kubernetes

package
v6.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 20, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthBackendConfig 

type AuthBackendConfig struct {
	pulumi.CustomResourceState

	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrOutput `pulumi:"backend"`
	// Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableIssValidation pulumi.BoolOutput `pulumi:"disableIssValidation"`
	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableLocalCaJwt pulumi.BoolOutput `pulumi:"disableLocalCaJwt"`
	// JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrOutput `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringOutput `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost pulumi.StringOutput `pulumi:"kubernetesHost"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured namespace.
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayOutput `pulumi:"pemKeys"`
	// A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	TokenReviewerJwt pulumi.StringPtrOutput `pulumi:"tokenReviewerJwt"`
	// Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
	UseAnnotationsAsAliasMetadata pulumi.BoolOutput `pulumi:"useAnnotationsAsAliasMetadata"`
}

Manages an Kubernetes auth backend config in a Vault server. See the [Vault documentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more information.

## Example Usage

```go package main

import ( 

"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		kubernetes, err := vault.NewAuthBackend(ctx, "kubernetes", &vault.AuthBackendArgs{
			Type: pulumi.String("kubernetes"),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewAuthBackendConfig(ctx, "example", &kubernetes.AuthBackendConfigArgs{
			Backend:              kubernetes.Path,
			KubernetesHost:       pulumi.String("http://example.com:443"),
			KubernetesCaCert:     pulumi.String("-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----"),
			TokenReviewerJwt:     pulumi.String("ZXhhbXBsZQo="),
			Issuer:               pulumi.String("api"),
			DisableIssValidation: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Kubernetes authentication backend can be imported using the `path`, e.g.

```sh $ pulumi import vault:kubernetes/authBackendConfig:AuthBackendConfig config auth/kubernetes/config ```

func GetAuthBackendConfig 

func GetAuthBackendConfig(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AuthBackendConfigState, opts ...pulumi.ResourceOption) (*AuthBackendConfig, error)

GetAuthBackendConfig gets an existing AuthBackendConfig resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAuthBackendConfig 

func NewAuthBackendConfig(ctx *pulumi.Context,
	name string, args *AuthBackendConfigArgs, opts ...pulumi.ResourceOption) (*AuthBackendConfig, error)

NewAuthBackendConfig registers a new resource with the given unique name, arguments, and options.

func (*AuthBackendConfig) ElementType 

func (*AuthBackendConfig) ElementType() reflect.Type

func (*AuthBackendConfig) ToAuthBackendConfigOutput 

func (i *AuthBackendConfig) ToAuthBackendConfigOutput() AuthBackendConfigOutput

func (*AuthBackendConfig) ToAuthBackendConfigOutputWithContext 

func (i *AuthBackendConfig) ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput

type AuthBackendConfigArgs 

type AuthBackendConfigArgs struct {
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableIssValidation pulumi.BoolPtrInput
	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableLocalCaJwt pulumi.BoolPtrInput
	// JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrInput
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrInput
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost pulumi.StringInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured namespace.
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayInput
	// A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	TokenReviewerJwt pulumi.StringPtrInput
	// Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
	UseAnnotationsAsAliasMetadata pulumi.BoolPtrInput
}

The set of arguments for constructing a AuthBackendConfig resource.

func (AuthBackendConfigArgs) ElementType 

func (AuthBackendConfigArgs) ElementType() reflect.Type

type AuthBackendConfigArray 

type AuthBackendConfigArray []AuthBackendConfigInput

func (AuthBackendConfigArray) ElementType 

func (AuthBackendConfigArray) ElementType() reflect.Type

func (AuthBackendConfigArray) ToAuthBackendConfigArrayOutput 

func (i AuthBackendConfigArray) ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput

func (AuthBackendConfigArray) ToAuthBackendConfigArrayOutputWithContext 

func (i AuthBackendConfigArray) ToAuthBackendConfigArrayOutputWithContext(ctx context.Context) AuthBackendConfigArrayOutput

type AuthBackendConfigArrayInput 

type AuthBackendConfigArrayInput interface {
	pulumi.Input

	ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput
	ToAuthBackendConfigArrayOutputWithContext(context.Context) AuthBackendConfigArrayOutput
}

AuthBackendConfigArrayInput is an input type that accepts AuthBackendConfigArray and AuthBackendConfigArrayOutput values. You can construct a concrete instance of `AuthBackendConfigArrayInput` via: 

AuthBackendConfigArray{ AuthBackendConfigArgs{...} }

type AuthBackendConfigArrayOutput 

type AuthBackendConfigArrayOutput struct{ *pulumi.OutputState }

func (AuthBackendConfigArrayOutput) ElementType 

func (AuthBackendConfigArrayOutput) ElementType() reflect.Type

func (AuthBackendConfigArrayOutput) Index 

func (o AuthBackendConfigArrayOutput) Index(i pulumi.IntInput) AuthBackendConfigOutput

func (AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutput 

func (o AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutput() AuthBackendConfigArrayOutput

func (AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutputWithContext 

func (o AuthBackendConfigArrayOutput) ToAuthBackendConfigArrayOutputWithContext(ctx context.Context) AuthBackendConfigArrayOutput

type AuthBackendConfigInput 

type AuthBackendConfigInput interface {
	pulumi.Input

	ToAuthBackendConfigOutput() AuthBackendConfigOutput
	ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput
}

type AuthBackendConfigMap 

type AuthBackendConfigMap map[string]AuthBackendConfigInput

func (AuthBackendConfigMap) ElementType 

func (AuthBackendConfigMap) ElementType() reflect.Type

func (AuthBackendConfigMap) ToAuthBackendConfigMapOutput 

func (i AuthBackendConfigMap) ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput

func (AuthBackendConfigMap) ToAuthBackendConfigMapOutputWithContext 

func (i AuthBackendConfigMap) ToAuthBackendConfigMapOutputWithContext(ctx context.Context) AuthBackendConfigMapOutput

type AuthBackendConfigMapInput 

type AuthBackendConfigMapInput interface {
	pulumi.Input

	ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput
	ToAuthBackendConfigMapOutputWithContext(context.Context) AuthBackendConfigMapOutput
}

AuthBackendConfigMapInput is an input type that accepts AuthBackendConfigMap and AuthBackendConfigMapOutput values. You can construct a concrete instance of `AuthBackendConfigMapInput` via: 

AuthBackendConfigMap{ "key": AuthBackendConfigArgs{...} }

type AuthBackendConfigMapOutput 

type AuthBackendConfigMapOutput struct{ *pulumi.OutputState }

func (AuthBackendConfigMapOutput) ElementType 

func (AuthBackendConfigMapOutput) ElementType() reflect.Type

func (AuthBackendConfigMapOutput) MapIndex 

func (o AuthBackendConfigMapOutput) MapIndex(k pulumi.StringInput) AuthBackendConfigOutput

func (AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutput 

func (o AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutput() AuthBackendConfigMapOutput

func (AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutputWithContext 

func (o AuthBackendConfigMapOutput) ToAuthBackendConfigMapOutputWithContext(ctx context.Context) AuthBackendConfigMapOutput

type AuthBackendConfigOutput 

type AuthBackendConfigOutput struct{ *pulumi.OutputState }

func (AuthBackendConfigOutput) Backend 

func (o AuthBackendConfigOutput) Backend() pulumi.StringPtrOutput

Unique name of the kubernetes backend to configure.

func (AuthBackendConfigOutput) DisableIssValidation 

func (o AuthBackendConfigOutput) DisableIssValidation() pulumi.BoolOutput

Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`

func (AuthBackendConfigOutput) DisableLocalCaJwt 

func (o AuthBackendConfigOutput) DisableLocalCaJwt() pulumi.BoolOutput

Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`

func (AuthBackendConfigOutput) ElementType 

func (AuthBackendConfigOutput) ElementType() reflect.Type

func (AuthBackendConfigOutput) Issuer 

func (o AuthBackendConfigOutput) Issuer() pulumi.StringPtrOutput

JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.

func (AuthBackendConfigOutput) KubernetesCaCert 

func (o AuthBackendConfigOutput) KubernetesCaCert() pulumi.StringOutput

PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

func (AuthBackendConfigOutput) KubernetesHost 

func (o AuthBackendConfigOutput) KubernetesHost() pulumi.StringOutput

Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

func (AuthBackendConfigOutput) Namespace 

func (o AuthBackendConfigOutput) Namespace() pulumi.StringPtrOutput

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured namespace. *Available only for Vault Enterprise*.

func (AuthBackendConfigOutput) PemKeys 

func (o AuthBackendConfigOutput) PemKeys() pulumi.StringArrayOutput

List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

func (AuthBackendConfigOutput) ToAuthBackendConfigOutput 

func (o AuthBackendConfigOutput) ToAuthBackendConfigOutput() AuthBackendConfigOutput

func (AuthBackendConfigOutput) ToAuthBackendConfigOutputWithContext 

func (o AuthBackendConfigOutput) ToAuthBackendConfigOutputWithContext(ctx context.Context) AuthBackendConfigOutput

func (AuthBackendConfigOutput) TokenReviewerJwt 

func (o AuthBackendConfigOutput) TokenReviewerJwt() pulumi.StringPtrOutput

A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.

func (AuthBackendConfigOutput) UseAnnotationsAsAliasMetadata added in v6.4.0 

func (o AuthBackendConfigOutput) UseAnnotationsAsAliasMetadata() pulumi.BoolOutput

Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`

type AuthBackendConfigState 

type AuthBackendConfigState struct {
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableIssValidation pulumi.BoolPtrInput
	// Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableLocalCaJwt pulumi.BoolPtrInput
	// JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrInput
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrInput
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost pulumi.StringPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured namespace.
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayInput
	// A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
	TokenReviewerJwt pulumi.StringPtrInput
	// Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
	UseAnnotationsAsAliasMetadata pulumi.BoolPtrInput
}

func (AuthBackendConfigState) ElementType 

func (AuthBackendConfigState) ElementType() reflect.Type

type AuthBackendRole 

type AuthBackendRole struct {
	pulumi.CustomResourceState

	// Configures how identity aliases are generated.
	// Valid choices are: `serviceaccountUid`, `serviceaccountName`. (vault-1.9+)
	AliasNameSource pulumi.StringOutput `pulumi:"aliasNameSource"`
	// Audience claim to verify in the JWT.
	//
	// > Please see [aliasNameSource](https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source)
	// before setting this to something other its default value. There are **important** security
	// implications to be aware of.
	Audience pulumi.StringPtrOutput `pulumi:"audience"`
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrOutput `pulumi:"backend"`
	// List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and boundServiceAccountNamespaces can not be "*".
	BoundServiceAccountNames pulumi.StringArrayOutput `pulumi:"boundServiceAccountNames"`
	// List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and boundServiceAccountNames can not be set to "*".
	BoundServiceAccountNamespaces pulumi.StringArrayOutput `pulumi:"boundServiceAccountNamespaces"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// Name of the role.
	RoleName pulumi.StringOutput `pulumi:"roleName"`
	// Specifies the blocks of IP addresses which are allowed to use the generated token
	TokenBoundCidrs pulumi.StringArrayOutput `pulumi:"tokenBoundCidrs"`
	// Generated Token's Explicit Maximum TTL in seconds
	TokenExplicitMaxTtl pulumi.IntPtrOutput `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime of the generated token
	TokenMaxTtl pulumi.IntPtrOutput `pulumi:"tokenMaxTtl"`
	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy pulumi.BoolPtrOutput `pulumi:"tokenNoDefaultPolicy"`
	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses pulumi.IntPtrOutput `pulumi:"tokenNumUses"`
	// Generated Token's Period
	TokenPeriod pulumi.IntPtrOutput `pulumi:"tokenPeriod"`
	// Generated Token's Policies
	TokenPolicies pulumi.StringArrayOutput `pulumi:"tokenPolicies"`
	// The initial ttl of the token to generate in seconds
	TokenTtl pulumi.IntPtrOutput `pulumi:"tokenTtl"`
	// The type of token to generate, service or batch
	TokenType pulumi.StringPtrOutput `pulumi:"tokenType"`
}

Manages an Kubernetes auth backend role in a Vault server. See the [Vault documentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more information.

