gcp

package
v6.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 4, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthBackend 

type AuthBackend struct {
	pulumi.CustomResourceState

	// The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).
	Accessor pulumi.StringOutput `pulumi:"accessor"`
	// The clients email associated with the credentials
	ClientEmail pulumi.StringOutput `pulumi:"clientEmail"`
	// The Client ID of the credentials
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
	Credentials pulumi.StringPtrOutput `pulumi:"credentials"`
	// Specifies overrides to
	// [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
	// used when making API requests. This allows specific requests made during authentication
	// to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
	// environments. Requires Vault 1.11+.
	//
	// Overrides are set at the subdomain level using the following keys:
	CustomEndpoint AuthBackendCustomEndpointPtrOutput `pulumi:"customEndpoint"`
	// A description of the auth method.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// If set, opts out of mount migration on path updates.
	// See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
	DisableRemount pulumi.BoolPtrOutput `pulumi:"disableRemount"`
	// Specifies if the auth method is local only.
	Local pulumi.BoolPtrOutput `pulumi:"local"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// The path to mount the auth method — this defaults to 'gcp'.
	Path pulumi.StringPtrOutput `pulumi:"path"`
	// The ID of the private key from the credentials
	PrivateKeyId pulumi.StringOutput `pulumi:"privateKeyId"`
	// The GCP Project ID
	ProjectId pulumi.StringOutput `pulumi:"projectId"`
	// Extra configuration block. Structure is documented below.
	//
	// The `tune` block is used to tune the auth backend:
	Tune AuthBackendTuneOutput `pulumi:"tune"`
}

Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).

## Example Usage

<!--Start PulumiCodeChooser --> ```go package main

import ( 

"os"

"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func readFileOrPanic(path string) pulumi.StringPtrInput {
	data, err := os.ReadFile(path)
	if err != nil {
		panic(err.Error())
	}
	return pulumi.String(string(data))
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := gcp.NewAuthBackend(ctx, "gcp", &gcp.AuthBackendArgs{
			Credentials: readFileOrPanic("vault-gcp-credentials.json"),
			CustomEndpoint: &gcp.AuthBackendCustomEndpointArgs{
				Api:     pulumi.String("www.googleapis.com"),
				Iam:     pulumi.String("iam.googleapis.com"),
				Crm:     pulumi.String("cloudresourcemanager.googleapis.com"),
				Compute: pulumi.String("compute.googleapis.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` <!--End PulumiCodeChooser -->

## Import

GCP authentication backends can be imported using the backend name, e.g.

```sh $ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp ```

func GetAuthBackend 

func GetAuthBackend(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AuthBackendState, opts ...pulumi.ResourceOption) (*AuthBackend, error)

GetAuthBackend gets an existing AuthBackend resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAuthBackend 

func NewAuthBackend(ctx *pulumi.Context,
	name string, args *AuthBackendArgs, opts ...pulumi.ResourceOption) (*AuthBackend, error)

NewAuthBackend registers a new resource with the given unique name, arguments, and options.

func (*AuthBackend) ElementType 

func (*AuthBackend) ElementType() reflect.Type

func (*AuthBackend) ToAuthBackendOutput 

func (i *AuthBackend) ToAuthBackendOutput() AuthBackendOutput

func (*AuthBackend) ToAuthBackendOutputWithContext 

func (i *AuthBackend) ToAuthBackendOutputWithContext(ctx context.Context) AuthBackendOutput

type AuthBackendArgs 

type AuthBackendArgs struct {
	// The clients email associated with the credentials
	ClientEmail pulumi.StringPtrInput
	// The Client ID of the credentials
	ClientId pulumi.StringPtrInput
	// A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
	Credentials pulumi.StringPtrInput
	// Specifies overrides to
	// [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
	// used when making API requests. This allows specific requests made during authentication
	// to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
	// environments. Requires Vault 1.11+.
	//
	// Overrides are set at the subdomain level using the following keys:
	CustomEndpoint AuthBackendCustomEndpointPtrInput
	// A description of the auth method.
	Description pulumi.StringPtrInput
	// If set, opts out of mount migration on path updates.
	// See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
	DisableRemount pulumi.BoolPtrInput
	// Specifies if the auth method is local only.
	Local pulumi.BoolPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// The path to mount the auth method — this defaults to 'gcp'.
	Path pulumi.StringPtrInput
	// The ID of the private key from the credentials
	PrivateKeyId pulumi.StringPtrInput
	// The GCP Project ID
	ProjectId pulumi.StringPtrInput
	// Extra configuration block. Structure is documented below.
	//
	// The `tune` block is used to tune the auth backend:
	Tune AuthBackendTunePtrInput
}

The set of arguments for constructing a AuthBackend resource.

func (AuthBackendArgs) ElementType 

func (AuthBackendArgs) ElementType() reflect.Type

type AuthBackendArray 

type AuthBackendArray []AuthBackendInput

func (AuthBackendArray) ElementType 

func (AuthBackendArray) ElementType() reflect.Type

func (AuthBackendArray) ToAuthBackendArrayOutput 

func (i AuthBackendArray) ToAuthBackendArrayOutput() AuthBackendArrayOutput

func (AuthBackendArray) ToAuthBackendArrayOutputWithContext 

func (i AuthBackendArray) ToAuthBackendArrayOutputWithContext(ctx context.Context) AuthBackendArrayOutput

type AuthBackendArrayInput 

type AuthBackendArrayInput interface {
	pulumi.Input

	ToAuthBackendArrayOutput() AuthBackendArrayOutput
	ToAuthBackendArrayOutputWithContext(context.Context) AuthBackendArrayOutput
}

AuthBackendArrayInput is an input type that accepts AuthBackendArray and AuthBackendArrayOutput values. You can construct a concrete instance of `AuthBackendArrayInput` via: 

AuthBackendArray{ AuthBackendArgs{...} }

type AuthBackendArrayOutput 

type AuthBackendArrayOutput struct{ *pulumi.OutputState }

func (AuthBackendArrayOutput) ElementType 

func (AuthBackendArrayOutput) ElementType() reflect.Type

func (AuthBackendArrayOutput) Index 

func (o AuthBackendArrayOutput) Index(i pulumi.IntInput) AuthBackendOutput

func (AuthBackendArrayOutput) ToAuthBackendArrayOutput 

func (o AuthBackendArrayOutput) ToAuthBackendArrayOutput() AuthBackendArrayOutput

func (AuthBackendArrayOutput) ToAuthBackendArrayOutputWithContext 

func (o AuthBackendArrayOutput) ToAuthBackendArrayOutputWithContext(ctx context.Context) AuthBackendArrayOutput

type AuthBackendCustomEndpoint 

type AuthBackendCustomEndpoint struct {
	// Replaces the service endpoint used in API requests to `https://www.googleapis.com`.
	Api *string `pulumi:"api"`
	// Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.
	//
	// The endpoint value provided for a given key has the form of `scheme://host:port`.
	// The `scheme://` and `:port` portions of the endpoint value are optional.
	Compute *string `pulumi:"compute"`
	// Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.
	Crm *string `pulumi:"crm"`
	// Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.
	Iam *string `pulumi:"iam"`
}

type AuthBackendCustomEndpointArgs 

type AuthBackendCustomEndpointArgs struct {
	// Replaces the service endpoint used in API requests to `https://www.googleapis.com`.
	Api pulumi.StringPtrInput `pulumi:"api"`
	// Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.
	//
	// The endpoint value provided for a given key has the form of `scheme://host:port`.
	// The `scheme://` and `:port` portions of the endpoint value are optional.
	Compute pulumi.StringPtrInput `pulumi:"compute"`
	// Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.
	Crm pulumi.StringPtrInput `pulumi:"crm"`
	// Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.
	Iam pulumi.StringPtrInput `pulumi:"iam"`
}

func (AuthBackendCustomEndpointArgs) ElementType 

func (AuthBackendCustomEndpointArgs) ElementType() reflect.Type

func (AuthBackendCustomEndpointArgs) ToAuthBackendCustomEndpointOutput 

func (i AuthBackendCustomEndpointArgs) ToAuthBackendCustomEndpointOutput() AuthBackendCustomEndpointOutput

func (AuthBackendCustomEndpointArgs) ToAuthBackendCustomEndpointOutputWithContext 

func (i AuthBackendCustomEndpointArgs) ToAuthBackendCustomEndpointOutputWithContext(ctx context.Context) AuthBackendCustomEndpointOutput

func (AuthBackendCustomEndpointArgs) ToAuthBackendCustomEndpointPtrOutput 

func (i AuthBackendCustomEndpointArgs) ToAuthBackendCustomEndpointPtrOutput() AuthBackendCustomEndpointPtrOutput

func (AuthBackendCustomEndpointArgs) ToAuthBackendCustomEndpointPtrOutputWithContext 

func (i AuthBackendCustomEndpointArgs) ToAuthBackendCustomEndpointPtrOutputWithContext(ctx context.Context) AuthBackendCustomEndpointPtrOutput

type AuthBackendCustomEndpointInput 

type AuthBackendCustomEndpointInput interface {
	pulumi.Input

	ToAuthBackendCustomEndpointOutput() AuthBackendCustomEndpointOutput
	ToAuthBackendCustomEndpointOutputWithContext(context.Context) AuthBackendCustomEndpointOutput
}

AuthBackendCustomEndpointInput is an input type that accepts AuthBackendCustomEndpointArgs and AuthBackendCustomEndpointOutput values. You can construct a concrete instance of `AuthBackendCustomEndpointInput` via: 

AuthBackendCustomEndpointArgs{...}

type AuthBackendCustomEndpointOutput 

type AuthBackendCustomEndpointOutput struct{ *pulumi.OutputState }

func (AuthBackendCustomEndpointOutput) Api 

func (o AuthBackendCustomEndpointOutput) Api() pulumi.StringPtrOutput

Replaces the service endpoint used in API requests to `https://www.googleapis.com`.

func (AuthBackendCustomEndpointOutput) Compute 

func (o AuthBackendCustomEndpointOutput) Compute() pulumi.StringPtrOutput

Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.

The endpoint value provided for a given key has the form of `scheme://host:port`. The `scheme://` and `:port` portions of the endpoint value are optional.

func (AuthBackendCustomEndpointOutput) Crm 

func (o AuthBackendCustomEndpointOutput) Crm() pulumi.StringPtrOutput

Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.

func (AuthBackendCustomEndpointOutput) ElementType 

func (AuthBackendCustomEndpointOutput) ElementType() reflect.Type

func (AuthBackendCustomEndpointOutput) Iam 

func (o AuthBackendCustomEndpointOutput) Iam() pulumi.StringPtrOutput

Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.

func (AuthBackendCustomEndpointOutput) ToAuthBackendCustomEndpointOutput 

func (o AuthBackendCustomEndpointOutput) ToAuthBackendCustomEndpointOutput() AuthBackendCustomEndpointOutput

func (AuthBackendCustomEndpointOutput) ToAuthBackendCustomEndpointOutputWithContext 

func (o AuthBackendCustomEndpointOutput) ToAuthBackendCustomEndpointOutputWithContext(ctx context.Context) AuthBackendCustomEndpointOutput

func (AuthBackendCustomEndpointOutput) ToAuthBackendCustomEndpointPtrOutput 

func (o AuthBackendCustomEndpointOutput) ToAuthBackendCustomEndpointPtrOutput() AuthBackendCustomEndpointPtrOutput

func (AuthBackendCustomEndpointOutput) ToAuthBackendCustomEndpointPtrOutputWithContext 

func (o AuthBackendCustomEndpointOutput) ToAuthBackendCustomEndpointPtrOutputWithContext(ctx context.Context) AuthBackendCustomEndpointPtrOutput

type AuthBackendCustomEndpointPtrInput 

type AuthBackendCustomEndpointPtrInput interface {
	pulumi.Input

	ToAuthBackendCustomEndpointPtrOutput() AuthBackendCustomEndpointPtrOutput
	ToAuthBackendCustomEndpointPtrOutputWithContext(context.Context) AuthBackendCustomEndpointPtrOutput
}

AuthBackendCustomEndpointPtrInput is an input type that accepts AuthBackendCustomEndpointArgs, AuthBackendCustomEndpointPtr and AuthBackendCustomEndpointPtrOutput values. You can construct a concrete instance of `AuthBackendCustomEndpointPtrInput` via: 

        AuthBackendCustomEndpointArgs{...}

or:

        nil

func AuthBackendCustomEndpointPtr 

func AuthBackendCustomEndpointPtr(v *AuthBackendCustomEndpointArgs) AuthBackendCustomEndpointPtrInput

type AuthBackendCustomEndpointPtrOutput 

type AuthBackendCustomEndpointPtrOutput struct{ *pulumi.OutputState }

func (AuthBackendCustomEndpointPtrOutput) Api 

func (o AuthBackendCustomEndpointPtrOutput) Api() pulumi.StringPtrOutput

Replaces the service endpoint used in API requests to `https://www.googleapis.com`.

func (AuthBackendCustomEndpointPtrOutput) Compute 

func (o AuthBackendCustomEndpointPtrOutput) Compute() pulumi.StringPtrOutput

Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.

The endpoint value provided for a given key has the form of `scheme://host:port`. The `scheme://` and `:port` portions of the endpoint value are optional.

func (AuthBackendCustomEndpointPtrOutput) Crm 

func (o AuthBackendCustomEndpointPtrOutput) Crm() pulumi.StringPtrOutput

Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.

func (AuthBackendCustomEndpointPtrOutput) Elem 

func (o AuthBackendCustomEndpointPtrOutput) Elem() AuthBackendCustomEndpointOutput

func (AuthBackendCustomEndpointPtrOutput) ElementType 

func (AuthBackendCustomEndpointPtrOutput) ElementType() reflect.Type

func (AuthBackendCustomEndpointPtrOutput) Iam 

func (o AuthBackendCustomEndpointPtrOutput) Iam() pulumi.StringPtrOutput

Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.

func (AuthBackendCustomEndpointPtrOutput) ToAuthBackendCustomEndpointPtrOutput 

func (o AuthBackendCustomEndpointPtrOutput) ToAuthBackendCustomEndpointPtrOutput() AuthBackendCustomEndpointPtrOutput

func (AuthBackendCustomEndpointPtrOutput) ToAuthBackendCustomEndpointPtrOutputWithContext 

func (o AuthBackendCustomEndpointPtrOutput) ToAuthBackendCustomEndpointPtrOutputWithContext(ctx context.Context) AuthBackendCustomEndpointPtrOutput

type AuthBackendInput 

type AuthBackendInput interface {
	pulumi.Input

	ToAuthBackendOutput() AuthBackendOutput
	ToAuthBackendOutputWithContext(ctx context.Context) AuthBackendOutput
}

type AuthBackendMap 

type AuthBackendMap map[string]AuthBackendInput

func (AuthBackendMap) ElementType 

func (AuthBackendMap) ElementType() reflect.Type

func (AuthBackendMap) ToAuthBackendMapOutput 

func (i AuthBackendMap) ToAuthBackendMapOutput() AuthBackendMapOutput

func (AuthBackendMap) ToAuthBackendMapOutputWithContext 

func (i AuthBackendMap) ToAuthBackendMapOutputWithContext(ctx context.Context) AuthBackendMapOutput

type AuthBackendMapInput 

type AuthBackendMapInput interface {
	pulumi.Input

	ToAuthBackendMapOutput() AuthBackendMapOutput
	ToAuthBackendMapOutputWithContext(context.Context) AuthBackendMapOutput
}

AuthBackendMapInput is an input type that accepts AuthBackendMap and AuthBackendMapOutput values. You can construct a concrete instance of `AuthBackendMapInput` via: 

AuthBackendMap{ "key": AuthBackendArgs{...} }

type AuthBackendMapOutput 

type AuthBackendMapOutput struct{ *pulumi.OutputState }

func (AuthBackendMapOutput) ElementType 

func (AuthBackendMapOutput) ElementType() reflect.Type

func (AuthBackendMapOutput) MapIndex 

func (o AuthBackendMapOutput) MapIndex(k pulumi.StringInput) AuthBackendOutput

func (AuthBackendMapOutput) ToAuthBackendMapOutput 

func (o AuthBackendMapOutput) ToAuthBackendMapOutput() AuthBackendMapOutput

func (AuthBackendMapOutput) ToAuthBackendMapOutputWithContext 

func (o AuthBackendMapOutput) ToAuthBackendMapOutputWithContext(ctx context.Context) AuthBackendMapOutput

type AuthBackendOutput 

type AuthBackendOutput struct{ *pulumi.OutputState }

func (AuthBackendOutput) Accessor 

func (o AuthBackendOutput) Accessor() pulumi.StringOutput

The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).

func (AuthBackendOutput) ClientEmail 

func (o AuthBackendOutput) ClientEmail() pulumi.StringOutput

The clients email associated with the credentials

func (AuthBackendOutput) ClientId 

func (o AuthBackendOutput) ClientId() pulumi.StringOutput

The Client ID of the credentials

func (AuthBackendOutput) Credentials 

func (o AuthBackendOutput) Credentials() pulumi.StringPtrOutput

A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.

func (AuthBackendOutput) CustomEndpoint 

func (o AuthBackendOutput) CustomEndpoint() AuthBackendCustomEndpointPtrOutput

Specifies overrides to [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint) used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access) environments. Requires Vault 1.11+.

Overrides are set at the subdomain level using the following keys:

func (AuthBackendOutput) Description 

func (o AuthBackendOutput) Description() pulumi.StringPtrOutput

A description of the auth method.

func (AuthBackendOutput) DisableRemount 

func (o AuthBackendOutput) DisableRemount() pulumi.BoolPtrOutput

If set, opts out of mount migration on path updates. See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)

func (AuthBackendOutput) ElementType 

func (AuthBackendOutput) ElementType() reflect.Type

func (AuthBackendOutput) Local 

func (o AuthBackendOutput) Local() pulumi.BoolPtrOutput

Specifies if the auth method is local only.

func (AuthBackendOutput) Namespace 

func (o AuthBackendOutput) Namespace() pulumi.StringPtrOutput

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*.

func (AuthBackendOutput) Path 

func (o AuthBackendOutput) Path() pulumi.StringPtrOutput

The path to mount the auth method — this defaults to 'gcp'.

func (AuthBackendOutput) PrivateKeyId 

func (o AuthBackendOutput) PrivateKeyId() pulumi.StringOutput

The ID of the private key from the credentials

func (AuthBackendOutput) ProjectId 

func (o AuthBackendOutput) ProjectId() pulumi.StringOutput

The GCP Project ID

func (AuthBackendOutput) ToAuthBackendOutput 

func (o AuthBackendOutput) ToAuthBackendOutput() AuthBackendOutput

func (AuthBackendOutput) ToAuthBackendOutputWithContext 

func (o AuthBackendOutput) ToAuthBackendOutputWithContext(ctx context.Context) AuthBackendOutput

func (AuthBackendOutput) Tune 

func (o AuthBackendOutput) Tune() AuthBackendTuneOutput

Extra configuration block. Structure is documented below.

The `tune` block is used to tune the auth backend:

type AuthBackendRole 

type AuthBackendRole struct {
	pulumi.CustomResourceState

	AddGroupAliases pulumi.BoolOutput `pulumi:"addGroupAliases"`
	// A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
	AllowGceInference pulumi.BoolOutput `pulumi:"allowGceInference"`
	// Path to the mounted GCP auth backend
	Backend pulumi.StringPtrOutput `pulumi:"backend"`
	// The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `boundZones` or `boundRegions` must be set too.
	BoundInstanceGroups pulumi.StringArrayOutput `pulumi:"boundInstanceGroups"`
	// A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
	BoundLabels pulumi.StringArrayOutput `pulumi:"boundLabels"`
	// An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
	BoundProjects pulumi.StringArrayOutput `pulumi:"boundProjects"`
	// The list of regions that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a regional group and the group must belong to this region. If boundZones are provided, this attribute is ignored.
	BoundRegions pulumi.StringArrayOutput `pulumi:"boundRegions"`
	// GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
	BoundServiceAccounts pulumi.StringArrayOutput `pulumi:"boundServiceAccounts"`
	// The list of zones that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must belong to this zone.
	BoundZones pulumi.StringArrayOutput `pulumi:"boundZones"`
	// The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
	MaxJwtExp pulumi.StringOutput `pulumi:"maxJwtExp"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// Name of the GCP role
	Role pulumi.StringOutput `pulumi:"role"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayOutput `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrOutput `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrOutput `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrOutput `pulumi:"tokenNoDefaultPolicy"`
	// The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
	// of times a generated token may be used (within its lifetime); 0 means unlimited.
	TokenNumUses pulumi.IntPtrOutput `pulumi:"tokenNumUses"`
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrOutput `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayOutput `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrOutput `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrOutput `pulumi:"tokenType"`
	// Type of GCP authentication role (either `gce` or `iam`)
	Type pulumi.StringOutput `pulumi:"type"`
}

Provides a resource to create a role in an [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).

## Example Usage

<!--Start PulumiCodeChooser --> ```go package main

import ( 

"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		gcp, err := vault.NewAuthBackend(ctx, "gcp", &vault.AuthBackendArgs{
			Path: pulumi.String("gcp"),
			Type: pulumi.String("gcp"),
		})
		if err != nil {
			return err
		}
		_, err = gcp.NewAuthBackendRole(ctx, "test", &gcp.AuthBackendRoleArgs{
			Backend: gcp.Path,
			Role:    pulumi.String("test"),
			Type:    pulumi.String("iam"),
			BoundServiceAccounts: pulumi.StringArray{
				pulumi.String("test"),
			},
			BoundProjects: pulumi.StringArray{
				pulumi.String("test"),
			},
			TokenTtl:    pulumi.Int(300),
			TokenMaxTtl: pulumi.Int(600),
			TokenPolicies: pulumi.StringArray{
				pulumi.String("policy_a"),
				pulumi.String("policy_b"),
			},
			AddGroupAliases: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` <!--End PulumiCodeChooser -->

## Import

GCP authentication roles can be imported using the `path`, e.g.

