vault.jwt.AuthBackend
Explore with Pulumi AI
Provides a resource for managing an JWT auth backend within Vault.
Example Usage
Manage JWT auth backend:
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const example = new vault.jwt.AuthBackend("example", {
description: "Demonstration of the Terraform JWT auth backend",
path: "jwt",
oidcDiscoveryUrl: "https://myco.auth0.com/",
boundIssuer: "https://myco.auth0.com/",
});
import pulumi
import pulumi_vault as vault
example = vault.jwt.AuthBackend("example",
description="Demonstration of the Terraform JWT auth backend",
path="jwt",
oidc_discovery_url="https://myco.auth0.com/",
bound_issuer="https://myco.auth0.com/")
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := jwt.NewAuthBackend(ctx, "example", &jwt.AuthBackendArgs{
Description: pulumi.String("Demonstration of the Terraform JWT auth backend"),
Path: pulumi.String("jwt"),
OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
BoundIssuer: pulumi.String("https://myco.auth0.com/"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var example = new Vault.Jwt.AuthBackend("example", new()
{
Description = "Demonstration of the Terraform JWT auth backend",
Path = "jwt",
OidcDiscoveryUrl = "https://myco.auth0.com/",
BoundIssuer = "https://myco.auth0.com/",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new AuthBackend("example", AuthBackendArgs.builder()
.description("Demonstration of the Terraform JWT auth backend")
.path("jwt")
.oidcDiscoveryUrl("https://myco.auth0.com/")
.boundIssuer("https://myco.auth0.com/")
.build());
}
}
resources:
example:
type: vault:jwt:AuthBackend
properties:
description: Demonstration of the Terraform JWT auth backend
path: jwt
oidcDiscoveryUrl: https://myco.auth0.com/
boundIssuer: https://myco.auth0.com/
Manage OIDC auth backend:
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const example = new vault.jwt.AuthBackend("example", {
description: "Demonstration of the Terraform JWT auth backend",
path: "oidc",
type: "oidc",
oidcDiscoveryUrl: "https://myco.auth0.com/",
oidcClientId: "1234567890",
oidcClientSecret: "secret123456",
boundIssuer: "https://myco.auth0.com/",
tune: {
listingVisibility: "unauth",
},
});
import pulumi
import pulumi_vault as vault
example = vault.jwt.AuthBackend("example",
description="Demonstration of the Terraform JWT auth backend",
path="oidc",
type="oidc",
oidc_discovery_url="https://myco.auth0.com/",
oidc_client_id="1234567890",
oidc_client_secret="secret123456",
bound_issuer="https://myco.auth0.com/",
tune={
"listing_visibility": "unauth",
})
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := jwt.NewAuthBackend(ctx, "example", &jwt.AuthBackendArgs{
Description: pulumi.String("Demonstration of the Terraform JWT auth backend"),
Path: pulumi.String("oidc"),
Type: pulumi.String("oidc"),
OidcDiscoveryUrl: pulumi.String("https://myco.auth0.com/"),
OidcClientId: pulumi.String("1234567890"),
OidcClientSecret: pulumi.String("secret123456"),
BoundIssuer: pulumi.String("https://myco.auth0.com/"),
Tune: &jwt.AuthBackendTuneArgs{
ListingVisibility: pulumi.String("unauth"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var example = new Vault.Jwt.AuthBackend("example", new()
{
Description = "Demonstration of the Terraform JWT auth backend",
Path = "oidc",
Type = "oidc",
OidcDiscoveryUrl = "https://myco.auth0.com/",
OidcClientId = "1234567890",
OidcClientSecret = "secret123456",
BoundIssuer = "https://myco.auth0.com/",
Tune = new Vault.Jwt.Inputs.AuthBackendTuneArgs
{
ListingVisibility = "unauth",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import com.pulumi.vault.jwt.inputs.AuthBackendTuneArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new AuthBackend("example", AuthBackendArgs.builder()
.description("Demonstration of the Terraform JWT auth backend")
.path("oidc")
.type("oidc")
.oidcDiscoveryUrl("https://myco.auth0.com/")
.oidcClientId("1234567890")
.oidcClientSecret("secret123456")
.boundIssuer("https://myco.auth0.com/")
.tune(AuthBackendTuneArgs.builder()
.listingVisibility("unauth")
.build())
.build());
}
}
resources:
example:
type: vault:jwt:AuthBackend
properties:
description: Demonstration of the Terraform JWT auth backend
path: oidc
type: oidc
oidcDiscoveryUrl: https://myco.auth0.com/
oidcClientId: '1234567890'
oidcClientSecret: secret123456
boundIssuer: https://myco.auth0.com/
tune:
listingVisibility: unauth
Configuring the auth backend with a `provider_config:
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const gsuite = new vault.jwt.AuthBackend("gsuite", {
description: "OIDC backend",
oidcDiscoveryUrl: "https://accounts.google.com",
path: "oidc",
type: "oidc",
providerConfig: {
provider: "gsuite",
fetch_groups: "true",
fetch_user_info: "true",
groups_recurse_max_depth: "1",
},
});
import pulumi
import pulumi_vault as vault
gsuite = vault.jwt.AuthBackend("gsuite",
description="OIDC backend",
oidc_discovery_url="https://accounts.google.com",
path="oidc",
type="oidc",
provider_config={
"provider": "gsuite",
"fetch_groups": "true",
"fetch_user_info": "true",
"groups_recurse_max_depth": "1",
})
