pulumi-vault-kotlin/com.pulumi.vault.gcp.kotlin/AuthBackendArgs

AuthBackendArgs

data class AuthBackendArgs(val clientEmail: Output<String>? = null, val clientId: Output<String>? = null, val credentials: Output<String>? = null, val customEndpoint: Output<AuthBackendCustomEndpointArgs>? = null, val description: Output<String>? = null, val disableAutomatedRotation: Output<Boolean>? = null, val disableRemount: Output<Boolean>? = null, val identityTokenAudience: Output<String>? = null, val identityTokenKey: Output<String>? = null, val identityTokenTtl: Output<Int>? = null, val local: Output<Boolean>? = null, val namespace: Output<String>? = null, val path: Output<String>? = null, val privateKeyId: Output<String>? = null, val projectId: Output<String>? = null, val rotationPeriod: Output<Int>? = null, val rotationSchedule: Output<String>? = null, val rotationWindow: Output<Int>? = null, val serviceAccountEmail: Output<String>? = null, val tune: Output<AuthBackendTuneArgs>? = null) : ConvertibleToJava<AuthBackendArgs>

Provides a resource to configure the GCP auth backend within Vault.

Example Usage

You can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const gcp = new vault.gcp.AuthBackend("gcp", {
    identityTokenKey: "example-key",
    identityTokenTtl: 1800,
    identityTokenAudience: "<TOKEN_AUDIENCE>",
    serviceAccountEmail: "<SERVICE_ACCOUNT_EMAIL>",
    rotationSchedule: "0 * * * SAT",
    rotationWindow: 3600,
});
Content copied to clipboard
import pulumi
import pulumi_vault as vault
gcp = vault.gcp.AuthBackend("gcp",
    identity_token_key="example-key",
    identity_token_ttl=1800,
    identity_token_audience="<TOKEN_AUDIENCE>",
    service_account_email="<SERVICE_ACCOUNT_EMAIL>",
    rotation_schedule="0 * * * SAT",
    rotation_window=3600)
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
    var gcp = new Vault.Gcp.AuthBackend("gcp", new()
    {
        IdentityTokenKey = "example-key",
        IdentityTokenTtl = 1800,
        IdentityTokenAudience = "<TOKEN_AUDIENCE>",
        ServiceAccountEmail = "<SERVICE_ACCOUNT_EMAIL>",
        RotationSchedule = "0 * * * SAT",
        RotationWindow = 3600,
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/gcp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := gcp.NewAuthBackend(ctx, "gcp", &gcp.AuthBackendArgs{
			IdentityTokenKey:      pulumi.String("example-key"),
			IdentityTokenTtl:      pulumi.Int(1800),
			IdentityTokenAudience: pulumi.String("<TOKEN_AUDIENCE>"),
			ServiceAccountEmail:   pulumi.String("<SERVICE_ACCOUNT_EMAIL>"),
			RotationSchedule:      pulumi.String("0 * * * SAT"),
			RotationWindow:        pulumi.Int(3600),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.gcp.AuthBackend;
import com.pulumi.vault.gcp.AuthBackendArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var gcp = new AuthBackend("gcp", AuthBackendArgs.builder()
            .identityTokenKey("example-key")
            .identityTokenTtl(1800)
            .identityTokenAudience("<TOKEN_AUDIENCE>")
            .serviceAccountEmail("<SERVICE_ACCOUNT_EMAIL>")
            .rotationSchedule("0 * * * SAT")
            .rotationWindow(3600)
            .build());
    }
}
Content copied to clipboard
resources:
  gcp:
    type: vault:gcp:AuthBackend
    properties:
      identityTokenKey: example-key
      identityTokenTtl: 1800
      identityTokenAudience: <TOKEN_AUDIENCE>
      serviceAccountEmail: <SERVICE_ACCOUNT_EMAIL>
      rotationSchedule: 0 * * * SAT
      rotationWindow: 3600
Content copied to clipboard

Import

GCP authentication backends can be imported using the backend name, e.g.

$ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp
Content copied to clipboard

Constructors

Link copied to clipboard
constructor(clientEmail: Output<String>? = null, clientId: Output<String>? = null, credentials: Output<String>? = null, customEndpoint: Output<AuthBackendCustomEndpointArgs>? = null, description: Output<String>? = null, disableAutomatedRotation: Output<Boolean>? = null, disableRemount: Output<Boolean>? = null, identityTokenAudience: Output<String>? = null, identityTokenKey: Output<String>? = null, identityTokenTtl: Output<Int>? = null, local: Output<Boolean>? = null, namespace: Output<String>? = null, path: Output<String>? = null, privateKeyId: Output<String>? = null, projectId: Output<String>? = null, rotationPeriod: Output<Int>? = null, rotationSchedule: Output<String>? = null, rotationWindow: Output<Int>? = null, serviceAccountEmail: Output<String>? = null, tune: Output<AuthBackendTuneArgs>? = null)

Properties

Link copied to clipboard
val clientEmail: Output<String>? = null

The clients email associated with the credentials

Link copied to clipboard
val clientId: Output<String>? = null

The Client ID of the credentials

Link copied to clipboard
val credentials: Output<String>? = null

A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.

Link copied to clipboard
val customEndpoint: Output<AuthBackendCustomEndpointArgs>? = null

Specifies overrides to service endpoints used when making API requests. This allows specific requests made during authentication to target alternative service endpoints for use in Private Google Access environments. Requires Vault 1.11+. Overrides are set at the subdomain level using the following keys:

Link copied to clipboard
val description: Output<String>? = null

A description of the auth method.

Link copied to clipboard
val disableAutomatedRotation: Output<Boolean>? = null

Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.

Link copied to clipboard
val disableRemount: Output<Boolean>? = null

If set, opts out of mount migration on path updates. See here for more info on Mount Migration

Link copied to clipboard
val identityTokenAudience: Output<String>? = null

The audience claim value for plugin identity tokens. Must match an allowed audience configured for the target Workload Identity Pool. Mutually exclusive with credentials. Requires Vault 1.17+. Available only for Vault Enterprise.

Link copied to clipboard
val identityTokenKey: Output<String>? = null

The key to use for signing plugin identity tokens. Requires Vault 1.17+. Available only for Vault Enterprise.

Link copied to clipboard
val identityTokenTtl: Output<Int>? = null

The TTL of generated tokens.

Link copied to clipboard
val local: Output<Boolean>? = null

Specifies if the auth method is local only.

Link copied to clipboard
val namespace: Output<String>? = null

The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.

Link copied to clipboard
val path: Output<String>? = null

The path to mount the auth method — this defaults to 'gcp'.

Link copied to clipboard
val privateKeyId: Output<String>? = null

The ID of the private key from the credentials

Link copied to clipboard
val projectId: Output<String>? = null

The GCP Project ID

Link copied to clipboard
val rotationPeriod: Output<Int>? = null

The amount of time in seconds Vault should wait before rotating the root credential. A zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.

Link copied to clipboard
val rotationSchedule: Output<String>? = null

The schedule, in cron-style time format, defining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.

Link copied to clipboard
val rotationWindow: Output<Int>? = null

The maximum amount of time in seconds allowed to complete a rotation when a scheduled token rotation occurs. The default rotation window is unbound and the minimum allowable window is 3600. Requires Vault Enterprise 1.19+.

Link copied to clipboard
val serviceAccountEmail: Output<String>? = null

Service Account to impersonate for plugin workload identity federation. Required with identity_token_audience. Requires Vault 1.17+. Available only for Vault Enterprise.

Link copied to clipboard
val tune: Output<AuthBackendTuneArgs>? = null

Extra configuration block. Structure is documented below. The tune block is used to tune the auth backend:

Functions

Link copied to clipboard
open override fun toJava(): AuthBackendArgs