Backend Role Args
Example Usage
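import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Read the Azure credentials from stack configuration instead of leaving
// them as undeclared names. The client secret is a credential, so it is
// read with requireSecret(): Pulumi then encrypts it in the state file and
// masks it in CLI output.
const config = new pulumi.Config();
const subscriptionId = config.require("subscriptionId");
const tenantId = config.require("tenantId");
const clientId = config.require("clientId");
const clientSecret = config.requireSecret("clientSecret");

// The Azure secrets engine mount that mints service principals on demand.
const azure = new vault.azure.Backend("azure", {
    subscriptionId: subscriptionId,
    tenantId: tenantId,
    clientSecret: clientSecret,
    clientId: clientId,
});

// Role that creates a dynamic service principal per credential request.
// ttl/maxTtl bound the lease lifetime, so a leaked credential stops working
// quickly, and the Reader assignment is scoped to a single resource group.
const generatedRole = new vault.azure.BackendRole("generated_role", {
    backend: azure.path,
    role: "generated_role",
    signInAudience: "AzureADMyOrg",
    tags: [
        "team:engineering",
        "environment:development",
    ],
    ttl: "300",
    maxTtl: "600",
    azureRoles: [{
        roleName: "Reader",
        scope: `/subscriptions/${subscriptionId}/resourceGroups/azure-vault-group`,
    }],
});

// Role bound to an existing service principal. With applicationObjectId set,
// azureRoles and permanentlyDelete are ignored (see Properties). The value
// below is a placeholder (it is not even GUID-shaped); replace it with the
// real object ID.
const existingObjectId = new vault.azure.BackendRole("existing_object_id", {
    backend: azure.path,
    role: "existing_object_id",
    applicationObjectId: "11111111-2222-3333-4444-44444444444",
    ttl: "300",
    maxTtl: "600",
});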
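import pulumi
import pulumi_vault as vault

# Read the Azure credentials from stack configuration instead of leaving
# them as undefined names. The client secret is a credential, so it is read
# with require_secret(): Pulumi then encrypts it in the state file and masks
# it in CLI output.
config = pulumi.Config()
subscription_id = config.require("subscriptionId")
tenant_id = config.require("tenantId")
client_id = config.require("clientId")
client_secret = config.require_secret("clientSecret")

# The Azure secrets engine mount that mints service principals on demand.
azure = vault.azure.Backend("azure",
    subscription_id=subscription_id,
    tenant_id=tenant_id,
    client_secret=client_secret,
    client_id=client_id)

# Role that creates a dynamic service principal per credential request.
# ttl/max_ttl bound the lease lifetime, so a leaked credential stops working
# quickly, and the Reader assignment is scoped to a single resource group.
generated_role = vault.azure.BackendRole("generated_role",
    backend=azure.path,
    role="generated_role",
    sign_in_audience="AzureADMyOrg",
    tags=[
        "team:engineering",
        "environment:development",
    ],
    ttl="300",
    max_ttl="600",
    azure_roles=[{
        "role_name": "Reader",
        "scope": f"/subscriptions/{subscription_id}/resourceGroups/azure-vault-group",
    }])

# Role bound to an existing service principal. With application_object_id
# set, azure_roles and permanently_delete are ignored (see Properties). The
# value below is a placeholder (it is not even GUID-shaped); replace it with
# the real object ID.
existing_object_id = vault.azure.BackendRole("existing_object_id",
    backend=azure.path,
    role="existing_object_id",
    application_object_id="11111111-2222-3333-4444-44444444444",
    ttl="300",
    max_ttl="600")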
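using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() =>
{
    // Read the Azure credentials from stack configuration instead of leaving
    // them as undeclared names. The client secret is a credential, so it is
    // read with RequireSecret(): Pulumi then encrypts it in the state file
    // and masks it in CLI output.
    var config = new Config();
    var subscriptionId = config.Require("subscriptionId");
    var tenantId = config.Require("tenantId");
    var clientId = config.Require("clientId");
    var clientSecret = config.RequireSecret("clientSecret");

    // The Azure secrets engine mount that mints service principals on demand.
    var azure = new Vault.Azure.Backend("azure", new()
    {
        SubscriptionId = subscriptionId,
        TenantId = tenantId,
        ClientSecret = clientSecret,
        ClientId = clientId,
    });

    // Role that creates a dynamic service principal per credential request.
    // Ttl/MaxTtl bound the lease lifetime, so a leaked credential stops
    // working quickly, and the Reader assignment is scoped to a single
    // resource group.
    var generatedRole = new Vault.Azure.BackendRole("generated_role", new()
    {
        Backend = azure.Path,
        Role = "generated_role",
        SignInAudience = "AzureADMyOrg",
        Tags = new[]
        {
            "team:engineering",
            "environment:development",
        },
        Ttl = "300",
        MaxTtl = "600",
        AzureRoles = new[]
        {
            new Vault.Azure.Inputs.BackendRoleAzureRoleArgs
            {
                RoleName = "Reader",
                Scope = $"/subscriptions/{subscriptionId}/resourceGroups/azure-vault-group",
            },
        },
    });

    // Role bound to an existing service principal. With ApplicationObjectId
    // set, AzureRoles and PermanentlyDelete are ignored (see Properties). The
    // value below is a placeholder (it is not even GUID-shaped); replace it
    // with the real object ID.
    var existingObjectId = new Vault.Azure.BackendRole("existing_object_id", new()
    {
        Backend = azure.Path,
        Role = "existing_object_id",
        ApplicationObjectId = "11111111-2222-3333-4444-44444444444",
        Ttl = "300",
        MaxTtl = "600",
    });
});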
package main
import (
"fmt"
"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/azure"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
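func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Mount the Azure secrets engine. The resource is bound to
		// azureBackend rather than azure: the original name shadowed the
		// imported azure package, so the later azure.NewBackendRole and
		// &azure.BackendRoleArgs references would not resolve to the package.
		// subscriptionId, tenantId, clientSecret and clientId are expected
		// from the surrounding program; clientSecret is a credential and
		// should come from encrypted stack config rather than source.
		azureBackend, err := azure.NewBackend(ctx, "azure", &azure.BackendArgs{
			SubscriptionId: pulumi.Any(subscriptionId),
			TenantId:       pulumi.Any(tenantId),
			ClientSecret:   pulumi.Any(clientSecret),
			ClientId:       pulumi.Any(clientId),
		})
		if err != nil {
			return err
		}
		// Role that creates a dynamic service principal per credential
		// request. Ttl/MaxTtl bound the lease lifetime, and the Reader
		// assignment is scoped to a single resource group.
		_, err = azure.NewBackendRole(ctx, "generated_role", &azure.BackendRoleArgs{
			Backend:        azureBackend.Path,
			Role:           pulumi.String("generated_role"),
			SignInAudience: pulumi.String("AzureADMyOrg"),
			Tags: pulumi.StringArray{
				pulumi.String("team:engineering"),
				pulumi.String("environment:development"),
			},
			Ttl:    pulumi.String("300"),
			MaxTtl: pulumi.String("600"),
			AzureRoles: azure.BackendRoleAzureRoleArray{
				&azure.BackendRoleAzureRoleArgs{
					RoleName: pulumi.String("Reader"),
					Scope:    pulumi.Sprintf("/subscriptions/%v/resourceGroups/azure-vault-group", subscriptionId),
				},
			},
		})
		if err != nil {
			return err
		}
		// Role bound to an existing service principal. With
		// ApplicationObjectId set, AzureRoles and PermanentlyDelete are
		// ignored (see Properties). The value below is a placeholder (it is
		// not even GUID-shaped); replace it with the real object ID.
		_, err = azure.NewBackendRole(ctx, "existing_object_id", &azure.BackendRoleArgs{
			Backend:             azureBackend.Path,
			Role:                pulumi.String("existing_object_id"),
			ApplicationObjectId: pulumi.String("11111111-2222-3333-4444-44444444444"),
			Ttl:                 pulumi.String("300"),
			MaxTtl:              pulumi.String("600"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}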
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.azure.Backend;
import com.pulumi.vault.azure.BackendArgs;
import com.pulumi.vault.azure.BackendRole;
import com.pulumi.vault.azure.BackendRoleArgs;
import com.pulumi.vault.azure.inputs.BackendRoleAzureRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
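public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Mounts the Vault Azure secrets engine and defines two roles on it:
     * one that mints dynamic service principals and one bound to an
     * existing service principal.
     *
     * @param ctx the Pulumi program context, used to read stack configuration
     */
    public static void stack(Context ctx) {
        // Read the Azure credentials from stack configuration instead of
        // leaving them as undeclared names. The client secret is a
        // credential, so it is read with requireSecret(): Pulumi then
        // encrypts it in the state file and masks it in CLI output.
        var config = ctx.config();
        var subscriptionId = config.require("subscriptionId");
        var tenantId = config.require("tenantId");
        var clientId = config.require("clientId");
        var clientSecret = config.requireSecret("clientSecret");

        // The Azure secrets engine mount that mints service principals on demand.
        var azure = new Backend("azure", BackendArgs.builder()
            .subscriptionId(subscriptionId)
            .tenantId(tenantId)
            .clientSecret(clientSecret)
            .clientId(clientId)
            .build());

        // Role that creates a dynamic service principal per credential
        // request. ttl/maxTtl bound the lease lifetime, so a leaked
        // credential stops working quickly, and the Reader assignment is
        // scoped to a single resource group.
        var generatedRole = new BackendRole("generatedRole", BackendRoleArgs.builder()
            .backend(azure.path())
            .role("generated_role")
            .signInAudience("AzureADMyOrg")
            .tags(
                "team:engineering",
                "environment:development")
            .ttl("300")
            .maxTtl("600")
            .azureRoles(BackendRoleAzureRoleArgs.builder()
                .roleName("Reader")
                .scope(String.format("/subscriptions/%s/resourceGroups/azure-vault-group", subscriptionId))
                .build())
            .build());

        // Role bound to an existing service principal. With
        // applicationObjectId set, azureRoles and permanentlyDelete are
        // ignored (see Properties). The value below is a placeholder (it is
        // not even GUID-shaped); replace it with the real object ID.
        var existingObjectId = new BackendRole("existingObjectId", BackendRoleArgs.builder()
            .backend(azure.path())
            .role("existing_object_id")
            .applicationObjectId("11111111-2222-3333-4444-44444444444")
            .ttl("300")
            .maxTtl("600")
            .build());
    }
}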
resources:
  # Azure secrets engine mount. The four values below come from stack
  # configuration; set the client secret with
  # `pulumi config set --secret clientSecret` so it is stored encrypted in
  # the stack file instead of in plaintext.
  azure:
    type: vault:azure:Backend
    properties:
      subscriptionId: ${subscriptionId}
      tenantId: ${tenantId}
      clientSecret: ${clientSecret}
      clientId: ${clientId}
  # Role that creates a dynamic service principal per credential request.
  # ttl/maxTtl bound the lease lifetime, and the Reader assignment is scoped
  # to a single resource group.
  generatedRole:
    type: vault:azure:BackendRole
    name: generated_role
    properties:
      backend: ${azure.path}
      role: generated_role
      signInAudience: AzureADMyOrg
      tags:
        - team:engineering
        - environment:development
      ttl: 300
      maxTtl: 600
      azureRoles:
        - roleName: Reader
          scope: /subscriptions/${subscriptionId}/resourceGroups/azure-vault-group
  # Role bound to an existing service principal. With applicationObjectId
  # set, azureRoles and permanentlyDelete are ignored (see Properties). The
  # value below is a placeholder (it is not even GUID-shaped); replace it
  # with the real object ID.
  existingObjectId:
    type: vault:azure:BackendRole
    name: existing_object_id
    properties:
      backend: ${azure.path}
      role: existing_object_id
      applicationObjectId: 11111111-2222-3333-4444-44444444444
      ttl: 300
      maxTtl: 600
Constructors
Properties
Application Object ID for an existing service principal that will be used instead of creating dynamic service principals. If present, azure_roles and permanently_delete will be ignored.
List of Azure groups to be assigned to the generated service principal.
List of Azure roles to be assigned to the generated service principal.
Human-friendly description of the mount for the backend.
Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.
Indicates whether the applications and service principals created by Vault will be permanently deleted when the corresponding leases expire. Defaults to false. For Vault v1.12+.
Specifies the security principal types that are allowed to sign in to the application. Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.