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := jwt.NewAuthBackend(ctx, "gsuite", &jwt.AuthBackendArgs{
Description: pulumi.String("OIDC backend"),
OidcDiscoveryUrl: pulumi.String("https://accounts.google.com"),
Path: pulumi.String("oidc"),
Type: pulumi.String("oidc"),
ProviderConfig: pulumi.StringMap{
"provider": pulumi.String("gsuite"),
"fetch_groups": pulumi.String("true"),
"fetch_user_info": pulumi.String("true"),
"groups_recurse_max_depth": pulumi.String("1"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var gsuite = new Vault.Jwt.AuthBackend("gsuite", new()
{
Description = "OIDC backend",
OidcDiscoveryUrl = "https://accounts.google.com",
Path = "oidc",
Type = "oidc",
ProviderConfig =
{
{ "provider", "gsuite" },
{ "fetch_groups", "true" },
{ "fetch_user_info", "true" },
{ "groups_recurse_max_depth", "1" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var gsuite = new AuthBackend("gsuite", AuthBackendArgs.builder()
.description("OIDC backend")
.oidcDiscoveryUrl("https://accounts.google.com")
.path("oidc")
.type("oidc")
.providerConfig(Map.ofEntries(
Map.entry("provider", "gsuite"),
Map.entry("fetch_groups", true),
Map.entry("fetch_user_info", true),
Map.entry("groups_recurse_max_depth", 1)
))
.build());
}
}
resources:
gsuite:
type: vault:jwt:AuthBackend
properties:
description: OIDC backend
oidcDiscoveryUrl: https://accounts.google.com
path: oidc
type: oidc
providerConfig:
provider: gsuite
fetch_groups: true
fetch_user_info: true
groups_recurse_max_depth: 1
Create AuthBackend Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AuthBackend(name: string, args?: AuthBackendArgs, opts?: CustomResourceOptions);
@overload
def AuthBackend(resource_name: str,
args: Optional[AuthBackendArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def AuthBackend(resource_name: str,
opts: Optional[ResourceOptions] = None,
bound_issuer: Optional[str] = None,
default_role: Optional[str] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
jwks_ca_pem: Optional[str] = None,
jwks_url: Optional[str] = None,
jwt_supported_algs: Optional[Sequence[str]] = None,
jwt_validation_pubkeys: Optional[Sequence[str]] = None,
local: Optional[bool] = None,
namespace: Optional[str] = None,
namespace_in_state: Optional[bool] = None,
oidc_client_id: Optional[str] = None,
oidc_client_secret: Optional[str] = None,
oidc_discovery_ca_pem: Optional[str] = None,
oidc_discovery_url: Optional[str] = None,
oidc_response_mode: Optional[str] = None,
oidc_response_types: Optional[Sequence[str]] = None,
path: Optional[str] = None,
provider_config: Optional[Mapping[str, str]] = None,
tune: Optional[AuthBackendTuneArgs] = None,
type: Optional[str] = None)
func NewAuthBackend(ctx *Context, name string, args *AuthBackendArgs, opts ...ResourceOption) (*AuthBackend, error)
public AuthBackend(string name, AuthBackendArgs? args = null, CustomResourceOptions? opts = null)
public AuthBackend(String name, AuthBackendArgs args)
public AuthBackend(String name, AuthBackendArgs args, CustomResourceOptions options)
type: vault:jwt:AuthBackend
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AuthBackendArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var exampleauthBackendResourceResourceFromJwtauthBackend = new Vault.Jwt.AuthBackend("exampleauthBackendResourceResourceFromJwtauthBackend", new()
{
BoundIssuer = "string",
DefaultRole = "string",
Description = "string",
DisableRemount = false,
JwksCaPem = "string",
JwksUrl = "string",
JwtSupportedAlgs = new[]
{
"string",
},
JwtValidationPubkeys = new[]
{
"string",
},
Local = false,
Namespace = "string",
NamespaceInState = false,
OidcClientId = "string",
OidcClientSecret = "string",
OidcDiscoveryCaPem = "string",
OidcDiscoveryUrl = "string",
OidcResponseMode = "string",
OidcResponseTypes = new[]
{
"string",
},
Path = "string",
ProviderConfig =
{
{ "string", "string" },
},
Tune = new Vault.Jwt.Inputs.AuthBackendTuneArgs
{
AllowedResponseHeaders = new[]
{
"string",
},
AuditNonHmacRequestKeys = new[]
{
"string",
},
AuditNonHmacResponseKeys = new[]
{
"string",
},
DefaultLeaseTtl = "string",
ListingVisibility = "string",
MaxLeaseTtl = "string",
PassthroughRequestHeaders = new[]
{
"string",
},
TokenType = "string",
},
Type = "string",
});
example, err := jwt.NewAuthBackend(ctx, "exampleauthBackendResourceResourceFromJwtauthBackend", &jwt.AuthBackendArgs{
BoundIssuer: pulumi.String("string"),
DefaultRole: pulumi.String("string"),
Description: pulumi.String("string"),
DisableRemount: pulumi.Bool(false),
JwksCaPem: pulumi.String("string"),
JwksUrl: pulumi.String("string"),
JwtSupportedAlgs: pulumi.StringArray{
pulumi.String("string"),
},
JwtValidationPubkeys: pulumi.StringArray{
pulumi.String("string"),
},
Local: pulumi.Bool(false),
Namespace: pulumi.String("string"),
NamespaceInState: pulumi.Bool(false),
OidcClientId: pulumi.String("string"),
OidcClientSecret: pulumi.String("string"),
OidcDiscoveryCaPem: pulumi.String("string"),
OidcDiscoveryUrl: pulumi.String("string"),
OidcResponseMode: pulumi.String("string"),
OidcResponseTypes: pulumi.StringArray{
pulumi.String("string"),
},
Path: pulumi.String("string"),
