com.pulumi.vault.jwt.kotlin.AuthBackendRoleArgs.kt Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of pulumi-vault-kotlin Show documentation
Show all versions of pulumi-vault-kotlin Show documentation
Build cloud applications and infrastructure by combining the safety and reliability of infrastructure as code with the power of the Kotlin programming language.
@file:Suppress("NAME_SHADOWING", "DEPRECATION")
package com.pulumi.vault.jwt.kotlin
import com.pulumi.core.Output
import com.pulumi.core.Output.of
import com.pulumi.kotlin.ConvertibleToJava
import com.pulumi.kotlin.PulumiTagMarker
import com.pulumi.vault.jwt.AuthBackendRoleArgs.builder
import kotlin.Any
import kotlin.Boolean
import kotlin.Int
import kotlin.Pair
import kotlin.String
import kotlin.Suppress
import kotlin.collections.List
import kotlin.collections.Map
import kotlin.jvm.JvmName
/**
* Manages an JWT/OIDC auth backend role in a Vault server. See the [Vault
* documentation](https://www.vaultproject.io/docs/auth/jwt.html) for more
* information.
* ## Example Usage
* Role for JWT backend:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as vault from "@pulumi/vault";
* const jwt = new vault.jwt.AuthBackend("jwt", {path: "jwt"});
* const example = new vault.jwt.AuthBackendRole("example", {
* backend: jwt.path,
* roleName: "test-role",
* tokenPolicies: [
* "default",
* "dev",
* "prod",
* ],
* boundAudiences: ["https://myco.test"],
* boundClaims: {
* color: "red,green,blue",
* },
* userClaim: "https://vault/user",
* roleType: "jwt",
* });
* ```
* ```python
* import pulumi
* import pulumi_vault as vault
* jwt = vault.jwt.AuthBackend("jwt", path="jwt")
* example = vault.jwt.AuthBackendRole("example",
* backend=jwt.path,
* role_name="test-role",
* token_policies=[
* "default",
* "dev",
* "prod",
* ],
* bound_audiences=["https://myco.test"],
* bound_claims={
* "color": "red,green,blue",
* },
* user_claim="https://vault/user",
* role_type="jwt")
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Vault = Pulumi.Vault;
* return await Deployment.RunAsync(() =>
* {
* var jwt = new Vault.Jwt.AuthBackend("jwt", new()
* {
* Path = "jwt",
* });
* var example = new Vault.Jwt.AuthBackendRole("example", new()
* {
* Backend = jwt.Path,
* RoleName = "test-role",
* TokenPolicies = new[]
* {
* "default",
* "dev",
* "prod",
* },
* BoundAudiences = new[]
* {
* "https://myco.test",
* },
* BoundClaims =
* {
* { "color", "red,green,blue" },
* },
* UserClaim = "https://vault/user",
* RoleType = "jwt",
* });
* });
* ```
* ```go
* package main
* import (
* "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* jwt, err := jwt.NewAuthBackend(ctx, "jwt", &jwt.AuthBackendArgs{
* Path: pulumi.String("jwt"),
* })
* if err != nil {
* return err
* }
* _, err = jwt.NewAuthBackendRole(ctx, "example", &jwt.AuthBackendRoleArgs{
* Backend: jwt.Path,
* RoleName: pulumi.String("test-role"),
* TokenPolicies: pulumi.StringArray{
* pulumi.String("default"),
* pulumi.String("dev"),
* pulumi.String("prod"),
* },
* BoundAudiences: pulumi.StringArray{
* pulumi.String("https://myco.test"),
* },
* BoundClaims: pulumi.Map{
* "color": pulumi.Any("red,green,blue"),
* },
* UserClaim: pulumi.String("https://vault/user"),
* RoleType: pulumi.String("jwt"),
* })
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.vault.jwt.AuthBackend;
* import com.pulumi.vault.jwt.AuthBackendArgs;
* import com.pulumi.vault.jwt.AuthBackendRole;
* import com.pulumi.vault.jwt.AuthBackendRoleArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* var jwt = new AuthBackend("jwt", AuthBackendArgs.builder()
* .path("jwt")
* .build());
* var example = new AuthBackendRole("example", AuthBackendRoleArgs.builder()
* .backend(jwt.path())
* .roleName("test-role")
* .tokenPolicies(
* "default",
* "dev",
* "prod")
* .boundAudiences("https://myco.test")
* .boundClaims(Map.of("color", "red,green,blue"))
* .userClaim("https://vault/user")
* .roleType("jwt")
* .build());
* }
* }
* ```
* ```yaml
* resources:
* jwt:
* type: vault:jwt:AuthBackend
* properties:
* path: jwt
* example:
* type: vault:jwt:AuthBackendRole
* properties:
* backend: ${jwt.path}
* roleName: test-role
* tokenPolicies:
* - default
* - dev
* - prod
* boundAudiences:
* - https://myco.test
* boundClaims:
* color: red,green,blue
* userClaim: https://vault/user
* roleType: jwt
* ```
*
* Role for OIDC backend:
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as vault from "@pulumi/vault";
* const oidc = new vault.jwt.AuthBackend("oidc", {
* path: "oidc",
* defaultRole: "test-role",
* });
* const example = new vault.jwt.AuthBackendRole("example", {
* backend: oidc.path,
* roleName: "test-role",
* tokenPolicies: [
* "default",
* "dev",
* "prod",
* ],
* userClaim: "https://vault/user",
* roleType: "oidc",
* allowedRedirectUris: ["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"],
* });
* ```
* ```python
* import pulumi
* import pulumi_vault as vault
* oidc = vault.jwt.AuthBackend("oidc",
* path="oidc",
* default_role="test-role")
* example = vault.jwt.AuthBackendRole("example",
* backend=oidc.path,
* role_name="test-role",
* token_policies=[
* "default",
* "dev",
* "prod",
* ],
* user_claim="https://vault/user",
* role_type="oidc",
* allowed_redirect_uris=["http://localhost:8200/ui/vault/auth/oidc/oidc/callback"])
* ```
* ```csharp
* using System.Collections.Generic;
* using System.Linq;
* using Pulumi;
* using Vault = Pulumi.Vault;
* return await Deployment.RunAsync(() =>
* {
* var oidc = new Vault.Jwt.AuthBackend("oidc", new()
* {
* Path = "oidc",
* DefaultRole = "test-role",
* });
* var example = new Vault.Jwt.AuthBackendRole("example", new()
* {
* Backend = oidc.Path,
* RoleName = "test-role",
* TokenPolicies = new[]
* {
* "default",
* "dev",
* "prod",
* },
* UserClaim = "https://vault/user",
* RoleType = "oidc",
* AllowedRedirectUris = new[]
* {
* "http://localhost:8200/ui/vault/auth/oidc/oidc/callback",
* },
* });
* });
* ```
* ```go
* package main
* import (
* "github.com/pulumi/pulumi-vault/sdk/v6/go/vault/jwt"
* "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
* )
* func main() {
* pulumi.Run(func(ctx *pulumi.Context) error {
* oidc, err := jwt.NewAuthBackend(ctx, "oidc", &jwt.AuthBackendArgs{
* Path: pulumi.String("oidc"),
* DefaultRole: pulumi.String("test-role"),
* })
* if err != nil {
* return err
* }
* _, err = jwt.NewAuthBackendRole(ctx, "example", &jwt.AuthBackendRoleArgs{
* Backend: oidc.Path,
* RoleName: pulumi.String("test-role"),
* TokenPolicies: pulumi.StringArray{
* pulumi.String("default"),
* pulumi.String("dev"),
* pulumi.String("prod"),
* },
* UserClaim: pulumi.String("https://vault/user"),
* RoleType: pulumi.String("oidc"),
* AllowedRedirectUris: pulumi.StringArray{
* pulumi.String("http://localhost:8200/ui/vault/auth/oidc/oidc/callback"),
* },
* })
* if err != nil {
* return err
* }
* return nil
* })
* }
* ```
* ```java
* package generated_program;
* import com.pulumi.Context;
* import com.pulumi.Pulumi;
* import com.pulumi.core.Output;
* import com.pulumi.vault.jwt.AuthBackend;
* import com.pulumi.vault.jwt.AuthBackendArgs;
* import com.pulumi.vault.jwt.AuthBackendRole;
* import com.pulumi.vault.jwt.AuthBackendRoleArgs;
* import java.util.List;
* import java.util.ArrayList;
* import java.util.Map;
* import java.io.File;
* import java.nio.file.Files;
* import java.nio.file.Paths;
* public class App {
* public static void main(String[] args) {
* Pulumi.run(App::stack);
* }
* public static void stack(Context ctx) {
* var oidc = new AuthBackend("oidc", AuthBackendArgs.builder()
* .path("oidc")
* .defaultRole("test-role")
* .build());
* var example = new AuthBackendRole("example", AuthBackendRoleArgs.builder()
* .backend(oidc.path())
* .roleName("test-role")
* .tokenPolicies(
* "default",
* "dev",
* "prod")
* .userClaim("https://vault/user")
* .roleType("oidc")
* .allowedRedirectUris("http://localhost:8200/ui/vault/auth/oidc/oidc/callback")
* .build());
* }
* }
* ```
* ```yaml
* resources:
* oidc:
* type: vault:jwt:AuthBackend
* properties:
* path: oidc
* defaultRole: test-role
* example:
* type: vault:jwt:AuthBackendRole
* properties:
* backend: ${oidc.path}
* roleName: test-role
* tokenPolicies:
* - default
* - dev
* - prod
* userClaim: https://vault/user
* roleType: oidc
* allowedRedirectUris:
* - http://localhost:8200/ui/vault/auth/oidc/oidc/callback
* ```
*
* ## Import
* JWT authentication backend roles can be imported using the `path`, e.g.
