Auth
Manages an JWT/OIDC auth backend role in a Vault server. See the [Vault
documentation](https://www.vaultproject.io/docs/auth/jwt.html) for more information.
Example Usage
Role for JWT backend:
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const jwt = new vault.jwt.AuthBackend("jwt", {path: "jwt"});
const example = new vault.jwt.AuthBackendRole("example", {
backend: jwt.path,
roleName: "test-role",
tokenPolicies: [
"default",
"dev",
"prod",
],
boundAudiences: ["https://myco.test"],
boundClaims: {
color: "red,green,blue",
},
userClaim: "https://vault/user",
roleType: "jwt",
});import pulumi
import pulumi_vault as vault
jwt = vault.jwt.AuthBackend("jwt", path="jwt")
example = vault.jwt.AuthBackendRole("example",
backend=jwt.path,
role_name="test-role",
token_policies=[
"default",
"dev",
"prod",
],
bound_audiences=["https://myco.test"],
bound_claims={
"color": "red,green,blue",
},
user_claim="https://vault/user",
role_type="jwt")using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var jwt = new Vault.Jwt.AuthBackend("jwt", new()
{
Path = "jwt",
});
var example = new Vault.Jwt.AuthBackendRole("example", new()
{
Backend = jwt.Path,
RoleName = "test-role",
TokenPolicies = new[]
{
"default",
"dev",
"prod",
},
BoundAudiences = new[]
{
"https://myco.test",
},
BoundClaims =
{
{ "color", "red,green,blue" },
},
UserClaim = "https://vault/user",
RoleType = "jwt",
});
});package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
jwt, err := jwt.NewAuthBackend(ctx, "jwt", &jwt.AuthBackendArgs{
Path: pulumi.String("jwt"),
})
if err != nil {
return err
}
_, err = jwt.NewAuthBackendRole(ctx, "example", &jwt.AuthBackendRoleArgs{
Backend: jwt.Path,
RoleName: pulumi.String("test-role"),
TokenPolicies: pulumi.StringArray{
pulumi.String("default"),
pulumi.String("dev"),
pulumi.String("prod"),
},
BoundAudiences: pulumi.StringArray{
pulumi.String("https://myco.test"),
},
BoundClaims: pulumi.StringMap{
"color": pulumi.String("red,green,blue"),
},
UserClaim: pulumi.String("https://vault/user"),
RoleType: pulumi.String("jwt"),
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import com.pulumi.vault.jwt.AuthBackendRole;
import com.pulumi.vault.jwt.AuthBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var jwt = new AuthBackend("jwt", AuthBackendArgs.builder()
.path("jwt")
.build());
var example = new AuthBackendRole("example", AuthBackendRoleArgs.builder()
.backend(jwt.path())
.roleName("test-role")
.tokenPolicies(
"default",
"dev",
"prod")
.boundAudiences("https://myco.test")
.boundClaims(Map.of("color", "red,green,blue"))
.userClaim("https://vault/user")
.roleType("jwt")
.build());
}
}resources:
jwt:
type: vault:jwt:AuthBackend
properties:
path: jwt
example:
type: vault:jwt:AuthBackendRole
properties:
backend: ${jwt.path}
roleName: test-role
tokenPolicies:
- default
- dev
- prod
boundAudiences:
- https://myco.test
boundClaims:
color: red,green,blue
userClaim: https://vault/user
roleType: jwtRole for OIDC backend:
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";
const oidc = new vault.jwt.AuthBackend("oidc", {
path: "oidc",
defaultRole: "test-role",
});
const example = new vault.jwt.AuthBackendRole("example", {
backend: oidc.path,
roleName: "test-role",
tokenPolicies: [
"default",
"dev",
"prod",
],
userClaim: "https://vault/user",
roleType: "oidc",
allowedRedirectUris: ["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"],
});import pulumi
import pulumi_vault as vault
oidc = vault.jwt.AuthBackend("oidc",
path="oidc",
default_role="test-role")
example = vault.jwt.AuthBackendRole("example",
backend=oidc.path,
role_name="test-role",
token_policies=[
"default",
"dev",
"prod",
],
user_claim="https://vault/user",
role_type="oidc",
allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;
return await Deployment.RunAsync(() =>
{
var oidc = new Vault.Jwt.AuthBackend("oidc", new()
{
Path = "oidc",
DefaultRole = "test-role",