ProviderConfig: pulumi.StringMap{
"string": pulumi.String("string"),
},
Tune: &jwt.AuthBackendTuneArgs{
AllowedResponseHeaders: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacRequestKeys: pulumi.StringArray{
pulumi.String("string"),
},
AuditNonHmacResponseKeys: pulumi.StringArray{
pulumi.String("string"),
},
DefaultLeaseTtl: pulumi.String("string"),
ListingVisibility: pulumi.String("string"),
MaxLeaseTtl: pulumi.String("string"),
PassthroughRequestHeaders: pulumi.StringArray{
pulumi.String("string"),
},
TokenType: pulumi.String("string"),
},
Type: pulumi.String("string"),
})
var exampleauthBackendResourceResourceFromJwtauthBackend = new AuthBackend("exampleauthBackendResourceResourceFromJwtauthBackend", AuthBackendArgs.builder()
.boundIssuer("string")
.defaultRole("string")
.description("string")
.disableRemount(false)
.jwksCaPem("string")
.jwksUrl("string")
.jwtSupportedAlgs("string")
.jwtValidationPubkeys("string")
.local(false)
.namespace("string")
.namespaceInState(false)
.oidcClientId("string")
.oidcClientSecret("string")
.oidcDiscoveryCaPem("string")
.oidcDiscoveryUrl("string")
.oidcResponseMode("string")
.oidcResponseTypes("string")
.path("string")
.providerConfig(Map.of("string", "string"))
.tune(AuthBackendTuneArgs.builder()
.allowedResponseHeaders("string")
.auditNonHmacRequestKeys("string")
.auditNonHmacResponseKeys("string")
.defaultLeaseTtl("string")
.listingVisibility("string")
.maxLeaseTtl("string")
.passthroughRequestHeaders("string")
.tokenType("string")
.build())
.type("string")
.build());
exampleauth_backend_resource_resource_from_jwtauth_backend = vault.jwt.AuthBackend("exampleauthBackendResourceResourceFromJwtauthBackend",
bound_issuer="string",
default_role="string",
description="string",
disable_remount=False,
jwks_ca_pem="string",
jwks_url="string",
jwt_supported_algs=["string"],
jwt_validation_pubkeys=["string"],
local=False,
namespace="string",
namespace_in_state=False,
oidc_client_id="string",
oidc_client_secret="string",
oidc_discovery_ca_pem="string",
oidc_discovery_url="string",
oidc_response_mode="string",
oidc_response_types=["string"],
path="string",
provider_config={
"string": "string",
},
tune={
"allowed_response_headers": ["string"],
"audit_non_hmac_request_keys": ["string"],
"audit_non_hmac_response_keys": ["string"],
"default_lease_ttl": "string",
"listing_visibility": "string",
"max_lease_ttl": "string",
"passthrough_request_headers": ["string"],
"token_type": "string",
},
type="string")
const exampleauthBackendResourceResourceFromJwtauthBackend = new vault.jwt.AuthBackend("exampleauthBackendResourceResourceFromJwtauthBackend", {
boundIssuer: "string",
defaultRole: "string",
description: "string",
disableRemount: false,
jwksCaPem: "string",
jwksUrl: "string",
jwtSupportedAlgs: ["string"],
jwtValidationPubkeys: ["string"],
local: false,
namespace: "string",
namespaceInState: false,
oidcClientId: "string",
oidcClientSecret: "string",
oidcDiscoveryCaPem: "string",
oidcDiscoveryUrl: "string",
oidcResponseMode: "string",
oidcResponseTypes: ["string"],
path: "string",
providerConfig: {
string: "string",
},
tune: {
allowedResponseHeaders: ["string"],
auditNonHmacRequestKeys: ["string"],
auditNonHmacResponseKeys: ["string"],
defaultLeaseTtl: "string",
listingVisibility: "string",
maxLeaseTtl: "string",
passthroughRequestHeaders: ["string"],
tokenType: "string",
},
type: "string",
});
type: vault:jwt:AuthBackend
properties:
boundIssuer: string
defaultRole: string
description: string
disableRemount: false
jwksCaPem: string
jwksUrl: string
jwtSupportedAlgs:
- string
jwtValidationPubkeys:
- string
local: false
namespace: string
namespaceInState: false
oidcClientId: string
oidcClientSecret: string
oidcDiscoveryCaPem: string
oidcDiscoveryUrl: string
oidcResponseMode: string
oidcResponseTypes:
- string
path: string
providerConfig:
string: string
tune:
allowedResponseHeaders:
- string
auditNonHmacRequestKeys:
- string
auditNonHmacResponseKeys:
- string
defaultLeaseTtl: string
listingVisibility: string
maxLeaseTtl: string
passthroughRequestHeaders:
- string
tokenType: string
type: string
AuthBackend Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AuthBackend resource accepts the following input properties:
- Bound
Issuer string - The value against which to match the iss claim in a JWT
- Default
Role string - The default role to use if none is provided during login
- Description string
- The description of the auth backend
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Jwks
Ca stringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- Jwks
Url string - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- Jwt
Supported List<string>Algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- Jwt
Validation List<string>Pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Namespace
In boolState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- Oidc
Client stringId - Client ID used for OIDC backends
- Oidc
Client stringSecret - Client Secret used for OIDC backends
- Oidc
Discovery stringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- Oidc
