
credentials="string",
custom_endpoint={
"api": "string",
"compute": "string",
"crm": "string",
"iam": "string",
},
description="string",
disable_remount=False,
identity_token_audience="string",
identity_token_key="string",
identity_token_ttl=0,
local=False,
namespace="string",
path="string",
private_key_id="string",
project_id="string",
service_account_email="string",
tune={
"allowed_response_headers": ["string"],
"audit_non_hmac_request_keys": ["string"],
"audit_non_hmac_response_keys": ["string"],
"default_lease_ttl": "string",
"listing_visibility": "string",
"max_lease_ttl": "string",
"passthrough_request_headers": ["string"],
"token_type": "string",
})
const authBackendResource = new vault.gcp.AuthBackend("authBackendResource", {
clientEmail: "string",
clientId: "string",
credentials: "string",
customEndpoint: {
api: "string",
compute: "string",
crm: "string",
iam: "string",
},
description: "string",
disableRemount: false,
identityTokenAudience: "string",
identityTokenKey: "string",
identityTokenTtl: 0,
local: false,
namespace: "string",
path: "string",
privateKeyId: "string",
projectId: "string",
serviceAccountEmail: "string",
tune: {
allowedResponseHeaders: ["string"],
auditNonHmacRequestKeys: ["string"],
auditNonHmacResponseKeys: ["string"],
defaultLeaseTtl: "string",
listingVisibility: "string",
maxLeaseTtl: "string",
passthroughRequestHeaders: ["string"],
tokenType: "string",
},
});
type: vault:gcp:AuthBackend
properties:
clientEmail: string
clientId: string
credentials: string
customEndpoint:
api: string
compute: string
crm: string
iam: string
description: string
disableRemount: false
identityTokenAudience: string
identityTokenKey: string
identityTokenTtl: 0
local: false
namespace: string
path: string
privateKeyId: string
projectId: string
serviceAccountEmail: string
tune:
allowedResponseHeaders:
- string
auditNonHmacRequestKeys:
- string
auditNonHmacResponseKeys:
- string
defaultLeaseTtl: string
listingVisibility: string
maxLeaseTtl: string
passthroughRequestHeaders:
- string
tokenType: string
AuthBackend Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AuthBackend resource accepts the following input properties:
- Client
Email string - The clients email associated with the credentials
- Client
Id string - The Client ID of the credentials
- Credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- Custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- Description string
- A description of the auth method.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Identity
Token stringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - Identity
Token stringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- Identity
Token intTtl - The TTL of generated tokens.
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Path string
- The path to mount the auth method — this defaults to 'gcp'.
- Private
Key stringId - The ID of the private key from the credentials
- Project
Id string - The GCP Project ID
- Service
Account stringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - Tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- Client
Email string - The clients email associated with the credentials
- Client
Id string - The Client ID of the credentials
- Credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- Custom
Endpoint AuthBackend Custom Endpoint Args Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- Description string
- A description of the auth method.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Identity
Token stringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - Identity
Token stringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- Identity
Token intTtl - The TTL of generated tokens.
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Path string
- The path to mount the auth method — this defaults to 'gcp'.
- Private
Key stringId - The ID of the private key from the credentials
- Project
Id string - The GCP Project ID
- Service
Account stringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - Tune
Auth
Backend Tune Args Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- client
Email String - The clients email associated with the credentials
- client
Id String - The Client ID of the credentials
- credentials String
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description String
- A description of the auth method.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- identity
Token StringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - identity
Token StringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- identity
Token IntegerTtl - The TTL of generated tokens.
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - path String
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key StringId - The ID of the private key from the credentials
- project
Id String - The GCP Project ID
- service
Account StringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- client
Email string - The clients email associated with the credentials
- client
Id string - The Client ID of the credentials
- credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description string
- A description of the auth method.
- disable
Remount boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- identity
Token stringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - identity
Token stringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- identity
Token numberTtl - The TTL of generated tokens.
- local boolean
- Specifies if the auth method is local only.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - path string
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key stringId - The ID of the private key from the credentials
- project
Id string - The GCP Project ID
- service
Account stringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- client_
email str - The clients email associated with the credentials
- client_
id str - The Client ID of the credentials
- credentials str
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom_
endpoint AuthBackend Custom Endpoint Args Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description str
- A description of the auth method.
- disable_
remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- identity_
token_ straudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - identity_
token_ strkey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- identity_
token_ intttl - The TTL of generated tokens.
- local bool
- Specifies if the auth method is local only.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - path str
- The path to mount the auth method — this defaults to 'gcp'.