```sh $ pulumi import vault:gcp/authBackendRole:AuthBackendRole my_role auth/gcp/role/my_role ```

func GetAuthBackendRole 

func GetAuthBackendRole(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AuthBackendRoleState, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)

GetAuthBackendRole gets an existing AuthBackendRole resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAuthBackendRole 

func NewAuthBackendRole(ctx *pulumi.Context,
	name string, args *AuthBackendRoleArgs, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)

NewAuthBackendRole registers a new resource with the given unique name, arguments, and options.

func (*AuthBackendRole) ElementType 

func (*AuthBackendRole) ElementType() reflect.Type

func (*AuthBackendRole) ToAuthBackendRoleOutput 

func (i *AuthBackendRole) ToAuthBackendRoleOutput() AuthBackendRoleOutput

func (*AuthBackendRole) ToAuthBackendRoleOutputWithContext 

func (i *AuthBackendRole) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput

type AuthBackendRoleArgs 

type AuthBackendRoleArgs struct {
	AddGroupAliases pulumi.BoolPtrInput
	// A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
	AllowGceInference pulumi.BoolPtrInput
	// Path to the mounted GCP auth backend
	Backend pulumi.StringPtrInput
	// The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `boundZones` or `boundRegions` must be set too.
	BoundInstanceGroups pulumi.StringArrayInput
	// A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
	BoundLabels pulumi.StringArrayInput
	// An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
	BoundProjects pulumi.StringArrayInput
	// The list of regions that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a regional group and the group must belong to this region. If boundZones are provided, this attribute is ignored.
	BoundRegions pulumi.StringArrayInput
	// GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
	BoundServiceAccounts pulumi.StringArrayInput
	// The list of zones that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must belong to this zone.
	BoundZones pulumi.StringArrayInput
	// The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
	MaxJwtExp pulumi.StringPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Name of the GCP role
	Role pulumi.StringInput
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
	// of times a generated token may be used (within its lifetime); 0 means unlimited.
	TokenNumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput
	// Type of GCP authentication role (either `gce` or `iam`)
	Type pulumi.StringInput
}

The set of arguments for constructing a AuthBackendRole resource.

func (AuthBackendRoleArgs) ElementType 

func (AuthBackendRoleArgs) ElementType() reflect.Type

type AuthBackendRoleArray 

type AuthBackendRoleArray []AuthBackendRoleInput

func (AuthBackendRoleArray) ElementType 

func (AuthBackendRoleArray) ElementType() reflect.Type

func (AuthBackendRoleArray) ToAuthBackendRoleArrayOutput 

func (i AuthBackendRoleArray) ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput

func (AuthBackendRoleArray) ToAuthBackendRoleArrayOutputWithContext 

func (i AuthBackendRoleArray) ToAuthBackendRoleArrayOutputWithContext(ctx context.Context) AuthBackendRoleArrayOutput

type AuthBackendRoleArrayInput 

type AuthBackendRoleArrayInput interface {
	pulumi.Input

	ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput
	ToAuthBackendRoleArrayOutputWithContext(context.Context) AuthBackendRoleArrayOutput
}

AuthBackendRoleArrayInput is an input type that accepts AuthBackendRoleArray and AuthBackendRoleArrayOutput values. You can construct a concrete instance of `AuthBackendRoleArrayInput` via: 

AuthBackendRoleArray{ AuthBackendRoleArgs{...} }

type AuthBackendRoleArrayOutput 

type AuthBackendRoleArrayOutput struct{ *pulumi.OutputState }

func (AuthBackendRoleArrayOutput) ElementType 

func (AuthBackendRoleArrayOutput) ElementType() reflect.Type

func (AuthBackendRoleArrayOutput) Index 

func (o AuthBackendRoleArrayOutput) Index(i pulumi.IntInput) AuthBackendRoleOutput

func (AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutput 

func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput

func (AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutputWithContext 

func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutputWithContext(ctx context.Context) AuthBackendRoleArrayOutput

type AuthBackendRoleInput 

type AuthBackendRoleInput interface {
	pulumi.Input

	ToAuthBackendRoleOutput() AuthBackendRoleOutput
	ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput
}

type AuthBackendRoleMap 

type AuthBackendRoleMap map[string]AuthBackendRoleInput

func (AuthBackendRoleMap) ElementType 

func (AuthBackendRoleMap) ElementType() reflect.Type

func (AuthBackendRoleMap) ToAuthBackendRoleMapOutput 

func (i AuthBackendRoleMap) ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput

func (AuthBackendRoleMap) ToAuthBackendRoleMapOutputWithContext 

func (i AuthBackendRoleMap) ToAuthBackendRoleMapOutputWithContext(ctx context.Context) AuthBackendRoleMapOutput

type AuthBackendRoleMapInput 

type AuthBackendRoleMapInput interface {
	pulumi.Input

	ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput
	ToAuthBackendRoleMapOutputWithContext(context.Context) AuthBackendRoleMapOutput
}

AuthBackendRoleMapInput is an input type that accepts AuthBackendRoleMap and AuthBackendRoleMapOutput values. You can construct a concrete instance of `AuthBackendRoleMapInput` via: 

AuthBackendRoleMap{ "key": AuthBackendRoleArgs{...} }

type AuthBackendRoleMapOutput 

type AuthBackendRoleMapOutput struct{ *pulumi.OutputState }

func (AuthBackendRoleMapOutput) ElementType 

func (AuthBackendRoleMapOutput) ElementType() reflect.Type

func (AuthBackendRoleMapOutput) MapIndex 

func (o AuthBackendRoleMapOutput) MapIndex(k pulumi.StringInput) AuthBackendRoleOutput

func (AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutput 

func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput

func (AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutputWithContext 

func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutputWithContext(ctx context.Context) AuthBackendRoleMapOutput

type AuthBackendRoleOutput 

type AuthBackendRoleOutput struct{ *pulumi.OutputState }

func (AuthBackendRoleOutput) AddGroupAliases 

func (o AuthBackendRoleOutput) AddGroupAliases() pulumi.BoolOutput

func (AuthBackendRoleOutput) AllowGceInference 

func (o AuthBackendRoleOutput) AllowGceInference() pulumi.BoolOutput

A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.