Discovery stringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- Oidc
Response stringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - Oidc
Response List<string>Types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - Path string
- Path to mount the JWT/OIDC auth backend
- Provider
Config Dictionary<string, string> - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- Tune
Auth
Backend Tune - Type string
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- Bound
Issuer string - The value against which to match the iss claim in a JWT
- Default
Role string - The default role to use if none is provided during login
- Description string
- The description of the auth backend
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Jwks
Ca stringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- Jwks
Url string - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- Jwt
Supported []stringAlgs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- Jwt
Validation []stringPubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Namespace
In boolState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- Oidc
Client stringId - Client ID used for OIDC backends
- Oidc
Client stringSecret - Client Secret used for OIDC backends
- Oidc
Discovery stringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- Oidc
Discovery stringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- Oidc
Response stringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - Oidc
Response []stringTypes - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - Path string
- Path to mount the JWT/OIDC auth backend
- Provider
Config map[string]string - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- Tune
Auth
Backend Tune Args - Type string
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- bound
Issuer String - The value against which to match the iss claim in a JWT
- default
Role String - The default role to use if none is provided during login
- description String
- The description of the auth backend
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca StringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url String - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported List<String>Algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation List<String>Pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - namespace
In BooleanState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- oidc
Client StringId - Client ID used for OIDC backends
- oidc
Client StringSecret - Client Secret used for OIDC backends
- oidc
Discovery StringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery StringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc
Response StringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - oidc
Response List<String>Types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - path String
- Path to mount the JWT/OIDC auth backend
- provider
Config Map<String,String> - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune
Auth
Backend Tune - type String
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- bound
Issuer string - The value against which to match the iss claim in a JWT
- default
Role string - The default role to use if none is provided during login
- description string
- The description of the auth backend
- disable
Remount boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca stringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url string - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported string[]Algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation string[]Pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local boolean
- Specifies if the auth method is local only.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - namespace
In booleanState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- oidc
Client stringId - Client ID used for OIDC backends
- oidc
Client stringSecret - Client Secret used for OIDC backends
- oidc
Discovery stringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery stringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc
Response stringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - oidc
Response string[]Types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - path string
- Path to mount the JWT/OIDC auth backend
- provider
Config {[key: string]: string} - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune
Auth
Backend Tune - type string
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- bound_
issuer str - The value against which to match the iss claim in a JWT
- default_
role str - The default role to use if none is provided during login
- description str
- The description of the auth backend
- disable_
remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks_
ca_ strpem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks_
url str - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt_
supported_ Sequence[str]algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt_
validation_ Sequence[str]pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local bool
