Documentation ¶
Index ¶
- type AuthBackendConfig
- func (*AuthBackendConfig) ElementType() reflect.Type
- func (i *AuthBackendConfig) ToAuthBackendConfigOutput() AuthBackendConfigOutput
- func (i *AuthBackendConfig) ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput
- func (i *AuthBackendConfig) ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput
- func (i *AuthBackendConfig) ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput
- type AuthBackendConfigArgs
- type AuthBackendConfigArray
- type AuthBackendConfigArrayInput
- type AuthBackendConfigArrayOutput
- func (AuthBackendConfigArrayOutput) ElementType() reflect.Type
- func (o AuthBackendConfigArrayOutput) Index(i pulumi.IntInput) AuthBackendConfigOutput
- func (o AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput
- func (o AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutputWithContext(ctx context.Context) AuthBackendConfigArrayOutput
- type AuthBackendConfigInput
- type AuthBackendConfigMap
- type AuthBackendConfigMapInput
- type AuthBackendConfigMapOutput
- func (AuthBackendConfigMapOutput) ElementType() reflect.Type
- func (o AuthBackendConfigMapOutput) MapIndex(k pulumi.StringInput) AuthBackendConfigOutput
- func (o AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput
- func (o AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutputWithContext(ctx context.Context) AuthBackendConfigMapOutput
- type AuthBackendConfigOutput
- func (AuthBackendConfigOutput) ElementType() reflect.Type
- func (o AuthBackendConfigOutput) ToAuthBackendConfigOutput() AuthBackendConfigOutput
- func (o AuthBackendConfigOutput) ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput
- func (o AuthBackendConfigOutput) ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput
- func (o AuthBackendConfigOutput) ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput
- type AuthBackendConfigPtrInput
- type AuthBackendConfigPtrOutput
- func (o AuthBackendConfigPtrOutput) Elem() AuthBackendConfigOutput
- func (AuthBackendConfigPtrOutput) ElementType() reflect.Type
- func (o AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput
- func (o AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput
- type AuthBackendConfigState
- type AuthBackendRole
- func (*AuthBackendRole) ElementType() reflect.Type
- func (i *AuthBackendRole) ToAuthBackendRoleOutput() AuthBackendRoleOutput
- func (i *AuthBackendRole) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput
- func (i *AuthBackendRole) ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput
- func (i *AuthBackendRole) ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput
- type AuthBackendRoleArgs
- type AuthBackendRoleArray
- type AuthBackendRoleArrayInput
- type AuthBackendRoleArrayOutput
- func (AuthBackendRoleArrayOutput) ElementType() reflect.Type
- func (o AuthBackendRoleArrayOutput) Index(i pulumi.IntInput) AuthBackendRoleOutput
- func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput
- func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutputWithContext(ctx context.Context) AuthBackendRoleArrayOutput
- type AuthBackendRoleInput
- type AuthBackendRoleMap
- type AuthBackendRoleMapInput
- type AuthBackendRoleMapOutput
- func (AuthBackendRoleMapOutput) ElementType() reflect.Type
- func (o AuthBackendRoleMapOutput) MapIndex(k pulumi.StringInput) AuthBackendRoleOutput
- func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput
- func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutputWithContext(ctx context.Context) AuthBackendRoleMapOutput
- type AuthBackendRoleOutput
- func (AuthBackendRoleOutput) ElementType() reflect.Type
- func (o AuthBackendRoleOutput) ToAuthBackendRoleOutput() AuthBackendRoleOutput
- func (o AuthBackendRoleOutput) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput
- func (o AuthBackendRoleOutput) ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput
- func (o AuthBackendRoleOutput) ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput
- type AuthBackendRolePtrInput
- type AuthBackendRolePtrOutput
- func (o AuthBackendRolePtrOutput) Elem() AuthBackendRoleOutput
- func (AuthBackendRolePtrOutput) ElementType() reflect.Type
- func (o AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput
- func (o AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput
- type AuthBackendRoleState
- type LookupAuthBackendConfigArgs
- type LookupAuthBackendConfigOutputArgs
- type LookupAuthBackendConfigResult
- type LookupAuthBackendConfigResultOutput
- func (o LookupAuthBackendConfigResultOutput) Backend() pulumi.StringPtrOutput
- func (o LookupAuthBackendConfigResultOutput) DisableIssValidation() pulumi.BoolOutput
- func (o LookupAuthBackendConfigResultOutput) DisableLocalCaJwt() pulumi.BoolOutput
- func (LookupAuthBackendConfigResultOutput) ElementType() reflect.Type
- func (o LookupAuthBackendConfigResultOutput) Id() pulumi.StringOutput
- func (o LookupAuthBackendConfigResultOutput) Issuer() pulumi.StringOutput
- func (o LookupAuthBackendConfigResultOutput) KubernetesCaCert() pulumi.StringOutput
- func (o LookupAuthBackendConfigResultOutput) KubernetesHost() pulumi.StringOutput
- func (o LookupAuthBackendConfigResultOutput) PemKeys() pulumi.StringArrayOutput
- func (o LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutput() LookupAuthBackendConfigResultOutput
- func (o LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutputWithContext(ctx context.Context) LookupAuthBackendConfigResultOutput
- type LookupAuthBackendRoleArgs
- type LookupAuthBackendRoleOutputArgs
- type LookupAuthBackendRoleResult
- type LookupAuthBackendRoleResultOutput
- func (o LookupAuthBackendRoleResultOutput) Audience() pulumi.StringPtrOutput
- func (o LookupAuthBackendRoleResultOutput) Backend() pulumi.StringPtrOutput
- func (o LookupAuthBackendRoleResultOutput) BoundCidrs() pulumi.StringArrayOutput (deprecated)
- func (o LookupAuthBackendRoleResultOutput) BoundServiceAccountNames() pulumi.StringArrayOutput
- func (o LookupAuthBackendRoleResultOutput) BoundServiceAccountNamespaces() pulumi.StringArrayOutput
- func (LookupAuthBackendRoleResultOutput) ElementType() reflect.Type
- func (o LookupAuthBackendRoleResultOutput) Id() pulumi.StringOutput
- func (o LookupAuthBackendRoleResultOutput) MaxTtl() pulumi.IntPtrOutput (deprecated)
- func (o LookupAuthBackendRoleResultOutput) NumUses() pulumi.IntPtrOutput (deprecated)
- func (o LookupAuthBackendRoleResultOutput) Period() pulumi.IntPtrOutput (deprecated)
- func (o LookupAuthBackendRoleResultOutput) Policies() pulumi.StringArrayOutput (deprecated)
- func (o LookupAuthBackendRoleResultOutput) RoleName() pulumi.StringOutput
- func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutput() LookupAuthBackendRoleResultOutput
- func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutputWithContext(ctx context.Context) LookupAuthBackendRoleResultOutput
- func (o LookupAuthBackendRoleResultOutput) TokenBoundCidrs() pulumi.StringArrayOutput
- func (o LookupAuthBackendRoleResultOutput) TokenExplicitMaxTtl() pulumi.IntPtrOutput
- func (o LookupAuthBackendRoleResultOutput) TokenMaxTtl() pulumi.IntPtrOutput
- func (o LookupAuthBackendRoleResultOutput) TokenNoDefaultPolicy() pulumi.BoolPtrOutput
- func (o LookupAuthBackendRoleResultOutput) TokenNumUses() pulumi.IntPtrOutput
- func (o LookupAuthBackendRoleResultOutput) TokenPeriod() pulumi.IntPtrOutput
- func (o LookupAuthBackendRoleResultOutput) TokenPolicies() pulumi.StringArrayOutput
- func (o LookupAuthBackendRoleResultOutput) TokenTtl() pulumi.IntPtrOutput
- func (o LookupAuthBackendRoleResultOutput) TokenType() pulumi.StringPtrOutput
- func (o LookupAuthBackendRoleResultOutput) Ttl() pulumi.IntPtrOutput (deprecated)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuthBackendConfig ¶
// AuthBackendConfig manages a Kubernetes auth backend config in a Vault server.
type AuthBackendConfig struct {
	pulumi.CustomResourceState

	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrOutput `pulumi:"backend"`
	// Disable JWT issuer validation. Allows skipping ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`.
	// NOTE(review): when true, the issuer of presented JWTs is presumably not
	// compared against Issuer — confirm that is intended before enabling it.
	DisableIssValidation pulumi.BoolOutput `pulumi:"disableIssValidation"`
	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`.
	DisableLocalCaJwt pulumi.BoolOutput `pulumi:"disableLocalCaJwt"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrOutput `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrOutput `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	// NOTE(review): the TLS client described under KubernetesCaCert connects to
	// this address, so a URL value is presumably expected to use https — confirm.
	KubernetesHost pulumi.StringOutput `pulumi:"kubernetesHost"`
	// List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayOutput `pulumi:"pemKeys"`
	// A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	// NOTE(review): this is a bearer credential for the TokenReview API; confirm
	// it is handled as a secret in program inputs, state and outputs.
	TokenReviewerJwt pulumi.StringPtrOutput `pulumi:"tokenReviewerJwt"`
}
Manages a Kubernetes auth backend config in a Vault server. See the [Vault documentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more information.
## Example Usage
```go
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v4/go/vault" "github.com/pulumi/pulumi-vault/sdk/v4/go/vault/kubernetes" "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
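// main mounts a Kubernetes auth backend in Vault and then configures it with
// the Kubernetes API endpoint, its CA certificate and a token reviewer JWT.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Named authBackend rather than kubernetes: a local variable called
		// kubernetes would shadow the imported kubernetes package, and the
		// kubernetes.NewAuthBackendConfig call below would not compile.
		authBackend, err := vault.NewAuthBackend(ctx, "kubernetes", &vault.AuthBackendArgs{
			Type: pulumi.String("kubernetes"),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewAuthBackendConfig(ctx, "example", &kubernetes.AuthBackendConfigArgs{
			Backend: authBackend.Path,
			// https rather than http: the reviewer JWT is presented to this
			// endpoint, and KubernetesCaCert only has an effect on a TLS
			// connection.
			KubernetesHost:   pulumi.String("https://example.com:443"),
			KubernetesCaCert: pulumi.String("-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----"),
			// Sample value only. A real reviewer JWT is a credential: supply
			// it from secret configuration instead of a literal in source.
			TokenReviewerJwt: pulumi.String("ZXhhbXBsZQo="),
			Issuer:           pulumi.String("api"),
			// NOTE(review): with issuer validation disabled the Issuer set
			// above is presumably not enforced at login; drop this field if
			// the issuer is meant to be checked.
			DisableIssValidation: pulumi.Bool(true),
		})
		return err
	})
}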
```
## Import
Kubernetes authentication backend can be imported using the `path`, e.g.
```sh
$ pulumi import vault:kubernetes/authBackendConfig:AuthBackendConfig config auth/kubernetes/config
```
func GetAuthBackendConfig ¶
func GetAuthBackendConfig(ctx *pulumi.Context, name string, id pulumi.IDInput, state *AuthBackendConfigState, opts ...pulumi.ResourceOption) (*AuthBackendConfig, error)
GetAuthBackendConfig gets an existing AuthBackendConfig resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewAuthBackendConfig ¶
func NewAuthBackendConfig(ctx *pulumi.Context, name string, args *AuthBackendConfigArgs, opts ...pulumi.ResourceOption) (*AuthBackendConfig, error)
NewAuthBackendConfig registers a new resource with the given unique name, arguments, and options.
func (*AuthBackendConfig) ElementType ¶
func (*AuthBackendConfig) ElementType() reflect.Type
func (*AuthBackendConfig) ToAuthBackendConfigOutput ¶
func (i *AuthBackendConfig) ToAuthBackendConfigOutput() AuthBackendConfigOutput
func (*AuthBackendConfig) ToAuthBackendConfigOutputWithContext ¶
func (i *AuthBackendConfig) ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput
func (*AuthBackendConfig) ToAuthBackendConfigPtrOutput ¶
func (i *AuthBackendConfig) ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput
func (*AuthBackendConfig) ToAuthBackendConfigPtrOutputWithContext ¶
func (i *AuthBackendConfig) ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput
type AuthBackendConfigArgs ¶
// AuthBackendConfigArgs is the set of arguments for constructing an
// AuthBackendConfig resource.
type AuthBackendConfigArgs struct {
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// Disable JWT issuer validation. Allows skipping ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`.
	// NOTE(review): when true, the issuer of presented JWTs is presumably not
	// compared against Issuer — confirm that is intended before enabling it.
	DisableIssValidation pulumi.BoolPtrInput
	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`.
	DisableLocalCaJwt pulumi.BoolPtrInput
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrInput
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrInput
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	// NOTE(review): the TLS client described under KubernetesCaCert connects to
	// this address, so a URL value is presumably expected to use https — confirm.
	KubernetesHost pulumi.StringInput
	// List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayInput
	// A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	// NOTE(review): this is a bearer credential for the TokenReview API; pass
	// it as a secret input rather than a plain literal — confirm how the
	// provider stores it.
	TokenReviewerJwt pulumi.StringPtrInput
}
The set of arguments for constructing an AuthBackendConfig resource.
func (AuthBackendConfigArgs) ElementType ¶
func (AuthBackendConfigArgs) ElementType() reflect.Type
type AuthBackendConfigArray ¶
type AuthBackendConfigArray []AuthBackendConfigInput
func (AuthBackendConfigArray) ElementType ¶
func (AuthBackendConfigArray) ElementType() reflect.Type
func (AuthBackendConfigArray) ToAuthBackendConfigArrayOutput ¶
func (i AuthBackendConfigArray) ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput
func (AuthBackendConfigArray) ToAuthBackendConfigArrayOutputWithContext ¶
func (i AuthBackendConfigArray) ToAuthBackendConfigArrayOutputWithContext(ctx context.Context) AuthBackendConfigArrayOutput
type AuthBackendConfigArrayInput ¶
type AuthBackendConfigArrayInput interface { pulumi.Input ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput ToAuthBackendConfigArrayOutputWithContext(context.Context) AuthBackendConfigArrayOutput }
AuthBackendConfigArrayInput is an input type that accepts AuthBackendConfigArray and AuthBackendConfigArrayOutput values. You can construct a concrete instance of `AuthBackendConfigArrayInput` via:
AuthBackendConfigArray{ AuthBackendConfigArgs{...} }
type AuthBackendConfigArrayOutput ¶
type AuthBackendConfigArrayOutput struct{ *pulumi.OutputState }
func (AuthBackendConfigArrayOutput) ElementType ¶
func (AuthBackendConfigArrayOutput) ElementType() reflect.Type
func (AuthBackendConfigArrayOutput) Index ¶
func (o AuthBackendConfigArrayOutput) Index(i pulumi.IntInput) AuthBackendConfigOutput
func (AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutput ¶
func (o AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput
func (AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutputWithContext ¶
func (o AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutputWithContext(ctx context.Context) AuthBackendConfigArrayOutput
type AuthBackendConfigInput ¶
type AuthBackendConfigInput interface { pulumi.Input ToAuthBackendConfigOutput() AuthBackendConfigOutput ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput }
type AuthBackendConfigMap ¶
type AuthBackendConfigMap map[string]AuthBackendConfigInput
func (AuthBackendConfigMap) ElementType ¶
func (AuthBackendConfigMap) ElementType() reflect.Type
func (AuthBackendConfigMap) ToAuthBackendConfigMapOutput ¶
func (i AuthBackendConfigMap) ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput
func (AuthBackendConfigMap) ToAuthBackendConfigMapOutputWithContext ¶
func (i AuthBackendConfigMap) ToAuthBackendConfigMapOutputWithContext(ctx context.Context) AuthBackendConfigMapOutput
type AuthBackendConfigMapInput ¶
type AuthBackendConfigMapInput interface { pulumi.Input ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput ToAuthBackendConfigMapOutputWithContext(context.Context) AuthBackendConfigMapOutput }
AuthBackendConfigMapInput is an input type that accepts AuthBackendConfigMap and AuthBackendConfigMapOutput values. You can construct a concrete instance of `AuthBackendConfigMapInput` via:
AuthBackendConfigMap{ "key": AuthBackendConfigArgs{...} }
type AuthBackendConfigMapOutput ¶
type AuthBackendConfigMapOutput struct{ *pulumi.OutputState }
func (AuthBackendConfigMapOutput) ElementType ¶
func (AuthBackendConfigMapOutput) ElementType() reflect.Type
func (AuthBackendConfigMapOutput) MapIndex ¶
func (o AuthBackendConfigMapOutput) MapIndex(k pulumi.StringInput) AuthBackendConfigOutput
func (AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutput ¶
func (o AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput
func (AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutputWithContext ¶
func (o AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutputWithContext(ctx context.Context) AuthBackendConfigMapOutput
type AuthBackendConfigOutput ¶
type AuthBackendConfigOutput struct{ *pulumi.OutputState }
func (AuthBackendConfigOutput) ElementType ¶
func (AuthBackendConfigOutput) ElementType() reflect.Type
func (AuthBackendConfigOutput) ToAuthBackendConfigOutput ¶
func (o AuthBackendConfigOutput) ToAuthBackendConfigOutput() AuthBackendConfigOutput
func (AuthBackendConfigOutput) ToAuthBackendConfigOutputWithContext ¶
func (o AuthBackendConfigOutput) ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput
func (AuthBackendConfigOutput) ToAuthBackendConfigPtrOutput ¶
func (o AuthBackendConfigOutput) ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput
func (AuthBackendConfigOutput) ToAuthBackendConfigPtrOutputWithContext ¶
func (o AuthBackendConfigOutput) ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput
type AuthBackendConfigPtrInput ¶
type AuthBackendConfigPtrInput interface { pulumi.Input ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput }
type AuthBackendConfigPtrOutput ¶
type AuthBackendConfigPtrOutput struct{ *pulumi.OutputState }
func (AuthBackendConfigPtrOutput) Elem ¶ added in v4.6.0
func (o AuthBackendConfigPtrOutput) Elem() AuthBackendConfigOutput
func (AuthBackendConfigPtrOutput) ElementType ¶
func (AuthBackendConfigPtrOutput) ElementType() reflect.Type
func (AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutput ¶
func (o AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput
func (AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutputWithContext ¶
func (o AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput
type AuthBackendConfigState ¶
// AuthBackendConfigState carries the optional state properties that
// GetAuthBackendConfig accepts to qualify the lookup of an existing
// AuthBackendConfig resource.
type AuthBackendConfigState struct {
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// Disable JWT issuer validation. Allows skipping ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`.
	DisableIssValidation pulumi.BoolPtrInput
	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`.
	DisableLocalCaJwt pulumi.BoolPtrInput
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrInput
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrInput
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost pulumi.StringPtrInput
	// List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayInput
	// A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	// NOTE(review): this is a bearer credential for the TokenReview API; confirm
	// it is handled as a secret wherever this state is stored or logged.
	TokenReviewerJwt pulumi.StringPtrInput
}
func (AuthBackendConfigState) ElementType ¶
func (AuthBackendConfigState) ElementType() reflect.Type
type AuthBackendRole ¶
// AuthBackendRole manages a Kubernetes auth backend role in a Vault server.
type AuthBackendRole struct {
	pulumi.CustomResourceState

	// Audience claim to verify in the JWT.
	Audience pulumi.StringPtrOutput `pulumi:"audience"`
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrOutput `pulumi:"backend"`
	// If set, a list of
	// CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
	//
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs pulumi.StringArrayOutput `pulumi:"boundCidrs"`
	// List of service account names able to access this role. If set to `["*"]` all names are allowed; this and boundServiceAccountNamespaces cannot both be "*".
	// With a wildcard here, the namespace list is the only binding that limits
	// which service accounts can log in through this role.
	BoundServiceAccountNames pulumi.StringArrayOutput `pulumi:"boundServiceAccountNames"`
	// List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed; this and boundServiceAccountNames cannot both be set to "*".
	// With a wildcard here, the service account name list is the only binding
	// that limits which service accounts can log in through this role.
	BoundServiceAccountNamespaces pulumi.StringArrayOutput `pulumi:"boundServiceAccountNamespaces"`
	// The maximum allowed lifetime of tokens
	// issued using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl pulumi.IntPtrOutput `pulumi:"maxTtl"`
	// If set, puts a use-count
	// limitation on the issued token.
	//
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses pulumi.IntPtrOutput `pulumi:"numUses"`
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	//
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period pulumi.IntPtrOutput `pulumi:"period"`
	// An array of strings
	// specifying the policies to be set on tokens issued using this role.
	//
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies pulumi.StringArrayOutput `pulumi:"policies"`
	// Name of the role.
	RoleName pulumi.StringOutput `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayOutput `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrOutput `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrOutput `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrOutput `pulumi:"tokenNoDefaultPolicy"`
	// NOTE(review): the generated description for this field repeated the
	// token period text ("The period, if any, in number of seconds to set on
	// the token"). Judging by the deprecated NumUses field, which points to
	// `token_num_uses`, this is presumably the use-count limit placed on
	// issued tokens — confirm against the Vault documentation.
	TokenNumUses pulumi.IntPtrOutput `pulumi:"tokenNumUses"`
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrOutput `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayOutput `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrOutput `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrOutput `pulumi:"tokenType"`
	// The TTL period of tokens issued
	// using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl pulumi.IntPtrOutput `pulumi:"ttl"`
}
Manages a Kubernetes auth backend role in a Vault server. See the [Vault documentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more information.
## Example Usage
```go
package main
import (
"github.com/pulumi/pulumi-vault/sdk/v4/go/vault" "github.com/pulumi/pulumi-vault/sdk/v4/go/vault/kubernetes" "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
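// main mounts a Kubernetes auth backend in Vault and then defines a role on it
// that binds one service account in one namespace to a set of token policies.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Named authBackend rather than kubernetes: a local variable called
		// kubernetes would shadow the imported kubernetes package, and the
		// kubernetes.NewAuthBackendRole call below would not compile.
		authBackend, err := vault.NewAuthBackend(ctx, "kubernetes", &vault.AuthBackendArgs{
			Type: pulumi.String("kubernetes"),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewAuthBackendRole(ctx, "example", &kubernetes.AuthBackendRoleArgs{
			Backend:  authBackend.Path,
			RoleName: pulumi.String("example-role"),
			// Both bindings name a specific value instead of "*", so only the
			// "example" service account in the "example" namespace matches.
			BoundServiceAccountNames: pulumi.StringArray{
				pulumi.String("example"),
			},
			BoundServiceAccountNamespaces: pulumi.StringArray{
				pulumi.String("example"),
			},
			// Token lifetime in seconds.
			TokenTtl: pulumi.Int(3600),
			// Policies encoded onto every token issued through this role;
			// the names are illustrative, so list only what the bound
			// workload needs.
			TokenPolicies: pulumi.StringArray{
				pulumi.String("default"),
				pulumi.String("dev"),
				pulumi.String("prod"),
			},
			// Audience claim that the presented JWT is verified against.
			Audience: pulumi.String("vault"),
		})
		return err
	})
}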
```
## Import
Kubernetes auth backend role can be imported using the `path`, e.g.
```sh
$ pulumi import vault:kubernetes/authBackendRole:AuthBackendRole foo auth/kubernetes/role/foo
```
func GetAuthBackendRole ¶
func GetAuthBackendRole(ctx *pulumi.Context, name string, id pulumi.IDInput, state *AuthBackendRoleState, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)
GetAuthBackendRole gets an existing AuthBackendRole resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewAuthBackendRole ¶
func NewAuthBackendRole(ctx *pulumi.Context, name string, args *AuthBackendRoleArgs, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)
NewAuthBackendRole registers a new resource with the given unique name, arguments, and options.
func (*AuthBackendRole) ElementType ¶
func (*AuthBackendRole) ElementType() reflect.Type
func (*AuthBackendRole) ToAuthBackendRoleOutput ¶
func (i *AuthBackendRole) ToAuthBackendRoleOutput() AuthBackendRoleOutput
func (*AuthBackendRole) ToAuthBackendRoleOutputWithContext ¶
func (i *AuthBackendRole) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput
func (*AuthBackendRole) ToAuthBackendRolePtrOutput ¶
func (i *AuthBackendRole) ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput
func (*AuthBackendRole) ToAuthBackendRolePtrOutputWithContext ¶
func (i *AuthBackendRole) ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput
type AuthBackendRoleArgs ¶
// AuthBackendRoleArgs is the set of arguments for constructing an AuthBackendRole resource.
type AuthBackendRoleArgs struct {
	// Audience claim to verify in the JWT.
	// NOTE(review): this page does not say how the audience is treated when the
	// field is unset — confirm before relying on it being enforced.
	Audience pulumi.StringPtrInput
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// If set, a list of
	// CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
	//
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs pulumi.StringArrayInput
	// List of service account names able to access this role. If set to `["*"]`, all names are
	// allowed; this and boundServiceAccountNamespaces cannot both be "*".
	// With a wildcard here, the namespace list is the only service-account restriction left on the role.
	BoundServiceAccountNames pulumi.StringArrayInput
	// List of namespaces allowed to access this role. If set to `["*"]`, all namespaces are
	// allowed; this and boundServiceAccountNames cannot both be "*".
	// With a wildcard here, the name list is the only service-account restriction left on the role.
	BoundServiceAccountNamespaces pulumi.StringArrayInput
	// The maximum allowed lifetime of tokens
	// issued using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl pulumi.IntPtrInput
	// If set, puts a use-count
	// limitation on the issued token.
	//
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	//
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period pulumi.IntPtrInput
	// An array of strings
	// specifying the policies to be set on tokens issued using this role.
	//
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies pulumi.StringArrayInput
	// Name of the role.
	RoleName pulumi.StringInput
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// Use-count limitation on the issued token (the deprecated NumUses field names
	// `token_num_uses` as its replacement).
	// NOTE(review): the upstream text for this field described the token period
	// instead, which looks like a documentation mix-up with TokenPeriod.
	TokenNumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput
	// The TTL period of tokens issued
	// using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl pulumi.IntPtrInput
}
The set of arguments for constructing an AuthBackendRole resource.
func (AuthBackendRoleArgs) ElementType ¶
func (AuthBackendRoleArgs) ElementType() reflect.Type
type AuthBackendRoleArray ¶
type AuthBackendRoleArray []AuthBackendRoleInput
func (AuthBackendRoleArray) ElementType ¶
func (AuthBackendRoleArray) ElementType() reflect.Type
func (AuthBackendRoleArray) ToAuthBackendRoleArrayOutput ¶
func (i AuthBackendRoleArray) ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput
func (AuthBackendRoleArray) ToAuthBackendRoleArrayOutputWithContext ¶
func (i AuthBackendRoleArray) ToAuthBackendRoleArrayOutputWithContext(ctx context.Context) AuthBackendRoleArrayOutput
type AuthBackendRoleArrayInput ¶
type AuthBackendRoleArrayInput interface { pulumi.Input ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput ToAuthBackendRoleArrayOutputWithContext(context.Context) AuthBackendRoleArrayOutput }
AuthBackendRoleArrayInput is an input type that accepts AuthBackendRoleArray and AuthBackendRoleArrayOutput values. You can construct a concrete instance of `AuthBackendRoleArrayInput` via:
AuthBackendRoleArray{ AuthBackendRoleArgs{...} }
type AuthBackendRoleArrayOutput ¶
type AuthBackendRoleArrayOutput struct{ *pulumi.OutputState }
func (AuthBackendRoleArrayOutput) ElementType ¶
func (AuthBackendRoleArrayOutput) ElementType() reflect.Type
func (AuthBackendRoleArrayOutput) Index ¶
func (o AuthBackendRoleArrayOutput) Index(i pulumi.IntInput) AuthBackendRoleOutput
func (AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutput ¶
func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput
func (AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutputWithContext ¶
func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutputWithContext(ctx context.Context) AuthBackendRoleArrayOutput
type AuthBackendRoleInput ¶
type AuthBackendRoleInput interface { pulumi.Input ToAuthBackendRoleOutput() AuthBackendRoleOutput ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput }
type AuthBackendRoleMap ¶
type AuthBackendRoleMap map[string]AuthBackendRoleInput
func (AuthBackendRoleMap) ElementType ¶
func (AuthBackendRoleMap) ElementType() reflect.Type
func (AuthBackendRoleMap) ToAuthBackendRoleMapOutput ¶
func (i AuthBackendRoleMap) ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput
func (AuthBackendRoleMap) ToAuthBackendRoleMapOutputWithContext ¶
func (i AuthBackendRoleMap) ToAuthBackendRoleMapOutputWithContext(ctx context.Context) AuthBackendRoleMapOutput
type AuthBackendRoleMapInput ¶
type AuthBackendRoleMapInput interface { pulumi.Input ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput ToAuthBackendRoleMapOutputWithContext(context.Context) AuthBackendRoleMapOutput }
AuthBackendRoleMapInput is an input type that accepts AuthBackendRoleMap and AuthBackendRoleMapOutput values. You can construct a concrete instance of `AuthBackendRoleMapInput` via:
AuthBackendRoleMap{ "key": AuthBackendRoleArgs{...} }
type AuthBackendRoleMapOutput ¶
type AuthBackendRoleMapOutput struct{ *pulumi.OutputState }
func (AuthBackendRoleMapOutput) ElementType ¶
func (AuthBackendRoleMapOutput) ElementType() reflect.Type
func (AuthBackendRoleMapOutput) MapIndex ¶
func (o AuthBackendRoleMapOutput) MapIndex(k pulumi.StringInput) AuthBackendRoleOutput
func (AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutput ¶
func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput
func (AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutputWithContext ¶
func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutputWithContext(ctx context.Context) AuthBackendRoleMapOutput
type AuthBackendRoleOutput ¶
type AuthBackendRoleOutput struct{ *pulumi.OutputState }
func (AuthBackendRoleOutput) ElementType ¶
func (AuthBackendRoleOutput) ElementType() reflect.Type
func (AuthBackendRoleOutput) ToAuthBackendRoleOutput ¶
func (o AuthBackendRoleOutput) ToAuthBackendRoleOutput() AuthBackendRoleOutput
func (AuthBackendRoleOutput) ToAuthBackendRoleOutputWithContext ¶
func (o AuthBackendRoleOutput) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput
func (AuthBackendRoleOutput) ToAuthBackendRolePtrOutput ¶
func (o AuthBackendRoleOutput) ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput
func (AuthBackendRoleOutput) ToAuthBackendRolePtrOutputWithContext ¶
func (o AuthBackendRoleOutput) ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput
type AuthBackendRolePtrInput ¶
type AuthBackendRolePtrInput interface { pulumi.Input ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput }
type AuthBackendRolePtrOutput ¶
type AuthBackendRolePtrOutput struct{ *pulumi.OutputState }
func (AuthBackendRolePtrOutput) Elem ¶ added in v4.6.0
func (o AuthBackendRolePtrOutput) Elem() AuthBackendRoleOutput
func (AuthBackendRolePtrOutput) ElementType ¶
func (AuthBackendRolePtrOutput) ElementType() reflect.Type
func (AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutput ¶
func (o AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput
func (AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutputWithContext ¶
func (o AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput
type AuthBackendRoleState ¶
// AuthBackendRoleState holds the optional state properties that GetAuthBackendRole
// accepts to qualify the lookup of an existing AuthBackendRole resource.
type AuthBackendRoleState struct {
	// Audience claim to verify in the JWT.
	// NOTE(review): this page does not say how the audience is treated when the
	// field is unset — confirm before relying on it being enforced.
	Audience pulumi.StringPtrInput
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// If set, a list of
	// CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
	//
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs pulumi.StringArrayInput
	// List of service account names able to access this role. If set to `["*"]`, all names are
	// allowed; this and boundServiceAccountNamespaces cannot both be "*".
	// With a wildcard here, the namespace list is the only service-account restriction left on the role.
	BoundServiceAccountNames pulumi.StringArrayInput
	// List of namespaces allowed to access this role. If set to `["*"]`, all namespaces are
	// allowed; this and boundServiceAccountNames cannot both be "*".
	// With a wildcard here, the name list is the only service-account restriction left on the role.
	BoundServiceAccountNamespaces pulumi.StringArrayInput
	// The maximum allowed lifetime of tokens
	// issued using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl pulumi.IntPtrInput
	// If set, puts a use-count
	// limitation on the issued token.
	//
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	//
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period pulumi.IntPtrInput
	// An array of strings
	// specifying the policies to be set on tokens issued using this role.
	//
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies pulumi.StringArrayInput
	// Name of the role.
	RoleName pulumi.StringPtrInput
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// Use-count limitation on the issued token (the deprecated NumUses field names
	// `token_num_uses` as its replacement).
	// NOTE(review): the upstream text for this field described the token period
	// instead, which looks like a documentation mix-up with TokenPeriod.
	TokenNumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput
	// The TTL period of tokens issued
	// using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl pulumi.IntPtrInput
}
func (AuthBackendRoleState) ElementType ¶
func (AuthBackendRoleState) ElementType() reflect.Type
type LookupAuthBackendConfigArgs ¶
// LookupAuthBackendConfigArgs is a collection of arguments for invoking getAuthBackendConfig.
type LookupAuthBackendConfigArgs struct {
	// The unique name of the Kubernetes backend whose config is to be
	// retrieved. Defaults to "kubernetes".
	Backend *string `pulumi:"backend"`
	// NOTE(review): undocumented upstream. By name this concerns validation of the
	// JWT issuer (`iss`) claim; when validation is disabled the Issuer value would
	// presumably not be enforced — confirm against the Vault documentation.
	DisableIssValidation *bool `pulumi:"disableIssValidation"`
	// NOTE(review): undocumented upstream. By name this concerns use of a local CA
	// certificate and service account JWT by the backend — confirm against the
	// Vault documentation.
	DisableLocalCaJwt *bool `pulumi:"disableLocalCaJwt"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer *string `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert *string `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost *string `pulumi:"kubernetesHost"`
	// Optional list of PEM-formatted public keys or certificates used to verify the signatures of
	// Kubernetes service account JWTs. If a certificate is given, its public key will be extracted.
	// Not every installation of Kubernetes exposes these keys.
	PemKeys []string `pulumi:"pemKeys"`
}
A collection of arguments for invoking getAuthBackendConfig.
type LookupAuthBackendConfigOutputArgs ¶ added in v4.6.0
// LookupAuthBackendConfigOutputArgs is a collection of arguments for invoking getAuthBackendConfig.
type LookupAuthBackendConfigOutputArgs struct {
	// The unique name of the Kubernetes backend whose config is to be
	// retrieved. Defaults to "kubernetes".
	Backend pulumi.StringPtrInput `pulumi:"backend"`
	// NOTE(review): undocumented upstream. By name this concerns validation of the
	// JWT issuer (`iss`) claim; when validation is disabled the Issuer value would
	// presumably not be enforced — confirm against the Vault documentation.
	DisableIssValidation pulumi.BoolPtrInput `pulumi:"disableIssValidation"`
	// NOTE(review): undocumented upstream. By name this concerns use of a local CA
	// certificate and service account JWT by the backend — confirm against the
	// Vault documentation.
	DisableLocalCaJwt pulumi.BoolPtrInput `pulumi:"disableLocalCaJwt"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrInput `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrInput `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost pulumi.StringPtrInput `pulumi:"kubernetesHost"`
	// Optional list of PEM-formatted public keys or certificates used to verify the signatures of
	// Kubernetes service account JWTs. If a certificate is given, its public key will be extracted.
	// Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayInput `pulumi:"pemKeys"`
}
A collection of arguments for invoking getAuthBackendConfig.
func (LookupAuthBackendConfigOutputArgs) ElementType ¶ added in v4.6.0
func (LookupAuthBackendConfigOutputArgs) ElementType() reflect.Type
type LookupAuthBackendConfigResult ¶
// LookupAuthBackendConfigResult is a collection of values returned by getAuthBackendConfig.
type LookupAuthBackendConfigResult struct {
	// NOTE(review): undocumented upstream; presumably the backend name the config was read from.
	Backend *string `pulumi:"backend"`
	// NOTE(review): undocumented upstream. By name this reports whether validation
	// of the JWT issuer (`iss`) claim is turned off; if so the Issuer value below
	// would presumably not be enforced — confirm against the Vault documentation.
	DisableIssValidation bool `pulumi:"disableIssValidation"`
	// NOTE(review): undocumented upstream. By name this concerns use of a local CA
	// certificate and service account JWT by the backend — confirm against the
	// Vault documentation.
	DisableLocalCaJwt bool `pulumi:"disableLocalCaJwt"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer string `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert string `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost string `pulumi:"kubernetesHost"`
	// Optional list of PEM-formatted public keys or certificates used to verify the signatures of
	// Kubernetes service account JWTs. If a certificate is given, its public key will be extracted.
	// Not every installation of Kubernetes exposes these keys.
	PemKeys []string `pulumi:"pemKeys"`
}
A collection of values returned by getAuthBackendConfig.
func LookupAuthBackendConfig ¶
func LookupAuthBackendConfig(ctx *pulumi.Context, args *LookupAuthBackendConfigArgs, opts ...pulumi.InvokeOption) (*LookupAuthBackendConfigResult, error)
Reads the configuration of a Kubernetes auth backend from a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-config) for more information.
type LookupAuthBackendConfigResultOutput ¶ added in v4.6.0
type LookupAuthBackendConfigResultOutput struct{ *pulumi.OutputState }
A collection of values returned by getAuthBackendConfig.
func LookupAuthBackendConfigOutput ¶ added in v4.6.0
func LookupAuthBackendConfigOutput(ctx *pulumi.Context, args LookupAuthBackendConfigOutputArgs, opts ...pulumi.InvokeOption) LookupAuthBackendConfigResultOutput
func (LookupAuthBackendConfigResultOutput) Backend ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) Backend() pulumi.StringPtrOutput
func (LookupAuthBackendConfigResultOutput) DisableIssValidation ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) DisableIssValidation() pulumi.BoolOutput
func (LookupAuthBackendConfigResultOutput) DisableLocalCaJwt ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) DisableLocalCaJwt() pulumi.BoolOutput
func (LookupAuthBackendConfigResultOutput) ElementType ¶ added in v4.6.0
func (LookupAuthBackendConfigResultOutput) ElementType() reflect.Type
func (LookupAuthBackendConfigResultOutput) Id ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) Id() pulumi.StringOutput
The provider-assigned unique ID for this managed resource.
func (LookupAuthBackendConfigResultOutput) Issuer ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) Issuer() pulumi.StringOutput
Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
func (LookupAuthBackendConfigResultOutput) KubernetesCaCert ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) KubernetesCaCert() pulumi.StringOutput
PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
func (LookupAuthBackendConfigResultOutput) KubernetesHost ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) KubernetesHost() pulumi.StringOutput
Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
func (LookupAuthBackendConfigResultOutput) PemKeys ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) PemKeys() pulumi.StringArrayOutput
Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
func (LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutput ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutput() LookupAuthBackendConfigResultOutput
func (LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutputWithContext ¶ added in v4.6.0
func (o LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutputWithContext(ctx context.Context) LookupAuthBackendConfigResultOutput
type LookupAuthBackendRoleArgs ¶
// LookupAuthBackendRoleArgs is a collection of arguments for invoking getAuthBackendRole.
type LookupAuthBackendRoleArgs struct {
	// (Optional) Audience claim to verify in the JWT.
	Audience *string `pulumi:"audience"`
	// The unique name of the Kubernetes backend in which the role to
	// retrieve resides. Defaults to "kubernetes".
	Backend *string `pulumi:"backend"`
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs []string `pulumi:"boundCidrs"`
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl *int `pulumi:"maxTtl"`
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses *int `pulumi:"numUses"`
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period *int `pulumi:"period"`
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies []string `pulumi:"policies"`
	// The name of the role to retrieve the Role attributes for.
	RoleName string `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs []string `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl *int `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl *int `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `pulumi:"tokenNoDefaultPolicy"`
	// NOTE(review): the upstream text for this field described the token period,
	// which looks like a documentation mix-up with TokenPeriod. As the named
	// replacement for the deprecated NumUses this is presumably a use-count limit
	// on the issued token — confirm against the Vault documentation.
	TokenNumUses *int `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod *int `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies []string `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl *int `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType *string `pulumi:"tokenType"`
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl *int `pulumi:"ttl"`
}
A collection of arguments for invoking getAuthBackendRole.
type LookupAuthBackendRoleOutputArgs ¶ added in v4.6.0
// LookupAuthBackendRoleOutputArgs is a collection of arguments for invoking getAuthBackendRole.
type LookupAuthBackendRoleOutputArgs struct {
	// (Optional) Audience claim to verify in the JWT.
	Audience pulumi.StringPtrInput `pulumi:"audience"`
	// The unique name of the Kubernetes backend in which the role to
	// retrieve resides. Defaults to "kubernetes".
	Backend pulumi.StringPtrInput `pulumi:"backend"`
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs pulumi.StringArrayInput `pulumi:"boundCidrs"`
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl pulumi.IntPtrInput `pulumi:"maxTtl"`
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses pulumi.IntPtrInput `pulumi:"numUses"`
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period pulumi.IntPtrInput `pulumi:"period"`
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies pulumi.StringArrayInput `pulumi:"policies"`
	// The name of the role to retrieve the Role attributes for.
	RoleName pulumi.StringInput `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput `pulumi:"tokenNoDefaultPolicy"`
	// NOTE(review): the upstream text for this field described the token period,
	// which looks like a documentation mix-up with TokenPeriod. As the named
	// replacement for the deprecated NumUses this is presumably a use-count limit
	// on the issued token — confirm against the Vault documentation.
	TokenNumUses pulumi.IntPtrInput `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput `pulumi:"tokenType"`
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl pulumi.IntPtrInput `pulumi:"ttl"`
}
A collection of arguments for invoking getAuthBackendRole.
func (LookupAuthBackendRoleOutputArgs) ElementType ¶ added in v4.6.0
func (LookupAuthBackendRoleOutputArgs) ElementType() reflect.Type
type LookupAuthBackendRoleResult ¶
// LookupAuthBackendRoleResult is a collection of values returned by getAuthBackendRole.
type LookupAuthBackendRoleResult struct {
	// (Optional) Audience claim to verify in the JWT.
	Audience *string `pulumi:"audience"`
	// NOTE(review): undocumented upstream; presumably the backend name the role was read from.
	Backend *string `pulumi:"backend"`
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs []string `pulumi:"boundCidrs"`
	// List of service account names able to access this role. If set to "*", all names are
	// allowed; this and boundServiceAccountNamespaces cannot both be "*".
	BoundServiceAccountNames []string `pulumi:"boundServiceAccountNames"`
	// List of namespaces allowed to access this role. If set to "*", all namespaces are
	// allowed; this and boundServiceAccountNames cannot both be "*".
	BoundServiceAccountNamespaces []string `pulumi:"boundServiceAccountNamespaces"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl *int `pulumi:"maxTtl"`
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses *int `pulumi:"numUses"`
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period *int `pulumi:"period"`
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies []string `pulumi:"policies"`
	// NOTE(review): undocumented upstream; presumably the name of the role that was read.
	RoleName string `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs []string `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl *int `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl *int `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `pulumi:"tokenNoDefaultPolicy"`
	// NOTE(review): the upstream text for this field described the token period,
	// which looks like a documentation mix-up with TokenPeriod. As the named
	// replacement for the deprecated NumUses this is presumably a use-count limit
	// on the issued token — confirm against the Vault documentation.
	TokenNumUses *int `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod *int `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies []string `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl *int `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType *string `pulumi:"tokenType"`
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl *int `pulumi:"ttl"`
}
A collection of values returned by getAuthBackendRole.
func LookupAuthBackendRole ¶
func LookupAuthBackendRole(ctx *pulumi.Context, args *LookupAuthBackendRoleArgs, opts ...pulumi.InvokeOption) (*LookupAuthBackendRoleResult, error)
Reads a role of a Kubernetes auth backend from a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-role) for more information.
## Example Usage
```go package main
import (
"github.com/pulumi/pulumi-vault/sdk/v4/go/vault/kubernetes" "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that looks up the Kubernetes auth backend role
// "my-role" on the "my-kubernetes-backend" mount and exports its policy list
// as the stack output "policies".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Backend is passed by pointer, so the mount path needs an
		// addressable variable.
		backend := "my-kubernetes-backend"
		lookupArgs := &kubernetes.LookupAuthBackendRoleArgs{
			Backend:  &backend,
			RoleName: "my-role",
		}

		role, err := kubernetes.LookupAuthBackendRole(ctx, lookupArgs, nil)
		if err != nil {
			return err
		}

		// NOTE(review): this page marks the Policies output as deprecated in
		// favour of `token_policies` on Vault >= 1.2; confirm which field the
		// target Vault version populates before relying on this export.
		ctx.Export("policies", role.Policies)
		return nil
	})
}
```
type LookupAuthBackendRoleResultOutput ¶ added in v4.6.0
type LookupAuthBackendRoleResultOutput struct{ *pulumi.OutputState }
A collection of values returned by getAuthBackendRole.
func LookupAuthBackendRoleOutput ¶ added in v4.6.0
func LookupAuthBackendRoleOutput(ctx *pulumi.Context, args LookupAuthBackendRoleOutputArgs, opts ...pulumi.InvokeOption) LookupAuthBackendRoleResultOutput
func (LookupAuthBackendRoleResultOutput) Audience ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) Audience() pulumi.StringPtrOutput
(Optional) Audience claim to verify in the JWT.
func (LookupAuthBackendRoleResultOutput) Backend ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) Backend() pulumi.StringPtrOutput
func (LookupAuthBackendRoleResultOutput) BoundCidrs
deprecated
added in
v4.6.0
func (o LookupAuthBackendRoleResultOutput) BoundCidrs() pulumi.StringArrayOutput
Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
func (LookupAuthBackendRoleResultOutput) BoundServiceAccountNames ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) BoundServiceAccountNames() pulumi.StringArrayOutput
List of service account names able to access this role. If set to "*", all names are allowed; this and boundServiceAccountNamespaces cannot both be "*".
func (LookupAuthBackendRoleResultOutput) BoundServiceAccountNamespaces ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) BoundServiceAccountNamespaces() pulumi.StringArrayOutput
List of namespaces allowed to access this role. If set to "*", all namespaces are allowed; this and boundServiceAccountNames cannot both be set to "*".
func (LookupAuthBackendRoleResultOutput) ElementType ¶ added in v4.6.0
func (LookupAuthBackendRoleResultOutput) ElementType() reflect.Type
func (LookupAuthBackendRoleResultOutput) Id ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) Id() pulumi.StringOutput
The provider-assigned unique ID for this managed resource.
func (LookupAuthBackendRoleResultOutput) MaxTtl
deprecated
added in
v4.6.0
func (o LookupAuthBackendRoleResultOutput) MaxTtl() pulumi.IntPtrOutput
Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
func (LookupAuthBackendRoleResultOutput) NumUses
deprecated
added in
v4.6.0
func (o LookupAuthBackendRoleResultOutput) NumUses() pulumi.IntPtrOutput
Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
func (LookupAuthBackendRoleResultOutput) Period
deprecated
added in
v4.6.0
func (o LookupAuthBackendRoleResultOutput) Period() pulumi.IntPtrOutput
Deprecated: use `token_period` instead if you are running Vault >= 1.2
func (LookupAuthBackendRoleResultOutput) Policies
deprecated
added in
v4.6.0
func (o LookupAuthBackendRoleResultOutput) Policies() pulumi.StringArrayOutput
Deprecated: use `token_policies` instead if you are running Vault >= 1.2
func (LookupAuthBackendRoleResultOutput) RoleName ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) RoleName() pulumi.StringOutput
func (LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutput ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutput() LookupAuthBackendRoleResultOutput
func (LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutputWithContext ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutputWithContext(ctx context.Context) LookupAuthBackendRoleResultOutput
func (LookupAuthBackendRoleResultOutput) TokenBoundCidrs ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) TokenBoundCidrs() pulumi.StringArrayOutput
List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.
func (LookupAuthBackendRoleResultOutput) TokenExplicitMaxTtl ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) TokenExplicitMaxTtl() pulumi.IntPtrOutput
If set, will encode an [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) onto the token in number of seconds. This is a hard cap even if `tokenTtl` and `tokenMaxTtl` would otherwise allow a renewal.
func (LookupAuthBackendRoleResultOutput) TokenMaxTtl ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) TokenMaxTtl() pulumi.IntPtrOutput
The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
func (LookupAuthBackendRoleResultOutput) TokenNoDefaultPolicy ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) TokenNoDefaultPolicy() pulumi.BoolPtrOutput
If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.
func (LookupAuthBackendRoleResultOutput) TokenNumUses ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) TokenNumUses() pulumi.IntPtrOutput
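The [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), if any, in number of seconds to set on the token. Note: this text describes a token period rather than a use count and appears to be misplaced; in Vault, `token_num_uses` is the maximum number of times a generated token may be used within its lifetime, with 0 meaning unlimited.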
func (LookupAuthBackendRoleResultOutput) TokenPeriod ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) TokenPeriod() pulumi.IntPtrOutput
(Optional) If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.
func (LookupAuthBackendRoleResultOutput) TokenPolicies ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) TokenPolicies() pulumi.StringArrayOutput
List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.
func (LookupAuthBackendRoleResultOutput) TokenTtl ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) TokenTtl() pulumi.IntPtrOutput
The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.
func (LookupAuthBackendRoleResultOutput) TokenType ¶ added in v4.6.0
func (o LookupAuthBackendRoleResultOutput) TokenType() pulumi.StringPtrOutput
The type of token that should be generated. Can be `service`, `batch`, or `default` to use the mount's tuned default (which unless changed will be `service` tokens). For token store roles, there are two additional possibilities: `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time.
func (LookupAuthBackendRoleResultOutput) Ttl
deprecated
added in
v4.6.0
func (o LookupAuthBackendRoleResultOutput) Ttl() pulumi.IntPtrOutput
Deprecated: use `token_ttl` instead if you are running Vault >= 1.2