* ```sh
* $ pulumi import vault:jwt/authBackendRole:AuthBackendRole example auth/jwt/role/test-role
* ```
* @property allowedRedirectUris The list of allowed values for redirect_uri during OIDC logins.
* Required for OIDC roles
* @property backend The unique name of the auth backend to configure.
* Defaults to `jwt`.
* @property boundAudiences (Required for roles of type `jwt`, optional for roles of
* type `oidc`) List of `aud` claims to match against. Any match is sufficient.
* @property boundClaims If set, a map of claims to values to match against.
* A claim's value must be a string, which may contain one value or multiple
* comma-separated values, e.g. `"red"` or `"red,green,blue"`.
* @property boundClaimsType How to interpret values in the claims/values
* map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
* match). Requires Vault 1.4.0 or above.
* @property boundSubject If set, requires that the `sub` claim matches
* this value.
* @property claimMappings If set, a map of claims (keys) to be copied
* to specified metadata fields (values).
* @property clockSkewLeeway The amount of leeway to add to all claims to account for clock skew, in
* seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
* Only applicable with "jwt" roles.
* @property disableBoundClaimsParsing Disable bound claim value parsing. Useful when values contain commas.
* @property expirationLeeway The amount of leeway to add to expiration (`exp`) claims to account for
* clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
* Only applicable with "jwt" roles.
* @property groupsClaim The claim to use to uniquely identify
* the set of groups to which the user belongs; this will be used as the names
* for the Identity group aliases created due to a successful login. The claim
* value must be a list of strings.
* @property maxAge Specifies the allowable elapsed time in seconds since the last time
* the user was actively authenticated with the OIDC provider.
* @property namespace The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
* @property notBeforeLeeway The amount of leeway to add to not before (`nbf`) claims to account for
* clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
* Only applicable with "jwt" roles.
* @property oidcScopes If set, a list of OIDC scopes to be used with an OIDC role.
* The standard scope "openid" is automatically included and need not be specified.
* @property roleName The name of the role.
* @property roleType Type of role, either "oidc" (default) or "jwt".
* @property tokenBoundCidrs Specifies the blocks of IP addresses which are allowed to use the generated token
* @property tokenExplicitMaxTtl Generated Token's Explicit Maximum TTL in seconds
* @property tokenMaxTtl The maximum lifetime of the generated token
* @property tokenNoDefaultPolicy If true, the 'default' policy will not automatically be added to generated tokens
* @property tokenNumUses The maximum number of times a token may be used, a value of zero means unlimited
* @property tokenPeriod Generated Token's Period
* @property tokenPolicies Generated Token's Policies
* @property tokenTtl The initial ttl of the token to generate in seconds
* @property tokenType The type of token to generate, service or batch
* @property userClaim The claim to use to uniquely identify
* the user; this will be used as the name for the Identity entity alias created
* due to a successful login.
* @property userClaimJsonPointer Specifies if the `user_claim` value uses
* [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
* syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
* Requires Vault 1.11+.
* @property verboseOidcLogging Log received OIDC tokens and claims when debug-level
* logging is active. Not recommended in production since sensitive information may be present
* in OIDC responses.
*/
public data class AuthBackendRoleArgs(
public val allowedRedirectUris: Output>? = null,
public val backend: Output? = null,
public val boundAudiences: Output>? = null,
public val boundClaims: Output>? = null,
public val boundClaimsType: Output? = null,
public val boundSubject: Output? = null,
public val claimMappings: Output>? = null,
public val clockSkewLeeway: Output? = null,
public val disableBoundClaimsParsing: Output? = null,
public val expirationLeeway: Output? = null,
public val groupsClaim: Output? = null,
public val maxAge: Output? = null,
public val namespace: Output? = null,
public val notBeforeLeeway: Output? = null,
public val oidcScopes: Output>? = null,
public val roleName: Output? = null,
public val roleType: Output? = null,
public val tokenBoundCidrs: Output>? = null,
public val tokenExplicitMaxTtl: Output? = null,