func (AuthBackendRoleOutput) Backend 

func (o AuthBackendRoleOutput) Backend() pulumi.StringPtrOutput

Path to the mounted GCP auth backend

func (AuthBackendRoleOutput) BoundInstanceGroups 

func (o AuthBackendRoleOutput) BoundInstanceGroups() pulumi.StringArrayOutput

The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `boundZones` or `boundRegions` must be set too.

func (AuthBackendRoleOutput) BoundLabels 

func (o AuthBackendRoleOutput) BoundLabels() pulumi.StringArrayOutput

A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.

func (AuthBackendRoleOutput) BoundProjects 

func (o AuthBackendRoleOutput) BoundProjects() pulumi.StringArrayOutput

An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.

func (AuthBackendRoleOutput) BoundRegions 

func (o AuthBackendRoleOutput) BoundRegions() pulumi.StringArrayOutput

The list of regions that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a regional group and the group must belong to this region. If boundZones are provided, this attribute is ignored.

func (AuthBackendRoleOutput) BoundServiceAccounts 

func (o AuthBackendRoleOutput) BoundServiceAccounts() pulumi.StringArrayOutput

GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)

func (AuthBackendRoleOutput) BoundZones 

func (o AuthBackendRoleOutput) BoundZones() pulumi.StringArrayOutput

The list of zones that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must belong to this zone.

func (AuthBackendRoleOutput) ElementType 

func (AuthBackendRoleOutput) ElementType() reflect.Type

func (AuthBackendRoleOutput) MaxJwtExp 

func (o AuthBackendRoleOutput) MaxJwtExp() pulumi.StringOutput

The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.

func (AuthBackendRoleOutput) Namespace 

func (o AuthBackendRoleOutput) Namespace() pulumi.StringPtrOutput

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*.

func (AuthBackendRoleOutput) Role 

func (o AuthBackendRoleOutput) Role() pulumi.StringOutput

Name of the GCP role

func (AuthBackendRoleOutput) ToAuthBackendRoleOutput 

func (o AuthBackendRoleOutput) ToAuthBackendRoleOutput() AuthBackendRoleOutput

func (AuthBackendRoleOutput) ToAuthBackendRoleOutputWithContext 

func (o AuthBackendRoleOutput) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput

func (AuthBackendRoleOutput) TokenBoundCidrs 

func (o AuthBackendRoleOutput) TokenBoundCidrs() pulumi.StringArrayOutput

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

func (AuthBackendRoleOutput) TokenExplicitMaxTtl 

func (o AuthBackendRoleOutput) TokenExplicitMaxTtl() pulumi.IntPtrOutput

If set, will encode an [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) onto the token in number of seconds. This is a hard cap even if `tokenTtl` and `tokenMaxTtl` would otherwise allow a renewal.

func (AuthBackendRoleOutput) TokenMaxTtl 

func (o AuthBackendRoleOutput) TokenMaxTtl() pulumi.IntPtrOutput

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

func (AuthBackendRoleOutput) TokenNoDefaultPolicy 

func (o AuthBackendRoleOutput) TokenNoDefaultPolicy() pulumi.BoolPtrOutput

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

func (AuthBackendRoleOutput) TokenNumUses 

func (o AuthBackendRoleOutput) TokenNumUses() pulumi.IntPtrOutput

The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses) of times a generated token may be used (within its lifetime); 0 means unlimited.

func (AuthBackendRoleOutput) TokenPeriod 

func (o AuthBackendRoleOutput) TokenPeriod() pulumi.IntPtrOutput

If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.

func (AuthBackendRoleOutput) TokenPolicies 

func (o AuthBackendRoleOutput) TokenPolicies() pulumi.StringArrayOutput

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

func (AuthBackendRoleOutput) TokenTtl 

func (o AuthBackendRoleOutput) TokenTtl() pulumi.IntPtrOutput

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

func (AuthBackendRoleOutput) TokenType 

func (o AuthBackendRoleOutput) TokenType() pulumi.StringPtrOutput

The type of token that should be generated. Can be `service`, `batch`, or `default` to use the mount's tuned default (which unless changed will be `service` tokens). For token store roles, there are two additional possibilities: `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time.

func (AuthBackendRoleOutput) Type 

func (o AuthBackendRoleOutput) Type() pulumi.StringOutput

Type of GCP authentication role (either `gce` or `iam`)

type AuthBackendRoleState 

type AuthBackendRoleState struct {
	AddGroupAliases pulumi.BoolPtrInput
	// A flag to determine if this role should allow GCE instances to authenticate by inferring service accounts from the GCE identity metadata token.
	AllowGceInference pulumi.BoolPtrInput
	// Path to the mounted GCP auth backend
	Backend pulumi.StringPtrInput
	// The instance groups that an authorized instance must belong to in order to be authenticated. If specified, either `boundZones` or `boundRegions` must be set too.
	BoundInstanceGroups pulumi.StringArrayInput
	// A comma-separated list of GCP labels formatted as `"key:value"` strings that must be set on authorized GCE instances. Because GCP labels are not currently ACL'd, we recommend that this be used in conjunction with other restrictions.
	BoundLabels pulumi.StringArrayInput
	// An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.
	BoundProjects pulumi.StringArrayInput
	// The list of regions that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a regional group and the group must belong to this region. If boundZones are provided, this attribute is ignored.
	BoundRegions pulumi.StringArrayInput
	// GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is `iam`)
	BoundServiceAccounts pulumi.StringArrayInput
	// The list of zones that a GCE instance must belong to in order to be authenticated. If boundInstanceGroups is provided, it is assumed to be a zonal group and the group must belong to this zone.
	BoundZones pulumi.StringArrayInput
	// The number of seconds past the time of authentication that the login param JWT must expire within. For example, if a user attempts to login with a token that expires within an hour and this is set to 15 minutes, Vault will return an error prompting the user to create a new signed JWT with a shorter `exp`. The GCE metadata tokens currently do not allow the `exp` claim to be customized.
	MaxJwtExp pulumi.StringPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Name of the GCP role
	Role pulumi.StringPtrInput
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// The [maximum number](https://www.vaultproject.io/api-docs/gcp#token_num_uses)
	// of times a generated token may be used (within its lifetime); 0 means unlimited.
	TokenNumUses pulumi.IntPtrInput
	// If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput
	// Type of GCP authentication role (either `gce` or `iam`)
	Type pulumi.StringPtrInput
}

func (AuthBackendRoleState) ElementType 

func (AuthBackendRoleState) ElementType() reflect.Type

type AuthBackendState 

type AuthBackendState struct {
	// The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).
	Accessor pulumi.StringPtrInput
	// The clients email associated with the credentials
	ClientEmail pulumi.StringPtrInput
	// The Client ID of the credentials
	ClientId pulumi.StringPtrInput
	// A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.
	Credentials pulumi.StringPtrInput
	// Specifies overrides to
	// [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
	// used when making API requests. This allows specific requests made during authentication
	// to target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)
	// environments. Requires Vault 1.11+.
	//
	// Overrides are set at the subdomain level using the following keys:
	CustomEndpoint AuthBackendCustomEndpointPtrInput
	// A description of the auth method.
	Description pulumi.StringPtrInput
	// If set, opts out of mount migration on path updates.
	// See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
	DisableRemount pulumi.BoolPtrInput
	// Specifies if the auth method is local only.
	Local pulumi.BoolPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// The path to mount the auth method — this defaults to 'gcp'.
	Path pulumi.StringPtrInput
	// The ID of the private key from the credentials
	PrivateKeyId pulumi.StringPtrInput
	// The GCP Project ID
	ProjectId pulumi.StringPtrInput
	// Extra configuration block. Structure is documented below.
	//
	// The `tune` block is used to tune the auth backend:
	Tune AuthBackendTunePtrInput
}

func (AuthBackendState) ElementType 

func (AuthBackendState) ElementType() reflect.Type

type AuthBackendTune 

type AuthBackendTune struct {
	// List of headers to whitelist and allowing
	// a plugin to include them in the response.
	AllowedResponseHeaders []string `pulumi:"allowedResponseHeaders"`
	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the request data object.
	AuditNonHmacRequestKeys []string `pulumi:"auditNonHmacRequestKeys"`
	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the response data object.
	AuditNonHmacResponseKeys []string `pulumi:"auditNonHmacResponseKeys"`
	// Specifies the default time-to-live.
	// If set, this overrides the global default.
	// Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)
	DefaultLeaseTtl *string `pulumi:"defaultLeaseTtl"`
	// Specifies whether to show this mount in
	// the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
	ListingVisibility *string `pulumi:"listingVisibility"`
	// Specifies the maximum time-to-live.
	// If set, this overrides the global default.
	// Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)
	MaxLeaseTtl *string `pulumi:"maxLeaseTtl"`
	// List of headers to whitelist and
	// pass from the request to the backend.
	PassthroughRequestHeaders []string `pulumi:"passthroughRequestHeaders"`
	// Specifies the type of tokens that should be returned by
	// the mount. Valid values are "default-service", "default-batch", "service", "batch".
	//
	// For more details on the usage of each argument consult the [Vault GCP API documentation](https://www.vaultproject.io/api-docs/auth/gcp#configure).
	TokenType *string `pulumi:"tokenType"`
}

type AuthBackendTuneArgs 

type AuthBackendTuneArgs struct {
	// List of headers to whitelist and allowing
	// a plugin to include them in the response.
	AllowedResponseHeaders pulumi.StringArrayInput `pulumi:"allowedResponseHeaders"`
	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the request data object.
	AuditNonHmacRequestKeys pulumi.StringArrayInput `pulumi:"auditNonHmacRequestKeys"`
	// Specifies the list of keys that will
	// not be HMAC'd by audit devices in the response data object.
	AuditNonHmacResponseKeys pulumi.StringArrayInput `pulumi:"auditNonHmacResponseKeys"`
	// Specifies the default time-to-live.
	// If set, this overrides the global default.
	// Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)
	DefaultLeaseTtl pulumi.StringPtrInput `pulumi:"defaultLeaseTtl"`
	// Specifies whether to show this mount in
	// the UI-specific listing endpoint. Valid values are "unauth" or "hidden".
	ListingVisibility pulumi.StringPtrInput `pulumi:"listingVisibility"`
	// Specifies the maximum time-to-live.
	// If set, this overrides the global default.
	// Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)
	MaxLeaseTtl pulumi.StringPtrInput `pulumi:"maxLeaseTtl"`
	// List of headers to whitelist and
	// pass from the request to the backend.
	PassthroughRequestHeaders pulumi.StringArrayInput `pulumi:"passthroughRequestHeaders"`
	// Specifies the type of tokens that should be returned by
	// the mount. Valid values are "default-service", "default-batch", "service", "batch".
	//
	// For more details on the usage of each argument consult the [Vault GCP API documentation](https://www.vaultproject.io/api-docs/auth/gcp#configure).
	TokenType pulumi.StringPtrInput `pulumi:"tokenType"`
}

func (AuthBackendTuneArgs) ElementType 

func (AuthBackendTuneArgs) ElementType() reflect.Type

func (AuthBackendTuneArgs) ToAuthBackendTuneOutput 

func (i AuthBackendTuneArgs) ToAuthBackendTuneOutput() AuthBackendTuneOutput

func (AuthBackendTuneArgs) ToAuthBackendTuneOutputWithContext 

func (i AuthBackendTuneArgs) ToAuthBackendTuneOutputWithContext(ctx context.Context) AuthBackendTuneOutput

func (AuthBackendTuneArgs) ToAuthBackendTunePtrOutput 

func (i AuthBackendTuneArgs) ToAuthBackendTunePtrOutput() AuthBackendTunePtrOutput

func (AuthBackendTuneArgs) ToAuthBackendTunePtrOutputWithContext 

func (i AuthBackendTuneArgs) ToAuthBackendTunePtrOutputWithContext(ctx context.Context) AuthBackendTunePtrOutput

type AuthBackendTuneInput 

type AuthBackendTuneInput interface {
	pulumi.Input

	ToAuthBackendTuneOutput() AuthBackendTuneOutput
	ToAuthBackendTuneOutputWithContext(context.Context) AuthBackendTuneOutput
}

AuthBackendTuneInput is an input type that accepts AuthBackendTuneArgs and AuthBackendTuneOutput values. You can construct a concrete instance of `AuthBackendTuneInput` via: 

AuthBackendTuneArgs{...}

type AuthBackendTuneOutput 

type AuthBackendTuneOutput struct{ *pulumi.OutputState }

func (AuthBackendTuneOutput) AllowedResponseHeaders 

func (o AuthBackendTuneOutput) AllowedResponseHeaders() pulumi.StringArrayOutput

List of headers to whitelist and allowing a plugin to include them in the response.

func (AuthBackendTuneOutput) AuditNonHmacRequestKeys 

func (o AuthBackendTuneOutput) AuditNonHmacRequestKeys() pulumi.StringArrayOutput

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

func (AuthBackendTuneOutput) AuditNonHmacResponseKeys 

func (o AuthBackendTuneOutput) AuditNonHmacResponseKeys() pulumi.StringArrayOutput

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

func (AuthBackendTuneOutput) DefaultLeaseTtl 

func (o AuthBackendTuneOutput) DefaultLeaseTtl() pulumi.StringPtrOutput

Specifies the default time-to-live. If set, this overrides the global default. Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)

func (AuthBackendTuneOutput) ElementType 

func (AuthBackendTuneOutput) ElementType() reflect.Type

func (AuthBackendTuneOutput) ListingVisibility 

func (o AuthBackendTuneOutput) ListingVisibility() pulumi.StringPtrOutput

Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

func (AuthBackendTuneOutput) MaxLeaseTtl 

func (o AuthBackendTuneOutput) MaxLeaseTtl() pulumi.StringPtrOutput

Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)

func (AuthBackendTuneOutput) PassthroughRequestHeaders 

func (o AuthBackendTuneOutput) PassthroughRequestHeaders() pulumi.StringArrayOutput