## Example Usage

```go package main

import ( 

"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		kubernetes, err := vault.NewAuthBackend(ctx, "kubernetes", &vault.AuthBackendArgs{
			Type: pulumi.String("kubernetes"),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewAuthBackendRole(ctx, "example", &kubernetes.AuthBackendRoleArgs{
			Backend:  kubernetes.Path,
			RoleName: pulumi.String("example-role"),
			BoundServiceAccountNames: pulumi.StringArray{
				pulumi.String("example"),
			},
			BoundServiceAccountNamespaces: pulumi.StringArray{
				pulumi.String("example"),
			},
			TokenTtl: pulumi.Int(3600),
			TokenPolicies: pulumi.StringArray{
				pulumi.String("default"),
				pulumi.String("dev"),
				pulumi.String("prod"),
			},
			Audience: pulumi.String("vault"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Kubernetes auth backend role can be imported using the `path`, e.g.

```sh $ pulumi import vault:kubernetes/authBackendRole:AuthBackendRole foo auth/kubernetes/role/foo ```

func GetAuthBackendRole 

func GetAuthBackendRole(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AuthBackendRoleState, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)

GetAuthBackendRole gets an existing AuthBackendRole resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAuthBackendRole 

func NewAuthBackendRole(ctx *pulumi.Context,
	name string, args *AuthBackendRoleArgs, opts ...pulumi.ResourceOption) (*AuthBackendRole, error)

NewAuthBackendRole registers a new resource with the given unique name, arguments, and options.

func (*AuthBackendRole) ElementType 

func (*AuthBackendRole) ElementType() reflect.Type

func (*AuthBackendRole) ToAuthBackendRoleOutput 

func (i *AuthBackendRole) ToAuthBackendRoleOutput() AuthBackendRoleOutput

func (*AuthBackendRole) ToAuthBackendRoleOutputWithContext 

func (i *AuthBackendRole) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput

type AuthBackendRoleArgs 

type AuthBackendRoleArgs struct {
	// Configures how identity aliases are generated.
	// Valid choices are: `serviceaccountUid`, `serviceaccountName`. (vault-1.9+)
	AliasNameSource pulumi.StringPtrInput
	// Audience claim to verify in the JWT.
	//
	// > Please see [aliasNameSource](https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source)
	// before setting this to something other its default value. There are **important** security
	// implications to be aware of.
	Audience pulumi.StringPtrInput
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and boundServiceAccountNamespaces can not be "*".
	BoundServiceAccountNames pulumi.StringArrayInput
	// List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and boundServiceAccountNames can not be set to "*".
	BoundServiceAccountNamespaces pulumi.StringArrayInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Name of the role.
	RoleName pulumi.StringInput
	// Specifies the blocks of IP addresses which are allowed to use the generated token
	TokenBoundCidrs pulumi.StringArrayInput
	// Generated Token's Explicit Maximum TTL in seconds
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime of the generated token
	TokenMaxTtl pulumi.IntPtrInput
	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses pulumi.IntPtrInput
	// Generated Token's Period
	TokenPeriod pulumi.IntPtrInput
	// Generated Token's Policies
	TokenPolicies pulumi.StringArrayInput
	// The initial ttl of the token to generate in seconds
	TokenTtl pulumi.IntPtrInput
	// The type of token to generate, service or batch
	TokenType pulumi.StringPtrInput
}

The set of arguments for constructing a AuthBackendRole resource.

func (AuthBackendRoleArgs) ElementType 

func (AuthBackendRoleArgs) ElementType() reflect.Type

type AuthBackendRoleArray 

type AuthBackendRoleArray []AuthBackendRoleInput

func (AuthBackendRoleArray) ElementType 

func (AuthBackendRoleArray) ElementType() reflect.Type

func (AuthBackendRoleArray) ToAuthBackendRoleArrayOutput 

func (i AuthBackendRoleArray) ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput

func (AuthBackendRoleArray) ToAuthBackendRoleArrayOutputWithContext 

func (i AuthBackendRoleArray) ToAuthBackendRoleArrayOutputWithContext(ctx context.Context) AuthBackendRoleArrayOutput

type AuthBackendRoleArrayInput 

type AuthBackendRoleArrayInput interface {
	pulumi.Input

	ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput
	ToAuthBackendRoleArrayOutputWithContext(context.Context) AuthBackendRoleArrayOutput
}

AuthBackendRoleArrayInput is an input type that accepts AuthBackendRoleArray and AuthBackendRoleArrayOutput values. You can construct a concrete instance of `AuthBackendRoleArrayInput` via: 

AuthBackendRoleArray{ AuthBackendRoleArgs{...} }

type AuthBackendRoleArrayOutput 

type AuthBackendRoleArrayOutput struct{ *pulumi.OutputState }

func (AuthBackendRoleArrayOutput) ElementType 

func (AuthBackendRoleArrayOutput) ElementType() reflect.Type

func (AuthBackendRoleArrayOutput) Index 

func (o AuthBackendRoleArrayOutput) Index(i pulumi.IntInput) AuthBackendRoleOutput

func (AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutput 

func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutput() AuthBackendRoleArrayOutput

func (AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutputWithContext 

func (o AuthBackendRoleArrayOutput) ToAuthBackendRoleArrayOutputWithContext(ctx context.Context) AuthBackendRoleArrayOutput

type AuthBackendRoleInput 

type AuthBackendRoleInput interface {
	pulumi.Input

	ToAuthBackendRoleOutput() AuthBackendRoleOutput
	ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput
}

type AuthBackendRoleMap 

type AuthBackendRoleMap map[string]AuthBackendRoleInput

func (AuthBackendRoleMap) ElementType 

func (AuthBackendRoleMap) ElementType() reflect.Type

func (AuthBackendRoleMap) ToAuthBackendRoleMapOutput 

func (i AuthBackendRoleMap) ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput

func (AuthBackendRoleMap) ToAuthBackendRoleMapOutputWithContext 

func (i AuthBackendRoleMap) ToAuthBackendRoleMapOutputWithContext(ctx context.Context) AuthBackendRoleMapOutput

type AuthBackendRoleMapInput 

type AuthBackendRoleMapInput interface {
	pulumi.Input

	ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput
	ToAuthBackendRoleMapOutputWithContext(context.Context) AuthBackendRoleMapOutput
}

AuthBackendRoleMapInput is an input type that accepts AuthBackendRoleMap and AuthBackendRoleMapOutput values. You can construct a concrete instance of `AuthBackendRoleMapInput` via: 

AuthBackendRoleMap{ "key": AuthBackendRoleArgs{...} }

type AuthBackendRoleMapOutput 

type AuthBackendRoleMapOutput struct{ *pulumi.OutputState }

func (AuthBackendRoleMapOutput) ElementType 

func (AuthBackendRoleMapOutput) ElementType() reflect.Type

func (AuthBackendRoleMapOutput) MapIndex 

func (o AuthBackendRoleMapOutput) MapIndex(k pulumi.StringInput) AuthBackendRoleOutput

func (AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutput 

func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutput() AuthBackendRoleMapOutput

func (AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutputWithContext 

func (o AuthBackendRoleMapOutput) ToAuthBackendRoleMapOutputWithContext(ctx context.Context) AuthBackendRoleMapOutput

type AuthBackendRoleOutput 

type AuthBackendRoleOutput struct{ *pulumi.OutputState }

func (AuthBackendRoleOutput) AliasNameSource 

func (o AuthBackendRoleOutput) AliasNameSource() pulumi.StringOutput

Configures how identity aliases are generated. Valid choices are: `serviceaccountUid`, `serviceaccountName`. (vault-1.9+)

func (AuthBackendRoleOutput) Audience 

func (o AuthBackendRoleOutput) Audience() pulumi.StringPtrOutput

Audience claim to verify in the JWT.

> Please see [aliasNameSource](https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source) before setting this to something other its default value. There are **important** security implications to be aware of.

func (AuthBackendRoleOutput) Backend 

func (o AuthBackendRoleOutput) Backend() pulumi.StringPtrOutput

Unique name of the kubernetes backend to configure.

func (AuthBackendRoleOutput) BoundServiceAccountNames 

func (o AuthBackendRoleOutput) BoundServiceAccountNames() pulumi.StringArrayOutput

List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and boundServiceAccountNamespaces can not be "*".

func (AuthBackendRoleOutput) BoundServiceAccountNamespaces 

func (o AuthBackendRoleOutput) BoundServiceAccountNamespaces() pulumi.StringArrayOutput

List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and boundServiceAccountNames can not be set to "*".

func (AuthBackendRoleOutput) ElementType 

func (AuthBackendRoleOutput) ElementType() reflect.Type

func (AuthBackendRoleOutput) Namespace 

func (o AuthBackendRoleOutput) Namespace() pulumi.StringPtrOutput

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*.

func (AuthBackendRoleOutput) RoleName 

func (o AuthBackendRoleOutput) RoleName() pulumi.StringOutput

Name of the role.