- private_
key_ strid - The ID of the private key from the credentials
- project_
id str - The GCP Project ID
- service_
account_ stremail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - tune
Auth
Backend Tune Args Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- client
Email String - The clients email associated with the credentials
- client
Id String - The Client ID of the credentials
- credentials String
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint Property Map Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description String
- A description of the auth method.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- identity
Token StringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - identity
Token StringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- identity
Token NumberTtl - The TTL of generated tokens.
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - path String
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key StringId - The ID of the private key from the credentials
- project
Id String - The GCP Project ID
- service
Account StringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - tune Property Map
Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
Outputs
All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:
- Accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- Id string
- The provider-assigned unique ID for this managed resource.
- Accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- Id string
- The provider-assigned unique ID for this managed resource.
- accessor String
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- id String
- The provider-assigned unique ID for this managed resource.
- accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- id string
- The provider-assigned unique ID for this managed resource.
- accessor str
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- id str
- The provider-assigned unique ID for this managed resource.
- accessor String
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing AuthBackend Resource
Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accessor: Optional[str] = None,
client_email: Optional[str] = None,
client_id: Optional[str] = None,
credentials: Optional[str] = None,
custom_endpoint: Optional[AuthBackendCustomEndpointArgs] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
identity_token_audience: Optional[str] = None,
identity_token_key: Optional[str] = None,
identity_token_ttl: Optional[int] = None,
local: Optional[bool] = None,
namespace: Optional[str] = None,
path: Optional[str] = None,
private_key_id: Optional[str] = None,
project_id: Optional[str] = None,
service_account_email: Optional[str] = None,
tune: Optional[AuthBackendTuneArgs] = None) -> AuthBackend
func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)
public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)
public static AuthBackend get(String name, Output<String> id, AuthBackendState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- Client
Email string - The clients email associated with the credentials
- Client
Id string - The Client ID of the credentials
- Credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- Custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- Description string
- A description of the auth method.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Identity
Token stringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - Identity
Token stringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- Identity
Token intTtl - The TTL of generated tokens.
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Path string
- The path to mount the auth method — this defaults to 'gcp'.
- Private
Key stringId - The ID of the private key from the credentials
- Project
Id string - The GCP Project ID
- Service
Account stringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - Tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- Accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- Client
Email string - The clients email associated with the credentials
- Client
Id string - The Client ID of the credentials
- Credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- Custom
Endpoint AuthBackend Custom Endpoint Args Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- Description string
- A description of the auth method.
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Identity
Token stringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - Identity
Token stringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- Identity
Token intTtl - The TTL of generated tokens.
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Path string
- The path to mount the auth method — this defaults to 'gcp'.
- Private
Key stringId - The ID of the private key from the credentials
- Project
Id string - The GCP Project ID
- Service
Account stringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - Tune
Auth
Backend Tune Args Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- accessor String
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- client
Email String - The clients email associated with the credentials
- client
Id String - The Client ID of the credentials
- credentials String
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description String
- A description of the auth method.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- identity
Token StringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - identity
Token StringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- identity
Token IntegerTtl - The TTL of generated tokens.
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - path String
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key StringId - The ID of the private key from the credentials
- project
Id String - The GCP Project ID
- service
Account StringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- accessor string
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- client
Email string - The clients email associated with the credentials
- client
Id string - The Client ID of the credentials
- credentials string
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint AuthBackend Custom Endpoint Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description string
- A description of the auth method.
- disable
Remount boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- identity
Token stringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - identity
Token stringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- identity
Token numberTtl - The TTL of generated tokens.
- local boolean
- Specifies if the auth method is local only.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - path string
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key stringId - The ID of the private key from the credentials
- project
Id string - The GCP Project ID
- service
Account stringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - tune
Auth
Backend Tune Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- accessor str
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- client_
email str - The clients email associated with the credentials
- client_
id str - The Client ID of the credentials
- credentials str
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom_
endpoint AuthBackend Custom Endpoint Args Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description str
- A description of the auth method.
- disable_
remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- identity_
token_ straudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - identity_
token_ strkey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- identity_
token_ intttl - The TTL of generated tokens.
- local bool
- Specifies if the auth method is local only.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - path str
- The path to mount the auth method — this defaults to 'gcp'.
- private_
key_ strid - The ID of the private key from the credentials
- project_
id str - The GCP Project ID
- service_
account_ stremail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - tune
Auth
Backend Tune Args Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
- accessor String
- The mount accessor related to the auth mount. It is useful for integration with Identity Secrets Engine.
- client
Email String - The clients email associated with the credentials
- client
Id String - The Client ID of the credentials
- credentials String
- A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
- custom
Endpoint Property Map Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+.