List of headers to whitelist and pass from the request to the backend.

func (AuthBackendTuneOutput) ToAuthBackendTuneOutput 

func (o AuthBackendTuneOutput) ToAuthBackendTuneOutput() AuthBackendTuneOutput

func (AuthBackendTuneOutput) ToAuthBackendTuneOutputWithContext 

func (o AuthBackendTuneOutput) ToAuthBackendTuneOutputWithContext(ctx context.Context) AuthBackendTuneOutput

func (AuthBackendTuneOutput) ToAuthBackendTunePtrOutput 

func (o AuthBackendTuneOutput) ToAuthBackendTunePtrOutput() AuthBackendTunePtrOutput

func (AuthBackendTuneOutput) ToAuthBackendTunePtrOutputWithContext 

func (o AuthBackendTuneOutput) ToAuthBackendTunePtrOutputWithContext(ctx context.Context) AuthBackendTunePtrOutput

func (AuthBackendTuneOutput) TokenType 

func (o AuthBackendTuneOutput) TokenType() pulumi.StringPtrOutput

Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

For more details on the usage of each argument consult the [Vault GCP API documentation](https://www.vaultproject.io/api-docs/auth/gcp#configure).

type AuthBackendTunePtrInput 

type AuthBackendTunePtrInput interface {
	pulumi.Input

	ToAuthBackendTunePtrOutput() AuthBackendTunePtrOutput
	ToAuthBackendTunePtrOutputWithContext(context.Context) AuthBackendTunePtrOutput
}

AuthBackendTunePtrInput is an input type that accepts AuthBackendTuneArgs, AuthBackendTunePtr and AuthBackendTunePtrOutput values. You can construct a concrete instance of `AuthBackendTunePtrInput` via: 

        AuthBackendTuneArgs{...}

or:

        nil

func AuthBackendTunePtr 

func AuthBackendTunePtr(v *AuthBackendTuneArgs) AuthBackendTunePtrInput

type AuthBackendTunePtrOutput 

type AuthBackendTunePtrOutput struct{ *pulumi.OutputState }

func (AuthBackendTunePtrOutput) AllowedResponseHeaders 

func (o AuthBackendTunePtrOutput) AllowedResponseHeaders() pulumi.StringArrayOutput

List of headers to whitelist and allowing a plugin to include them in the response.

func (AuthBackendTunePtrOutput) AuditNonHmacRequestKeys 

func (o AuthBackendTunePtrOutput) AuditNonHmacRequestKeys() pulumi.StringArrayOutput

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

func (AuthBackendTunePtrOutput) AuditNonHmacResponseKeys 

func (o AuthBackendTunePtrOutput) AuditNonHmacResponseKeys() pulumi.StringArrayOutput

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

func (AuthBackendTunePtrOutput) DefaultLeaseTtl 

func (o AuthBackendTunePtrOutput) DefaultLeaseTtl() pulumi.StringPtrOutput

Specifies the default time-to-live. If set, this overrides the global default. Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)

func (AuthBackendTunePtrOutput) Elem 

func (o AuthBackendTunePtrOutput) Elem() AuthBackendTuneOutput

func (AuthBackendTunePtrOutput) ElementType 

func (AuthBackendTunePtrOutput) ElementType() reflect.Type

func (AuthBackendTunePtrOutput) ListingVisibility 

func (o AuthBackendTunePtrOutput) ListingVisibility() pulumi.StringPtrOutput

Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are "unauth" or "hidden".

func (AuthBackendTunePtrOutput) MaxLeaseTtl 

func (o AuthBackendTunePtrOutput) MaxLeaseTtl() pulumi.StringPtrOutput

Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)

func (AuthBackendTunePtrOutput) PassthroughRequestHeaders 

func (o AuthBackendTunePtrOutput) PassthroughRequestHeaders() pulumi.StringArrayOutput

List of headers to whitelist and pass from the request to the backend.

func (AuthBackendTunePtrOutput) ToAuthBackendTunePtrOutput 

func (o AuthBackendTunePtrOutput) ToAuthBackendTunePtrOutput() AuthBackendTunePtrOutput

func (AuthBackendTunePtrOutput) ToAuthBackendTunePtrOutputWithContext 

func (o AuthBackendTunePtrOutput) ToAuthBackendTunePtrOutputWithContext(ctx context.Context) AuthBackendTunePtrOutput

func (AuthBackendTunePtrOutput) TokenType 

func (o AuthBackendTunePtrOutput) TokenType() pulumi.StringPtrOutput

Specifies the type of tokens that should be returned by the mount. Valid values are "default-service", "default-batch", "service", "batch".

For more details on the usage of each argument consult the [Vault GCP API documentation](https://www.vaultproject.io/api-docs/auth/gcp#configure).

type LookupAuthBackendRoleArgs 

type LookupAuthBackendRoleArgs struct {
	// The unique name for the GCP backend from which to fetch the role. Defaults to "gcp".
	Backend *string `pulumi:"backend"`
	// The namespace of the target resource.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured namespace.
	// *Available only for Vault Enterprise*.
	Namespace *string `pulumi:"namespace"`
	// The name of the role to retrieve the Role ID for.
	RoleName string `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs []string `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl *int `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl *int `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `pulumi:"tokenNoDefaultPolicy"`
	// The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token.
	TokenNumUses *int `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod *int `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies []string `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl *int `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType *string `pulumi:"tokenType"`
}

A collection of arguments for invoking getAuthBackendRole.

type LookupAuthBackendRoleOutputArgs 

type LookupAuthBackendRoleOutputArgs struct {
	// The unique name for the GCP backend from which to fetch the role. Defaults to "gcp".
	Backend pulumi.StringPtrInput `pulumi:"backend"`
	// The namespace of the target resource.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured namespace.
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput `pulumi:"namespace"`
	// The name of the role to retrieve the Role ID for.
	RoleName pulumi.StringInput `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput `pulumi:"tokenNoDefaultPolicy"`
	// The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token.
	TokenNumUses pulumi.IntPtrInput `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput `pulumi:"tokenType"`
}

A collection of arguments for invoking getAuthBackendRole.

func (LookupAuthBackendRoleOutputArgs) ElementType 

func (LookupAuthBackendRoleOutputArgs) ElementType() reflect.Type

type LookupAuthBackendRoleResult 

type LookupAuthBackendRoleResult struct {
	Backend *string `pulumi:"backend"`
	// GCP regions bound to the role. Returned when `type` is `gce`.
	BoundInstanceGroups []string `pulumi:"boundInstanceGroups"`
	// GCP labels bound to the role. Returned when `type` is `gce`.
	BoundLabels []string `pulumi:"boundLabels"`
	// GCP projects bound to the role.
	BoundProjects []string `pulumi:"boundProjects"`
	// GCP regions bound to the role. Returned when `type` is `gce`.
	BoundRegions []string `pulumi:"boundRegions"`
	// GCP service accounts bound to the role. Returned when `type` is `iam`.
	BoundServiceAccounts []string `pulumi:"boundServiceAccounts"`
	// GCP zones bound to the role. Returned when `type` is `gce`.
	BoundZones []string `pulumi:"boundZones"`
	// The provider-assigned unique ID for this managed resource.
	Id        string  `pulumi:"id"`
	Namespace *string `pulumi:"namespace"`
	// The RoleID of the GCP role.
	RoleId   string `pulumi:"roleId"`
	RoleName string `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs []string `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl *int `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl *int `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `pulumi:"tokenNoDefaultPolicy"`
	// The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token.
	TokenNumUses *int `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod *int `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies []string `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl *int `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType *string `pulumi:"tokenType"`
	// Type of GCP role. Expected values are `iam` or `gce`.
	Type string `pulumi:"type"`
}

A collection of values returned by getAuthBackendRole.

func LookupAuthBackendRole 

func LookupAuthBackendRole(ctx *pulumi.Context, args *LookupAuthBackendRoleArgs, opts ...pulumi.InvokeOption) (*LookupAuthBackendRoleResult, error)

Reads a GCP auth role from a Vault server.