public val tokenMaxTtl: Output? = null,
public val tokenNoDefaultPolicy: Output? = null,
public val tokenNumUses: Output? = null,
public val tokenPeriod: Output? = null,
public val tokenPolicies: Output>? = null,
public val tokenTtl: Output? = null,
public val tokenType: Output? = null,
public val userClaim: Output? = null,
public val userClaimJsonPointer: Output? = null,
public val verboseOidcLogging: Output? = null,
) : ConvertibleToJava {
override fun toJava(): com.pulumi.vault.jwt.AuthBackendRoleArgs =
com.pulumi.vault.jwt.AuthBackendRoleArgs.builder()
.allowedRedirectUris(allowedRedirectUris?.applyValue({ args0 -> args0.map({ args0 -> args0 }) }))
.backend(backend?.applyValue({ args0 -> args0 }))
.boundAudiences(boundAudiences?.applyValue({ args0 -> args0.map({ args0 -> args0 }) }))
.boundClaims(
boundClaims?.applyValue({ args0 ->
args0.map({ args0 ->
args0.key.to(args0.value)
}).toMap()
}),
)
.boundClaimsType(boundClaimsType?.applyValue({ args0 -> args0 }))
.boundSubject(boundSubject?.applyValue({ args0 -> args0 }))
.claimMappings(
claimMappings?.applyValue({ args0 ->
args0.map({ args0 ->
args0.key.to(args0.value)
}).toMap()
}),
)
.clockSkewLeeway(clockSkewLeeway?.applyValue({ args0 -> args0 }))
.disableBoundClaimsParsing(disableBoundClaimsParsing?.applyValue({ args0 -> args0 }))
.expirationLeeway(expirationLeeway?.applyValue({ args0 -> args0 }))
.groupsClaim(groupsClaim?.applyValue({ args0 -> args0 }))
.maxAge(maxAge?.applyValue({ args0 -> args0 }))
.namespace(namespace?.applyValue({ args0 -> args0 }))
.notBeforeLeeway(notBeforeLeeway?.applyValue({ args0 -> args0 }))
.oidcScopes(oidcScopes?.applyValue({ args0 -> args0.map({ args0 -> args0 }) }))
.roleName(roleName?.applyValue({ args0 -> args0 }))
.roleType(roleType?.applyValue({ args0 -> args0 }))
.tokenBoundCidrs(tokenBoundCidrs?.applyValue({ args0 -> args0.map({ args0 -> args0 }) }))
.tokenExplicitMaxTtl(tokenExplicitMaxTtl?.applyValue({ args0 -> args0 }))
.tokenMaxTtl(tokenMaxTtl?.applyValue({ args0 -> args0 }))
.tokenNoDefaultPolicy(tokenNoDefaultPolicy?.applyValue({ args0 -> args0 }))
.tokenNumUses(tokenNumUses?.applyValue({ args0 -> args0 }))
.tokenPeriod(tokenPeriod?.applyValue({ args0 -> args0 }))
.tokenPolicies(tokenPolicies?.applyValue({ args0 -> args0.map({ args0 -> args0 }) }))
.tokenTtl(tokenTtl?.applyValue({ args0 -> args0 }))
.tokenType(tokenType?.applyValue({ args0 -> args0 }))
.userClaim(userClaim?.applyValue({ args0 -> args0 }))
.userClaimJsonPointer(userClaimJsonPointer?.applyValue({ args0 -> args0 }))
.verboseOidcLogging(verboseOidcLogging?.applyValue({ args0 -> args0 })).build()
}
/**
* Builder for [AuthBackendRoleArgs].
*/
@PulumiTagMarker
public class AuthBackendRoleArgsBuilder internal constructor() {
private var allowedRedirectUris: Output>? = null
private var backend: Output? = null
private var boundAudiences: Output>? = null
private var boundClaims: Output>? = null
private var boundClaimsType: Output? = null
private var boundSubject: Output? = null
private var claimMappings: Output>? = null
private var clockSkewLeeway: Output? = null
private var disableBoundClaimsParsing: Output? = null
private var expirationLeeway: Output? = null
private var groupsClaim: Output? = null
private var maxAge: Output? = null
private var namespace: Output? = null
private var notBeforeLeeway: Output? = null
private var oidcScopes: Output>? = null
private var roleName: Output? = null
private var roleType: Output? = null
private var tokenBoundCidrs: Output>? = null
private var tokenExplicitMaxTtl: Output? = null
private var tokenMaxTtl: Output? = null
private var tokenNoDefaultPolicy: Output? = null
private var tokenNumUses: Output? = null
private var tokenPeriod: Output? = null
private var tokenPolicies: Output>? = null
private var tokenTtl: Output? = null
private var tokenType: Output? = null
private var userClaim: Output? = null
private var userClaimJsonPointer: Output? = null
private var verboseOidcLogging: Output? = null
/**
* @param value The list of allowed values for redirect_uri during OIDC logins.
* Required for OIDC roles
*/
@JvmName("ghlgwtxqibuxhhhj")
public suspend fun allowedRedirectUris(`value`: Output>) {
this.allowedRedirectUris = value
}
@JvmName("iqsmsifvvvcsdfah")
public suspend fun allowedRedirectUris(vararg values: Output) {
this.allowedRedirectUris = Output.all(values.asList())
}
/**
* @param values The list of allowed values for redirect_uri during OIDC logins.
* Required for OIDC roles
*/
@JvmName("bojwapxfyqllawbj")
public suspend fun allowedRedirectUris(values: List>) {
this.allowedRedirectUris = Output.all(values)
}
/**
* @param value The unique name of the auth backend to configure.