Overrides are set at the subdomain level using the following keys:
- description String
- A description of the auth method.
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- identity
Token StringAudience - The audience claim value for plugin identity
tokens. Must match an allowed audience configured for the target Workload Identity Pool.
Mutually exclusive with
credentials
. Requires Vault 1.17+. Available only for Vault Enterprise. - identity
Token StringKey - The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.
- identity
Token NumberTtl - The TTL of generated tokens.
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - path String
- The path to mount the auth method — this defaults to 'gcp'.
- private
Key StringId - The ID of the private key from the credentials
- project
Id String - The GCP Project ID
- service
Account StringEmail - Service Account to impersonate for plugin workload identity federation.
Required with
identity_token_audience
. Requires Vault 1.17+. Available only for Vault Enterprise. - tune Property Map
Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:
Supporting Types
AuthBackendCustomEndpoint, AuthBackendCustomEndpointArgs
- Api string
- Replaces the service endpoint used in API requests to
https://www.googleapis.com
. - Compute string
Replaces the service endpoint used in API requests to
https://compute.googleapis.com
.The endpoint value provided for a given key has the form of
scheme://host:port
. Thescheme://
and:port
portions of the endpoint value are optional.- Crm string
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com
. - Iam string
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com
.
- Api string
- Replaces the service endpoint used in API requests to
https://www.googleapis.com
. - Compute string
Replaces the service endpoint used in API requests to
https://compute.googleapis.com
.The endpoint value provided for a given key has the form of
scheme://host:port
. Thescheme://
and:port
portions of the endpoint value are optional.- Crm string
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com
. - Iam string
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com
.
- api String
- Replaces the service endpoint used in API requests to
https://www.googleapis.com
. - compute String
Replaces the service endpoint used in API requests to
https://compute.googleapis.com
.The endpoint value provided for a given key has the form of
scheme://host:port
. Thescheme://
and:port
portions of the endpoint value are optional.- crm String
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com
. - iam String
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com
.
- api string
- Replaces the service endpoint used in API requests to
https://www.googleapis.com
. - compute string
Replaces the service endpoint used in API requests to
https://compute.googleapis.com
.The endpoint value provided for a given key has the form of
scheme://host:port
. Thescheme://
and:port
portions of the endpoint value are optional.- crm string
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com
. - iam string
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com
.
- api str
- Replaces the service endpoint used in API requests to
https://www.googleapis.com
. - compute str
Replaces the service endpoint used in API requests to
https://compute.googleapis.com
.The endpoint value provided for a given key has the form of
scheme://host:port
. Thescheme://
and:port
portions of the endpoint value are optional.- crm str
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com
. - iam str
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com
.
- api String
- Replaces the service endpoint used in API requests to
https://www.googleapis.com
. - compute String
Replaces the service endpoint used in API requests to
https://compute.googleapis.com
.The endpoint value provided for a given key has the form of
scheme://host:port
. Thescheme://
and:port
portions of the endpoint value are optional.- crm String
- Replaces the service endpoint used in API requests to
https://cloudresourcemanager.googleapis.com
. - iam String
- Replaces the service endpoint used in API requests to
https://iam.googleapis.com
.
AuthBackendTune, AuthBackendTuneArgs
- Allowed
Response List<string>Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- Audit
Non List<string>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non List<string>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease stringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- Max
Lease stringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- Passthrough
Request List<string>Headers - List of headers to whitelist and pass from the request to the backend.
- Token
Type string Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- Allowed
Response []stringHeaders - List of headers to whitelist and allowing a plugin to include them in the response.
- Audit
Non []stringHmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease stringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- Max
Lease stringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- Passthrough
Request []stringHeaders - List of headers to whitelist and pass from the request to the backend.
- Token
Type string Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- allowed
Response List<String>Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease StringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease StringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request List<String>Headers - List of headers to whitelist and pass from the request to the backend.
- token
Type String Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- allowed
Response string[]Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non string[]Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease stringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease stringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request string[]Headers - List of headers to whitelist and pass from the request to the backend.
- token
Type string Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- allowed_
response_ Sequence[str]headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit_
non_ Sequence[str]hmac_ request_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default_
lease_ strttl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing_
visibility str - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max_
lease_ strttl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough_
request_ Sequence[str]headers - List of headers to whitelist and pass from the request to the backend.
- token_
type str Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
- allowed
Response List<String>Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease StringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease StringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request List<String>Headers - List of headers to whitelist and pass from the request to the backend.
- token
Type String Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
For more details on the usage of each argument consult the Vault GCP API documentation.
Import
GCP authentication backends can be imported using the backend name, e.g.
$ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vault
Terraform Provider.