## Example Usage

<!--Start PulumiCodeChooser --> ```go package main

import ( 

"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		role, err := gcp.LookupAuthBackendRole(ctx, &gcp.LookupAuthBackendRoleArgs{
			Backend:  pulumi.StringRef("my-gcp-backend"),
			RoleName: "my-role",
		}, nil)
		if err != nil {
			return err
		}
		ctx.Export("role-id", role.RoleId)
		return nil
	})
}

``` <!--End PulumiCodeChooser -->

type LookupAuthBackendRoleResultOutput 

type LookupAuthBackendRoleResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAuthBackendRole.

func LookupAuthBackendRoleOutput 

func LookupAuthBackendRoleOutput(ctx *pulumi.Context, args LookupAuthBackendRoleOutputArgs, opts ...pulumi.InvokeOption) LookupAuthBackendRoleResultOutput

func (LookupAuthBackendRoleResultOutput) Backend 

func (o LookupAuthBackendRoleResultOutput) Backend() pulumi.StringPtrOutput

func (LookupAuthBackendRoleResultOutput) BoundInstanceGroups 

func (o LookupAuthBackendRoleResultOutput) BoundInstanceGroups() pulumi.StringArrayOutput

GCP regions bound to the role. Returned when `type` is `gce`.

func (LookupAuthBackendRoleResultOutput) BoundLabels 

func (o LookupAuthBackendRoleResultOutput) BoundLabels() pulumi.StringArrayOutput

GCP labels bound to the role. Returned when `type` is `gce`.

func (LookupAuthBackendRoleResultOutput) BoundProjects 

func (o LookupAuthBackendRoleResultOutput) BoundProjects() pulumi.StringArrayOutput

GCP projects bound to the role.

func (LookupAuthBackendRoleResultOutput) BoundRegions 

func (o LookupAuthBackendRoleResultOutput) BoundRegions() pulumi.StringArrayOutput

GCP regions bound to the role. Returned when `type` is `gce`.

func (LookupAuthBackendRoleResultOutput) BoundServiceAccounts 

func (o LookupAuthBackendRoleResultOutput) BoundServiceAccounts() pulumi.StringArrayOutput

GCP service accounts bound to the role. Returned when `type` is `iam`.

func (LookupAuthBackendRoleResultOutput) BoundZones 

func (o LookupAuthBackendRoleResultOutput) BoundZones() pulumi.StringArrayOutput

GCP zones bound to the role. Returned when `type` is `gce`.

func (LookupAuthBackendRoleResultOutput) ElementType 

func (LookupAuthBackendRoleResultOutput) ElementType() reflect.Type

func (LookupAuthBackendRoleResultOutput) Id 

func (o LookupAuthBackendRoleResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupAuthBackendRoleResultOutput) Namespace 

func (o LookupAuthBackendRoleResultOutput) Namespace() pulumi.StringPtrOutput

func (LookupAuthBackendRoleResultOutput) RoleId 

func (o LookupAuthBackendRoleResultOutput) RoleId() pulumi.StringOutput

The RoleID of the GCP role.

func (LookupAuthBackendRoleResultOutput) RoleName 

func (o LookupAuthBackendRoleResultOutput) RoleName() pulumi.StringOutput

func (LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutput 

func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutput() LookupAuthBackendRoleResultOutput

func (LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutputWithContext 

func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutputWithContext(ctx context.Context) LookupAuthBackendRoleResultOutput

func (LookupAuthBackendRoleResultOutput) TokenBoundCidrs 

func (o LookupAuthBackendRoleResultOutput) TokenBoundCidrs() pulumi.StringArrayOutput

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

func (LookupAuthBackendRoleResultOutput) TokenExplicitMaxTtl 

func (o LookupAuthBackendRoleResultOutput) TokenExplicitMaxTtl() pulumi.IntPtrOutput

If set, will encode an [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) onto the token in number of seconds. This is a hard cap even if `tokenTtl` and `tokenMaxTtl` would otherwise allow a renewal.

func (LookupAuthBackendRoleResultOutput) TokenMaxTtl 

func (o LookupAuthBackendRoleResultOutput) TokenMaxTtl() pulumi.IntPtrOutput

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

func (LookupAuthBackendRoleResultOutput) TokenNoDefaultPolicy 

func (o LookupAuthBackendRoleResultOutput) TokenNoDefaultPolicy() pulumi.BoolPtrOutput

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

func (LookupAuthBackendRoleResultOutput) TokenNumUses 

func (o LookupAuthBackendRoleResultOutput) TokenNumUses() pulumi.IntPtrOutput

The [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), if any, in number of seconds to set on the token.

func (LookupAuthBackendRoleResultOutput) TokenPeriod 

func (o LookupAuthBackendRoleResultOutput) TokenPeriod() pulumi.IntPtrOutput

(Optional) If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.

func (LookupAuthBackendRoleResultOutput) TokenPolicies 

func (o LookupAuthBackendRoleResultOutput) TokenPolicies() pulumi.StringArrayOutput

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

func (LookupAuthBackendRoleResultOutput) TokenTtl 

func (o LookupAuthBackendRoleResultOutput) TokenTtl() pulumi.IntPtrOutput

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

func (LookupAuthBackendRoleResultOutput) TokenType 

func (o LookupAuthBackendRoleResultOutput) TokenType() pulumi.StringPtrOutput

The type of token that should be generated. Can be `service`, `batch`, or `default` to use the mount's tuned default (which unless changed will be `service` tokens). For token store roles, there are two additional possibilities: `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time.

func (LookupAuthBackendRoleResultOutput) Type 

func (o LookupAuthBackendRoleResultOutput) Type() pulumi.StringOutput

Type of GCP role. Expected values are `iam` or `gce`.

type SecretBackend 

type SecretBackend struct {
	pulumi.CustomResourceState

	// JSON-encoded credentials to use to connect to GCP
	Credentials pulumi.StringPtrOutput `pulumi:"credentials"`
	// The default TTL for credentials
	// issued by this backend. Defaults to '0'.
	DefaultLeaseTtlSeconds pulumi.IntPtrOutput `pulumi:"defaultLeaseTtlSeconds"`
	// A human-friendly description for this backend.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// If set, opts out of mount migration on path updates.
	// See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
	DisableRemount pulumi.BoolPtrOutput `pulumi:"disableRemount"`
	// Boolean flag that can be explicitly set to true to enforce local mount in HA environment
	Local pulumi.BoolPtrOutput `pulumi:"local"`
	// The maximum TTL that can be requested
	// for credentials issued by this backend. Defaults to '0'.
	MaxLeaseTtlSeconds pulumi.IntPtrOutput `pulumi:"maxLeaseTtlSeconds"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// The unique path this backend should be mounted at. Must
	// not begin or end with a `/`. Defaults to `gcp`.
	Path pulumi.StringPtrOutput `pulumi:"path"`
}

## Example Usage

<!--Start PulumiCodeChooser --> ```go package main

import ( 

"os"

"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func readFileOrPanic(path string) pulumi.StringPtrInput {
	data, err := os.ReadFile(path)
	if err != nil {
		panic(err.Error())
	}
	return pulumi.String(string(data))
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
			Credentials: readFileOrPanic("credentials.json"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` <!--End PulumiCodeChooser -->

func GetSecretBackend 

func GetSecretBackend(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *SecretBackendState, opts ...pulumi.ResourceOption) (*SecretBackend, error)

GetSecretBackend gets an existing SecretBackend resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewSecretBackend 

func NewSecretBackend(ctx *pulumi.Context,
	name string, args *SecretBackendArgs, opts ...pulumi.ResourceOption) (*SecretBackend, error)

NewSecretBackend registers a new resource with the given unique name, arguments, and options.

func (*SecretBackend) ElementType 

func (*SecretBackend) ElementType() reflect.Type

func (*SecretBackend) ToSecretBackendOutput 

func (i *SecretBackend) ToSecretBackendOutput() SecretBackendOutput

func (*SecretBackend) ToSecretBackendOutputWithContext 

func (i *SecretBackend) ToSecretBackendOutputWithContext(ctx context.Context) SecretBackendOutput

type SecretBackendArgs 

type SecretBackendArgs struct {
	// JSON-encoded credentials to use to connect to GCP
	Credentials pulumi.StringPtrInput
	// The default TTL for credentials
	// issued by this backend. Defaults to '0'.
	DefaultLeaseTtlSeconds pulumi.IntPtrInput
	// A human-friendly description for this backend.
	Description pulumi.StringPtrInput
	// If set, opts out of mount migration on path updates.
	// See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
	DisableRemount pulumi.BoolPtrInput
	// Boolean flag that can be explicitly set to true to enforce local mount in HA environment
	Local pulumi.BoolPtrInput
	// The maximum TTL that can be requested
	// for credentials issued by this backend. Defaults to '0'.
	MaxLeaseTtlSeconds pulumi.IntPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// The unique path this backend should be mounted at. Must
	// not begin or end with a `/`. Defaults to `gcp`.
	Path pulumi.StringPtrInput
}

The set of arguments for constructing a SecretBackend resource.

func (SecretBackendArgs) ElementType 

func (SecretBackendArgs) ElementType() reflect.Type

type SecretBackendArray 

type SecretBackendArray []SecretBackendInput

func (SecretBackendArray) ElementType 

func (SecretBackendArray) ElementType() reflect.Type

func (SecretBackendArray) ToSecretBackendArrayOutput 

func (i SecretBackendArray) ToSecretBackendArrayOutput() SecretBackendArrayOutput

func (SecretBackendArray) ToSecretBackendArrayOutputWithContext 

func (i SecretBackendArray) ToSecretBackendArrayOutputWithContext(ctx context.Context) SecretBackendArrayOutput

type SecretBackendArrayInput 

type SecretBackendArrayInput interface {
	pulumi.Input

	ToSecretBackendArrayOutput() SecretBackendArrayOutput
	ToSecretBackendArrayOutputWithContext(context.Context) SecretBackendArrayOutput
}

SecretBackendArrayInput is an input type that accepts SecretBackendArray and SecretBackendArrayOutput values. You can construct a concrete instance of `SecretBackendArrayInput` via: 

SecretBackendArray{ SecretBackendArgs{...} }

type SecretBackendArrayOutput 

type SecretBackendArrayOutput struct{ *pulumi.OutputState }

func (SecretBackendArrayOutput) ElementType 

func (SecretBackendArrayOutput) ElementType() reflect.Type

func (SecretBackendArrayOutput) Index 

func (o SecretBackendArrayOutput) Index(i pulumi.IntInput) SecretBackendOutput

func (SecretBackendArrayOutput) ToSecretBackendArrayOutput 

func (o SecretBackendArrayOutput) ToSecretBackendArrayOutput() SecretBackendArrayOutput

func (SecretBackendArrayOutput) ToSecretBackendArrayOutputWithContext 

func (o SecretBackendArrayOutput) ToSecretBackendArrayOutputWithContext(ctx context.Context) SecretBackendArrayOutput

type SecretBackendInput 

type SecretBackendInput interface {
	pulumi.Input

	ToSecretBackendOutput() SecretBackendOutput
	ToSecretBackendOutputWithContext(ctx context.Context) SecretBackendOutput
}

type SecretBackendMap 

type SecretBackendMap map[string]SecretBackendInput

func (SecretBackendMap) ElementType 

func (SecretBackendMap) ElementType() reflect.Type

func (SecretBackendMap) ToSecretBackendMapOutput 

func (i SecretBackendMap) ToSecretBackendMapOutput() SecretBackendMapOutput

func (SecretBackendMap) ToSecretBackendMapOutputWithContext 

func (i SecretBackendMap) ToSecretBackendMapOutputWithContext(ctx context.Context) SecretBackendMapOutput

type SecretBackendMapInput 

type SecretBackendMapInput interface {
	pulumi.Input

	ToSecretBackendMapOutput() SecretBackendMapOutput
	ToSecretBackendMapOutputWithContext(context.Context) SecretBackendMapOutput
}

SecretBackendMapInput is an input type that accepts SecretBackendMap and SecretBackendMapOutput values. You can construct a concrete instance of `SecretBackendMapInput` via: 

SecretBackendMap{ "key": SecretBackendArgs{...} }

type SecretBackendMapOutput 

type SecretBackendMapOutput struct{ *pulumi.OutputState }

func (SecretBackendMapOutput) ElementType 

func (SecretBackendMapOutput) ElementType() reflect.Type

func (SecretBackendMapOutput) MapIndex 

func (o SecretBackendMapOutput) MapIndex(k pulumi.StringInput) SecretBackendOutput

func (SecretBackendMapOutput) ToSecretBackendMapOutput 

func (o SecretBackendMapOutput) ToSecretBackendMapOutput() SecretBackendMapOutput

func (SecretBackendMapOutput) ToSecretBackendMapOutputWithContext 

func (o SecretBackendMapOutput) ToSecretBackendMapOutputWithContext(ctx context.Context) SecretBackendMapOutput

type SecretBackendOutput 

type SecretBackendOutput struct{ *pulumi.OutputState }

func (SecretBackendOutput) Credentials 

func (o SecretBackendOutput) Credentials() pulumi.StringPtrOutput

JSON-encoded credentials to use to connect to GCP

func (SecretBackendOutput) DefaultLeaseTtlSeconds 

func (o SecretBackendOutput) DefaultLeaseTtlSeconds() pulumi.IntPtrOutput

The default TTL for credentials issued by this backend. Defaults to '0'.

func (SecretBackendOutput) Description 

func (o SecretBackendOutput) Description() pulumi.StringPtrOutput

A human-friendly description for this backend.

func (SecretBackendOutput) DisableRemount 

func (o SecretBackendOutput) DisableRemount() pulumi.BoolPtrOutput

If set, opts out of mount migration on path updates. See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)

func (SecretBackendOutput) ElementType 

func (SecretBackendOutput) ElementType() reflect.Type

func (SecretBackendOutput) Local 

func (o SecretBackendOutput) Local() pulumi.BoolPtrOutput

Boolean flag that can be explicitly set to true to enforce local mount in HA environment

func (SecretBackendOutput) MaxLeaseTtlSeconds 

func (o SecretBackendOutput) MaxLeaseTtlSeconds() pulumi.IntPtrOutput

The maximum TTL that can be requested for credentials issued by this backend. Defaults to '0'.

func (SecretBackendOutput) Namespace 

func (o SecretBackendOutput) Namespace() pulumi.StringPtrOutput

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*.

func (SecretBackendOutput) Path 

func (o SecretBackendOutput) Path() pulumi.StringPtrOutput

The unique path this backend should be mounted at. Must not begin or end with a `/`. Defaults to `gcp`.

func (SecretBackendOutput) ToSecretBackendOutput 

func (o SecretBackendOutput) ToSecretBackendOutput() SecretBackendOutput

func (SecretBackendOutput) ToSecretBackendOutputWithContext 

func (o SecretBackendOutput) ToSecretBackendOutputWithContext(ctx context.Context) SecretBackendOutput

type SecretBackendState 

type SecretBackendState struct {
	// JSON-encoded credentials to use to connect to GCP
	Credentials pulumi.StringPtrInput
	// The default TTL for credentials
	// issued by this backend. Defaults to '0'.
	DefaultLeaseTtlSeconds pulumi.IntPtrInput
	// A human-friendly description for this backend.
	Description pulumi.StringPtrInput
	// If set, opts out of mount migration on path updates.
	// See here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)
	DisableRemount pulumi.BoolPtrInput
	// Boolean flag that can be explicitly set to true to enforce local mount in HA environment
	Local pulumi.BoolPtrInput
	// The maximum TTL that can be requested
	// for credentials issued by this backend. Defaults to '0'.
	MaxLeaseTtlSeconds pulumi.IntPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// The unique path this backend should be mounted at. Must
	// not begin or end with a `/`. Defaults to `gcp`.
	Path pulumi.StringPtrInput
}

func (SecretBackendState) ElementType 

func (SecretBackendState) ElementType() reflect.Type

type SecretImpersonatedAccount 

type SecretImpersonatedAccount struct {
	pulumi.CustomResourceState

	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringOutput `pulumi:"backend"`
	// Name of the Impersonated Account to create
	ImpersonatedAccount pulumi.StringOutput `pulumi:"impersonatedAccount"`
	// Target namespace. (requires Enterprise)
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// Email of the GCP service account to impersonate.
	ServiceAccountEmail pulumi.StringOutput `pulumi:"serviceAccountEmail"`
	// Project the service account belongs to.
	ServiceAccountProject pulumi.StringOutput `pulumi:"serviceAccountProject"`
	// List of OAuth scopes to assign to access tokens generated under this impersonated account.
	TokenScopes pulumi.StringArrayOutput `pulumi:"tokenScopes"`
}

Creates a Impersonated Account in the [GCP Secrets Engine](https://www.vaultproject.io/docs/secrets/gcp/index.html) for Vault.

Each [impersonated account](https://www.vaultproject.io/docs/secrets/gcp/index.html#impersonated-accounts) is tied to a separately managed Service Account.

## Example Usage

<!--Start PulumiCodeChooser --> ```go package main

import ( 

"os"

"github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/serviceAccount"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func readFileOrPanic(path string) pulumi.StringPtrInput {
	data, err := os.ReadFile(path)
	if err != nil {
		panic(err.Error())
	}
	return pulumi.String(string(data))
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		this, err := serviceAccount.NewAccount(ctx, "this", &serviceAccount.AccountArgs{
			AccountId: pulumi.String("my-awesome-account"),
		})
		if err != nil {
			return err
		}
		gcp, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
			Path:        pulumi.String("gcp"),
			Credentials: readFileOrPanic("credentials.json"),
		})
		if err != nil {
			return err
		}
		_, err = gcp.NewSecretImpersonatedAccount(ctx, "impersonatedAccount", &gcp.SecretImpersonatedAccountArgs{
			Backend:             gcp.Path,
			ImpersonatedAccount: pulumi.String("this"),
			ServiceAccountEmail: this.Email,
			TokenScopes: pulumi.StringArray{
				pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` <!--End PulumiCodeChooser -->

## Import

A impersonated account can be imported using its Vault Path. For example, referencing the example above,

```sh $ pulumi import vault:gcp/secretImpersonatedAccount:SecretImpersonatedAccount impersonated_account gcp/impersonated-account/project_viewer ```

func GetSecretImpersonatedAccount 

func GetSecretImpersonatedAccount(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *SecretImpersonatedAccountState, opts ...pulumi.ResourceOption) (*SecretImpersonatedAccount, error)

GetSecretImpersonatedAccount gets an existing SecretImpersonatedAccount resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewSecretImpersonatedAccount 

func NewSecretImpersonatedAccount(ctx *pulumi.Context,
	name string, args *SecretImpersonatedAccountArgs, opts ...pulumi.ResourceOption) (*SecretImpersonatedAccount, error)

NewSecretImpersonatedAccount registers a new resource with the given unique name, arguments, and options.

func (*SecretImpersonatedAccount) ElementType 

func (*SecretImpersonatedAccount) ElementType() reflect.Type

func (*SecretImpersonatedAccount) ToSecretImpersonatedAccountOutput 

func (i *SecretImpersonatedAccount) ToSecretImpersonatedAccountOutput() SecretImpersonatedAccountOutput

func (*SecretImpersonatedAccount) ToSecretImpersonatedAccountOutputWithContext 

func (i *SecretImpersonatedAccount) ToSecretImpersonatedAccountOutputWithContext(ctx context.Context) SecretImpersonatedAccountOutput

type SecretImpersonatedAccountArgs 

type SecretImpersonatedAccountArgs struct {
	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringInput
	// Name of the Impersonated Account to create
	ImpersonatedAccount pulumi.StringInput
	// Target namespace. (requires Enterprise)
	Namespace pulumi.StringPtrInput
	// Email of the GCP service account to impersonate.
	ServiceAccountEmail pulumi.StringInput
	// List of OAuth scopes to assign to access tokens generated under this impersonated account.
	TokenScopes pulumi.StringArrayInput
}