* Defaults to `jwt`.
*/
@JvmName("avrfodtmndgrojdc")
public suspend fun backend(`value`: Output) {
this.backend = value
}
/**
* @param value (Required for roles of type `jwt`, optional for roles of
* type `oidc`) List of `aud` claims to match against. Any match is sufficient.
*/
@JvmName("qwmuangvsdvvbtln")
public suspend fun boundAudiences(`value`: Output>) {
this.boundAudiences = value
}
@JvmName("ynatijlapdreaurg")
public suspend fun boundAudiences(vararg values: Output) {
this.boundAudiences = Output.all(values.asList())
}
/**
* @param values (Required for roles of type `jwt`, optional for roles of
* type `oidc`) List of `aud` claims to match against. Any match is sufficient.
*/
@JvmName("nrcbngrkbyuddncj")
public suspend fun boundAudiences(values: List>) {
this.boundAudiences = Output.all(values)
}
/**
* @param value If set, a map of claims to values to match against.
* A claim's value must be a string, which may contain one value or multiple
* comma-separated values, e.g. `"red"` or `"red,green,blue"`.
*/
@JvmName("euxtcsshwmuitlyj")
public suspend fun boundClaims(`value`: Output>) {
this.boundClaims = value
}
/**
* @param value How to interpret values in the claims/values
* map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
* match). Requires Vault 1.4.0 or above.
*/
@JvmName("sacqedvgbwnrgxxt")
public suspend fun boundClaimsType(`value`: Output) {
this.boundClaimsType = value
}
/**
* @param value If set, requires that the `sub` claim matches
* this value.
*/
@JvmName("rukexkkpxgauujjt")
public suspend fun boundSubject(`value`: Output) {
this.boundSubject = value
}
/**
* @param value If set, a map of claims (keys) to be copied
* to specified metadata fields (values).
*/
@JvmName("sifwwyssboufcdee")
public suspend fun claimMappings(`value`: Output>) {
this.claimMappings = value
}
/**
* @param value The amount of leeway to add to all claims to account for clock skew, in
* seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
* Only applicable with "jwt" roles.
*/
@JvmName("tvmmxrusenspyung")
public suspend fun clockSkewLeeway(`value`: Output) {
this.clockSkewLeeway = value
}
/**
* @param value Disable bound claim value parsing. Useful when values contain commas.
*/
@JvmName("imjwgmtrsgfioirt")
public suspend fun disableBoundClaimsParsing(`value`: Output) {
this.disableBoundClaimsParsing = value
}
/**
* @param value The amount of leeway to add to expiration (`exp`) claims to account for
* clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
* Only applicable with "jwt" roles.
*/
@JvmName("tynwljuwsgsesbmw")
public suspend fun expirationLeeway(`value`: Output) {
this.expirationLeeway = value
}
/**
* @param value The claim to use to uniquely identify
* the set of groups to which the user belongs; this will be used as the names
* for the Identity group aliases created due to a successful login. The claim
* value must be a list of strings.
*/
@JvmName("kltotamiewrytxtm")
public suspend fun groupsClaim(`value`: Output) {
this.groupsClaim = value
}
/**
* @param value Specifies the allowable elapsed time in seconds since the last time
* the user was actively authenticated with the OIDC provider.
*/
@JvmName("apdikjoedyiatuij")
public suspend fun maxAge(`value`: Output) {
this.maxAge = value
}
/**
* @param value The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
@JvmName("aqqtupfbpsesorhq")
public suspend fun namespace(`value`: Output) {
this.namespace = value
}
/**
* @param value The amount of leeway to add to not before (`nbf`) claims to account for
* clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
* Only applicable with "jwt" roles.
*/
@JvmName("ulqrkbrypfqpgaeg")
public suspend fun notBeforeLeeway(`value`: Output) {
this.notBeforeLeeway = value
}
/**
* @param value If set, a list of OIDC scopes to be used with an OIDC role.
* The standard scope "openid" is automatically included and need not be specified.
*/
@JvmName("tsowgaltcalkongh")
public suspend fun oidcScopes(`value`: Output>) {
this.oidcScopes = value
}
@JvmName("ohmfmjycwukqhdon")
public suspend fun oidcScopes(vararg values: Output) {
this.oidcScopes = Output.all(values.asList())
}
/**
* @param values If set, a list of OIDC scopes to be used with an OIDC role.
* The standard scope "openid" is automatically included and need not be specified.
*/
@JvmName("ssmtpfbobirbqioq")
public suspend fun oidcScopes(values: List>) {
this.oidcScopes = Output.all(values)
}
/**
* @param value The name of the role.
*/
@JvmName("crfyweyjdcxxuvtt")
public suspend fun roleName(`value`: Output) {
this.roleName = value
}
/**
* @param value Type of role, either "oidc" (default) or "jwt".