- Specifies if the auth method is local only.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - namespace_
in_ boolstate Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- oidc_
client_ strid - Client ID used for OIDC backends
- oidc_
client_ strsecret - Client Secret used for OIDC backends
- oidc_
discovery_ strca_ pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc_
discovery_ strurl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc_
response_ strmode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - oidc_
response_ Sequence[str]types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - path str
- Path to mount the JWT/OIDC auth backend
- provider_
config Mapping[str, str] - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune
Auth
Backend Tune Args - type str
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- bound
Issuer String - The value against which to match the iss claim in a JWT
- default
Role String - The default role to use if none is provided during login
- description String
- The description of the auth backend
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca StringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url String - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported List<String>Algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation List<String>Pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - namespace
In BooleanState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- oidc
Client StringId - Client ID used for OIDC backends
- oidc
Client StringSecret - Client Secret used for OIDC backends
- oidc
Discovery StringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery StringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc
Response StringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - oidc
Response List<String>Types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - path String
- Path to mount the JWT/OIDC auth backend
- provider
Config Map<String> - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune Property Map
- type String
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
Outputs
All input properties are implicitly available as output properties. Additionally, the AuthBackend resource produces the following output properties:
Look up Existing AuthBackend Resource
Get an existing AuthBackend resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AuthBackendState, opts?: CustomResourceOptions): AuthBackend
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
accessor: Optional[str] = None,
bound_issuer: Optional[str] = None,
default_role: Optional[str] = None,
description: Optional[str] = None,
disable_remount: Optional[bool] = None,
jwks_ca_pem: Optional[str] = None,
jwks_url: Optional[str] = None,
jwt_supported_algs: Optional[Sequence[str]] = None,
jwt_validation_pubkeys: Optional[Sequence[str]] = None,
local: Optional[bool] = None,
namespace: Optional[str] = None,
namespace_in_state: Optional[bool] = None,
oidc_client_id: Optional[str] = None,
oidc_client_secret: Optional[str] = None,
oidc_discovery_ca_pem: Optional[str] = None,
oidc_discovery_url: Optional[str] = None,
oidc_response_mode: Optional[str] = None,
oidc_response_types: Optional[Sequence[str]] = None,
path: Optional[str] = None,
provider_config: Optional[Mapping[str, str]] = None,
tune: Optional[AuthBackendTuneArgs] = None,
type: Optional[str] = None) -> AuthBackend
func GetAuthBackend(ctx *Context, name string, id IDInput, state *AuthBackendState, opts ...ResourceOption) (*AuthBackend, error)
public static AuthBackend Get(string name, Input<string> id, AuthBackendState? state, CustomResourceOptions? opts = null)
public static AuthBackend get(String name, Output<String> id, AuthBackendState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Accessor string
- The accessor for this auth method
- Bound
Issuer string - The value against which to match the iss claim in a JWT
- Default
Role string - The default role to use if none is provided during login
- Description string
- The description of the auth backend
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Jwks
Ca stringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- Jwks
Url string - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- Jwt
Supported List<string>Algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- Jwt
Validation List<string>Pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Namespace
In boolState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- Oidc
Client stringId - Client ID used for OIDC backends
- Oidc
Client stringSecret - Client Secret used for OIDC backends
- Oidc
Discovery stringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- Oidc
Discovery stringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- Oidc
Response stringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - Oidc
Response List<string>Types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - Path string
- Path to mount the JWT/OIDC auth backend
- Provider
Config Dictionary<string, string> - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- Tune
Auth
Backend Tune - Type string