});
var example = new Vault.Jwt.AuthBackendRole("example", new()
{
Backend = oidc.Path,
RoleName = "test-role",
TokenPolicies = new[]
{
"default",
"dev",
"prod",
},
UserClaim = "https://vault/user",
RoleType = "oidc",
AllowedRedirectUris = new[]
{
"http://localhost:8200/ui/vault/auth/oidc/oidc/callback",
},
});
});package main
import (
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
oidc, err := jwt.NewAuthBackend(ctx, "oidc", &jwt.AuthBackendArgs{
Path: pulumi.String("oidc"),
DefaultRole: pulumi.String("test-role"),
})
if err != nil {
return err
}
_, err = jwt.NewAuthBackendRole(ctx, "example", &jwt.AuthBackendRoleArgs{
Backend: oidc.Path,
RoleName: pulumi.String("test-role"),
TokenPolicies: pulumi.StringArray{
pulumi.String("default"),
pulumi.String("dev"),
pulumi.String("prod"),
},
UserClaim: pulumi.String("https://vault/user"),
RoleType: pulumi.String("oidc"),
AllowedRedirectUris: pulumi.StringArray{
pulumi.String("http://localhost:8200/ui/vault/auth/oidc/oidc/callback"),
},
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.jwt.AuthBackend;
import com.pulumi.vault.jwt.AuthBackendArgs;
import com.pulumi.vault.jwt.AuthBackendRole;
import com.pulumi.vault.jwt.AuthBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var oidc = new AuthBackend("oidc", AuthBackendArgs.builder()
.path("oidc")
.defaultRole("test-role")
.build());
var example = new AuthBackendRole("example", AuthBackendRoleArgs.builder()
.backend(oidc.path())
.roleName("test-role")
.tokenPolicies(
"default",
"dev",
"prod")
.userClaim("https://vault/user")
.roleType("oidc")
.allowedRedirectUris("http://localhost:8200/ui/vault/auth/oidc/oidc/callback")
.build());
}
}resources:
oidc:
type: vault:jwt:AuthBackend
properties:
path: oidc
defaultRole: test-role
example:
type: vault:jwt:AuthBackendRole
properties:
backend: ${oidc.path}
roleName: test-role
tokenPolicies:
- default
- dev
- prod
userClaim: https://vault/user
roleType: oidc
allowedRedirectUris:
- http://localhost:8200/ui/vault/auth/oidc/oidc/callbackImport
JWT authentication backend roles can be imported using the path, e.g.
$ pulumi import vault:jwt/authBackendRole:AuthBackendRole example auth/jwt/role/test-roleConstructors
Properties
The list of allowed values for redirect_uri during OIDC logins. Required for OIDC roles
(Required for roles of type jwt, optional for roles of type oidc) List of aud claims to match against. Any match is sufficient.
If set, a map of claims to values to match against. A claim's value must be a string, which may contain one value or multiple comma-separated values, e.g. "red" or "red,green,blue".
How to interpret values in the claims/values map (bound_claims): can be either string (exact match) or glob (wildcard match). Requires Vault 1.4.0 or above.
If set, requires that the sub claim matches this value.
If set, a map of claims (keys) to be copied to specified metadata fields (values).
The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles.
Disable bound claim value parsing. Useful when values contain commas.
The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles.
The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings.
The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 150 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles.
If set, a list of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified.
Specifies the blocks of IP addresses which are allowed to use the generated token
Generated Token's Explicit Maximum TTL in seconds
The maximum lifetime of the generated token
If true, the 'default' policy will not automatically be added to generated tokens
The maximum number of times a token may be used, a value of zero means unlimited
Generated Token's Period
Generated Token's Policies
Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer. Requires Vault 1.11+.
Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.