*/
@JvmName("cnluwurnpaianprr")
public suspend fun roleType(`value`: Output) {
this.roleType = value
}
/**
* @param value Specifies the blocks of IP addresses which are allowed to use the generated token
*/
@JvmName("icljexqbiglkwmmm")
public suspend fun tokenBoundCidrs(`value`: Output>) {
this.tokenBoundCidrs = value
}
@JvmName("dgdnbplywrcfmnmk")
public suspend fun tokenBoundCidrs(vararg values: Output) {
this.tokenBoundCidrs = Output.all(values.asList())
}
/**
* @param values Specifies the blocks of IP addresses which are allowed to use the generated token
*/
@JvmName("sakplhiehewpeggq")
public suspend fun tokenBoundCidrs(values: List>) {
this.tokenBoundCidrs = Output.all(values)
}
/**
* @param value Generated Token's Explicit Maximum TTL in seconds
*/
@JvmName("uhojpswdcojiqqwd")
public suspend fun tokenExplicitMaxTtl(`value`: Output) {
this.tokenExplicitMaxTtl = value
}
/**
* @param value The maximum lifetime of the generated token
*/
@JvmName("qvfnarsmjxqivbwq")
public suspend fun tokenMaxTtl(`value`: Output) {
this.tokenMaxTtl = value
}
/**
* @param value If true, the 'default' policy will not automatically be added to generated tokens
*/
@JvmName("anhsxgnjuaediqag")
public suspend fun tokenNoDefaultPolicy(`value`: Output) {
this.tokenNoDefaultPolicy = value
}
/**
* @param value The maximum number of times a token may be used, a value of zero means unlimited
*/
@JvmName("itrrujoclqoxnlcc")
public suspend fun tokenNumUses(`value`: Output) {
this.tokenNumUses = value
}
/**
* @param value Generated Token's Period
*/
@JvmName("voxeuqjifsfuigbf")
public suspend fun tokenPeriod(`value`: Output) {
this.tokenPeriod = value
}
/**
* @param value Generated Token's Policies
*/
@JvmName("bxkqmyngvxlsvghx")
public suspend fun tokenPolicies(`value`: Output>) {
this.tokenPolicies = value
}
@JvmName("bfidcgyhvhcyumfy")
public suspend fun tokenPolicies(vararg values: Output) {
this.tokenPolicies = Output.all(values.asList())
}
/**
* @param values Generated Token's Policies
*/
@JvmName("nxmcksohargtuwub")
public suspend fun tokenPolicies(values: List>) {
this.tokenPolicies = Output.all(values)
}
/**
* @param value The initial ttl of the token to generate in seconds
*/
@JvmName("rshlikvwyauiebci")
public suspend fun tokenTtl(`value`: Output) {
this.tokenTtl = value
}
/**
* @param value The type of token to generate, service or batch
*/
@JvmName("ukkgjvalymnemgcj")
public suspend fun tokenType(`value`: Output) {
this.tokenType = value
}
/**
* @param value The claim to use to uniquely identify
* the user; this will be used as the name for the Identity entity alias created
* due to a successful login.
*/
@JvmName("pngbhqhismwcrhul")
public suspend fun userClaim(`value`: Output) {
this.userClaim = value
}
/**
* @param value Specifies if the `user_claim` value uses
* [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
* syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
* Requires Vault 1.11+.
*/
@JvmName("ufdiwnwpyssigpfv")
public suspend fun userClaimJsonPointer(`value`: Output) {
this.userClaimJsonPointer = value
}
/**
* @param value Log received OIDC tokens and claims when debug-level
* logging is active. Not recommended in production since sensitive information may be present
* in OIDC responses.
*/
@JvmName("llgmjqwlbdybtrcs")
public suspend fun verboseOidcLogging(`value`: Output) {
this.verboseOidcLogging = value
}
/**
* @param value The list of allowed values for redirect_uri during OIDC logins.
* Required for OIDC roles
*/
@JvmName("ayycptyvaykwdari")
public suspend fun allowedRedirectUris(`value`: List?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.allowedRedirectUris = mapped
}
/**
* @param values The list of allowed values for redirect_uri during OIDC logins.
* Required for OIDC roles
*/
@JvmName("sjcnqidmipfnjjgw")
public suspend fun allowedRedirectUris(vararg values: String) {
val toBeMapped = values.toList()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.allowedRedirectUris = mapped
}
/**
* @param value The unique name of the auth backend to configure.
* Defaults to `jwt`.
*/
@JvmName("pmrfqnsggmhfrpik")
public suspend fun backend(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.backend = mapped
}
/**
* @param value (Required for roles of type `jwt`, optional for roles of
* type `oidc`) List of `aud` claims to match against. Any match is sufficient.
*/
@JvmName("qbyxqenjdhlefvgb")
public suspend fun boundAudiences(`value`: List?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.boundAudiences = mapped
}
/**
* @param values (Required for roles of type `jwt`, optional for roles of
* type `oidc`) List of `aud` claims to match against. Any match is sufficient.