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- Accessor string
- The accessor for this auth method
- Bound
Issuer string - The value against which to match the iss claim in a JWT
- Default
Role string - The default role to use if none is provided during login
- Description string
- The description of the auth backend
- Disable
Remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- Jwks
Ca stringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- Jwks
Url string - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- Jwt
Supported []stringAlgs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- Jwt
Validation []stringPubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- Local bool
- Specifies if the auth method is local only.
- Namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - Namespace
In boolState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- Oidc
Client stringId - Client ID used for OIDC backends
- Oidc
Client stringSecret - Client Secret used for OIDC backends
- Oidc
Discovery stringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- Oidc
Discovery stringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- Oidc
Response stringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - Oidc
Response []stringTypes - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - Path string
- Path to mount the JWT/OIDC auth backend
- Provider
Config map[string]string - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- Tune
Auth
Backend Tune Args - Type string
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- accessor String
- The accessor for this auth method
- bound
Issuer String - The value against which to match the iss claim in a JWT
- default
Role String - The default role to use if none is provided during login
- description String
- The description of the auth backend
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca StringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url String - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported List<String>Algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation List<String>Pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - namespace
In BooleanState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- oidc
Client StringId - Client ID used for OIDC backends
- oidc
Client StringSecret - Client Secret used for OIDC backends
- oidc
Discovery StringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery StringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc
Response StringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - oidc
Response List<String>Types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - path String
- Path to mount the JWT/OIDC auth backend
- provider
Config Map<String,String> - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune
Auth
Backend Tune - type String
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- accessor string
- The accessor for this auth method
- bound
Issuer string - The value against which to match the iss claim in a JWT
- default
Role string - The default role to use if none is provided during login
- description string
- The description of the auth backend
- disable
Remount boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca stringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url string - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported string[]Algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation string[]Pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local boolean
- Specifies if the auth method is local only.
- namespace string
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - namespace
In booleanState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- oidc
Client stringId - Client ID used for OIDC backends
- oidc
Client stringSecret - Client Secret used for OIDC backends
- oidc
Discovery stringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery stringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc
Response stringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - oidc
Response string[]Types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - path string
- Path to mount the JWT/OIDC auth backend
- provider
Config {[key: string]: string} - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune
Auth
Backend Tune - type string
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- accessor str
- The accessor for this auth method
- bound_
issuer str - The value against which to match the iss claim in a JWT
- default_
role str - The default role to use if none is provided during login
- description str
- The description of the auth backend
- disable_
remount bool - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks_
ca_ strpem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks_
url str - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt_
supported_ Sequence[str]algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt_
validation_ Sequence[str]pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local bool
- Specifies if the auth method is local only.