The set of arguments for constructing a SecretImpersonatedAccount resource.

func (SecretImpersonatedAccountArgs) ElementType 

func (SecretImpersonatedAccountArgs) ElementType() reflect.Type

type SecretImpersonatedAccountArray 

type SecretImpersonatedAccountArray []SecretImpersonatedAccountInput

func (SecretImpersonatedAccountArray) ElementType 

func (SecretImpersonatedAccountArray) ElementType() reflect.Type

func (SecretImpersonatedAccountArray) ToSecretImpersonatedAccountArrayOutput 

func (i SecretImpersonatedAccountArray) ToSecretImpersonatedAccountArrayOutput() SecretImpersonatedAccountArrayOutput

func (SecretImpersonatedAccountArray) ToSecretImpersonatedAccountArrayOutputWithContext 

func (i SecretImpersonatedAccountArray) ToSecretImpersonatedAccountArrayOutputWithContext(ctx context.Context) SecretImpersonatedAccountArrayOutput

type SecretImpersonatedAccountArrayInput 

type SecretImpersonatedAccountArrayInput interface {
	pulumi.Input

	ToSecretImpersonatedAccountArrayOutput() SecretImpersonatedAccountArrayOutput
	ToSecretImpersonatedAccountArrayOutputWithContext(context.Context) SecretImpersonatedAccountArrayOutput
}

SecretImpersonatedAccountArrayInput is an input type that accepts SecretImpersonatedAccountArray and SecretImpersonatedAccountArrayOutput values. You can construct a concrete instance of `SecretImpersonatedAccountArrayInput` via: 

SecretImpersonatedAccountArray{ SecretImpersonatedAccountArgs{...} }

type SecretImpersonatedAccountArrayOutput 

type SecretImpersonatedAccountArrayOutput struct{ *pulumi.OutputState }

func (SecretImpersonatedAccountArrayOutput) ElementType 

func (SecretImpersonatedAccountArrayOutput) ElementType() reflect.Type

func (SecretImpersonatedAccountArrayOutput) Index 

func (o SecretImpersonatedAccountArrayOutput) Index(i pulumi.IntInput) SecretImpersonatedAccountOutput

func (SecretImpersonatedAccountArrayOutput) ToSecretImpersonatedAccountArrayOutput 

func (o SecretImpersonatedAccountArrayOutput) ToSecretImpersonatedAccountArrayOutput() SecretImpersonatedAccountArrayOutput

func (SecretImpersonatedAccountArrayOutput) ToSecretImpersonatedAccountArrayOutputWithContext 

func (o SecretImpersonatedAccountArrayOutput) ToSecretImpersonatedAccountArrayOutputWithContext(ctx context.Context) SecretImpersonatedAccountArrayOutput

type SecretImpersonatedAccountInput 

type SecretImpersonatedAccountInput interface {
	pulumi.Input

	ToSecretImpersonatedAccountOutput() SecretImpersonatedAccountOutput
	ToSecretImpersonatedAccountOutputWithContext(ctx context.Context) SecretImpersonatedAccountOutput
}

type SecretImpersonatedAccountMap 

type SecretImpersonatedAccountMap map[string]SecretImpersonatedAccountInput

func (SecretImpersonatedAccountMap) ElementType 

func (SecretImpersonatedAccountMap) ElementType() reflect.Type

func (SecretImpersonatedAccountMap) ToSecretImpersonatedAccountMapOutput 

func (i SecretImpersonatedAccountMap) ToSecretImpersonatedAccountMapOutput() SecretImpersonatedAccountMapOutput

func (SecretImpersonatedAccountMap) ToSecretImpersonatedAccountMapOutputWithContext 

func (i SecretImpersonatedAccountMap) ToSecretImpersonatedAccountMapOutputWithContext(ctx context.Context) SecretImpersonatedAccountMapOutput

type SecretImpersonatedAccountMapInput 

type SecretImpersonatedAccountMapInput interface {
	pulumi.Input

	ToSecretImpersonatedAccountMapOutput() SecretImpersonatedAccountMapOutput
	ToSecretImpersonatedAccountMapOutputWithContext(context.Context) SecretImpersonatedAccountMapOutput
}

SecretImpersonatedAccountMapInput is an input type that accepts SecretImpersonatedAccountMap and SecretImpersonatedAccountMapOutput values. You can construct a concrete instance of `SecretImpersonatedAccountMapInput` via: 

SecretImpersonatedAccountMap{ "key": SecretImpersonatedAccountArgs{...} }

type SecretImpersonatedAccountMapOutput 

type SecretImpersonatedAccountMapOutput struct{ *pulumi.OutputState }

func (SecretImpersonatedAccountMapOutput) ElementType 

func (SecretImpersonatedAccountMapOutput) ElementType() reflect.Type

func (SecretImpersonatedAccountMapOutput) MapIndex 

func (o SecretImpersonatedAccountMapOutput) MapIndex(k pulumi.StringInput) SecretImpersonatedAccountOutput

func (SecretImpersonatedAccountMapOutput) ToSecretImpersonatedAccountMapOutput 

func (o SecretImpersonatedAccountMapOutput) ToSecretImpersonatedAccountMapOutput() SecretImpersonatedAccountMapOutput

func (SecretImpersonatedAccountMapOutput) ToSecretImpersonatedAccountMapOutputWithContext 

func (o SecretImpersonatedAccountMapOutput) ToSecretImpersonatedAccountMapOutputWithContext(ctx context.Context) SecretImpersonatedAccountMapOutput

type SecretImpersonatedAccountOutput 

type SecretImpersonatedAccountOutput struct{ *pulumi.OutputState }

func (SecretImpersonatedAccountOutput) Backend 

func (o SecretImpersonatedAccountOutput) Backend() pulumi.StringOutput

Path where the GCP Secrets Engine is mounted

func (SecretImpersonatedAccountOutput) ElementType 

func (SecretImpersonatedAccountOutput) ElementType() reflect.Type

func (SecretImpersonatedAccountOutput) ImpersonatedAccount 

func (o SecretImpersonatedAccountOutput) ImpersonatedAccount() pulumi.StringOutput

Name of the Impersonated Account to create

func (SecretImpersonatedAccountOutput) Namespace 

func (o SecretImpersonatedAccountOutput) Namespace() pulumi.StringPtrOutput

Target namespace. (requires Enterprise)

func (SecretImpersonatedAccountOutput) ServiceAccountEmail 

func (o SecretImpersonatedAccountOutput) ServiceAccountEmail() pulumi.StringOutput

Email of the GCP service account to impersonate.

func (SecretImpersonatedAccountOutput) ServiceAccountProject 

func (o SecretImpersonatedAccountOutput) ServiceAccountProject() pulumi.StringOutput

Project the service account belongs to.

func (SecretImpersonatedAccountOutput) ToSecretImpersonatedAccountOutput 

func (o SecretImpersonatedAccountOutput) ToSecretImpersonatedAccountOutput() SecretImpersonatedAccountOutput

func (SecretImpersonatedAccountOutput) ToSecretImpersonatedAccountOutputWithContext 

func (o SecretImpersonatedAccountOutput) ToSecretImpersonatedAccountOutputWithContext(ctx context.Context) SecretImpersonatedAccountOutput

func (SecretImpersonatedAccountOutput) TokenScopes 

func (o SecretImpersonatedAccountOutput) TokenScopes() pulumi.StringArrayOutput

List of OAuth scopes to assign to access tokens generated under this impersonated account.

type SecretImpersonatedAccountState 

type SecretImpersonatedAccountState struct {
	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringPtrInput
	// Name of the Impersonated Account to create
	ImpersonatedAccount pulumi.StringPtrInput
	// Target namespace. (requires Enterprise)
	Namespace pulumi.StringPtrInput
	// Email of the GCP service account to impersonate.
	ServiceAccountEmail pulumi.StringPtrInput
	// Project the service account belongs to.
	ServiceAccountProject pulumi.StringPtrInput
	// List of OAuth scopes to assign to access tokens generated under this impersonated account.
	TokenScopes pulumi.StringArrayInput
}

func (SecretImpersonatedAccountState) ElementType 

func (SecretImpersonatedAccountState) ElementType() reflect.Type

type SecretRoleset 

type SecretRoleset struct {
	pulumi.CustomResourceState

	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringOutput `pulumi:"backend"`
	// Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
	Bindings SecretRolesetBindingArrayOutput `pulumi:"bindings"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// Name of the GCP project that this roleset's service account will belong to.
	Project pulumi.StringOutput `pulumi:"project"`
	// Name of the Roleset to create
	Roleset pulumi.StringOutput `pulumi:"roleset"`
	// Type of secret generated for this role set. Accepted values: `accessToken`, `serviceAccountKey`. Defaults to `accessToken`.
	SecretType pulumi.StringOutput `pulumi:"secretType"`
	// Email of the service account created by Vault for this Roleset.
	ServiceAccountEmail pulumi.StringOutput `pulumi:"serviceAccountEmail"`
	// List of OAuth scopes to assign to `accessToken` secrets generated under this role set (`accessToken` role sets only).
	TokenScopes pulumi.StringArrayOutput `pulumi:"tokenScopes"`
}

Creates a Roleset in the [GCP Secrets Engine](https://www.vaultproject.io/docs/secrets/gcp/index.html) for Vault.

Each Roleset is [tied](https://www.vaultproject.io/docs/secrets/gcp/index.html#service-accounts-are-tied-to-rolesets) to a Service Account, and can have one or more [bindings](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings) associated with it.

## Example Usage

<!--Start PulumiCodeChooser --> ```go package main

import ( 

"fmt"
"os"

"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func readFileOrPanic(path string) pulumi.StringPtrInput {
	data, err := os.ReadFile(path)
	if err != nil {
		panic(err.Error())
	}
	return pulumi.String(string(data))
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project := "my-awesome-project"
		gcp, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
			Path:        pulumi.String("gcp"),
			Credentials: readFileOrPanic("credentials.json"),
		})
		if err != nil {
			return err
		}
		_, err = gcp.NewSecretRoleset(ctx, "roleset", &gcp.SecretRolesetArgs{
			Backend:    gcp.Path,
			Roleset:    pulumi.String("project_viewer"),
			SecretType: pulumi.String("access_token"),
			Project:    pulumi.String(project),
			TokenScopes: pulumi.StringArray{
				pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
			},
			Bindings: gcp.SecretRolesetBindingArray{
				&gcp.SecretRolesetBindingArgs{
					Resource: pulumi.String(fmt.Sprintf("//cloudresourcemanager.googleapis.com/projects/%v", project)),
					Roles: pulumi.StringArray{
						pulumi.String("roles/viewer"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` <!--End PulumiCodeChooser -->

