kubernetes

package
v4.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Nov 11, 2021 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthBackendConfig

// AuthBackendConfig manages a Kubernetes auth backend config in a Vault server.
type AuthBackendConfig struct {
	pulumi.CustomResourceState

	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrOutput `pulumi:"backend"`
	// Disable JWT issuer validation, i.e. skip the ISS check. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	// Security: enabling this removes the issuer check from JWT validation.
	// NOTE(review): the Issuer field presumably has no effect once this is true — confirm against the Vault documentation.
	DisableIssValidation pulumi.BoolOutput `pulumi:"disableIssValidation"`
	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableLocalCaJwt pulumi.BoolOutput `pulumi:"disableLocalCaJwt"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrOutput `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrOutput `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	// NOTE(review): when a URL is given, an https:// scheme is presumably intended, since
	// KubernetesCaCert configures a TLS client — confirm.
	KubernetesHost pulumi.StringOutput `pulumi:"kubernetesHost"`
	// List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayOutput `pulumi:"pemKeys"`
	// A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	// Security: this value is a credential for the Kubernetes API.
	// NOTE(review): supply it as a secret value rather than a plain literal so it is not
	// readable in program source or stack state — confirm how this provider version treats the field.
	TokenReviewerJwt pulumi.StringPtrOutput `pulumi:"tokenReviewerJwt"`
}

Manages a Kubernetes auth backend config in a Vault server. See the [Vault documentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more information.

## Example Usage

```go
package main

import (

"github.com/pulumi/pulumi-vault/sdk/v4/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v4/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

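// main declares a Kubernetes auth backend in Vault and then registers its
// configuration (API server address, CA certificate, reviewer JWT, issuer).
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Named kubernetesBackend rather than kubernetes: a local called kubernetes
		// shadows the imported kubernetes package, and the NewAuthBackendConfig
		// call below then fails to compile.
		kubernetesBackend, err := vault.NewAuthBackend(ctx, "kubernetes", &vault.AuthBackendArgs{
			Type: pulumi.String("kubernetes"),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewAuthBackendConfig(ctx, "example", &kubernetes.AuthBackendConfigArgs{
			Backend: kubernetesBackend.Path,
			// https, so that the TLS client configured by KubernetesCaCert is the one
			// carrying the reviewer JWT to the API server on port 443.
			KubernetesHost:   pulumi.String("https://example.com:443"),
			KubernetesCaCert: pulumi.String("-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----"),
			// Placeholder value. The reviewer JWT is a credential; in a real program
			// take it from secret configuration instead of a source literal.
			TokenReviewerJwt: pulumi.String("ZXhhbXBsZQo="),
			Issuer:           pulumi.String("api"),
			// This switches off the issuer check; omit the field to keep issuer
			// validation on. NOTE(review): Issuer above presumably has no effect
			// while this is true — confirm against the Vault documentation.
			DisableIssValidation: pulumi.Bool(true),
		})
		return err
	})
}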

```

## Import

Kubernetes authentication backend can be imported using the `path`, e.g.

```sh

$ pulumi import vault:kubernetes/authBackendConfig:AuthBackendConfig config auth/kubernetes/config

```

func GetAuthBackendConfig

func GetAuthBackendConfig(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AuthBackendConfigState, opts ...pulumi.ResourceOption) (*AuthBackendConfig, error)

GetAuthBackendConfig gets an existing AuthBackendConfig resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAuthBackendConfig

func NewAuthBackendConfig(ctx *pulumi.Context,
	name string, args *AuthBackendConfigArgs, opts ...pulumi.ResourceOption) (*AuthBackendConfig, error)

NewAuthBackendConfig registers a new resource with the given unique name, arguments, and options.

func (*AuthBackendConfig) ElementType

func (*AuthBackendConfig) ElementType() reflect.Type

func (*AuthBackendConfig) ToAuthBackendConfigOutput

func (i *AuthBackendConfig) ToAuthBackendConfigOutput() AuthBackendConfigOutput

func (*AuthBackendConfig) ToAuthBackendConfigOutputWithContext

func (i *AuthBackendConfig) ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput

func (*AuthBackendConfig) ToAuthBackendConfigPtrOutput

func (i *AuthBackendConfig) ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput

func (*AuthBackendConfig) ToAuthBackendConfigPtrOutputWithContext

func (i *AuthBackendConfig) ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput

type AuthBackendConfigArgs

// AuthBackendConfigArgs is the set of arguments for constructing an AuthBackendConfig resource.
type AuthBackendConfigArgs struct {
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// Disable JWT issuer validation, i.e. skip the ISS check. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	// Security: enabling this removes the issuer check from JWT validation.
	// NOTE(review): the Issuer field presumably has no effect once this is true — confirm against the Vault documentation.
	DisableIssValidation pulumi.BoolPtrInput
	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableLocalCaJwt pulumi.BoolPtrInput
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrInput
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrInput
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	// This is the only field here typed as a non-pointer input.
	// NOTE(review): when a URL is given, an https:// scheme is presumably intended, since
	// KubernetesCaCert configures a TLS client — confirm.
	KubernetesHost pulumi.StringInput
	// List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayInput
	// A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	// Security: this value is a credential for the Kubernetes API.
	// NOTE(review): supply it as a secret value rather than a plain literal so it is not
	// readable in program source or stack state — confirm how this provider version treats the field.
	TokenReviewerJwt pulumi.StringPtrInput
}

The set of arguments for constructing an AuthBackendConfig resource.

func (AuthBackendConfigArgs) ElementType

func (AuthBackendConfigArgs) ElementType() reflect.Type

type AuthBackendConfigArray

type AuthBackendConfigArray []AuthBackendConfigInput

func (AuthBackendConfigArray) ElementType

func (AuthBackendConfigArray) ElementType() reflect.Type

func (AuthBackendConfigArray) ToAuthBackendConfigArrayOutput

func (i AuthBackendConfigArray) ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput

func (AuthBackendConfigArray) ToAuthBackendConfigArrayOutputWithContext

func (i AuthBackendConfigArray) ToAuthBackendConfigArrayOutputWithContext(ctx context.Context) AuthBackendConfigArrayOutput

type AuthBackendConfigArrayInput

type AuthBackendConfigArrayInput interface {
	pulumi.Input

	ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput
	ToAuthBackendConfigArrayOutputWithContext(context.Context) AuthBackendConfigArrayOutput
}

AuthBackendConfigArrayInput is an input type that accepts AuthBackendConfigArray and AuthBackendConfigArrayOutput values. You can construct a concrete instance of `AuthBackendConfigArrayInput` via:

AuthBackendConfigArray{ AuthBackendConfigArgs{...} }

type AuthBackendConfigArrayOutput

type AuthBackendConfigArrayOutput struct{ *pulumi.OutputState }

func (AuthBackendConfigArrayOutput) ElementType

func (AuthBackendConfigArrayOutput) Index

func (AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutput

func (o AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput

func (AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutputWithContext

func (o AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutputWithContext(ctx context.Context) AuthBackendConfigArrayOutput

type AuthBackendConfigInput

// AuthBackendConfigInput is an input type for values that can be converted to
// an AuthBackendConfigOutput.
type AuthBackendConfigInput interface {
	pulumi.Input

	// ToAuthBackendConfigOutput returns the value as an AuthBackendConfigOutput.
	ToAuthBackendConfigOutput() AuthBackendConfigOutput
	// ToAuthBackendConfigOutputWithContext is the variant that takes a context.Context.
	ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput
}

type AuthBackendConfigMap

type AuthBackendConfigMap map[string]AuthBackendConfigInput

func (AuthBackendConfigMap) ElementType

func (AuthBackendConfigMap) ElementType() reflect.Type

func (AuthBackendConfigMap) ToAuthBackendConfigMapOutput

func (i AuthBackendConfigMap) ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput

func (AuthBackendConfigMap) ToAuthBackendConfigMapOutputWithContext

func (i AuthBackendConfigMap) ToAuthBackendConfigMapOutputWithContext(ctx context.Context) AuthBackendConfigMapOutput

type AuthBackendConfigMapInput

type AuthBackendConfigMapInput interface {
	pulumi.Input

	ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput
	ToAuthBackendConfigMapOutputWithContext(context.Context) AuthBackendConfigMapOutput
}

AuthBackendConfigMapInput is an input type that accepts AuthBackendConfigMap and AuthBackendConfigMapOutput values. You can construct a concrete instance of `AuthBackendConfigMapInput` via:

AuthBackendConfigMap{ "key": AuthBackendConfigArgs{...} }

type AuthBackendConfigMapOutput

type AuthBackendConfigMapOutput struct{ *pulumi.OutputState }

func (AuthBackendConfigMapOutput) ElementType

func (AuthBackendConfigMapOutput) ElementType() reflect.Type

func (AuthBackendConfigMapOutput) MapIndex

func (AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutput

func (o AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput

func (AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutputWithContext

func (o AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutputWithContext(ctx context.Context) AuthBackendConfigMapOutput

type AuthBackendConfigOutput

type AuthBackendConfigOutput struct{ *pulumi.OutputState }

func (AuthBackendConfigOutput) ElementType

func (AuthBackendConfigOutput) ElementType() reflect.Type

func (AuthBackendConfigOutput) ToAuthBackendConfigOutput

func (o AuthBackendConfigOutput) ToAuthBackendConfigOutput() AuthBackendConfigOutput

func (AuthBackendConfigOutput) ToAuthBackendConfigOutputWithContext

func (o AuthBackendConfigOutput) ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput

func (AuthBackendConfigOutput) ToAuthBackendConfigPtrOutput

func (o AuthBackendConfigOutput) ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput

func (AuthBackendConfigOutput) ToAuthBackendConfigPtrOutputWithContext

func (o AuthBackendConfigOutput) ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput

type AuthBackendConfigPtrInput

// AuthBackendConfigPtrInput is an input type for values that can be converted
// to an AuthBackendConfigPtrOutput.
type AuthBackendConfigPtrInput interface {
	pulumi.Input

	// ToAuthBackendConfigPtrOutput returns the value as an AuthBackendConfigPtrOutput.
	ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput
	// ToAuthBackendConfigPtrOutputWithContext is the variant that takes a context.Context.
	ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput
}

type AuthBackendConfigPtrOutput

type AuthBackendConfigPtrOutput struct{ *pulumi.OutputState }

func (AuthBackendConfigPtrOutput) Elem added in v4.6.0

func (AuthBackendConfigPtrOutput) ElementType

func (AuthBackendConfigPtrOutput) ElementType() reflect.Type

func (AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutput

func (o AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutput() AuthBackendConfigPtrOutput

func (AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutputWithContext

func (o AuthBackendConfigPtrOutput) ToAuthBackendConfigPtrOutputWithContext(ctx context.Context) AuthBackendConfigPtrOutput

type AuthBackendConfigState

// AuthBackendConfigState carries the optional state properties that
// GetAuthBackendConfig accepts to qualify the lookup of an existing resource.
type AuthBackendConfigState struct {
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// Disable JWT issuer validation, i.e. skip the ISS check. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	// Security: enabling this removes the issuer check from JWT validation.
	DisableIssValidation pulumi.BoolPtrInput
	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableLocalCaJwt pulumi.BoolPtrInput
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrInput
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrInput
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost pulumi.StringPtrInput
	// List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayInput
	// A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	// Security: this value is a credential for the Kubernetes API.
	// NOTE(review): treat any state that carries it as sensitive — confirm how this provider version stores the field.
	TokenReviewerJwt pulumi.StringPtrInput
}

func (AuthBackendConfigState) ElementType

func (AuthBackendConfigState) ElementType() reflect.Type

type AuthBackendRole

// AuthBackendRole manages a Kubernetes auth backend role in a Vault server.
type AuthBackendRole struct {
	pulumi.CustomResourceState

	// Audience claim to verify in the JWT.
	// NOTE(review): when this is left unset the audience is presumably not checked at login — confirm against the Vault documentation.
	Audience pulumi.StringPtrOutput `pulumi:"audience"`
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrOutput `pulumi:"backend"`
	// If set, a list of
	// CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
	//
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs pulumi.StringArrayOutput `pulumi:"boundCidrs"`
	// List of service account names able to access this role. If set to `["*"]` all names are allowed; this and boundServiceAccountNamespaces cannot both be set to "*".
	// Security: with a wildcard here, the namespace list is the only service-account binding left on the role.
	BoundServiceAccountNames pulumi.StringArrayOutput `pulumi:"boundServiceAccountNames"`
	// List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed; this and boundServiceAccountNames cannot both be set to "*".
	// Security: with a wildcard here, the service account name list is the only service-account binding left on the role.
	BoundServiceAccountNamespaces pulumi.StringArrayOutput `pulumi:"boundServiceAccountNamespaces"`
	// The maximum allowed lifetime of tokens
	// issued using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl pulumi.IntPtrOutput `pulumi:"maxTtl"`
	// If set, puts a use-count
	// limitation on the issued token.
	//
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses pulumi.IntPtrOutput `pulumi:"numUses"`
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	//
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period pulumi.IntPtrOutput `pulumi:"period"`
	// An array of strings
	// specifying the policies to be set on tokens issued using this role.
	//
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies pulumi.StringArrayOutput `pulumi:"policies"`
	// Name of the role.
	RoleName pulumi.StringOutput `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayOutput `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrOutput `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrOutput `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrOutput `pulumi:"tokenNoDefaultPolicy"`
	// If set, puts a use-count limitation on the issued token (wording taken from the
	// deprecated NumUses field, which names this field as its replacement).
	// NOTE(review): the published description for this field instead reads "The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token", which looks like text copied
	// from the period field — confirm against the Vault documentation.
	TokenNumUses pulumi.IntPtrOutput `pulumi:"tokenNumUses"`
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrOutput `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayOutput `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrOutput `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrOutput `pulumi:"tokenType"`
	// The TTL period of tokens issued
	// using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl pulumi.IntPtrOutput `pulumi:"ttl"`
}

Manages a Kubernetes auth backend role in a Vault server. See the [Vault documentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more information.

## Example Usage

```go
package main

import (

"github.com/pulumi/pulumi-vault/sdk/v4/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v4/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

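// main declares a Kubernetes auth backend in Vault and then registers a role
// on it that is bound to one service account name and one namespace.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Named kubernetesBackend rather than kubernetes: a local called kubernetes
		// shadows the imported kubernetes package, and the NewAuthBackendRole call
		// below then fails to compile.
		kubernetesBackend, err := vault.NewAuthBackend(ctx, "kubernetes", &vault.AuthBackendArgs{
			Type: pulumi.String("kubernetes"),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewAuthBackendRole(ctx, "example", &kubernetes.AuthBackendRoleArgs{
			Backend:  kubernetesBackend.Path,
			RoleName: pulumi.String("example-role"),
			// Explicit name and namespace bindings; neither list uses the "*" wildcard.
			BoundServiceAccountNames: pulumi.StringArray{
				pulumi.String("example"),
			},
			BoundServiceAccountNamespaces: pulumi.StringArray{
				pulumi.String("example"),
			},
			TokenTtl: pulumi.Int(3600),
			// Every token issued through this role carries all listed policies, so
			// list only what the bound service account needs; dev and prod appear
			// together here purely as sample names.
			TokenPolicies: pulumi.StringArray{
				pulumi.String("default"),
				pulumi.String("dev"),
				pulumi.String("prod"),
			},
			Audience: pulumi.String("vault"),
		})
		return err
	})
}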

```

## Import

Kubernetes auth backend role can be imported using the `path`, e.g.

```sh

$ pulumi import vault:kubernetes/authBackendRole:AuthBackendRole foo auth/kubernetes/role/foo

```

func GetAuthBackendRole

func GetAuthBackendRole(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AuthBackendRoleState, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)

GetAuthBackendRole gets an existing AuthBackendRole resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAuthBackendRole

func NewAuthBackendRole(ctx *pulumi.Context,
	name string, args *AuthBackendRoleArgs, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)

NewAuthBackendRole registers a new resource with the given unique name, arguments, and options.

func (*AuthBackendRole) ElementType

func (*AuthBackendRole) ElementType() reflect.Type

func (*AuthBackendRole) ToAuthBackendRoleOutput

func (i *AuthBackendRole) ToAuthBackendRoleOutput() AuthBackendRoleOutput

func (*AuthBackendRole) ToAuthBackendRoleOutputWithContext

func (i *AuthBackendRole) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput

func (*AuthBackendRole) ToAuthBackendRolePtrOutput

func (i *AuthBackendRole) ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput

func (*AuthBackendRole) ToAuthBackendRolePtrOutputWithContext

func (i *AuthBackendRole) ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput

type AuthBackendRoleArgs

// AuthBackendRoleArgs is the set of arguments for constructing an AuthBackendRole resource.
type AuthBackendRoleArgs struct {
	// Audience claim to verify in the JWT.
	// NOTE(review): when this is left unset the audience is presumably not checked at login — confirm against the Vault documentation.
	Audience pulumi.StringPtrInput
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// If set, a list of
	// CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
	//
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs pulumi.StringArrayInput
	// List of service account names able to access this role. If set to `["*"]` all names are allowed; this and boundServiceAccountNamespaces cannot both be set to "*".
	// Security: with a wildcard here, the namespace list is the only service-account binding left on the role.
	BoundServiceAccountNames pulumi.StringArrayInput
	// List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed; this and boundServiceAccountNames cannot both be set to "*".
	// Security: with a wildcard here, the service account name list is the only service-account binding left on the role.
	BoundServiceAccountNamespaces pulumi.StringArrayInput
	// The maximum allowed lifetime of tokens
	// issued using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl pulumi.IntPtrInput
	// If set, puts a use-count
	// limitation on the issued token.
	//
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	//
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period pulumi.IntPtrInput
	// An array of strings
	// specifying the policies to be set on tokens issued using this role.
	//
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies pulumi.StringArrayInput
	// Name of the role. This is the only field here typed as a non-pointer input.
	RoleName pulumi.StringInput
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// If set, puts a use-count limitation on the issued token (wording taken from the
	// deprecated NumUses field, which names this field as its replacement).
	// NOTE(review): the published description for this field instead reads "The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token", which looks like text copied
	// from the period field — confirm against the Vault documentation.
	TokenNumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput
	// The TTL period of tokens issued
	// using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl pulumi.IntPtrInput
}

The set of arguments for constructing an AuthBackendRole resource.

func (AuthBackendRoleArgs) ElementType

func (AuthBackendRoleArgs) ElementType() reflect.Type

type AuthBackendRoleArray

type AuthBackendRoleArray []AuthBackendRoleInput

func (AuthBackendRoleArray) ElementType

func (AuthBackendRoleArray) ElementType() reflect.Type

func (AuthBackendRoleArray) ToAuthBackendRoleArrayOutput

func (i AuthBackendRoleArray) ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput

func (AuthBackendRoleArray) ToAuthBackendRoleArrayOutputWithContext

func (i AuthBackendRoleArray) ToAuthBackendRoleArrayOutputWithContext(ctx context.Context) AuthBackendRoleArrayOutput

type AuthBackendRoleArrayInput

type AuthBackendRoleArrayInput interface {
	pulumi.Input

	ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput
	ToAuthBackendRoleArrayOutputWithContext(context.Context) AuthBackendRoleArrayOutput
}

AuthBackendRoleArrayInput is an input type that accepts AuthBackendRoleArray and AuthBackendRoleArrayOutput values. You can construct a concrete instance of `AuthBackendRoleArrayInput` via:

AuthBackendRoleArray{ AuthBackendRoleArgs{...} }

type AuthBackendRoleArrayOutput

type AuthBackendRoleArrayOutput struct{ *pulumi.OutputState }

func (AuthBackendRoleArrayOutput) ElementType

func (AuthBackendRoleArrayOutput) ElementType() reflect.Type

func (AuthBackendRoleArrayOutput) Index

func (AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutput

func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput

func (AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutputWithContext

func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutputWithContext(ctx context.Context) AuthBackendRoleArrayOutput

type AuthBackendRoleInput

// AuthBackendRoleInput is an input type for values that can be converted to an
// AuthBackendRoleOutput.
type AuthBackendRoleInput interface {
	pulumi.Input

	// ToAuthBackendRoleOutput returns the value as an AuthBackendRoleOutput.
	ToAuthBackendRoleOutput() AuthBackendRoleOutput
	// ToAuthBackendRoleOutputWithContext is the variant that takes a context.Context.
	ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput
}

type AuthBackendRoleMap

type AuthBackendRoleMap map[string]AuthBackendRoleInput

func (AuthBackendRoleMap) ElementType

func (AuthBackendRoleMap) ElementType() reflect.Type

func (AuthBackendRoleMap) ToAuthBackendRoleMapOutput

func (i AuthBackendRoleMap) ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput

func (AuthBackendRoleMap) ToAuthBackendRoleMapOutputWithContext

func (i AuthBackendRoleMap) ToAuthBackendRoleMapOutputWithContext(ctx context.Context) AuthBackendRoleMapOutput

type AuthBackendRoleMapInput

type AuthBackendRoleMapInput interface {
	pulumi.Input

	ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput
	ToAuthBackendRoleMapOutputWithContext(context.Context) AuthBackendRoleMapOutput
}

AuthBackendRoleMapInput is an input type that accepts AuthBackendRoleMap and AuthBackendRoleMapOutput values. You can construct a concrete instance of `AuthBackendRoleMapInput` via:

AuthBackendRoleMap{ "key": AuthBackendRoleArgs{...} }

type AuthBackendRoleMapOutput

type AuthBackendRoleMapOutput struct{ *pulumi.OutputState }

func (AuthBackendRoleMapOutput) ElementType

func (AuthBackendRoleMapOutput) ElementType() reflect.Type

func (AuthBackendRoleMapOutput) MapIndex

func (AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutput

func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput

func (AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutputWithContext

func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutputWithContext(ctx context.Context) AuthBackendRoleMapOutput

type AuthBackendRoleOutput

type AuthBackendRoleOutput struct{ *pulumi.OutputState }

func (AuthBackendRoleOutput) ElementType

func (AuthBackendRoleOutput) ElementType() reflect.Type

func (AuthBackendRoleOutput) ToAuthBackendRoleOutput

func (o AuthBackendRoleOutput) ToAuthBackendRoleOutput() AuthBackendRoleOutput

func (AuthBackendRoleOutput) ToAuthBackendRoleOutputWithContext

func (o AuthBackendRoleOutput) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput

func (AuthBackendRoleOutput) ToAuthBackendRolePtrOutput

func (o AuthBackendRoleOutput) ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput

func (AuthBackendRoleOutput) ToAuthBackendRolePtrOutputWithContext

func (o AuthBackendRoleOutput) ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput

type AuthBackendRolePtrInput

// AuthBackendRolePtrInput is an input type for values that can be converted to
// an AuthBackendRolePtrOutput.
type AuthBackendRolePtrInput interface {
	pulumi.Input

	// ToAuthBackendRolePtrOutput returns the value as an AuthBackendRolePtrOutput.
	ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput
	// ToAuthBackendRolePtrOutputWithContext is the variant that takes a context.Context.
	ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput
}

type AuthBackendRolePtrOutput

type AuthBackendRolePtrOutput struct{ *pulumi.OutputState }

func (AuthBackendRolePtrOutput) Elem added in v4.6.0

func (AuthBackendRolePtrOutput) ElementType

func (AuthBackendRolePtrOutput) ElementType() reflect.Type

func (AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutput

func (o AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutput() AuthBackendRolePtrOutput

func (AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutputWithContext

func (o AuthBackendRolePtrOutput) ToAuthBackendRolePtrOutputWithContext(ctx context.Context) AuthBackendRolePtrOutput

type AuthBackendRoleState

// AuthBackendRoleState carries the optional state properties that
// GetAuthBackendRole accepts to qualify the lookup of an existing resource.
type AuthBackendRoleState struct {
	// Audience claim to verify in the JWT.
	Audience pulumi.StringPtrInput
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// If set, a list of
	// CIDRs valid as the source address for login requests. This value is also encoded into any resulting token.
	//
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs pulumi.StringArrayInput
	// List of service account names able to access this role. If set to `["*"]` all names are allowed; this and boundServiceAccountNamespaces cannot both be set to "*".
	BoundServiceAccountNames pulumi.StringArrayInput
	// List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed; this and boundServiceAccountNames cannot both be set to "*".
	BoundServiceAccountNamespaces pulumi.StringArrayInput
	// The maximum allowed lifetime of tokens
	// issued using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl pulumi.IntPtrInput
	// If set, puts a use-count
	// limitation on the issued token.
	//
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	//
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period pulumi.IntPtrInput
	// An array of strings
	// specifying the policies to be set on tokens issued using this role.
	//
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies pulumi.StringArrayInput
	// Name of the role.
	RoleName pulumi.StringPtrInput
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// If set, puts a use-count limitation on the issued token (wording taken from the
	// deprecated NumUses field, which names this field as its replacement).
	// NOTE(review): the published description for this field instead reads "The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token", which looks like text copied
	// from the period field — confirm against the Vault documentation.
	TokenNumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput
	// The TTL period of tokens issued
	// using this role, provided as a number of seconds.
	//
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl pulumi.IntPtrInput
}

func (AuthBackendRoleState) ElementType

func (AuthBackendRoleState) ElementType() reflect.Type

type LookupAuthBackendConfigArgs

// LookupAuthBackendConfigArgs is the collection of arguments for invoking
// getAuthBackendConfig.
type LookupAuthBackendConfigArgs struct {
	// Unique name of the Kubernetes auth backend whose config is read.
	// Defaults to "kubernetes".
	Backend              *string `pulumi:"backend"`
	// Described on the AuthBackendConfig resource as "Disable JWT issuer validation";
	// when true the issuer (ISS) check on service account JWTs is skipped.
	// Security-relevant: review any config where this is set.
	DisableIssValidation *bool   `pulumi:"disableIssValidation"`
	// Described on the AuthBackendConfig resource as disabling the default of using the
	// local CA cert and service account JWT when Vault runs in a Kubernetes pod.
	DisableLocalCaJwt    *bool   `pulumi:"disableLocalCaJwt"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer *string `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert *string `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost *string `pulumi:"kubernetesHost"`
	// Optional list of PEM-formatted public keys or certificates used to verify the
	// signatures of Kubernetes service account JWTs. If a certificate is given, its
	// public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys []string `pulumi:"pemKeys"`
}

A collection of arguments for invoking getAuthBackendConfig.

type LookupAuthBackendConfigOutputArgs added in v4.6.0

// LookupAuthBackendConfigOutputArgs is the collection of arguments for invoking
// getAuthBackendConfig, expressed as pulumi input types.
type LookupAuthBackendConfigOutputArgs struct {
	// Unique name of the Kubernetes auth backend whose config is read.
	// Defaults to "kubernetes".
	Backend              pulumi.StringPtrInput `pulumi:"backend"`
	// Described on the AuthBackendConfig resource as "Disable JWT issuer validation";
	// when true the issuer (ISS) check on service account JWTs is skipped.
	// Security-relevant: review any config where this is set.
	DisableIssValidation pulumi.BoolPtrInput   `pulumi:"disableIssValidation"`
	// Described on the AuthBackendConfig resource as disabling the default of using the
	// local CA cert and service account JWT when Vault runs in a Kubernetes pod.
	DisableLocalCaJwt    pulumi.BoolPtrInput   `pulumi:"disableLocalCaJwt"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrInput `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrInput `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost pulumi.StringPtrInput `pulumi:"kubernetesHost"`
	// Optional list of PEM-formatted public keys or certificates used to verify the
	// signatures of Kubernetes service account JWTs. If a certificate is given, its
	// public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayInput `pulumi:"pemKeys"`
}

A collection of arguments for invoking getAuthBackendConfig.

func (LookupAuthBackendConfigOutputArgs) ElementType added in v4.6.0

type LookupAuthBackendConfigResult

// LookupAuthBackendConfigResult is the collection of values returned by
// getAuthBackendConfig.
type LookupAuthBackendConfigResult struct {
	// Kubernetes auth backend name; same `backend` key as the lookup argument.
	Backend              *string `pulumi:"backend"`
	// Described on the AuthBackendConfig resource as "Disable JWT issuer validation".
	// A true value means the issuer (ISS) check on service account JWTs is skipped,
	// so it is worth checking when auditing a backend.
	DisableIssValidation bool    `pulumi:"disableIssValidation"`
	// Described on the AuthBackendConfig resource as disabling the default of using the
	// local CA cert and service account JWT when Vault runs in a Kubernetes pod.
	DisableLocalCaJwt    bool    `pulumi:"disableLocalCaJwt"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer string `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert string `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost string `pulumi:"kubernetesHost"`
	// Optional list of PEM-formatted public keys or certificates used to verify the
	// signatures of Kubernetes service account JWTs. If a certificate is given, its
	// public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys []string `pulumi:"pemKeys"`
}

A collection of values returned by getAuthBackendConfig.

func LookupAuthBackendConfig

func LookupAuthBackendConfig(ctx *pulumi.Context, args *LookupAuthBackendConfigArgs, opts ...pulumi.InvokeOption) (*LookupAuthBackendConfigResult, error)

Reads the configuration of a Kubernetes auth backend from a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-config) for more information.

type LookupAuthBackendConfigResultOutput added in v4.6.0

// LookupAuthBackendConfigResultOutput is the output form of the values returned by
// getAuthBackendConfig; it embeds *pulumi.OutputState.
type LookupAuthBackendConfigResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAuthBackendConfig.

func (LookupAuthBackendConfigResultOutput) Backend added in v4.6.0

func (LookupAuthBackendConfigResultOutput) DisableIssValidation added in v4.6.0

func (o LookupAuthBackendConfigResultOutput) DisableIssValidation() pulumi.BoolOutput

func (LookupAuthBackendConfigResultOutput) DisableLocalCaJwt added in v4.6.0

func (LookupAuthBackendConfigResultOutput) ElementType added in v4.6.0

func (LookupAuthBackendConfigResultOutput) Id added in v4.6.0

The provider-assigned unique ID for this managed resource.

func (LookupAuthBackendConfigResultOutput) Issuer added in v4.6.0

Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.

func (LookupAuthBackendConfigResultOutput) KubernetesCaCert added in v4.6.0

PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

func (LookupAuthBackendConfigResultOutput) KubernetesHost added in v4.6.0

Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

func (LookupAuthBackendConfigResultOutput) PemKeys added in v4.6.0

Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

func (LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutput added in v4.6.0

func (o LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutput() LookupAuthBackendConfigResultOutput

func (LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutputWithContext added in v4.6.0

func (o LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutputWithContext(ctx context.Context) LookupAuthBackendConfigResultOutput

type LookupAuthBackendRoleArgs

// LookupAuthBackendRoleArgs is the collection of arguments for invoking
// getAuthBackendRole.
type LookupAuthBackendRoleArgs struct {
	// (Optional) Audience claim to verify in the JWT.
	Audience *string `pulumi:"audience"`
	// Unique name of the Kubernetes auth backend that holds the role to read.
	// Defaults to "kubernetes".
	Backend *string `pulumi:"backend"`
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs []string `pulumi:"boundCidrs"`
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl *int `pulumi:"maxTtl"`
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses *int `pulumi:"numUses"`
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period *int `pulumi:"period"`
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies []string `pulumi:"policies"`
	// The name of the role to retrieve the Role attributes for.
	RoleName string `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs []string `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl *int `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl *int `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `pulumi:"tokenNoDefaultPolicy"`
	// Upstream text: "The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token."
	// NOTE(review): this repeats the period description and does not describe a use
	// count. The field name suggests a limit on how many times a generated token may
	// be used; confirm against the Vault documentation before relying on it.
	TokenNumUses *int `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod *int `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies []string `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl *int `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType *string `pulumi:"tokenType"`
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl *int `pulumi:"ttl"`
}

A collection of arguments for invoking getAuthBackendRole.

type LookupAuthBackendRoleOutputArgs added in v4.6.0

// LookupAuthBackendRoleOutputArgs is the collection of arguments for invoking
// getAuthBackendRole, expressed as pulumi input types.
type LookupAuthBackendRoleOutputArgs struct {
	// (Optional) Audience claim to verify in the JWT.
	Audience pulumi.StringPtrInput `pulumi:"audience"`
	// Unique name of the Kubernetes auth backend that holds the role to read.
	// Defaults to "kubernetes".
	Backend pulumi.StringPtrInput `pulumi:"backend"`
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs pulumi.StringArrayInput `pulumi:"boundCidrs"`
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl pulumi.IntPtrInput `pulumi:"maxTtl"`
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses pulumi.IntPtrInput `pulumi:"numUses"`
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period pulumi.IntPtrInput `pulumi:"period"`
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies pulumi.StringArrayInput `pulumi:"policies"`
	// The name of the role to retrieve the Role attributes for.
	RoleName pulumi.StringInput `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput `pulumi:"tokenNoDefaultPolicy"`
	// Upstream text: "The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token."
	// NOTE(review): this repeats the period description and does not describe a use
	// count. The field name suggests a limit on how many times a generated token may
	// be used; confirm against the Vault documentation before relying on it.
	TokenNumUses pulumi.IntPtrInput `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput `pulumi:"tokenType"`
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl pulumi.IntPtrInput `pulumi:"ttl"`
}

A collection of arguments for invoking getAuthBackendRole.

func (LookupAuthBackendRoleOutputArgs) ElementType added in v4.6.0

type LookupAuthBackendRoleResult

// LookupAuthBackendRoleResult is the collection of values returned by
// getAuthBackendRole.
type LookupAuthBackendRoleResult struct {
	// (Optional) Audience claim to verify in the JWT.
	Audience *string `pulumi:"audience"`
	// Kubernetes auth backend name; same `backend` key as the lookup argument.
	Backend  *string `pulumi:"backend"`
	// Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2
	BoundCidrs []string `pulumi:"boundCidrs"`
	// List of service account names able to access this role. If set to "*" all names
	// are allowed; this field and boundServiceAccountNamespaces cannot both be "*".
	BoundServiceAccountNames []string `pulumi:"boundServiceAccountNames"`
	// List of namespaces allowed to access this role. If set to "*" all namespaces
	// are allowed; this field and boundServiceAccountNames cannot both be "*".
	BoundServiceAccountNamespaces []string `pulumi:"boundServiceAccountNamespaces"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2
	MaxTtl *int `pulumi:"maxTtl"`
	// Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2
	NumUses *int `pulumi:"numUses"`
	// Deprecated: use `token_period` instead if you are running Vault >= 1.2
	Period *int `pulumi:"period"`
	// Deprecated: use `token_policies` instead if you are running Vault >= 1.2
	Policies []string `pulumi:"policies"`
	// Role name; same `roleName` key as the lookup argument.
	RoleName string   `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs []string `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl *int `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl *int `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `pulumi:"tokenNoDefaultPolicy"`
	// Upstream text: "The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token."
	// NOTE(review): this repeats the period description and does not describe a use
	// count. The field name suggests a limit on how many times a generated token may
	// be used; confirm against the Vault documentation before relying on it.
	TokenNumUses *int `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod *int `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies []string `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl *int `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType *string `pulumi:"tokenType"`
	// Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
	Ttl *int `pulumi:"ttl"`
}

A collection of values returned by getAuthBackendRole.

func LookupAuthBackendRole

func LookupAuthBackendRole(ctx *pulumi.Context, args *LookupAuthBackendRoleArgs, opts ...pulumi.InvokeOption) (*LookupAuthBackendRoleResult, error)

Reads a role of a Kubernetes auth backend from a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-role) for more information.

## Example Usage

```go
package main

import (

"github.com/pulumi/pulumi-vault/sdk/v4/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

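// main looks up the role "my-role" on the Kubernetes auth backend
// "my-kubernetes-backend" and exports the policies encoded onto its tokens.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Backend is an optional *string argument, so it needs an addressable value.
		backend := "my-kubernetes-backend"
		role, err := kubernetes.LookupAuthBackendRole(ctx, &kubernetes.LookupAuthBackendRoleArgs{
			Backend:  &backend,
			RoleName: "my-role",
		})
		if err != nil {
			return err
		}
		// Read TokenPolicies instead of Policies: the result type marks Policies as
		// deprecated in favour of token_policies on Vault >= 1.2.
		ctx.Export("policies", role.TokenPolicies)
		return nil
	})
}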

```

type LookupAuthBackendRoleResultOutput added in v4.6.0

// LookupAuthBackendRoleResultOutput is the output form of the values returned by
// getAuthBackendRole; it embeds *pulumi.OutputState.
type LookupAuthBackendRoleResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAuthBackendRole.

func LookupAuthBackendRoleOutput added in v4.6.0

func (LookupAuthBackendRoleResultOutput) Audience added in v4.6.0

(Optional) Audience claim to verify in the JWT.

func (LookupAuthBackendRoleResultOutput) Backend added in v4.6.0

func (LookupAuthBackendRoleResultOutput) BoundCidrs deprecated added in v4.6.0

Deprecated: use `token_bound_cidrs` instead if you are running Vault >= 1.2

func (LookupAuthBackendRoleResultOutput) BoundServiceAccountNames added in v4.6.0

func (o LookupAuthBackendRoleResultOutput) BoundServiceAccountNames() pulumi.StringArrayOutput

List of service account names able to access this role. If set to "*" all names are allowed; this field and boundServiceAccountNamespaces cannot both be "*".

func (LookupAuthBackendRoleResultOutput) BoundServiceAccountNamespaces added in v4.6.0

func (o LookupAuthBackendRoleResultOutput) BoundServiceAccountNamespaces() pulumi.StringArrayOutput

List of namespaces allowed to access this role. If set to "*" all namespaces are allowed; this field and boundServiceAccountNames cannot both be "*".

func (LookupAuthBackendRoleResultOutput) ElementType added in v4.6.0

func (LookupAuthBackendRoleResultOutput) Id added in v4.6.0

The provider-assigned unique ID for this managed resource.

func (LookupAuthBackendRoleResultOutput) MaxTtl deprecated added in v4.6.0

Deprecated: use `token_max_ttl` instead if you are running Vault >= 1.2

func (LookupAuthBackendRoleResultOutput) NumUses deprecated added in v4.6.0

Deprecated: use `token_num_uses` instead if you are running Vault >= 1.2

func (LookupAuthBackendRoleResultOutput) Period deprecated added in v4.6.0

Deprecated: use `token_period` instead if you are running Vault >= 1.2

func (LookupAuthBackendRoleResultOutput) Policies deprecated added in v4.6.0

Deprecated: use `token_policies` instead if you are running Vault >= 1.2

func (LookupAuthBackendRoleResultOutput) RoleName added in v4.6.0

func (LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutput added in v4.6.0

func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutput() LookupAuthBackendRoleResultOutput

func (LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutputWithContext added in v4.6.0

func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutputWithContext(ctx context.Context) LookupAuthBackendRoleResultOutput

func (LookupAuthBackendRoleResultOutput) TokenBoundCidrs added in v4.6.0

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

func (LookupAuthBackendRoleResultOutput) TokenExplicitMaxTtl added in v4.6.0

func (o LookupAuthBackendRoleResultOutput) TokenExplicitMaxTtl() pulumi.IntPtrOutput

If set, will encode an [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) onto the token in number of seconds. This is a hard cap even if `tokenTtl` and `tokenMaxTtl` would otherwise allow a renewal.

func (LookupAuthBackendRoleResultOutput) TokenMaxTtl added in v4.6.0

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

func (LookupAuthBackendRoleResultOutput) TokenNoDefaultPolicy added in v4.6.0

func (o LookupAuthBackendRoleResultOutput) TokenNoDefaultPolicy() pulumi.BoolPtrOutput

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

func (LookupAuthBackendRoleResultOutput) TokenNumUses added in v4.6.0

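The [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), if any, in number of seconds to set on the token. Note: this text repeats the period description and does not describe a use count; check the Vault documentation for the meaning of `token_num_uses` before relying on it.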

func (LookupAuthBackendRoleResultOutput) TokenPeriod added in v4.6.0

(Optional) If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.

func (LookupAuthBackendRoleResultOutput) TokenPolicies added in v4.6.0

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

func (LookupAuthBackendRoleResultOutput) TokenTtl added in v4.6.0

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

func (LookupAuthBackendRoleResultOutput) TokenType added in v4.6.0

The type of token that should be generated. Can be `service`, `batch`, or `default` to use the mount's tuned default (which unless changed will be `service` tokens). For token store roles, there are two additional possibilities: `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time.

func (LookupAuthBackendRoleResultOutput) Ttl deprecated added in v4.6.0

Deprecated: use `token_ttl` instead if you are running Vault >= 1.2