- namespace str
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - namespace_
in_ boolstate Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- oidc_
client_ strid - Client ID used for OIDC backends
- oidc_
client_ strsecret - Client Secret used for OIDC backends
- oidc_
discovery_ strca_ pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc_
discovery_ strurl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc_
response_ strmode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - oidc_
response_ Sequence[str]types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - path str
- Path to mount the JWT/OIDC auth backend
- provider_
config Mapping[str, str] - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune
Auth
Backend Tune Args - type str
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
- accessor String
- The accessor for this auth method
- bound
Issuer String - The value against which to match the iss claim in a JWT
- default
Role String - The default role to use if none is provided during login
- description String
- The description of the auth backend
- disable
Remount Boolean - If set, opts out of mount migration on path updates. See here for more info on Mount Migration
- jwks
Ca StringPem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.
- jwks
Url String - JWKS URL to use to authenticate signatures. Cannot be used with "oidc_discovery_url" or "jwt_validation_pubkeys".
- jwt
Supported List<String>Algs - A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
- jwt
Validation List<String>Pubkeys - A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with
oidc_discovery_url
- local Boolean
- Specifies if the auth method is local only.
- namespace String
- The namespace to provision the resource in.
The value should not contain leading or trailing forward slashes.
The
namespace
is always relative to the provider's configured namespace. Available only for Vault Enterprise. - namespace
In BooleanState Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
- tune - (Optional) Extra configuration block. Structure is documented below.
The
tune
block is used to tune the auth backend:- oidc
Client StringId - Client ID used for OIDC backends
- oidc
Client StringSecret - Client Secret used for OIDC backends
- oidc
Discovery StringCa Pem - The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
- oidc
Discovery StringUrl - The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with
jwt_validation_pubkeys
- oidc
Response StringMode - The response mode to be used in the OAuth2 request. Allowed values are
query
andform_post
. Defaults toquery
. If using Vault namespaces, andoidc_response_mode
isform_post
, thennamespace_in_state
should be set tofalse
. - oidc
Response List<String>Types - List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to
["code"]
. Note:id_token
may only be used ifoidc_response_mode
is set toform_post
. - path String
- Path to mount the JWT/OIDC auth backend
- provider
Config Map<String> - Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.
- tune Property Map
- type String
- Type of auth backend. Should be one of
jwt
oroidc
. Default -jwt
Supporting Types
AuthBackendTune, AuthBackendTuneArgs
- Allowed
Response List<string>Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- Audit
Non List<string>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non List<string>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease stringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- Max
Lease stringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- Passthrough
Request List<string>Headers - List of headers to whitelist and pass from the request to the backend.
- Token
Type string - Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- Allowed
Response []stringHeaders - List of headers to whitelist and allowing a plugin to include them in the response.
- Audit
Non []stringHmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- Audit
Non []stringHmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- Default
Lease stringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- Listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- Max
Lease stringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- Passthrough
Request []stringHeaders - List of headers to whitelist and pass from the request to the backend.
- Token
Type string - Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- allowed
Response List<String>Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease StringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease StringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request List<String>Headers - List of headers to whitelist and pass from the request to the backend.
- token
Type String - Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- allowed
Response string[]Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non string[]Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non string[]Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease stringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility string - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease stringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request string[]Headers - List of headers to whitelist and pass from the request to the backend.
- token
Type string - Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- allowed_
response_ Sequence[str]headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit_
non_ Sequence[str]hmac_ request_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit_
non_ Sequence[str]hmac_ response_ keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default_
lease_ strttl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing_
visibility str - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max_
lease_ strttl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough_
request_ Sequence[str]headers - List of headers to whitelist and pass from the request to the backend.
- token_
type str - Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
- allowed
Response List<String>Headers - List of headers to whitelist and allowing a plugin to include them in the response.
- audit
Non List<String>Hmac Request Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
- audit
Non List<String>Hmac Response Keys - Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
- default
Lease StringTtl - Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string
- listing
Visibility String - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
- max
Lease StringTtl - Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string
- passthrough
Request List<String>Headers - List of headers to whitelist and pass from the request to the backend.
- token
Type String - Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".
Import
JWT auth backend can be imported using the path
, e.g.
$ pulumi import vault:jwt/authBackend:AuthBackend oidc oidc
or
$ pulumi import vault:jwt/authBackend:AuthBackend jwt jwt
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Vault pulumi/pulumi-vault
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
vault
Terraform Provider.