## Import

A roleset can be imported using its Vault Path. For example, referencing the example above,

```sh $ pulumi import vault:gcp/secretRoleset:SecretRoleset roleset gcp/roleset/project_viewer ```

func GetSecretRoleset 

func GetSecretRoleset(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *SecretRolesetState, opts ...pulumi.ResourceOption) (*SecretRoleset, error)

GetSecretRoleset gets an existing SecretRoleset resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewSecretRoleset 

func NewSecretRoleset(ctx *pulumi.Context,
	name string, args *SecretRolesetArgs, opts ...pulumi.ResourceOption) (*SecretRoleset, error)

NewSecretRoleset registers a new resource with the given unique name, arguments, and options.

func (*SecretRoleset) ElementType 

func (*SecretRoleset) ElementType() reflect.Type

func (*SecretRoleset) ToSecretRolesetOutput 

func (i *SecretRoleset) ToSecretRolesetOutput() SecretRolesetOutput

func (*SecretRoleset) ToSecretRolesetOutputWithContext 

func (i *SecretRoleset) ToSecretRolesetOutputWithContext(ctx context.Context) SecretRolesetOutput

type SecretRolesetArgs 

type SecretRolesetArgs struct {
	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringInput
	// Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
	Bindings SecretRolesetBindingArrayInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Name of the GCP project that this roleset's service account will belong to.
	Project pulumi.StringInput
	// Name of the Roleset to create
	Roleset pulumi.StringInput
	// Type of secret generated for this role set. Accepted values: `accessToken`, `serviceAccountKey`. Defaults to `accessToken`.
	SecretType pulumi.StringPtrInput
	// List of OAuth scopes to assign to `accessToken` secrets generated under this role set (`accessToken` role sets only).
	TokenScopes pulumi.StringArrayInput
}

The set of arguments for constructing a SecretRoleset resource.

func (SecretRolesetArgs) ElementType 

func (SecretRolesetArgs) ElementType() reflect.Type

type SecretRolesetArray 

type SecretRolesetArray []SecretRolesetInput

func (SecretRolesetArray) ElementType 

func (SecretRolesetArray) ElementType() reflect.Type

func (SecretRolesetArray) ToSecretRolesetArrayOutput 

func (i SecretRolesetArray) ToSecretRolesetArrayOutput() SecretRolesetArrayOutput

func (SecretRolesetArray) ToSecretRolesetArrayOutputWithContext 

func (i SecretRolesetArray) ToSecretRolesetArrayOutputWithContext(ctx context.Context) SecretRolesetArrayOutput

type SecretRolesetArrayInput 

type SecretRolesetArrayInput interface {
	pulumi.Input

	ToSecretRolesetArrayOutput() SecretRolesetArrayOutput
	ToSecretRolesetArrayOutputWithContext(context.Context) SecretRolesetArrayOutput
}

SecretRolesetArrayInput is an input type that accepts SecretRolesetArray and SecretRolesetArrayOutput values. You can construct a concrete instance of `SecretRolesetArrayInput` via: 

SecretRolesetArray{ SecretRolesetArgs{...} }

type SecretRolesetArrayOutput 

type SecretRolesetArrayOutput struct{ *pulumi.OutputState }

func (SecretRolesetArrayOutput) ElementType 

func (SecretRolesetArrayOutput) ElementType() reflect.Type

func (SecretRolesetArrayOutput) Index 

func (o SecretRolesetArrayOutput) Index(i pulumi.IntInput) SecretRolesetOutput

func (SecretRolesetArrayOutput) ToSecretRolesetArrayOutput 

func (o SecretRolesetArrayOutput) ToSecretRolesetArrayOutput() SecretRolesetArrayOutput

func (SecretRolesetArrayOutput) ToSecretRolesetArrayOutputWithContext 

func (o SecretRolesetArrayOutput) ToSecretRolesetArrayOutputWithContext(ctx context.Context) SecretRolesetArrayOutput

type SecretRolesetBinding 

type SecretRolesetBinding struct {
	// Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings).
	Resource string `pulumi:"resource"`
	// List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.
	Roles []string `pulumi:"roles"`
}

type SecretRolesetBindingArgs 

type SecretRolesetBindingArgs struct {
	// Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings).
	Resource pulumi.StringInput `pulumi:"resource"`
	// List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.
	Roles pulumi.StringArrayInput `pulumi:"roles"`
}

func (SecretRolesetBindingArgs) ElementType 

func (SecretRolesetBindingArgs) ElementType() reflect.Type

func (SecretRolesetBindingArgs) ToSecretRolesetBindingOutput 

func (i SecretRolesetBindingArgs) ToSecretRolesetBindingOutput() SecretRolesetBindingOutput

func (SecretRolesetBindingArgs) ToSecretRolesetBindingOutputWithContext 

func (i SecretRolesetBindingArgs) ToSecretRolesetBindingOutputWithContext(ctx context.Context) SecretRolesetBindingOutput

type SecretRolesetBindingArray 

type SecretRolesetBindingArray []SecretRolesetBindingInput

func (SecretRolesetBindingArray) ElementType 

func (SecretRolesetBindingArray) ElementType() reflect.Type

func (SecretRolesetBindingArray) ToSecretRolesetBindingArrayOutput 

func (i SecretRolesetBindingArray) ToSecretRolesetBindingArrayOutput() SecretRolesetBindingArrayOutput

func (SecretRolesetBindingArray) ToSecretRolesetBindingArrayOutputWithContext 

func (i SecretRolesetBindingArray) ToSecretRolesetBindingArrayOutputWithContext(ctx context.Context) SecretRolesetBindingArrayOutput

type SecretRolesetBindingArrayInput 

type SecretRolesetBindingArrayInput interface {
	pulumi.Input

	ToSecretRolesetBindingArrayOutput() SecretRolesetBindingArrayOutput
	ToSecretRolesetBindingArrayOutputWithContext(context.Context) SecretRolesetBindingArrayOutput
}

SecretRolesetBindingArrayInput is an input type that accepts SecretRolesetBindingArray and SecretRolesetBindingArrayOutput values. You can construct a concrete instance of `SecretRolesetBindingArrayInput` via: 

SecretRolesetBindingArray{ SecretRolesetBindingArgs{...} }

type SecretRolesetBindingArrayOutput 

type SecretRolesetBindingArrayOutput struct{ *pulumi.OutputState }

func (SecretRolesetBindingArrayOutput) ElementType 

func (SecretRolesetBindingArrayOutput) ElementType() reflect.Type

func (SecretRolesetBindingArrayOutput) Index 

func (o SecretRolesetBindingArrayOutput) Index(i pulumi.IntInput) SecretRolesetBindingOutput

func (SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutput 

func (o SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutput() SecretRolesetBindingArrayOutput

func (SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutputWithContext 

func (o SecretRolesetBindingArrayOutput) ToSecretRolesetBindingArrayOutputWithContext(ctx context.Context) SecretRolesetBindingArrayOutput

type SecretRolesetBindingInput 

type SecretRolesetBindingInput interface {
	pulumi.Input

	ToSecretRolesetBindingOutput() SecretRolesetBindingOutput
	ToSecretRolesetBindingOutputWithContext(context.Context) SecretRolesetBindingOutput
}

SecretRolesetBindingInput is an input type that accepts SecretRolesetBindingArgs and SecretRolesetBindingOutput values. You can construct a concrete instance of `SecretRolesetBindingInput` via: 

SecretRolesetBindingArgs{...}

type SecretRolesetBindingOutput 

type SecretRolesetBindingOutput struct{ *pulumi.OutputState }

func (SecretRolesetBindingOutput) ElementType 

func (SecretRolesetBindingOutput) ElementType() reflect.Type

func (SecretRolesetBindingOutput) Resource 

func (o SecretRolesetBindingOutput) Resource() pulumi.StringOutput

Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings).

func (SecretRolesetBindingOutput) Roles 

func (o SecretRolesetBindingOutput) Roles() pulumi.StringArrayOutput

List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.

func (SecretRolesetBindingOutput) ToSecretRolesetBindingOutput 

func (o SecretRolesetBindingOutput) ToSecretRolesetBindingOutput() SecretRolesetBindingOutput

func (SecretRolesetBindingOutput) ToSecretRolesetBindingOutputWithContext 

func (o SecretRolesetBindingOutput) ToSecretRolesetBindingOutputWithContext(ctx context.Context) SecretRolesetBindingOutput

type SecretRolesetInput 

type SecretRolesetInput interface {
	pulumi.Input

	ToSecretRolesetOutput() SecretRolesetOutput
	ToSecretRolesetOutputWithContext(ctx context.Context) SecretRolesetOutput
}

type SecretRolesetMap 

type SecretRolesetMap map[string]SecretRolesetInput

func (SecretRolesetMap) ElementType 

func (SecretRolesetMap) ElementType() reflect.Type

func (SecretRolesetMap) ToSecretRolesetMapOutput 

func (i SecretRolesetMap) ToSecretRolesetMapOutput() SecretRolesetMapOutput

func (SecretRolesetMap) ToSecretRolesetMapOutputWithContext 

func (i SecretRolesetMap) ToSecretRolesetMapOutputWithContext(ctx context.Context) SecretRolesetMapOutput

type SecretRolesetMapInput 

type SecretRolesetMapInput interface {
	pulumi.Input

	ToSecretRolesetMapOutput() SecretRolesetMapOutput
	ToSecretRolesetMapOutputWithContext(context.Context) SecretRolesetMapOutput
}

SecretRolesetMapInput is an input type that accepts SecretRolesetMap and SecretRolesetMapOutput values. You can construct a concrete instance of `SecretRolesetMapInput` via: 

SecretRolesetMap{ "key": SecretRolesetArgs{...} }

type SecretRolesetMapOutput 

type SecretRolesetMapOutput struct{ *pulumi.OutputState }

func (SecretRolesetMapOutput) ElementType 

func (SecretRolesetMapOutput) ElementType() reflect.Type

func (SecretRolesetMapOutput) MapIndex 

func (o SecretRolesetMapOutput) MapIndex(k pulumi.StringInput) SecretRolesetOutput

func (SecretRolesetMapOutput) ToSecretRolesetMapOutput 

func (o SecretRolesetMapOutput) ToSecretRolesetMapOutput() SecretRolesetMapOutput

func (SecretRolesetMapOutput) ToSecretRolesetMapOutputWithContext 

func (o SecretRolesetMapOutput) ToSecretRolesetMapOutputWithContext(ctx context.Context) SecretRolesetMapOutput

type SecretRolesetOutput 

type SecretRolesetOutput struct{ *pulumi.OutputState }

func (SecretRolesetOutput) Backend 

func (o SecretRolesetOutput) Backend() pulumi.StringOutput

Path where the GCP Secrets Engine is mounted

func (SecretRolesetOutput) Bindings 

func (o SecretRolesetOutput) Bindings() SecretRolesetBindingArrayOutput

Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.

func (SecretRolesetOutput) ElementType 

func (SecretRolesetOutput) ElementType() reflect.Type

func (SecretRolesetOutput) Namespace 

func (o SecretRolesetOutput) Namespace() pulumi.StringPtrOutput

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*.

func (SecretRolesetOutput) Project 

func (o SecretRolesetOutput) Project() pulumi.StringOutput

Name of the GCP project that this roleset's service account will belong to.

func (SecretRolesetOutput) Roleset 

func (o SecretRolesetOutput) Roleset() pulumi.StringOutput

Name of the Roleset to create

func (SecretRolesetOutput) SecretType 

func (o SecretRolesetOutput) SecretType() pulumi.StringOutput

Type of secret generated for this role set. Accepted values: `accessToken`, `serviceAccountKey`. Defaults to `accessToken`.

func (SecretRolesetOutput) ServiceAccountEmail 

func (o SecretRolesetOutput) ServiceAccountEmail() pulumi.StringOutput

Email of the service account created by Vault for this Roleset.

func (SecretRolesetOutput) ToSecretRolesetOutput 

func (o SecretRolesetOutput) ToSecretRolesetOutput() SecretRolesetOutput

func (SecretRolesetOutput) ToSecretRolesetOutputWithContext 

func (o SecretRolesetOutput) ToSecretRolesetOutputWithContext(ctx context.Context) SecretRolesetOutput

func (SecretRolesetOutput) TokenScopes 

func (o SecretRolesetOutput) TokenScopes() pulumi.StringArrayOutput

List of OAuth scopes to assign to `accessToken` secrets generated under this role set (`accessToken` role sets only).

type SecretRolesetState 

type SecretRolesetState struct {
	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringPtrInput
	// Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.
	Bindings SecretRolesetBindingArrayInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Name of the GCP project that this roleset's service account will belong to.
	Project pulumi.StringPtrInput
	// Name of the Roleset to create
	Roleset pulumi.StringPtrInput
	// Type of secret generated for this role set. Accepted values: `accessToken`, `serviceAccountKey`. Defaults to `accessToken`.
	SecretType pulumi.StringPtrInput
	// Email of the service account created by Vault for this Roleset.
	ServiceAccountEmail pulumi.StringPtrInput
	// List of OAuth scopes to assign to `accessToken` secrets generated under this role set (`accessToken` role sets only).
	TokenScopes pulumi.StringArrayInput
}

func (SecretRolesetState) ElementType 

func (SecretRolesetState) ElementType() reflect.Type

type SecretStaticAccount 

type SecretStaticAccount struct {
	pulumi.CustomResourceState

	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringOutput `pulumi:"backend"`
	// Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
	Bindings SecretStaticAccountBindingArrayOutput `pulumi:"bindings"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// Type of secret generated for this static account. Accepted values: `accessToken`, `serviceAccountKey`. Defaults to `accessToken`.
	SecretType pulumi.StringOutput `pulumi:"secretType"`
	// Email of the GCP service account to manage.
	ServiceAccountEmail pulumi.StringOutput `pulumi:"serviceAccountEmail"`
	// Project the service account belongs to.
	ServiceAccountProject pulumi.StringOutput `pulumi:"serviceAccountProject"`
	// Name of the Static Account to create
	StaticAccount pulumi.StringOutput `pulumi:"staticAccount"`
	// List of OAuth scopes to assign to `accessToken` secrets generated under this static account (`accessToken` static accounts only).
	TokenScopes pulumi.StringArrayOutput `pulumi:"tokenScopes"`
}

Creates a Static Account in the [GCP Secrets Engine](https://www.vaultproject.io/docs/secrets/gcp/index.html) for Vault.

Each [static account](https://www.vaultproject.io/docs/secrets/gcp/index.html#static-accounts) is tied to a separately managed Service Account, and can have one or more [bindings](https://www.vaultproject.io/docs/secrets/gcp/index.html#bindings) associated with it.

## Example Usage

<!--Start PulumiCodeChooser --> ```go package main

import ( 

"fmt"
"os"

"github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/serviceAccount"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func readFileOrPanic(path string) pulumi.StringPtrInput {
	data, err := os.ReadFile(path)
	if err != nil {
		panic(err.Error())
	}
	return pulumi.String(string(data))
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		this, err := serviceAccount.NewAccount(ctx, "this", &serviceAccount.AccountArgs{
			AccountId: pulumi.String("my-awesome-account"),
		})
		if err != nil {
			return err
		}
		gcp, err := gcp.NewSecretBackend(ctx, "gcp", &gcp.SecretBackendArgs{
			Path:        pulumi.String("gcp"),
			Credentials: readFileOrPanic("credentials.json"),
		})
		if err != nil {
			return err
		}
		_, err = gcp.NewSecretStaticAccount(ctx, "staticAccount", &gcp.SecretStaticAccountArgs{
			Backend:       gcp.Path,
			StaticAccount: pulumi.String("project_viewer"),
			SecretType:    pulumi.String("access_token"),
			TokenScopes: pulumi.StringArray{
				pulumi.String("https://www.googleapis.com/auth/cloud-platform"),
			},
			ServiceAccountEmail: this.Email,
			Bindings: gcp.SecretStaticAccountBindingArray{
				&gcp.SecretStaticAccountBindingArgs{
					Resource: this.Project.ApplyT(func(project string) (string, error) {
						return fmt.Sprintf("//cloudresourcemanager.googleapis.com/projects/%v", project), nil
					}).(pulumi.StringOutput),
					Roles: pulumi.StringArray{
						pulumi.String("roles/viewer"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