*/
@JvmName("qnaygycxrvxgxrvu")
public suspend fun boundAudiences(vararg values: String) {
val toBeMapped = values.toList()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.boundAudiences = mapped
}
/**
* @param value If set, a map of claims to values to match against.
* A claim's value must be a string, which may contain one value or multiple
* comma-separated values, e.g. `"red"` or `"red,green,blue"`.
*/
@JvmName("useydljijlimewav")
public suspend fun boundClaims(`value`: Map?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.boundClaims = mapped
}
/**
* @param values If set, a map of claims to values to match against.
* A claim's value must be a string, which may contain one value or multiple
* comma-separated values, e.g. `"red"` or `"red,green,blue"`.
*/
@JvmName("dqljgumslemfsrut")
public fun boundClaims(vararg values: Pair) {
val toBeMapped = values.toMap()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.boundClaims = mapped
}
/**
* @param value How to interpret values in the claims/values
* map (`bound_claims`): can be either `string` (exact match) or `glob` (wildcard
* match). Requires Vault 1.4.0 or above.
*/
@JvmName("eobhaynncckpmblh")
public suspend fun boundClaimsType(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.boundClaimsType = mapped
}
/**
* @param value If set, requires that the `sub` claim matches
* this value.
*/
@JvmName("ylhycgowohldnjbn")
public suspend fun boundSubject(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.boundSubject = mapped
}
/**
* @param value If set, a map of claims (keys) to be copied
* to specified metadata fields (values).
*/
@JvmName("dahfywwxqexvdqal")
public suspend fun claimMappings(`value`: Map?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.claimMappings = mapped
}
/**
* @param values If set, a map of claims (keys) to be copied
* to specified metadata fields (values).
*/
@JvmName("dgdkifhpbntudfcn")
public fun claimMappings(vararg values: Pair) {
val toBeMapped = values.toMap()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.claimMappings = mapped
}
/**
* @param value The amount of leeway to add to all claims to account for clock skew, in
* seconds. Defaults to `60` seconds if set to `0` and can be disabled if set to `-1`.
* Only applicable with "jwt" roles.
*/
@JvmName("komydfepoumcmooh")
public suspend fun clockSkewLeeway(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.clockSkewLeeway = mapped
}
/**
* @param value Disable bound claim value parsing. Useful when values contain commas.
*/
@JvmName("xonbpuqgdmgqpbrg")
public suspend fun disableBoundClaimsParsing(`value`: Boolean?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.disableBoundClaimsParsing = mapped
}
/**
* @param value The amount of leeway to add to expiration (`exp`) claims to account for
* clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
* Only applicable with "jwt" roles.
*/
@JvmName("nmljvhwfmtxupjvw")
public suspend fun expirationLeeway(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.expirationLeeway = mapped
}
/**
* @param value The claim to use to uniquely identify
* the set of groups to which the user belongs; this will be used as the names
* for the Identity group aliases created due to a successful login. The claim
* value must be a list of strings.
*/
@JvmName("wufefayrfodxatqj")
public suspend fun groupsClaim(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.groupsClaim = mapped
}
/**
* @param value Specifies the allowable elapsed time in seconds since the last time
* the user was actively authenticated with the OIDC provider.
*/
@JvmName("yhmrdympbtqriyhf")
public suspend fun maxAge(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.maxAge = mapped
}
/**
* @param value The namespace to provision the resource in.
* The value should not contain leading or trailing forward slashes.
* The `namespace` is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).
* *Available only for Vault Enterprise*.
*/
@JvmName("tudwvgbilexabdht")
public suspend fun namespace(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.namespace = mapped
}
/**
* @param value The amount of leeway to add to not before (`nbf`) claims to account for
* clock skew, in seconds. Defaults to `150` seconds if set to `0` and can be disabled if set to `-1`.
* Only applicable with "jwt" roles.
*/
@JvmName("pewyegvrhmocneby")
public suspend fun notBeforeLeeway(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.notBeforeLeeway = mapped
}
/**
* @param value If set, a list of OIDC scopes to be used with an OIDC role.
* The standard scope "openid" is automatically included and need not be specified.
*/
@JvmName("yurlwnialldvjuqn")
public suspend fun oidcScopes(`value`: List?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.oidcScopes = mapped
}
/**
* @param values If set, a list of OIDC scopes to be used with an OIDC role.
* The standard scope "openid" is automatically included and need not be specified.
*/
@JvmName("oystsqhggekbwjtj")
public suspend fun oidcScopes(vararg values: String) {
val toBeMapped = values.toList()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.oidcScopes = mapped
}
/**
* @param value The name of the role.
*/
@JvmName("awxhwelaakaoffpo")
public suspend fun roleName(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.roleName = mapped
}
/**
* @param value Type of role, either "oidc" (default) or "jwt".