func (AuthBackendRoleOutput) ToAuthBackendRoleOutput 

func (o AuthBackendRoleOutput) ToAuthBackendRoleOutput() AuthBackendRoleOutput

func (AuthBackendRoleOutput) ToAuthBackendRoleOutputWithContext 

func (o AuthBackendRoleOutput) ToAuthBackendRoleOutputWithContext(ctx context.Context) AuthBackendRoleOutput

func (AuthBackendRoleOutput) TokenBoundCidrs 

func (o AuthBackendRoleOutput) TokenBoundCidrs() pulumi.StringArrayOutput

Specifies the blocks of IP addresses which are allowed to use the generated token

func (AuthBackendRoleOutput) TokenExplicitMaxTtl 

func (o AuthBackendRoleOutput) TokenExplicitMaxTtl() pulumi.IntPtrOutput

Generated Token's Explicit Maximum TTL in seconds

func (AuthBackendRoleOutput) TokenMaxTtl 

func (o AuthBackendRoleOutput) TokenMaxTtl() pulumi.IntPtrOutput

The maximum lifetime of the generated token

func (AuthBackendRoleOutput) TokenNoDefaultPolicy 

func (o AuthBackendRoleOutput) TokenNoDefaultPolicy() pulumi.BoolPtrOutput

If true, the 'default' policy will not automatically be added to generated tokens

func (AuthBackendRoleOutput) TokenNumUses 

func (o AuthBackendRoleOutput) TokenNumUses() pulumi.IntPtrOutput

The maximum number of times a token may be used, a value of zero means unlimited

func (AuthBackendRoleOutput) TokenPeriod 

func (o AuthBackendRoleOutput) TokenPeriod() pulumi.IntPtrOutput

Generated Token's Period

func (AuthBackendRoleOutput) TokenPolicies 

func (o AuthBackendRoleOutput) TokenPolicies() pulumi.StringArrayOutput

Generated Token's Policies

func (AuthBackendRoleOutput) TokenTtl 

func (o AuthBackendRoleOutput) TokenTtl() pulumi.IntPtrOutput

The initial ttl of the token to generate in seconds

func (AuthBackendRoleOutput) TokenType 

func (o AuthBackendRoleOutput) TokenType() pulumi.StringPtrOutput

The type of token to generate, service or batch

type AuthBackendRoleState 

type AuthBackendRoleState struct {
	// Configures how identity aliases are generated.
	// Valid choices are: `serviceaccountUid`, `serviceaccountName`. (vault-1.9+)
	AliasNameSource pulumi.StringPtrInput
	// Audience claim to verify in the JWT.
	//
	// > Please see [aliasNameSource](https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source)
	// before setting this to something other its default value. There are **important** security
	// implications to be aware of.
	Audience pulumi.StringPtrInput
	// Unique name of the kubernetes backend to configure.
	Backend pulumi.StringPtrInput
	// List of service account names able to access this role. If set to `["*"]` all names are allowed, both this and boundServiceAccountNamespaces can not be "*".
	BoundServiceAccountNames pulumi.StringArrayInput
	// List of namespaces allowed to access this role. If set to `["*"]` all namespaces are allowed, both this and boundServiceAccountNames can not be set to "*".
	BoundServiceAccountNamespaces pulumi.StringArrayInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Name of the role.
	RoleName pulumi.StringPtrInput
	// Specifies the blocks of IP addresses which are allowed to use the generated token
	TokenBoundCidrs pulumi.StringArrayInput
	// Generated Token's Explicit Maximum TTL in seconds
	TokenExplicitMaxTtl pulumi.IntPtrInput
	// The maximum lifetime of the generated token
	TokenMaxTtl pulumi.IntPtrInput
	// If true, the 'default' policy will not automatically be added to generated tokens
	TokenNoDefaultPolicy pulumi.BoolPtrInput
	// The maximum number of times a token may be used, a value of zero means unlimited
	TokenNumUses pulumi.IntPtrInput
	// Generated Token's Period
	TokenPeriod pulumi.IntPtrInput
	// Generated Token's Policies
	TokenPolicies pulumi.StringArrayInput
	// The initial ttl of the token to generate in seconds
	TokenTtl pulumi.IntPtrInput
	// The type of token to generate, service or batch
	TokenType pulumi.StringPtrInput
}

func (AuthBackendRoleState) ElementType 

func (AuthBackendRoleState) ElementType() reflect.Type

type GetServiceAccountTokenArgs 

type GetServiceAccountTokenArgs struct {
	// The Kubernetes secret backend to generate service account
	// tokens from.
	Backend string `pulumi:"backend"`
	// If true, generate a ClusterRoleBinding to grant
	// permissions across the whole cluster instead of within a namespace.
	ClusterRoleBinding *bool `pulumi:"clusterRoleBinding"`
	// The name of the Kubernetes namespace in which to
	// generate the credentials.
	KubernetesNamespace string `pulumi:"kubernetesNamespace"`
	// The namespace of the target resource.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace *string `pulumi:"namespace"`
	// The name of the Kubernetes secret backend role to generate service
	// account tokens from.
	Role string `pulumi:"role"`
	// The TTL of the generated Kubernetes service account token, specified in
	// seconds or as a Go duration format string.
	Ttl *string `pulumi:"ttl"`
}

A collection of arguments for invoking getServiceAccountToken.

type GetServiceAccountTokenOutputArgs 

type GetServiceAccountTokenOutputArgs struct {
	// The Kubernetes secret backend to generate service account
	// tokens from.
	Backend pulumi.StringInput `pulumi:"backend"`
	// If true, generate a ClusterRoleBinding to grant
	// permissions across the whole cluster instead of within a namespace.
	ClusterRoleBinding pulumi.BoolPtrInput `pulumi:"clusterRoleBinding"`
	// The name of the Kubernetes namespace in which to
	// generate the credentials.
	KubernetesNamespace pulumi.StringInput `pulumi:"kubernetesNamespace"`
	// The namespace of the target resource.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput `pulumi:"namespace"`
	// The name of the Kubernetes secret backend role to generate service
	// account tokens from.
	Role pulumi.StringInput `pulumi:"role"`
	// The TTL of the generated Kubernetes service account token, specified in
	// seconds or as a Go duration format string.
	Ttl pulumi.StringPtrInput `pulumi:"ttl"`
}

A collection of arguments for invoking getServiceAccountToken.

func (GetServiceAccountTokenOutputArgs) ElementType 

func (GetServiceAccountTokenOutputArgs) ElementType() reflect.Type

type GetServiceAccountTokenResult 

type GetServiceAccountTokenResult struct {
	Backend            string `pulumi:"backend"`
	ClusterRoleBinding *bool  `pulumi:"clusterRoleBinding"`
	// The provider-assigned unique ID for this managed resource.
	Id                  string `pulumi:"id"`
	KubernetesNamespace string `pulumi:"kubernetesNamespace"`
	// The duration of the lease in seconds.
	LeaseDuration int `pulumi:"leaseDuration"`
	// The lease identifier assigned by Vault.
	LeaseId string `pulumi:"leaseId"`
	// True if the duration of this lease can be extended through renewal.
	LeaseRenewable bool    `pulumi:"leaseRenewable"`
	Namespace      *string `pulumi:"namespace"`
	Role           string  `pulumi:"role"`
	// The name of the service account associated with the token.
	ServiceAccountName string `pulumi:"serviceAccountName"`
	// The Kubernetes namespace that the service account resides in.
	ServiceAccountNamespace string `pulumi:"serviceAccountNamespace"`
	// The Kubernetes service account token.
	ServiceAccountToken string  `pulumi:"serviceAccountToken"`
	Ttl                 *string `pulumi:"ttl"`
}

A collection of values returned by getServiceAccountToken.

func GetServiceAccountToken 

func GetServiceAccountToken(ctx *pulumi.Context, args *GetServiceAccountTokenArgs, opts ...pulumi.InvokeOption) (*GetServiceAccountTokenResult, error)

## Example Usage

```go package main

import ( 

"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(invokeFile.Result),
			ServiceAccountJwt: pulumi.String(invokeFile1.Result),
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		role, err := kubernetes.NewSecretBackendRole(ctx, "role", &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			TokenMaxTtl:        pulumi.Int(43200),
			TokenDefaultTtl:    pulumi.Int(21600),
			ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		})
		if err != nil {
			return err
		}
		_ = kubernetes.GetServiceAccountTokenOutput(ctx, kubernetes.GetServiceAccountTokenOutputArgs{
			Backend:             config.Path,
			Role:                role.Name,
			KubernetesNamespace: pulumi.String("test"),
			ClusterRoleBinding:  pulumi.Bool(false),
			Ttl:                 pulumi.String("1h"),
		}, nil)
		return nil
	})
}

```

type GetServiceAccountTokenResultOutput 

type GetServiceAccountTokenResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getServiceAccountToken.

func GetServiceAccountTokenOutput 

func GetServiceAccountTokenOutput(ctx *pulumi.Context, args GetServiceAccountTokenOutputArgs, opts ...pulumi.InvokeOption) GetServiceAccountTokenResultOutput

func (GetServiceAccountTokenResultOutput) Backend 

func (o GetServiceAccountTokenResultOutput) Backend() pulumi.StringOutput

func (GetServiceAccountTokenResultOutput) ClusterRoleBinding 

func (o GetServiceAccountTokenResultOutput) ClusterRoleBinding() pulumi.BoolPtrOutput

func (GetServiceAccountTokenResultOutput) ElementType 

func (GetServiceAccountTokenResultOutput) ElementType() reflect.Type

func (GetServiceAccountTokenResultOutput) Id 

func (o GetServiceAccountTokenResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (GetServiceAccountTokenResultOutput) KubernetesNamespace 

func (o GetServiceAccountTokenResultOutput) KubernetesNamespace() pulumi.StringOutput

func (GetServiceAccountTokenResultOutput) LeaseDuration 

func (o GetServiceAccountTokenResultOutput) LeaseDuration() pulumi.IntOutput

The duration of the lease in seconds.

func (GetServiceAccountTokenResultOutput) LeaseId 

func (o GetServiceAccountTokenResultOutput) LeaseId() pulumi.StringOutput

The lease identifier assigned by Vault.

func (GetServiceAccountTokenResultOutput) LeaseRenewable 

func (o GetServiceAccountTokenResultOutput) LeaseRenewable() pulumi.BoolOutput

True if the duration of this lease can be extended through renewal.

func (GetServiceAccountTokenResultOutput) Namespace 

func (o GetServiceAccountTokenResultOutput) Namespace() pulumi.StringPtrOutput

func (GetServiceAccountTokenResultOutput) Role 

func (o GetServiceAccountTokenResultOutput) Role() pulumi.StringOutput

func (GetServiceAccountTokenResultOutput) ServiceAccountName 

func (o GetServiceAccountTokenResultOutput) ServiceAccountName() pulumi.StringOutput

The name of the service account associated with the token.

func (GetServiceAccountTokenResultOutput) ServiceAccountNamespace 

func (o GetServiceAccountTokenResultOutput) ServiceAccountNamespace() pulumi.StringOutput

The Kubernetes namespace that the service account resides in.

func (GetServiceAccountTokenResultOutput) ServiceAccountToken 

func (o GetServiceAccountTokenResultOutput) ServiceAccountToken() pulumi.StringOutput

The Kubernetes service account token.

func (GetServiceAccountTokenResultOutput) ToGetServiceAccountTokenResultOutput 

func (o GetServiceAccountTokenResultOutput) ToGetServiceAccountTokenResultOutput() GetServiceAccountTokenResultOutput

func (GetServiceAccountTokenResultOutput) ToGetServiceAccountTokenResultOutputWithContext 

func (o GetServiceAccountTokenResultOutput) ToGetServiceAccountTokenResultOutputWithContext(ctx context.Context) GetServiceAccountTokenResultOutput

func (GetServiceAccountTokenResultOutput) Ttl 

func (o GetServiceAccountTokenResultOutput) Ttl() pulumi.StringPtrOutput

type LookupAuthBackendConfigArgs 

type LookupAuthBackendConfigArgs struct {
	// The unique name for the Kubernetes backend the config to
	// retrieve Role attributes for resides in. Defaults to "kubernetes".
	Backend *string `pulumi:"backend"`
	// (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableIssValidation *bool `pulumi:"disableIssValidation"`
	// (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableLocalCaJwt *bool `pulumi:"disableLocalCaJwt"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer *string `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert *string `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost *string `pulumi:"kubernetesHost"`
	// The namespace of the target resource.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured namespace.
	// *Available only for Vault Enterprise*.
	Namespace *string `pulumi:"namespace"`
	// Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys []string `pulumi:"pemKeys"`
	// (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
	UseAnnotationsAsAliasMetadata *bool `pulumi:"useAnnotationsAsAliasMetadata"`
}

A collection of arguments for invoking getAuthBackendConfig.

type LookupAuthBackendConfigOutputArgs 

type LookupAuthBackendConfigOutputArgs struct {
	// The unique name for the Kubernetes backend the config to
	// retrieve Role attributes for resides in. Defaults to "kubernetes".
	Backend pulumi.StringPtrInput `pulumi:"backend"`
	// (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableIssValidation pulumi.BoolPtrInput `pulumi:"disableIssValidation"`
	// (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableLocalCaJwt pulumi.BoolPtrInput `pulumi:"disableLocalCaJwt"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer pulumi.StringPtrInput `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert pulumi.StringPtrInput `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost pulumi.StringPtrInput `pulumi:"kubernetesHost"`
	// The namespace of the target resource.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured namespace.
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput `pulumi:"namespace"`
	// Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys pulumi.StringArrayInput `pulumi:"pemKeys"`
	// (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
	UseAnnotationsAsAliasMetadata pulumi.BoolPtrInput `pulumi:"useAnnotationsAsAliasMetadata"`
}

A collection of arguments for invoking getAuthBackendConfig.

func (LookupAuthBackendConfigOutputArgs) ElementType 

func (LookupAuthBackendConfigOutputArgs) ElementType() reflect.Type

type LookupAuthBackendConfigResult 

type LookupAuthBackendConfigResult struct {
	Backend *string `pulumi:"backend"`
	// (Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableIssValidation bool `pulumi:"disableIssValidation"`
	// (Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`
	DisableLocalCaJwt bool `pulumi:"disableLocalCaJwt"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.
	Issuer string `pulumi:"issuer"`
	// PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.
	KubernetesCaCert string `pulumi:"kubernetesCaCert"`
	// Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.
	KubernetesHost string  `pulumi:"kubernetesHost"`
	Namespace      *string `pulumi:"namespace"`
	// Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.
	PemKeys []string `pulumi:"pemKeys"`
	// (Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`
	UseAnnotationsAsAliasMetadata bool `pulumi:"useAnnotationsAsAliasMetadata"`
}

A collection of values returned by getAuthBackendConfig.

func LookupAuthBackendConfig 

func LookupAuthBackendConfig(ctx *pulumi.Context, args *LookupAuthBackendConfigArgs, opts ...pulumi.InvokeOption) (*LookupAuthBackendConfigResult, error)

Reads the Role of an Kubernetes from a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-config) for more information.

type LookupAuthBackendConfigResultOutput 

type LookupAuthBackendConfigResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAuthBackendConfig.

func LookupAuthBackendConfigOutput 

func LookupAuthBackendConfigOutput(ctx *pulumi.Context, args LookupAuthBackendConfigOutputArgs, opts ...pulumi.InvokeOption) LookupAuthBackendConfigResultOutput

func (LookupAuthBackendConfigResultOutput) Backend 

func (o LookupAuthBackendConfigResultOutput) Backend() pulumi.StringPtrOutput

func (LookupAuthBackendConfigResultOutput) DisableIssValidation 

func (o LookupAuthBackendConfigResultOutput) DisableIssValidation() pulumi.BoolOutput

(Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`

func (LookupAuthBackendConfigResultOutput) DisableLocalCaJwt 

func (o LookupAuthBackendConfigResultOutput) DisableLocalCaJwt() pulumi.BoolOutput

(Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`

func (LookupAuthBackendConfigResultOutput) ElementType 

func (LookupAuthBackendConfigResultOutput) ElementType() reflect.Type

func (LookupAuthBackendConfigResultOutput) Id 

func (o LookupAuthBackendConfigResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupAuthBackendConfigResultOutput) Issuer 

func (o LookupAuthBackendConfigResultOutput) Issuer() pulumi.StringOutput

Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.

func (LookupAuthBackendConfigResultOutput) KubernetesCaCert 

func (o LookupAuthBackendConfigResultOutput) KubernetesCaCert() pulumi.StringOutput

PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.

func (LookupAuthBackendConfigResultOutput) KubernetesHost 

func (o LookupAuthBackendConfigResultOutput) KubernetesHost() pulumi.StringOutput

Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.

func (LookupAuthBackendConfigResultOutput) Namespace 

func (o LookupAuthBackendConfigResultOutput) Namespace() pulumi.StringPtrOutput

func (LookupAuthBackendConfigResultOutput) PemKeys 

func (o LookupAuthBackendConfigResultOutput) PemKeys() pulumi.StringArrayOutput

Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.

func (LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutput 

func (o LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutput() LookupAuthBackendConfigResultOutput

func (LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutputWithContext 

func (o LookupAuthBackendConfigResultOutput) ToLookupAuthBackendConfigResultOutputWithContext(ctx context.Context) LookupAuthBackendConfigResultOutput

func (LookupAuthBackendConfigResultOutput) UseAnnotationsAsAliasMetadata added in v6.4.0 

func (o LookupAuthBackendConfigResultOutput) UseAnnotationsAsAliasMetadata() pulumi.BoolOutput

(Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`

type LookupAuthBackendRoleArgs 

type LookupAuthBackendRoleArgs struct {
	// Audience claim to verify in the JWT.
	Audience *string `pulumi:"audience"`
	// The unique name for the Kubernetes backend the role to
	// retrieve Role attributes for resides in. Defaults to "kubernetes".
	Backend *string `pulumi:"backend"`
	// The namespace of the target resource.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured namespace.
	// *Available only for Vault Enterprise*.
	Namespace *string `pulumi:"namespace"`
	// The name of the role to retrieve the Role attributes for.
	RoleName string `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs []string `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl *int `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl *int `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `pulumi:"tokenNoDefaultPolicy"`
	// The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token.
	TokenNumUses *int `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod *int `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies []string `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl *int `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType *string `pulumi:"tokenType"`
}

A collection of arguments for invoking getAuthBackendRole.

type LookupAuthBackendRoleOutputArgs 

type LookupAuthBackendRoleOutputArgs struct {
	// Audience claim to verify in the JWT.
	Audience pulumi.StringPtrInput `pulumi:"audience"`
	// The unique name for the Kubernetes backend the role to
	// retrieve Role attributes for resides in. Defaults to "kubernetes".
	Backend pulumi.StringPtrInput `pulumi:"backend"`
	// The namespace of the target resource.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured namespace.
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput `pulumi:"namespace"`
	// The name of the role to retrieve the Role attributes for.
	RoleName pulumi.StringInput `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs pulumi.StringArrayInput `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl pulumi.IntPtrInput `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl pulumi.IntPtrInput `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy pulumi.BoolPtrInput `pulumi:"tokenNoDefaultPolicy"`
	// The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token.
	TokenNumUses pulumi.IntPtrInput `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod pulumi.IntPtrInput `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies pulumi.StringArrayInput `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl pulumi.IntPtrInput `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType pulumi.StringPtrInput `pulumi:"tokenType"`
}

A collection of arguments for invoking getAuthBackendRole.

func (LookupAuthBackendRoleOutputArgs) ElementType 

func (LookupAuthBackendRoleOutputArgs) ElementType() reflect.Type

type LookupAuthBackendRoleResult 

type LookupAuthBackendRoleResult struct {
	// Method used for generating identity aliases. (vault-1.9+)
	AliasNameSource string `pulumi:"aliasNameSource"`
	// Audience claim to verify in the JWT.
	Audience *string `pulumi:"audience"`
	Backend  *string `pulumi:"backend"`
	// List of service account names able to access this role. If set to "*" all names are allowed, both this and boundServiceAccountNamespaces can not be "*".
	BoundServiceAccountNames []string `pulumi:"boundServiceAccountNames"`
	// List of namespaces allowed to access this role. If set to "*" all namespaces are allowed, both this and boundServiceAccountNames can not be set to "*".
	BoundServiceAccountNamespaces []string `pulumi:"boundServiceAccountNamespaces"`
	// The provider-assigned unique ID for this managed resource.
	Id        string  `pulumi:"id"`
	Namespace *string `pulumi:"namespace"`
	RoleName  string  `pulumi:"roleName"`
	// List of CIDR blocks; if set, specifies blocks of IP
	// addresses which can authenticate successfully, and ties the resulting token to these blocks
	// as well.
	TokenBoundCidrs []string `pulumi:"tokenBoundCidrs"`
	// If set, will encode an
	// [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
	// onto the token in number of seconds. This is a hard cap even if `tokenTtl` and
	// `tokenMaxTtl` would otherwise allow a renewal.
	TokenExplicitMaxTtl *int `pulumi:"tokenExplicitMaxTtl"`
	// The maximum lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenMaxTtl *int `pulumi:"tokenMaxTtl"`
	// If set, the default policy will not be set on
	// generated tokens; otherwise it will be added to the policies set in token_policies.
	TokenNoDefaultPolicy *bool `pulumi:"tokenNoDefaultPolicy"`
	// The
	// [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),
	// if any, in number of seconds to set on the token.
	TokenNumUses *int `pulumi:"tokenNumUses"`
	// (Optional) If set, indicates that the
	// token generated using this role should never expire. The token should be renewed within the
	// duration specified by this value. At each renewal, the token's TTL will be set to the
	// value of this field. Specified in seconds.
	TokenPeriod *int `pulumi:"tokenPeriod"`
	// List of policies to encode onto generated tokens. Depending
	// on the auth method, this list may be supplemented by user/group/other values.
	TokenPolicies []string `pulumi:"tokenPolicies"`
	// The incremental lifetime for generated tokens in number of seconds.
	// Its current value will be referenced at renewal time.
	TokenTtl *int `pulumi:"tokenTtl"`
	// The type of token that should be generated. Can be `service`,
	// `batch`, or `default` to use the mount's tuned default (which unless changed will be
	// `service` tokens). For token store roles, there are two additional possibilities:
	// `default-service` and `default-batch` which specify the type to return unless the client
	// requests a different type at generation time.
	TokenType *string `pulumi:"tokenType"`
}

A collection of values returned by getAuthBackendRole.

func LookupAuthBackendRole 

func LookupAuthBackendRole(ctx *pulumi.Context, args *LookupAuthBackendRoleArgs, opts ...pulumi.InvokeOption) (*LookupAuthBackendRoleResult, error)

Reads the Role of an Kubernetes from a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-role) for more information.

type LookupAuthBackendRoleResultOutput 

type LookupAuthBackendRoleResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAuthBackendRole.

func LookupAuthBackendRoleOutput 

func LookupAuthBackendRoleOutput(ctx *pulumi.Context, args LookupAuthBackendRoleOutputArgs, opts ...pulumi.InvokeOption) LookupAuthBackendRoleResultOutput

func (LookupAuthBackendRoleResultOutput) AliasNameSource 

func (o LookupAuthBackendRoleResultOutput) AliasNameSource() pulumi.StringOutput

Method used for generating identity aliases. (vault-1.9+)

func (LookupAuthBackendRoleResultOutput) Audience 

func (o LookupAuthBackendRoleResultOutput) Audience() pulumi.StringPtrOutput

Audience claim to verify in the JWT.

func (LookupAuthBackendRoleResultOutput) Backend 

func (o LookupAuthBackendRoleResultOutput) Backend() pulumi.StringPtrOutput

func (LookupAuthBackendRoleResultOutput) BoundServiceAccountNames 

func (o LookupAuthBackendRoleResultOutput) BoundServiceAccountNames() pulumi.StringArrayOutput

List of service account names able to access this role. If set to "*" all names are allowed, both this and boundServiceAccountNamespaces can not be "*".

func (LookupAuthBackendRoleResultOutput) BoundServiceAccountNamespaces 

func (o LookupAuthBackendRoleResultOutput) BoundServiceAccountNamespaces() pulumi.StringArrayOutput

List of namespaces allowed to access this role. If set to "*" all namespaces are allowed, both this and boundServiceAccountNames can not be set to "*".

func (LookupAuthBackendRoleResultOutput) ElementType 

func (LookupAuthBackendRoleResultOutput) ElementType() reflect.Type

func (LookupAuthBackendRoleResultOutput) Id 

func (o LookupAuthBackendRoleResultOutput) Id() pulumi.StringOutput

The provider-assigned unique ID for this managed resource.

func (LookupAuthBackendRoleResultOutput) Namespace 

func (o LookupAuthBackendRoleResultOutput) Namespace() pulumi.StringPtrOutput

func (LookupAuthBackendRoleResultOutput) RoleName 

func (o LookupAuthBackendRoleResultOutput) RoleName() pulumi.StringOutput

func (LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutput 

func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutput() LookupAuthBackendRoleResultOutput

func (LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutputWithContext 

func (o LookupAuthBackendRoleResultOutput) ToLookupAuthBackendRoleResultOutputWithContext(ctx context.Context) LookupAuthBackendRoleResultOutput

func (LookupAuthBackendRoleResultOutput) TokenBoundCidrs 

func (o LookupAuthBackendRoleResultOutput) TokenBoundCidrs() pulumi.StringArrayOutput

List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well.

func (LookupAuthBackendRoleResultOutput) TokenExplicitMaxTtl 

func (o LookupAuthBackendRoleResultOutput) TokenExplicitMaxTtl() pulumi.IntPtrOutput

If set, will encode an [explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls) onto the token in number of seconds. This is a hard cap even if `tokenTtl` and `tokenMaxTtl` would otherwise allow a renewal.

func (LookupAuthBackendRoleResultOutput) TokenMaxTtl 

func (o LookupAuthBackendRoleResultOutput) TokenMaxTtl() pulumi.IntPtrOutput

The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

func (LookupAuthBackendRoleResultOutput) TokenNoDefaultPolicy 

func (o LookupAuthBackendRoleResultOutput) TokenNoDefaultPolicy() pulumi.BoolPtrOutput

If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies.

func (LookupAuthBackendRoleResultOutput) TokenNumUses 

func (o LookupAuthBackendRoleResultOutput) TokenNumUses() pulumi.IntPtrOutput

The [period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls), if any, in number of seconds to set on the token.

func (LookupAuthBackendRoleResultOutput) TokenPeriod 

func (o LookupAuthBackendRoleResultOutput) TokenPeriod() pulumi.IntPtrOutput

(Optional) If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds.

func (LookupAuthBackendRoleResultOutput) TokenPolicies 

func (o LookupAuthBackendRoleResultOutput) TokenPolicies() pulumi.StringArrayOutput

List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values.

func (LookupAuthBackendRoleResultOutput) TokenTtl 

func (o LookupAuthBackendRoleResultOutput) TokenTtl() pulumi.IntPtrOutput

The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time.

func (LookupAuthBackendRoleResultOutput) TokenType 

func (o LookupAuthBackendRoleResultOutput) TokenType() pulumi.StringPtrOutput

The type of token that should be generated. Can be `service`, `batch`, or `default` to use the mount's tuned default (which unless changed will be `service` tokens). For token store roles, there are two additional possibilities: `default-service` and `default-batch` which specify the type to return unless the client requests a different type at generation time.

type SecretBackend 

type SecretBackend struct {
	pulumi.CustomResourceState

	// Accessor of the mount
	Accessor pulumi.StringOutput `pulumi:"accessor"`
	// List of managed key registry entry names that the mount in question is allowed to access
	AllowedManagedKeys pulumi.StringArrayOutput `pulumi:"allowedManagedKeys"`
	// List of headers to allow and pass from the request to the plugin
	AllowedResponseHeaders pulumi.StringArrayOutput `pulumi:"allowedResponseHeaders"`
	// Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
	AuditNonHmacRequestKeys pulumi.StringArrayOutput `pulumi:"auditNonHmacRequestKeys"`
	// Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
	AuditNonHmacResponseKeys pulumi.StringArrayOutput `pulumi:"auditNonHmacResponseKeys"`
	// Default lease duration for tokens and secrets in seconds
	DefaultLeaseTtlSeconds pulumi.IntOutput `pulumi:"defaultLeaseTtlSeconds"`
	// List of headers to allow and pass from the request to the plugin
	DelegatedAuthAccessors pulumi.StringArrayOutput `pulumi:"delegatedAuthAccessors"`
	// Human-friendly description of the mount
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// Disable defaulting to the local CA certificate and
	// service account JWT when Vault is running in a Kubernetes pod.
	DisableLocalCaJwt pulumi.BoolPtrOutput `pulumi:"disableLocalCaJwt"`
	// Enable the secrets engine to access Vault's external entropy source
	ExternalEntropyAccess pulumi.BoolPtrOutput `pulumi:"externalEntropyAccess"`
	// The key to use for signing plugin workload identity tokens
	IdentityTokenKey pulumi.StringPtrOutput `pulumi:"identityTokenKey"`
	// A PEM-encoded CA certificate used by the
	// secrets engine to verify the Kubernetes API server certificate. Defaults to the local
	// pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
	// Vault is running.
	KubernetesCaCert pulumi.StringPtrOutput `pulumi:"kubernetesCaCert"`
	// The Kubernetes API URL to connect to. Required if the
	// standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
	// are not set on the host that Vault is running on.
	KubernetesHost pulumi.StringPtrOutput `pulumi:"kubernetesHost"`
	// Specifies whether to show this mount in the UI-specific listing endpoint
	ListingVisibility pulumi.StringPtrOutput `pulumi:"listingVisibility"`
	// Local mount flag that can be explicitly set to true to enforce local mount in HA environment
	Local pulumi.BoolPtrOutput `pulumi:"local"`
	// Maximum possible lease duration for tokens and secrets in seconds
	MaxLeaseTtlSeconds pulumi.IntOutput `pulumi:"maxLeaseTtlSeconds"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// Specifies mount type specific options that are passed to the backend
	Options pulumi.StringMapOutput `pulumi:"options"`
	// List of headers to allow and pass from the request to the plugin
	PassthroughRequestHeaders pulumi.StringArrayOutput `pulumi:"passthroughRequestHeaders"`
	// Where the secret backend will be mounted
	Path pulumi.StringOutput `pulumi:"path"`
	// Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
	PluginVersion pulumi.StringPtrOutput `pulumi:"pluginVersion"`
	// Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
	SealWrap pulumi.BoolOutput `pulumi:"sealWrap"`
	// The JSON web token of the service account used by the
	// secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
	// is running in Kubernetes.
	ServiceAccountJwt pulumi.StringPtrOutput `pulumi:"serviceAccountJwt"`
}

## Example Usage

```go package main

import ( 

"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		_, err = kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:                   pulumi.String("kubernetes"),
			Description:            pulumi.String("kubernetes secrets engine description"),
			DefaultLeaseTtlSeconds: pulumi.Int(43200),
			MaxLeaseTtlSeconds:     pulumi.Int(86400),
			KubernetesHost:         pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:       pulumi.String(invokeFile.Result),
			ServiceAccountJwt:      pulumi.String(invokeFile1.Result),
			DisableLocalCaJwt:      pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

The Kubernetes secret backend can be imported using its `path` e.g.

```sh $ pulumi import vault:kubernetes/secretBackend:SecretBackend config kubernetes ```

func GetSecretBackend 

func GetSecretBackend(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *SecretBackendState, opts ...pulumi.ResourceOption) (*SecretBackend, error)

GetSecretBackend gets an existing SecretBackend resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewSecretBackend 

func NewSecretBackend(ctx *pulumi.Context,
	name string, args *SecretBackendArgs, opts ...pulumi.ResourceOption) (*SecretBackend, error)

NewSecretBackend registers a new resource with the given unique name, arguments, and options.

func (*SecretBackend) ElementType 

func (*SecretBackend) ElementType() reflect.Type

func (*SecretBackend) ToSecretBackendOutput 

func (i *SecretBackend) ToSecretBackendOutput() SecretBackendOutput

func (*SecretBackend) ToSecretBackendOutputWithContext 

func (i *SecretBackend) ToSecretBackendOutputWithContext(ctx context.Context) SecretBackendOutput

type SecretBackendArgs 

type SecretBackendArgs struct {
	// List of managed key registry entry names that the mount in question is allowed to access
	AllowedManagedKeys pulumi.StringArrayInput
	// List of headers to allow and pass from the request to the plugin
	AllowedResponseHeaders pulumi.StringArrayInput
	// Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
	AuditNonHmacRequestKeys pulumi.StringArrayInput
	// Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
	AuditNonHmacResponseKeys pulumi.StringArrayInput
	// Default lease duration for tokens and secrets in seconds
	DefaultLeaseTtlSeconds pulumi.IntPtrInput
	// List of headers to allow and pass from the request to the plugin
	DelegatedAuthAccessors pulumi.StringArrayInput
	// Human-friendly description of the mount
	Description pulumi.StringPtrInput
	// Disable defaulting to the local CA certificate and
	// service account JWT when Vault is running in a Kubernetes pod.
	DisableLocalCaJwt pulumi.BoolPtrInput
	// Enable the secrets engine to access Vault's external entropy source
	ExternalEntropyAccess pulumi.BoolPtrInput
	// The key to use for signing plugin workload identity tokens
	IdentityTokenKey pulumi.StringPtrInput
	// A PEM-encoded CA certificate used by the
	// secrets engine to verify the Kubernetes API server certificate. Defaults to the local
	// pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
	// Vault is running.
	KubernetesCaCert pulumi.StringPtrInput
	// The Kubernetes API URL to connect to. Required if the
	// standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
	// are not set on the host that Vault is running on.
	KubernetesHost pulumi.StringPtrInput
	// Specifies whether to show this mount in the UI-specific listing endpoint
	ListingVisibility pulumi.StringPtrInput
	// Local mount flag that can be explicitly set to true to enforce local mount in HA environment
	Local pulumi.BoolPtrInput
	// Maximum possible lease duration for tokens and secrets in seconds
	MaxLeaseTtlSeconds pulumi.IntPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Specifies mount type specific options that are passed to the backend
	Options pulumi.StringMapInput
	// List of headers to allow and pass from the request to the plugin
	PassthroughRequestHeaders pulumi.StringArrayInput
	// Where the secret backend will be mounted
	Path pulumi.StringInput
	// Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
	PluginVersion pulumi.StringPtrInput
	// Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
	SealWrap pulumi.BoolPtrInput
	// The JSON web token of the service account used by the
	// secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
	// is running in Kubernetes.
	ServiceAccountJwt pulumi.StringPtrInput
}

The set of arguments for constructing a SecretBackend resource.

func (SecretBackendArgs) ElementType 

func (SecretBackendArgs) ElementType() reflect.Type

type SecretBackendArray 

type SecretBackendArray []SecretBackendInput

func (SecretBackendArray) ElementType 

func (SecretBackendArray) ElementType() reflect.Type

func (SecretBackendArray) ToSecretBackendArrayOutput 

func (i SecretBackendArray) ToSecretBackendArrayOutput() SecretBackendArrayOutput

func (SecretBackendArray) ToSecretBackendArrayOutputWithContext 

func (i SecretBackendArray) ToSecretBackendArrayOutputWithContext(ctx context.Context) SecretBackendArrayOutput

type SecretBackendArrayInput 

type SecretBackendArrayInput interface {
	pulumi.Input

	ToSecretBackendArrayOutput() SecretBackendArrayOutput
	ToSecretBackendArrayOutputWithContext(context.Context) SecretBackendArrayOutput
}

SecretBackendArrayInput is an input type that accepts SecretBackendArray and SecretBackendArrayOutput values. You can construct a concrete instance of `SecretBackendArrayInput` via: 

SecretBackendArray{ SecretBackendArgs{...} }

type SecretBackendArrayOutput 

type SecretBackendArrayOutput struct{ *pulumi.OutputState }

func (SecretBackendArrayOutput) ElementType 

func (SecretBackendArrayOutput) ElementType() reflect.Type

func (SecretBackendArrayOutput) Index 

func (o SecretBackendArrayOutput) Index(i pulumi.IntInput) SecretBackendOutput

func (SecretBackendArrayOutput) ToSecretBackendArrayOutput 

func (o SecretBackendArrayOutput) ToSecretBackendArrayOutput() SecretBackendArrayOutput

func (SecretBackendArrayOutput) ToSecretBackendArrayOutputWithContext 

func (o SecretBackendArrayOutput) ToSecretBackendArrayOutputWithContext(ctx context.Context) SecretBackendArrayOutput

type SecretBackendInput 

type SecretBackendInput interface {
	pulumi.Input

	ToSecretBackendOutput() SecretBackendOutput
	ToSecretBackendOutputWithContext(ctx context.Context) SecretBackendOutput
}

type SecretBackendMap 

type SecretBackendMap map[string]SecretBackendInput

func (SecretBackendMap) ElementType 

func (SecretBackendMap) ElementType() reflect.Type

func (SecretBackendMap) ToSecretBackendMapOutput 

func (i SecretBackendMap) ToSecretBackendMapOutput() SecretBackendMapOutput

func (SecretBackendMap) ToSecretBackendMapOutputWithContext 

func (i SecretBackendMap) ToSecretBackendMapOutputWithContext(ctx context.Context) SecretBackendMapOutput

type SecretBackendMapInput 

type SecretBackendMapInput interface {
	pulumi.Input

	ToSecretBackendMapOutput() SecretBackendMapOutput
	ToSecretBackendMapOutputWithContext(context.Context) SecretBackendMapOutput
}

SecretBackendMapInput is an input type that accepts SecretBackendMap and SecretBackendMapOutput values. You can construct a concrete instance of `SecretBackendMapInput` via: 

SecretBackendMap{ "key": SecretBackendArgs{...} }

type SecretBackendMapOutput 

type SecretBackendMapOutput struct{ *pulumi.OutputState }

func (SecretBackendMapOutput) ElementType 

func (SecretBackendMapOutput) ElementType() reflect.Type

func (SecretBackendMapOutput) MapIndex 

func (o SecretBackendMapOutput) MapIndex(k pulumi.StringInput) SecretBackendOutput

func (SecretBackendMapOutput) ToSecretBackendMapOutput 

func (o SecretBackendMapOutput) ToSecretBackendMapOutput() SecretBackendMapOutput

func (SecretBackendMapOutput) ToSecretBackendMapOutputWithContext 

func (o SecretBackendMapOutput) ToSecretBackendMapOutputWithContext(ctx context.Context) SecretBackendMapOutput

type SecretBackendOutput 

type SecretBackendOutput struct{ *pulumi.OutputState }

func (SecretBackendOutput) Accessor 

func (o SecretBackendOutput) Accessor() pulumi.StringOutput

Accessor of the mount

func (SecretBackendOutput) AllowedManagedKeys 

func (o SecretBackendOutput) AllowedManagedKeys() pulumi.StringArrayOutput

List of managed key registry entry names that the mount in question is allowed to access

func (SecretBackendOutput) AllowedResponseHeaders added in v6.2.0 

func (o SecretBackendOutput) AllowedResponseHeaders() pulumi.StringArrayOutput

List of headers to allow and pass from the request to the plugin

func (SecretBackendOutput) AuditNonHmacRequestKeys 

func (o SecretBackendOutput) AuditNonHmacRequestKeys() pulumi.StringArrayOutput

Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.

func (SecretBackendOutput) AuditNonHmacResponseKeys 

func (o SecretBackendOutput) AuditNonHmacResponseKeys() pulumi.StringArrayOutput

Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.

func (SecretBackendOutput) DefaultLeaseTtlSeconds 

func (o SecretBackendOutput) DefaultLeaseTtlSeconds() pulumi.IntOutput

Default lease duration for tokens and secrets in seconds

func (SecretBackendOutput) DelegatedAuthAccessors added in v6.2.0 

func (o SecretBackendOutput) DelegatedAuthAccessors() pulumi.StringArrayOutput

List of headers to allow and pass from the request to the plugin

func (SecretBackendOutput) Description 

func (o SecretBackendOutput) Description() pulumi.StringPtrOutput

Human-friendly description of the mount

func (SecretBackendOutput) DisableLocalCaJwt 

func (o SecretBackendOutput) DisableLocalCaJwt() pulumi.BoolPtrOutput

Disable defaulting to the local CA certificate and service account JWT when Vault is running in a Kubernetes pod.

func (SecretBackendOutput) ElementType 

func (SecretBackendOutput) ElementType() reflect.Type

func (SecretBackendOutput) ExternalEntropyAccess 

func (o SecretBackendOutput) ExternalEntropyAccess() pulumi.BoolPtrOutput

Enable the secrets engine to access Vault's external entropy source

func (SecretBackendOutput) IdentityTokenKey added in v6.2.0 

func (o SecretBackendOutput) IdentityTokenKey() pulumi.StringPtrOutput

The key to use for signing plugin workload identity tokens

func (SecretBackendOutput) KubernetesCaCert 

func (o SecretBackendOutput) KubernetesCaCert() pulumi.StringPtrOutput

A PEM-encoded CA certificate used by the secrets engine to verify the Kubernetes API server certificate. Defaults to the local pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where Vault is running.

func (SecretBackendOutput) KubernetesHost 

func (o SecretBackendOutput) KubernetesHost() pulumi.StringPtrOutput

The Kubernetes API URL to connect to. Required if the standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT` are not set on the host that Vault is running on.

func (SecretBackendOutput) ListingVisibility added in v6.2.0 

func (o SecretBackendOutput) ListingVisibility() pulumi.StringPtrOutput

Specifies whether to show this mount in the UI-specific listing endpoint

func (SecretBackendOutput) Local 

func (o SecretBackendOutput) Local() pulumi.BoolPtrOutput

Local mount flag that can be explicitly set to true to enforce local mount in HA environment

func (SecretBackendOutput) MaxLeaseTtlSeconds 

func (o SecretBackendOutput) MaxLeaseTtlSeconds() pulumi.IntOutput

Maximum possible lease duration for tokens and secrets in seconds

func (SecretBackendOutput) Namespace 

func (o SecretBackendOutput) Namespace() pulumi.StringPtrOutput

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*.

func (SecretBackendOutput) Options 

func (o SecretBackendOutput) Options() pulumi.StringMapOutput

Specifies mount type specific options that are passed to the backend

func (SecretBackendOutput) PassthroughRequestHeaders added in v6.2.0 

func (o SecretBackendOutput) PassthroughRequestHeaders() pulumi.StringArrayOutput

List of headers to allow and pass from the request to the plugin

func (SecretBackendOutput) Path 

func (o SecretBackendOutput) Path() pulumi.StringOutput

Where the secret backend will be mounted

func (SecretBackendOutput) PluginVersion added in v6.2.0 

func (o SecretBackendOutput) PluginVersion() pulumi.StringPtrOutput

Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'

func (SecretBackendOutput) SealWrap 

func (o SecretBackendOutput) SealWrap() pulumi.BoolOutput

Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability

func (SecretBackendOutput) ServiceAccountJwt 

func (o SecretBackendOutput) ServiceAccountJwt() pulumi.StringPtrOutput

The JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault is running in Kubernetes.

func (SecretBackendOutput) ToSecretBackendOutput 

func (o SecretBackendOutput) ToSecretBackendOutput() SecretBackendOutput

func (SecretBackendOutput) ToSecretBackendOutputWithContext 

func (o SecretBackendOutput) ToSecretBackendOutputWithContext(ctx context.Context) SecretBackendOutput

type SecretBackendRole 

type SecretBackendRole struct {
	pulumi.CustomResourceState

	// A label selector for Kubernetes namespaces
	// in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
	// of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
	// If set with `allowedKubernetesNamespace`, the conditions are `OR`ed.
	AllowedKubernetesNamespaceSelector pulumi.StringPtrOutput `pulumi:"allowedKubernetesNamespaceSelector"`
	// The list of Kubernetes namespaces this role
	// can generate credentials for. If set to `*` all namespaces are allowed. If set with
	// `allowedKubernetesNamespaceSelector`, the conditions are `OR`ed.
	AllowedKubernetesNamespaces pulumi.StringArrayOutput `pulumi:"allowedKubernetesNamespaces"`
	// The path of the Kubernetes Secrets Engine backend mount to create
	// the role in.
	Backend pulumi.StringOutput `pulumi:"backend"`
	// Additional annotations to apply to all generated
	// Kubernetes objects.
	ExtraAnnotations pulumi.StringMapOutput `pulumi:"extraAnnotations"`
	// Additional labels to apply to all generated Kubernetes
	// objects.
	//
	// This resource also directly accepts all Mount fields.
	ExtraLabels pulumi.StringMapOutput `pulumi:"extraLabels"`
	// The Role or ClusterRole rules to use when generating
	// a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `serviceAccountName`
	// and `kubernetesRoleName`. If set, the entire chain of Kubernetes objects will be generated
	// when credentials are requested.
	GeneratedRoleRules pulumi.StringPtrOutput `pulumi:"generatedRoleRules"`
	// The pre-existing Role or ClusterRole to bind a
	// generated service account to. Mutually exclusive with `serviceAccountName` and
	// `generatedRoleRules`. If set, Kubernetes token, service account, and role
	// binding objects will be created when credentials are requested.
	KubernetesRoleName pulumi.StringPtrOutput `pulumi:"kubernetesRoleName"`
	// Specifies whether the Kubernetes role is a Role or
	// ClusterRole.
	KubernetesRoleType pulumi.StringPtrOutput `pulumi:"kubernetesRoleType"`
	// The name of the role.
	Name pulumi.StringOutput `pulumi:"name"`
	// The name template to use when generating service accounts,
	// roles and role bindings. If unset, a default template is used.
	NameTemplate pulumi.StringPtrOutput `pulumi:"nameTemplate"`
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrOutput `pulumi:"namespace"`
	// The pre-existing service account to generate tokens for.
	// Mutually exclusive with `kubernetesRoleName` and `generatedRoleRules`. If set, only a
	// Kubernetes token will be created when credentials are requested.
	ServiceAccountName pulumi.StringPtrOutput `pulumi:"serviceAccountName"`
	// The default TTL for generated Kubernetes tokens in seconds.
	TokenDefaultTtl pulumi.IntPtrOutput `pulumi:"tokenDefaultTtl"`
	// The maximum TTL for generated Kubernetes tokens in seconds.
	TokenMaxTtl pulumi.IntPtrOutput `pulumi:"tokenMaxTtl"`
}

## Example Usage

Example using `serviceAccountName` mode:

```go package main

import ( 

"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(invokeFile.Result),
			ServiceAccountJwt: pulumi.String(invokeFile1.Result),
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewSecretBackendRole(ctx, "sa-example", &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			TokenMaxTtl:        pulumi.Int(43200),
			TokenDefaultTtl:    pulumi.Int(21600),
			ServiceAccountName: pulumi.String("test-service-account-with-generated-token"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

Example using `kubernetesRoleName` mode:

```go package main

import ( 

"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(invokeFile.Result),
			ServiceAccountJwt: pulumi.String(invokeFile1.Result),
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewSecretBackendRole(ctx, "name-example", &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			TokenMaxTtl:        pulumi.Int(43200),
			TokenDefaultTtl:    pulumi.Int(21600),
			KubernetesRoleName: pulumi.String("vault-k8s-secrets-role"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

Example using `generatedRoleRules` mode:

```go package main

import ( 

"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/kubernetes"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

) 

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		invokeFile, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/cert",
		}, nil)
		if err != nil {
			return err
		}
		invokeFile1, err := std.File(ctx, &std.FileArgs{
			Input: "/path/to/token",
		}, nil)
		if err != nil {
			return err
		}
		config, err := kubernetes.NewSecretBackend(ctx, "config", &kubernetes.SecretBackendArgs{
			Path:              pulumi.String("kubernetes"),
			Description:       pulumi.String("kubernetes secrets engine description"),
			KubernetesHost:    pulumi.String("https://127.0.0.1:61233"),
			KubernetesCaCert:  pulumi.String(invokeFile.Result),
			ServiceAccountJwt: pulumi.String(invokeFile1.Result),
			DisableLocalCaJwt: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		_, err = kubernetes.NewSecretBackendRole(ctx, "rules-example", &kubernetes.SecretBackendRoleArgs{
			Backend: config.Path,
			Name:    pulumi.String("service-account-name-role"),
			AllowedKubernetesNamespaces: pulumi.StringArray{
				pulumi.String("*"),
			},
			TokenMaxTtl:        pulumi.Int(43200),
			TokenDefaultTtl:    pulumi.Int(21600),
			KubernetesRoleType: pulumi.String("Role"),
			GeneratedRoleRules: pulumi.String("rules:\n- apiGroups: [\"\"]\n  resources: [\"pods\"]\n  verbs: [\"list\"]\n"),
			ExtraLabels: pulumi.StringMap{
				"id":   pulumi.String("abc123"),
				"name": pulumi.String("some_name"),
			},
			ExtraAnnotations: pulumi.StringMap{
				"env":      pulumi.String("development"),
				"location": pulumi.String("earth"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

```

## Import

The Kubernetes secret backend role can be imported using the full path to the role

of the form: `<backend_path>/roles/<role_name>` e.g.

```sh $ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role ```

func GetSecretBackendRole 

func GetSecretBackendRole(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *SecretBackendRoleState, opts ...pulumi.ResourceOption) (*SecretBackendRole, error)

GetSecretBackendRole gets an existing SecretBackendRole resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewSecretBackendRole 

func NewSecretBackendRole(ctx *pulumi.Context,
	name string, args *SecretBackendRoleArgs, opts ...pulumi.ResourceOption) (*SecretBackendRole, error)

NewSecretBackendRole registers a new resource with the given unique name, arguments, and options.

func (*SecretBackendRole) ElementType 

func (*SecretBackendRole) ElementType() reflect.Type

func (*SecretBackendRole) ToSecretBackendRoleOutput 

func (i *SecretBackendRole) ToSecretBackendRoleOutput() SecretBackendRoleOutput

func (*SecretBackendRole) ToSecretBackendRoleOutputWithContext 

func (i *SecretBackendRole) ToSecretBackendRoleOutputWithContext(ctx context.Context) SecretBackendRoleOutput

type SecretBackendRoleArgs 

type SecretBackendRoleArgs struct {
	// A label selector for Kubernetes namespaces
	// in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
	// of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
	// If set with `allowedKubernetesNamespace`, the conditions are `OR`ed.
	AllowedKubernetesNamespaceSelector pulumi.StringPtrInput
	// The list of Kubernetes namespaces this role
	// can generate credentials for. If set to `*` all namespaces are allowed. If set with
	// `allowedKubernetesNamespaceSelector`, the conditions are `OR`ed.
	AllowedKubernetesNamespaces pulumi.StringArrayInput
	// The path of the Kubernetes Secrets Engine backend mount to create
	// the role in.
	Backend pulumi.StringInput
	// Additional annotations to apply to all generated
	// Kubernetes objects.
	ExtraAnnotations pulumi.StringMapInput
	// Additional labels to apply to all generated Kubernetes
	// objects.
	//
	// This resource also directly accepts all Mount fields.
	ExtraLabels pulumi.StringMapInput
	// The Role or ClusterRole rules to use when generating
	// a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `serviceAccountName`
	// and `kubernetesRoleName`. If set, the entire chain of Kubernetes objects will be generated
	// when credentials are requested.
	GeneratedRoleRules pulumi.StringPtrInput
	// The pre-existing Role or ClusterRole to bind a
	// generated service account to. Mutually exclusive with `serviceAccountName` and
	// `generatedRoleRules`. If set, Kubernetes token, service account, and role
	// binding objects will be created when credentials are requested.
	KubernetesRoleName pulumi.StringPtrInput
	// Specifies whether the Kubernetes role is a Role or
	// ClusterRole.
	KubernetesRoleType pulumi.StringPtrInput
	// The name of the role.
	Name pulumi.StringPtrInput
	// The name template to use when generating service accounts,
	// roles and role bindings. If unset, a default template is used.
	NameTemplate pulumi.StringPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// The pre-existing service account to generate tokens for.
	// Mutually exclusive with `kubernetesRoleName` and `generatedRoleRules`. If set, only a
	// Kubernetes token will be created when credentials are requested.
	ServiceAccountName pulumi.StringPtrInput
	// The default TTL for generated Kubernetes tokens in seconds.
	TokenDefaultTtl pulumi.IntPtrInput
	// The maximum TTL for generated Kubernetes tokens in seconds.
	TokenMaxTtl pulumi.IntPtrInput
}

The set of arguments for constructing a SecretBackendRole resource.

func (SecretBackendRoleArgs) ElementType 

func (SecretBackendRoleArgs) ElementType() reflect.Type

type SecretBackendRoleArray 

type SecretBackendRoleArray []SecretBackendRoleInput

func (SecretBackendRoleArray) ElementType 

func (SecretBackendRoleArray) ElementType() reflect.Type

func (SecretBackendRoleArray) ToSecretBackendRoleArrayOutput 

func (i SecretBackendRoleArray) ToSecretBackendRoleArrayOutput() SecretBackendRoleArrayOutput

func (SecretBackendRoleArray) ToSecretBackendRoleArrayOutputWithContext 

func (i SecretBackendRoleArray) ToSecretBackendRoleArrayOutputWithContext(ctx context.Context) SecretBackendRoleArrayOutput

type SecretBackendRoleArrayInput 

type SecretBackendRoleArrayInput interface {
	pulumi.Input

	ToSecretBackendRoleArrayOutput() SecretBackendRoleArrayOutput
	ToSecretBackendRoleArrayOutputWithContext(context.Context) SecretBackendRoleArrayOutput
}

SecretBackendRoleArrayInput is an input type that accepts SecretBackendRoleArray and SecretBackendRoleArrayOutput values. You can construct a concrete instance of `SecretBackendRoleArrayInput` via: 

SecretBackendRoleArray{ SecretBackendRoleArgs{...} }

type SecretBackendRoleArrayOutput 

type SecretBackendRoleArrayOutput struct{ *pulumi.OutputState }

func (SecretBackendRoleArrayOutput) ElementType 

func (SecretBackendRoleArrayOutput) ElementType() reflect.Type

func (SecretBackendRoleArrayOutput) Index 

func (o SecretBackendRoleArrayOutput) Index(i pulumi.IntInput) SecretBackendRoleOutput

func (SecretBackendRoleArrayOutput) ToSecretBackendRoleArrayOutput 

func (o SecretBackendRoleArrayOutput) ToSecretBackendRoleArrayOutput() SecretBackendRoleArrayOutput

func (SecretBackendRoleArrayOutput) ToSecretBackendRoleArrayOutputWithContext 

func (o SecretBackendRoleArrayOutput) ToSecretBackendRoleArrayOutputWithContext(ctx context.Context) SecretBackendRoleArrayOutput

type SecretBackendRoleInput 

type SecretBackendRoleInput interface {
	pulumi.Input

	ToSecretBackendRoleOutput() SecretBackendRoleOutput
	ToSecretBackendRoleOutputWithContext(ctx context.Context) SecretBackendRoleOutput
}

type SecretBackendRoleMap 

type SecretBackendRoleMap map[string]SecretBackendRoleInput

func (SecretBackendRoleMap) ElementType 

func (SecretBackendRoleMap) ElementType() reflect.Type

func (SecretBackendRoleMap) ToSecretBackendRoleMapOutput 

func (i SecretBackendRoleMap) ToSecretBackendRoleMapOutput() SecretBackendRoleMapOutput

func (SecretBackendRoleMap) ToSecretBackendRoleMapOutputWithContext 

func (i SecretBackendRoleMap) ToSecretBackendRoleMapOutputWithContext(ctx context.Context) SecretBackendRoleMapOutput

type SecretBackendRoleMapInput 

type SecretBackendRoleMapInput interface {
	pulumi.Input

	ToSecretBackendRoleMapOutput() SecretBackendRoleMapOutput
	ToSecretBackendRoleMapOutputWithContext(context.Context) SecretBackendRoleMapOutput
}

SecretBackendRoleMapInput is an input type that accepts SecretBackendRoleMap and SecretBackendRoleMapOutput values. You can construct a concrete instance of `SecretBackendRoleMapInput` via: 

SecretBackendRoleMap{ "key": SecretBackendRoleArgs{...} }

type SecretBackendRoleMapOutput 

type SecretBackendRoleMapOutput struct{ *pulumi.OutputState }

func (SecretBackendRoleMapOutput) ElementType 

func (SecretBackendRoleMapOutput) ElementType() reflect.Type

func (SecretBackendRoleMapOutput) MapIndex 

func (o SecretBackendRoleMapOutput) MapIndex(k pulumi.StringInput) SecretBackendRoleOutput

func (SecretBackendRoleMapOutput) ToSecretBackendRoleMapOutput 

func (o SecretBackendRoleMapOutput) ToSecretBackendRoleMapOutput() SecretBackendRoleMapOutput

func (SecretBackendRoleMapOutput) ToSecretBackendRoleMapOutputWithContext 

func (o SecretBackendRoleMapOutput) ToSecretBackendRoleMapOutputWithContext(ctx context.Context) SecretBackendRoleMapOutput

type SecretBackendRoleOutput 

type SecretBackendRoleOutput struct{ *pulumi.OutputState }

func (SecretBackendRoleOutput) AllowedKubernetesNamespaceSelector added in v6.1.0 

func (o SecretBackendRoleOutput) AllowedKubernetesNamespaceSelector() pulumi.StringPtrOutput

A label selector for Kubernetes namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value should be of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta). If set with `allowedKubernetesNamespace`, the conditions are `OR`ed.

func (SecretBackendRoleOutput) AllowedKubernetesNamespaces 

func (o SecretBackendRoleOutput) AllowedKubernetesNamespaces() pulumi.StringArrayOutput

The list of Kubernetes namespaces this role can generate credentials for. If set to `*` all namespaces are allowed. If set with `allowedKubernetesNamespaceSelector`, the conditions are `OR`ed.

func (SecretBackendRoleOutput) Backend 

func (o SecretBackendRoleOutput) Backend() pulumi.StringOutput

The path of the Kubernetes Secrets Engine backend mount to create the role in.

func (SecretBackendRoleOutput) ElementType 

func (SecretBackendRoleOutput) ElementType() reflect.Type

func (SecretBackendRoleOutput) ExtraAnnotations 

func (o SecretBackendRoleOutput) ExtraAnnotations() pulumi.StringMapOutput

Additional annotations to apply to all generated Kubernetes objects.

func (SecretBackendRoleOutput) ExtraLabels 

func (o SecretBackendRoleOutput) ExtraLabels() pulumi.StringMapOutput

Additional labels to apply to all generated Kubernetes objects.

This resource also directly accepts all Mount fields.

func (SecretBackendRoleOutput) GeneratedRoleRules 

func (o SecretBackendRoleOutput) GeneratedRoleRules() pulumi.StringPtrOutput

The Role or ClusterRole rules to use when generating a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `serviceAccountName` and `kubernetesRoleName`. If set, the entire chain of Kubernetes objects will be generated when credentials are requested.

func (SecretBackendRoleOutput) KubernetesRoleName 

func (o SecretBackendRoleOutput) KubernetesRoleName() pulumi.StringPtrOutput

The pre-existing Role or ClusterRole to bind a generated service account to. Mutually exclusive with `serviceAccountName` and `generatedRoleRules`. If set, Kubernetes token, service account, and role binding objects will be created when credentials are requested.

func (SecretBackendRoleOutput) KubernetesRoleType 

func (o SecretBackendRoleOutput) KubernetesRoleType() pulumi.StringPtrOutput

Specifies whether the Kubernetes role is a Role or ClusterRole.

func (SecretBackendRoleOutput) Name 

func (o SecretBackendRoleOutput) Name() pulumi.StringOutput

The name of the role.

func (SecretBackendRoleOutput) NameTemplate 

func (o SecretBackendRoleOutput) NameTemplate() pulumi.StringPtrOutput

The name template to use when generating service accounts, roles and role bindings. If unset, a default template is used.

func (SecretBackendRoleOutput) Namespace 

func (o SecretBackendRoleOutput) Namespace() pulumi.StringPtrOutput

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace). *Available only for Vault Enterprise*.

func (SecretBackendRoleOutput) ServiceAccountName 

func (o SecretBackendRoleOutput) ServiceAccountName() pulumi.StringPtrOutput

The pre-existing service account to generate tokens for. Mutually exclusive with `kubernetesRoleName` and `generatedRoleRules`. If set, only a Kubernetes token will be created when credentials are requested.

func (SecretBackendRoleOutput) ToSecretBackendRoleOutput 

func (o SecretBackendRoleOutput) ToSecretBackendRoleOutput() SecretBackendRoleOutput

func (SecretBackendRoleOutput) ToSecretBackendRoleOutputWithContext 

func (o SecretBackendRoleOutput) ToSecretBackendRoleOutputWithContext(ctx context.Context) SecretBackendRoleOutput

func (SecretBackendRoleOutput) TokenDefaultTtl 

func (o SecretBackendRoleOutput) TokenDefaultTtl() pulumi.IntPtrOutput

The default TTL for generated Kubernetes tokens in seconds.

func (SecretBackendRoleOutput) TokenMaxTtl 

func (o SecretBackendRoleOutput) TokenMaxTtl() pulumi.IntPtrOutput

The maximum TTL for generated Kubernetes tokens in seconds.

type SecretBackendRoleState 

type SecretBackendRoleState struct {
	// A label selector for Kubernetes namespaces
	// in which credentials can be generated. Accepts either a JSON or YAML object. The value should be
	// of type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).
	// If set with `allowedKubernetesNamespace`, the conditions are `OR`ed.
	AllowedKubernetesNamespaceSelector pulumi.StringPtrInput
	// The list of Kubernetes namespaces this role
	// can generate credentials for. If set to `*` all namespaces are allowed. If set with
	// `allowedKubernetesNamespaceSelector`, the conditions are `OR`ed.
	AllowedKubernetesNamespaces pulumi.StringArrayInput
	// The path of the Kubernetes Secrets Engine backend mount to create
	// the role in.
	Backend pulumi.StringPtrInput
	// Additional annotations to apply to all generated
	// Kubernetes objects.
	ExtraAnnotations pulumi.StringMapInput
	// Additional labels to apply to all generated Kubernetes
	// objects.
	//
	// This resource also directly accepts all Mount fields.
	ExtraLabels pulumi.StringMapInput
	// The Role or ClusterRole rules to use when generating
	// a role. Accepts either JSON or YAML formatted rules. Mutually exclusive with `serviceAccountName`
	// and `kubernetesRoleName`. If set, the entire chain of Kubernetes objects will be generated
	// when credentials are requested.
	GeneratedRoleRules pulumi.StringPtrInput
	// The pre-existing Role or ClusterRole to bind a
	// generated service account to. Mutually exclusive with `serviceAccountName` and
	// `generatedRoleRules`. If set, Kubernetes token, service account, and role
	// binding objects will be created when credentials are requested.
	KubernetesRoleName pulumi.StringPtrInput
	// Specifies whether the Kubernetes role is a Role or
	// ClusterRole.
	KubernetesRoleType pulumi.StringPtrInput
	// The name of the role.
	Name pulumi.StringPtrInput
	// The name template to use when generating service accounts,
	// roles and role bindings. If unset, a default template is used.
	NameTemplate pulumi.StringPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// The pre-existing service account to generate tokens for.
	// Mutually exclusive with `kubernetesRoleName` and `generatedRoleRules`. If set, only a
	// Kubernetes token will be created when credentials are requested.
	ServiceAccountName pulumi.StringPtrInput
	// The default TTL for generated Kubernetes tokens in seconds.
	TokenDefaultTtl pulumi.IntPtrInput
	// The maximum TTL for generated Kubernetes tokens in seconds.
	TokenMaxTtl pulumi.IntPtrInput
}

func (SecretBackendRoleState) ElementType 

func (SecretBackendRoleState) ElementType() reflect.Type

type SecretBackendState 

type SecretBackendState struct {
	// Accessor of the mount
	Accessor pulumi.StringPtrInput
	// List of managed key registry entry names that the mount in question is allowed to access
	AllowedManagedKeys pulumi.StringArrayInput
	// List of headers to allow and pass from the request to the plugin
	AllowedResponseHeaders pulumi.StringArrayInput
	// Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
	AuditNonHmacRequestKeys pulumi.StringArrayInput
	// Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
	AuditNonHmacResponseKeys pulumi.StringArrayInput
	// Default lease duration for tokens and secrets in seconds
	DefaultLeaseTtlSeconds pulumi.IntPtrInput
	// List of headers to allow and pass from the request to the plugin
	DelegatedAuthAccessors pulumi.StringArrayInput
	// Human-friendly description of the mount
	Description pulumi.StringPtrInput
	// Disable defaulting to the local CA certificate and
	// service account JWT when Vault is running in a Kubernetes pod.
	DisableLocalCaJwt pulumi.BoolPtrInput
	// Enable the secrets engine to access Vault's external entropy source
	ExternalEntropyAccess pulumi.BoolPtrInput
	// The key to use for signing plugin workload identity tokens
	IdentityTokenKey pulumi.StringPtrInput
	// A PEM-encoded CA certificate used by the
	// secrets engine to verify the Kubernetes API server certificate. Defaults to the local
	// pod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where
	// Vault is running.
	KubernetesCaCert pulumi.StringPtrInput
	// The Kubernetes API URL to connect to. Required if the
	// standard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`
	// are not set on the host that Vault is running on.
	KubernetesHost pulumi.StringPtrInput
	// Specifies whether to show this mount in the UI-specific listing endpoint
	ListingVisibility pulumi.StringPtrInput
	// Local mount flag that can be explicitly set to true to enforce local mount in HA environment
	Local pulumi.BoolPtrInput
	// Maximum possible lease duration for tokens and secrets in seconds
	MaxLeaseTtlSeconds pulumi.IntPtrInput
	// The namespace to provision the resource in.
	// The value should not contain leading or trailing forward slashes.
	// The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
	// *Available only for Vault Enterprise*.
	Namespace pulumi.StringPtrInput
	// Specifies mount type specific options that are passed to the backend
	Options pulumi.StringMapInput
	// List of headers to allow and pass from the request to the plugin
	PassthroughRequestHeaders pulumi.StringArrayInput
	// Where the secret backend will be mounted
	Path pulumi.StringPtrInput
	// Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'
	PluginVersion pulumi.StringPtrInput
	// Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability
	SealWrap pulumi.BoolPtrInput
	// The JSON web token of the service account used by the
	// secrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault
	// is running in Kubernetes.
	ServiceAccountJwt pulumi.StringPtrInput
}

func (SecretBackendState) ElementType 

func (SecretBackendState) ElementType() reflect.Type

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.