``` <!--End PulumiCodeChooser -->

## Import

A static account can be imported using its Vault Path. For example, referencing the example above,

```sh $ pulumi import vault:gcp/secretStaticAccount:SecretStaticAccount static_account gcp/static-account/project_viewer ```

func GetSecretStaticAccount 

func GetSecretStaticAccount(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *SecretStaticAccountState, opts ...pulumi.ResourceOption) (*SecretStaticAccount, error)

GetSecretStaticAccount gets an existing SecretStaticAccount resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewSecretStaticAccount 

func NewSecretStaticAccount(ctx *pulumi.Context,
	name string, args *SecretStaticAccountArgs, opts ...pulumi.ResourceOption) (*SecretStaticAccount, error)

NewSecretStaticAccount registers a new resource with the given unique name, arguments, and options.

func (*SecretStaticAccount) ElementType 

func (*SecretStaticAccount) ElementType() reflect.Type

func (*SecretStaticAccount) ToSecretStaticAccountOutput 

func (i *SecretStaticAccount) ToSecretStaticAccountOutput() SecretStaticAccountOutput

func (*SecretStaticAccount) ToSecretStaticAccountOutputWithContext 

func (i *SecretStaticAccount) ToSecretStaticAccountOutputWithContext(ctx context.Context) SecretStaticAccountOutput

type SecretStaticAccountArgs 

type SecretStaticAccountArgs struct {
	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringInput
	// Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
	Bindings SecretStaticAccountBindingArrayInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Type of secret generated for this static account. Accepted values: `accessToken`, `serviceAccountKey`. Defaults to `accessToken`.
	SecretType pulumi.StringPtrInput
	// Email of the GCP service account to manage.
	ServiceAccountEmail pulumi.StringInput
	// Name of the Static Account to create
	StaticAccount pulumi.StringInput
	// List of OAuth scopes to assign to `accessToken` secrets generated under this static account (`accessToken` static accounts only).
	TokenScopes pulumi.StringArrayInput
}

The set of arguments for constructing a SecretStaticAccount resource.

func (SecretStaticAccountArgs) ElementType 

func (SecretStaticAccountArgs) ElementType() reflect.Type

type SecretStaticAccountArray 

type SecretStaticAccountArray []SecretStaticAccountInput

func (SecretStaticAccountArray) ElementType 

func (SecretStaticAccountArray) ElementType() reflect.Type

func (SecretStaticAccountArray) ToSecretStaticAccountArrayOutput 

func (i SecretStaticAccountArray) ToSecretStaticAccountArrayOutput() SecretStaticAccountArrayOutput

func (SecretStaticAccountArray) ToSecretStaticAccountArrayOutputWithContext 

func (i SecretStaticAccountArray) ToSecretStaticAccountArrayOutputWithContext(ctx context.Context) SecretStaticAccountArrayOutput

type SecretStaticAccountArrayInput 

type SecretStaticAccountArrayInput interface {
	pulumi.Input

	ToSecretStaticAccountArrayOutput() SecretStaticAccountArrayOutput
	ToSecretStaticAccountArrayOutputWithContext(context.Context) SecretStaticAccountArrayOutput
}

SecretStaticAccountArrayInput is an input type that accepts SecretStaticAccountArray and SecretStaticAccountArrayOutput values. You can construct a concrete instance of `SecretStaticAccountArrayInput` via: 

SecretStaticAccountArray{ SecretStaticAccountArgs{...} }

type SecretStaticAccountArrayOutput 

type SecretStaticAccountArrayOutput struct{ *pulumi.OutputState }

func (SecretStaticAccountArrayOutput) ElementType 

func (SecretStaticAccountArrayOutput) ElementType() reflect.Type

func (SecretStaticAccountArrayOutput) Index 

func (o SecretStaticAccountArrayOutput) Index(i pulumi.IntInput) SecretStaticAccountOutput

func (SecretStaticAccountArrayOutput) ToSecretStaticAccountArrayOutput 

func (o SecretStaticAccountArrayOutput) ToSecretStaticAccountArrayOutput() SecretStaticAccountArrayOutput

func (SecretStaticAccountArrayOutput) ToSecretStaticAccountArrayOutputWithContext 

func (o SecretStaticAccountArrayOutput) ToSecretStaticAccountArrayOutputWithContext(ctx context.Context) SecretStaticAccountArrayOutput

type SecretStaticAccountBinding 

type SecretStaticAccountBinding struct {
	// Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#bindings).
	Resource string `pulumi:"resource"`
	// List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.
	Roles []string `pulumi:"roles"`
}

type SecretStaticAccountBindingArgs 

type SecretStaticAccountBindingArgs struct {
	// Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#bindings).
	Resource pulumi.StringInput `pulumi:"resource"`
	// List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.
	Roles pulumi.StringArrayInput `pulumi:"roles"`
}

func (SecretStaticAccountBindingArgs) ElementType 

func (SecretStaticAccountBindingArgs) ElementType() reflect.Type

func (SecretStaticAccountBindingArgs) ToSecretStaticAccountBindingOutput 

func (i SecretStaticAccountBindingArgs) ToSecretStaticAccountBindingOutput() SecretStaticAccountBindingOutput

func (SecretStaticAccountBindingArgs) ToSecretStaticAccountBindingOutputWithContext 

func (i SecretStaticAccountBindingArgs) ToSecretStaticAccountBindingOutputWithContext(ctx context.Context) SecretStaticAccountBindingOutput

type SecretStaticAccountBindingArray 

type SecretStaticAccountBindingArray []SecretStaticAccountBindingInput

func (SecretStaticAccountBindingArray) ElementType 

func (SecretStaticAccountBindingArray) ElementType() reflect.Type

func (SecretStaticAccountBindingArray) ToSecretStaticAccountBindingArrayOutput 

func (i SecretStaticAccountBindingArray) ToSecretStaticAccountBindingArrayOutput() SecretStaticAccountBindingArrayOutput

func (SecretStaticAccountBindingArray) ToSecretStaticAccountBindingArrayOutputWithContext 

func (i SecretStaticAccountBindingArray) ToSecretStaticAccountBindingArrayOutputWithContext(ctx context.Context) SecretStaticAccountBindingArrayOutput

type SecretStaticAccountBindingArrayInput 

type SecretStaticAccountBindingArrayInput interface {
	pulumi.Input

	ToSecretStaticAccountBindingArrayOutput() SecretStaticAccountBindingArrayOutput
	ToSecretStaticAccountBindingArrayOutputWithContext(context.Context) SecretStaticAccountBindingArrayOutput
}

SecretStaticAccountBindingArrayInput is an input type that accepts SecretStaticAccountBindingArray and SecretStaticAccountBindingArrayOutput values. You can construct a concrete instance of `SecretStaticAccountBindingArrayInput` via: 

SecretStaticAccountBindingArray{ SecretStaticAccountBindingArgs{...} }

type SecretStaticAccountBindingArrayOutput 

type SecretStaticAccountBindingArrayOutput struct{ *pulumi.OutputState }

func (SecretStaticAccountBindingArrayOutput) ElementType 

func (SecretStaticAccountBindingArrayOutput) ElementType() reflect.Type

func (SecretStaticAccountBindingArrayOutput) Index 

func (o SecretStaticAccountBindingArrayOutput) Index(i pulumi.IntInput) SecretStaticAccountBindingOutput

func (SecretStaticAccountBindingArrayOutput) ToSecretStaticAccountBindingArrayOutput 

func (o SecretStaticAccountBindingArrayOutput) ToSecretStaticAccountBindingArrayOutput() SecretStaticAccountBindingArrayOutput

func (SecretStaticAccountBindingArrayOutput) ToSecretStaticAccountBindingArrayOutputWithContext 

func (o SecretStaticAccountBindingArrayOutput) ToSecretStaticAccountBindingArrayOutputWithContext(ctx context.Context) SecretStaticAccountBindingArrayOutput

type SecretStaticAccountBindingInput 

type SecretStaticAccountBindingInput interface {
	pulumi.Input

	ToSecretStaticAccountBindingOutput() SecretStaticAccountBindingOutput
	ToSecretStaticAccountBindingOutputWithContext(context.Context) SecretStaticAccountBindingOutput
}

SecretStaticAccountBindingInput is an input type that accepts SecretStaticAccountBindingArgs and SecretStaticAccountBindingOutput values. You can construct a concrete instance of `SecretStaticAccountBindingInput` via: 

SecretStaticAccountBindingArgs{...}

type SecretStaticAccountBindingOutput 

type SecretStaticAccountBindingOutput struct{ *pulumi.OutputState }

func (SecretStaticAccountBindingOutput) ElementType 

func (SecretStaticAccountBindingOutput) ElementType() reflect.Type

func (SecretStaticAccountBindingOutput) Resource 

func (o SecretStaticAccountBindingOutput) Resource() pulumi.StringOutput

Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#bindings).

func (SecretStaticAccountBindingOutput) Roles 

func (o SecretStaticAccountBindingOutput) Roles() pulumi.StringArrayOutput

List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.

func (SecretStaticAccountBindingOutput) ToSecretStaticAccountBindingOutput 

func (o SecretStaticAccountBindingOutput) ToSecretStaticAccountBindingOutput() SecretStaticAccountBindingOutput

func (SecretStaticAccountBindingOutput) ToSecretStaticAccountBindingOutputWithContext 

func (o SecretStaticAccountBindingOutput) ToSecretStaticAccountBindingOutputWithContext(ctx context.Context) SecretStaticAccountBindingOutput

type SecretStaticAccountInput 

type SecretStaticAccountInput interface {
	pulumi.Input

	ToSecretStaticAccountOutput() SecretStaticAccountOutput
	ToSecretStaticAccountOutputWithContext(ctx context.Context) SecretStaticAccountOutput
}

type SecretStaticAccountMap 

type SecretStaticAccountMap map[string]SecretStaticAccountInput

func (SecretStaticAccountMap) ElementType 

func (SecretStaticAccountMap) ElementType() reflect.Type

func (SecretStaticAccountMap) ToSecretStaticAccountMapOutput 

func (i SecretStaticAccountMap) ToSecretStaticAccountMapOutput() SecretStaticAccountMapOutput

func (SecretStaticAccountMap) ToSecretStaticAccountMapOutputWithContext 

func (i SecretStaticAccountMap) ToSecretStaticAccountMapOutputWithContext(ctx context.Context) SecretStaticAccountMapOutput

type SecretStaticAccountMapInput 

type SecretStaticAccountMapInput interface {
	pulumi.Input

	ToSecretStaticAccountMapOutput() SecretStaticAccountMapOutput
	ToSecretStaticAccountMapOutputWithContext(context.Context) SecretStaticAccountMapOutput
}

SecretStaticAccountMapInput is an input type that accepts SecretStaticAccountMap and SecretStaticAccountMapOutput values. You can construct a concrete instance of `SecretStaticAccountMapInput` via: 

SecretStaticAccountMap{ "key": SecretStaticAccountArgs{...} }

type SecretStaticAccountMapOutput 

type SecretStaticAccountMapOutput struct{ *pulumi.OutputState }

func (SecretStaticAccountMapOutput) ElementType 

func (SecretStaticAccountMapOutput) ElementType() reflect.Type

func (SecretStaticAccountMapOutput) MapIndex 

func (o SecretStaticAccountMapOutput) MapIndex(k pulumi.StringInput) SecretStaticAccountOutput

func (SecretStaticAccountMapOutput) ToSecretStaticAccountMapOutput 

func (o SecretStaticAccountMapOutput) ToSecretStaticAccountMapOutput() SecretStaticAccountMapOutput

func (SecretStaticAccountMapOutput) ToSecretStaticAccountMapOutputWithContext 

func (o SecretStaticAccountMapOutput) ToSecretStaticAccountMapOutputWithContext(ctx context.Context) SecretStaticAccountMapOutput

type SecretStaticAccountOutput 

type SecretStaticAccountOutput struct{ *pulumi.OutputState }

func (SecretStaticAccountOutput) Backend 

func (o SecretStaticAccountOutput) Backend() pulumi.StringOutput

Path where the GCP Secrets Engine is mounted

func (SecretStaticAccountOutput) Bindings 

func (o SecretStaticAccountOutput) Bindings() SecretStaticAccountBindingArrayOutput

Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.

func (SecretStaticAccountOutput) ElementType 

func (SecretStaticAccountOutput) ElementType() reflect.Type

func (SecretStaticAccountOutput) Namespace 

func (o SecretStaticAccountOutput) Namespace() pulumi.StringPtrOutput

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*.

func (SecretStaticAccountOutput) SecretType 

func (o SecretStaticAccountOutput) SecretType() pulumi.StringOutput

Type of secret generated for this static account. Accepted values: `accessToken`, `serviceAccountKey`. Defaults to `accessToken`.

func (SecretStaticAccountOutput) ServiceAccountEmail 

func (o SecretStaticAccountOutput) ServiceAccountEmail() pulumi.StringOutput

Email of the GCP service account to manage.

func (SecretStaticAccountOutput) ServiceAccountProject 

func (o SecretStaticAccountOutput) ServiceAccountProject() pulumi.StringOutput

Project the service account belongs to.

func (SecretStaticAccountOutput) StaticAccount 

func (o SecretStaticAccountOutput) StaticAccount() pulumi.StringOutput

Name of the Static Account to create

func (SecretStaticAccountOutput) ToSecretStaticAccountOutput 

func (o SecretStaticAccountOutput) ToSecretStaticAccountOutput() SecretStaticAccountOutput

func (SecretStaticAccountOutput) ToSecretStaticAccountOutputWithContext 

func (o SecretStaticAccountOutput) ToSecretStaticAccountOutputWithContext(ctx context.Context) SecretStaticAccountOutput

func (SecretStaticAccountOutput) TokenScopes 

func (o SecretStaticAccountOutput) TokenScopes() pulumi.StringArrayOutput

List of OAuth scopes to assign to `accessToken` secrets generated under this static account (`accessToken` static accounts only).

type SecretStaticAccountState 

type SecretStaticAccountState struct {
	// Path where the GCP Secrets Engine is mounted
	Backend pulumi.StringPtrInput
	// Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.
	Bindings SecretStaticAccountBindingArrayInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Type of secret generated for this static account. Accepted values: `accessToken`, `serviceAccountKey`. Defaults to `accessToken`.
	SecretType pulumi.StringPtrInput
	// Email of the GCP service account to manage.
	ServiceAccountEmail pulumi.StringPtrInput
	// Project the service account belongs to.
	ServiceAccountProject pulumi.StringPtrInput
	// Name of the Static Account to create
	StaticAccount pulumi.StringPtrInput
	// List of OAuth scopes to assign to `accessToken` secrets generated under this static account (`accessToken` static accounts only).
	TokenScopes pulumi.StringArrayInput
}

func (SecretStaticAccountState) ElementType 

func (SecretStaticAccountState) ElementType() reflect.Type

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.