*/
@JvmName("sxyfaqfkhmrbyboq")
public suspend fun roleType(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.roleType = mapped
}
/**
* @param value Specifies the blocks of IP addresses which are allowed to use the generated token
*/
@JvmName("ycxgwhhgjosnlctv")
public suspend fun tokenBoundCidrs(`value`: List?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenBoundCidrs = mapped
}
/**
* @param values Specifies the blocks of IP addresses which are allowed to use the generated token
*/
@JvmName("hdhdwthrfendacjr")
public suspend fun tokenBoundCidrs(vararg values: String) {
val toBeMapped = values.toList()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.tokenBoundCidrs = mapped
}
/**
* @param value Generated Token's Explicit Maximum TTL in seconds
*/
@JvmName("qunitpdgxbwapfrj")
public suspend fun tokenExplicitMaxTtl(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenExplicitMaxTtl = mapped
}
/**
* @param value The maximum lifetime of the generated token
*/
@JvmName("aajtudsxjebroovb")
public suspend fun tokenMaxTtl(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenMaxTtl = mapped
}
/**
* @param value If true, the 'default' policy will not automatically be added to generated tokens
*/
@JvmName("bldpjodebrokhrua")
public suspend fun tokenNoDefaultPolicy(`value`: Boolean?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenNoDefaultPolicy = mapped
}
/**
* @param value The maximum number of times a token may be used, a value of zero means unlimited
*/
@JvmName("fqdieuswwlpuustm")
public suspend fun tokenNumUses(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenNumUses = mapped
}
/**
* @param value Generated Token's Period
*/
@JvmName("xfyldrbyextwopte")
public suspend fun tokenPeriod(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenPeriod = mapped
}
/**
* @param value Generated Token's Policies
*/
@JvmName("rajvlkrikkjxjhrl")
public suspend fun tokenPolicies(`value`: List?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenPolicies = mapped
}
/**
* @param values Generated Token's Policies
*/
@JvmName("xsjkfoonsavclmrx")
public suspend fun tokenPolicies(vararg values: String) {
val toBeMapped = values.toList()
val mapped = toBeMapped.let({ args0 -> of(args0) })
this.tokenPolicies = mapped
}
/**
* @param value The initial ttl of the token to generate in seconds
*/
@JvmName("gsaklxbcldkedrxs")
public suspend fun tokenTtl(`value`: Int?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenTtl = mapped
}
/**
* @param value The type of token to generate, service or batch
*/
@JvmName("hgmskjolxlgnrplf")
public suspend fun tokenType(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.tokenType = mapped
}
/**
* @param value The claim to use to uniquely identify
* the user; this will be used as the name for the Identity entity alias created
* due to a successful login.
*/
@JvmName("bkihvugwqowkeekt")
public suspend fun userClaim(`value`: String?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.userClaim = mapped
}
/**
* @param value Specifies if the `user_claim` value uses
* [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
* syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
* Requires Vault 1.11+.
*/
@JvmName("ugbdobssvnistrde")
public suspend fun userClaimJsonPointer(`value`: Boolean?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.userClaimJsonPointer = mapped
}
/**
* @param value Log received OIDC tokens and claims when debug-level
* logging is active. Not recommended in production since sensitive information may be present
* in OIDC responses.
*/
@JvmName("ncmjauunqmeupisr")
public suspend fun verboseOidcLogging(`value`: Boolean?) {
val toBeMapped = value
val mapped = toBeMapped?.let({ args0 -> of(args0) })
this.verboseOidcLogging = mapped
}
internal fun build(): AuthBackendRoleArgs = AuthBackendRoleArgs(
allowedRedirectUris = allowedRedirectUris,
backend = backend,
boundAudiences = boundAudiences,
boundClaims = boundClaims,
boundClaimsType = boundClaimsType,
boundSubject = boundSubject,
claimMappings = claimMappings,
clockSkewLeeway = clockSkewLeeway,
disableBoundClaimsParsing = disableBoundClaimsParsing,
expirationLeeway = expirationLeeway,
groupsClaim = groupsClaim,
maxAge = maxAge,
namespace = namespace,
notBeforeLeeway = notBeforeLeeway,
oidcScopes = oidcScopes,
roleName = roleName,
roleType = roleType,
tokenBoundCidrs = tokenBoundCidrs,
tokenExplicitMaxTtl = tokenExplicitMaxTtl,
tokenMaxTtl = tokenMaxTtl,
tokenNoDefaultPolicy = tokenNoDefaultPolicy,
tokenNumUses = tokenNumUses,
tokenPeriod = tokenPeriod,
tokenPolicies = tokenPolicies,
tokenTtl = tokenTtl,
tokenType = tokenType,
userClaim = userClaim,
userClaimJsonPointer = userClaimJsonPointer,
verboseOidcLogging = verboseOidcLogging,
)
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy