Auth
Manages an Azure auth backend role in a Vault server. Roles constrain the instances or principals that can perform the login operation against the backend. See the [Vault
documentation](https://www.vaultproject.io/docs/auth/azure.html) for more information.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const azure = new vault.AuthBackend("azure", {type: "azure"});
const example = new vault.azure.AuthBackendRole("example", {
backend: azure.path,
role: "test-role",
boundSubscriptionIds: ["11111111-2222-3333-4444-555555555555"],
boundResourceGroups: ["123456789012"],
tokenTtl: 60,
tokenMaxTtl: 120,
tokenPolicies: [
"default",
"dev",
"prod",
],
});import pulumi
import pulumi_vault as vault
azure = vault.AuthBackend("azure", type="azure")
example = vault.azure.AuthBackendRole("example",
backend=azure.path,
role="test-role",
bound_subscription_ids=["11111111-2222-3333-4444-555555555555"],
bound_resource_groups=["123456789012"],
token_ttl=60,
token_max_ttl=120,
token_policies=[
"default",
"dev",
"prod",
])using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var azure = new Vault.AuthBackend("azure", new()
{
Type = "azure",
});
var example = new Vault.Azure.AuthBackendRole("example", new()
{
Backend = azure.Path,
Role = "test-role",
BoundSubscriptionIds = new[]
{
"11111111-2222-3333-4444-555555555555",
},
BoundResourceGroups = new[]
{
"123456789012",
},
TokenTtl = 60,
TokenMaxTtl = 120,
TokenPolicies = new[]
{
"default",
"dev",
"prod",
},
});
});package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/azure"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
azure, err := vault.NewAuthBackend(ctx, "azure", &vault.AuthBackendArgs{
Type: pulumi.String("azure"),
})
if err != nil {
return err
}
_, err = azure.NewAuthBackendRole(ctx, "example", &azure.AuthBackendRoleArgs{
Backend: azure.Path,
Role: pulumi.String("test-role"),
BoundSubscriptionIds: pulumi.StringArray{
pulumi.String("11111111-2222-3333-4444-555555555555"),
},
BoundResourceGroups: pulumi.StringArray{
pulumi.String("123456789012"),
},
TokenTtl: pulumi.Int(60),
TokenMaxTtl: pulumi.Int(120),
TokenPolicies: pulumi.StringArray{
pulumi.String("default"),
pulumi.String("dev"),
pulumi.String("prod"),
},
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.azure.AuthBackendRole;
import com.pulumi.vault.azure.AuthBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var azure = new AuthBackend("azure", AuthBackendArgs.builder()
.type("azure")
.build());
var example = new AuthBackendRole("example", AuthBackendRoleArgs.builder()
.backend(azure.path())
.role("test-role")
.boundSubscriptionIds("11111111-2222-3333-4444-555555555555")
.boundResourceGroups("123456789012")
.tokenTtl(60)
.tokenMaxTtl(120)
.tokenPolicies(
"default",
"dev",
"prod")
.build());
}
}resources:
azure:
type: vault:AuthBackend
properties:
type: azure
example:
type: vault:azure:AuthBackendRole
properties:
backend: ${azure.path}
role: test-role
boundSubscriptionIds:
- 11111111-2222-3333-4444-555555555555
boundResourceGroups:
- '123456789012'
tokenTtl: 60
tokenMaxTtl: 120
tokenPolicies:
- default
- dev
- prodImport
Azure auth backend roles can be imported using auth/, the backend path, /role/, and the role name e.g.
$ pulumi import vault:azure/authBackendRole:AuthBackendRole example auth/azure/role/test-roleProperties
If set, defines a constraint on the groups that can perform the login operation that they should be using the group ID specified by this field.
If set, defines a constraint on the virtual machines that can perform the login operation that the location in their identity document must match the one specified by this field.
If set, defines a constraint on the virtual machines that can perform the login operation that they be associated with the resource group that matches the value specified by this field.
If set, defines a constraint on the virtual machines that can perform the login operation that they must match the scale set specified by this field.
If set, defines a constraint on the service principals that can perform the login operation that they should be possess the ids specified by this field.
If set, defines a constraint on the subscriptions that can perform the login operation to ones which matches the value specified by this field.
Specifies the blocks of IP addresses which are allowed to use the generated token
Generated Token's Explicit Maximum TTL in seconds
The maximum lifetime of the generated token
If true, the 'default' policy will not automatically be added to generated tokens
The maximum number of times a token may be used, a value of zero means unlimited
Generated Token's Period
Generated Token's Policies