{"name":"vault","displayName":"HashiCorp Vault","version":"7.7.0","description":"A Pulumi package for creating and managing HashiCorp Vault cloud resources.","keywords":["pulumi","vault"],"homepage":"https://pulumi.io","license":"Apache-2.0","attribution":"This Pulumi package is based on the [`vault` Terraform Provider](https://github.com/hashicorp/terraform-provider-vault).","repository":"https://github.com/pulumi/pulumi-vault","meta":{"moduleFormat":"(.*)(?:/[^/]*)"},"language":{"csharp":{"packageReferences":{"Pulumi":"3.*"},"namespaces":{"ad":"AD","alicloud":"AliCloud","appRole":"AppRole","aws":"Aws","azure":"Azure","config":"Config","consul":"Consul","database":"Database","gcp":"Gcp","generic":"Generic","github":"GitHub","identity":"Identity","index":"index","jwt":"Jwt","kmip":"Kmip","kubernetes":"Kubernetes","kv":"kv","ldap":"Ldap","managed":"Managed","mongodbatlas":"MongoDBAtlas","okta":"Okta","pkiSecret":"PkiSecret","rabbitMq":"RabbitMQ","saml":"Saml","secrets":"Secrets","ssh":"Ssh","terraformcloud":"TerraformCloud","tokenauth":"TokenAuth","transform":"Transform","transit":"Transit","vault":"Vault"},"compatibility":"tfbridge20","respectSchemaVersion":true},"go":{"importBasePath":"github.com/pulumi/pulumi-vault/sdk/v7/go/vault","generateResourceContainerTypes":true,"generateExtraInputTypes":true,"respectSchemaVersion":true},"nodejs":{"packageDescription":"A Pulumi package for creating and managing HashiCorp Vault cloud resources.","readme":"\u003e This provider is a derived work of the [Terraform Provider](https://github.com/hashicorp/terraform-provider-vault)\n\u003e distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). If you encounter a bug or missing feature,\n\u003e first check the [`pulumi-vault` repo](https://github.com/pulumi/pulumi-vault/issues); however, if that doesn't turn up anything,\n\u003e please consult the source [`terraform-provider-vault` repo](https://github.com/hashicorp/terraform-provider-vault/issues).","devDependencies":{"@types/mime":"^2.0.0","@types/node":"^10.0.0"},"compatibility":"tfbridge20","disableUnionOutputTypes":true,"respectSchemaVersion":true},"python":{"readme":"\u003e This provider is a derived work of the [Terraform Provider](https://github.com/hashicorp/terraform-provider-vault)\n\u003e distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). If you encounter a bug or missing feature,\n\u003e first check the [`pulumi-vault` repo](https://github.com/pulumi/pulumi-vault/issues); however, if that doesn't turn up anything,\n\u003e please consult the source [`terraform-provider-vault` repo](https://github.com/hashicorp/terraform-provider-vault/issues).","compatibility":"tfbridge20","respectSchemaVersion":true,"pyproject":{"enabled":true}}},"config":{"variables":{"addAddressToEnv":{"type":"string"},"address":{"type":"string","description":"URL of the root of the target Vault server."},"authLogin":{"$ref":"#/types/vault:config/authLogin:authLogin","description":"Login to vault with an existing auth method using auth/\u003cmount\u003e/login"},"authLoginAws":{"$ref":"#/types/vault:config/authLoginAws:authLoginAws","description":"Login to vault using the AWS method"},"authLoginAzure":{"$ref":"#/types/vault:config/authLoginAzure:authLoginAzure","description":"Login to vault using the azure method"},"authLoginCert":{"$ref":"#/types/vault:config/authLoginCert:authLoginCert","description":"Login to vault using the cert method"},"authLoginGcp":{"$ref":"#/types/vault:config/authLoginGcp:authLoginGcp","description":"Login to vault using the gcp method"},"authLoginJwt":{"$ref":"#/types/vault:config/authLoginJwt:authLoginJwt","description":"Login to vault using the jwt method"},"authLoginKerberos":{"$ref":"#/types/vault:config/authLoginKerberos:authLoginKerberos","description":"Login to vault using the kerberos method"},"authLoginOci":{"$ref":"#/types/vault:config/authLoginOci:authLoginOci","description":"Login to vault using the OCI method"},"authLoginOidc":{"$ref":"#/types/vault:config/authLoginOidc:authLoginOidc","description":"Login to vault using the oidc method"},"authLoginRadius":{"$ref":"#/types/vault:config/authLoginRadius:authLoginRadius","description":"Login to vault using the radius method"},"authLoginTokenFile":{"$ref":"#/types/vault:config/authLoginTokenFile:authLoginTokenFile","description":"Login to vault using"},"authLoginUserpass":{"$ref":"#/types/vault:config/authLoginUserpass:authLoginUserpass","description":"Login to vault using the userpass method"},"caCertDir":{"type":"string","description":"Path to directory containing CA certificate files to validate the server's certificate."},"caCertFile":{"type":"string","description":"Path to a CA certificate file to validate the server's certificate."},"clientAuth":{"$ref":"#/types/vault:config/clientAuth:clientAuth","description":"Client authentication credentials."},"headers":{"type":"array","items":{"$ref":"#/types/vault:config/headers:headers"},"description":"The headers to send with each Vault request."},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum TTL for secret leases requested by this provider.","default":1200,"defaultInfo":{"environment":["TERRAFORM_VAULT_MAX_TTL"]}},"maxRetries":{"type":"integer","description":"Maximum number of retries when a 5xx error code is encountered.","default":2,"defaultInfo":{"environment":["VAULT_MAX_RETRIES"]}},"maxRetriesCcc":{"type":"integer","description":"Maximum number of retries for Client Controlled Consistency related operations"},"namespace":{"type":"string","description":"The namespace to use. Available only for Vault Enterprise."},"setNamespaceFromToken":{"type":"boolean","description":"In the case where the Vault token is for a specific namespace and the provider namespace is not configured, use the token namespace as the root namespace for all resources."},"skipChildToken":{"type":"boolean","description":"Set this to true to prevent the creation of ephemeral child token used by this provider."},"skipGetVaultVersion":{"type":"boolean","description":"Skip the dynamic fetching of the Vault server version."},"skipTlsVerify":{"type":"boolean","description":"Set this to true only if the target Vault server is an insecure development instance.","defaultInfo":{"environment":["VAULT_SKIP_VERIFY"]}},"tlsServerName":{"type":"string","description":"Name to use as the SNI host when connecting via TLS."},"token":{"type":"string","description":"Token to use to authenticate to Vault."},"tokenName":{"type":"string","description":"Token name to use for creating the Vault child token."},"vaultVersionOverride":{"type":"string","description":"Override the Vault server version, which is normally determined dynamically from the target Vault server"}}},"types":{"vault:azure/BackendRoleAzureGroup:BackendRoleAzureGroup":{"properties":{"groupName":{"type":"string"},"objectId":{"type":"string"}},"type":"object","required":["groupName"],"language":{"nodejs":{"requiredOutputs":["groupName","objectId"]}}},"vault:azure/BackendRoleAzureRole:BackendRoleAzureRole":{"properties":{"roleId":{"type":"string"},"roleName":{"type":"string"},"scope":{"type":"string"}},"type":"object","required":["scope"],"language":{"nodejs":{"requiredOutputs":["roleId","roleName","scope"]}}},"vault:config/UiCustomMessageLink:UiCustomMessageLink":{"properties":{"href":{"type":"string","description":"The URL of the hyperlink\n"},"title":{"type":"string","description":"The title of the hyperlink\n"}},"type":"object","required":["href","title"]},"vault:config/authLogin:authLogin":{"properties":{"method":{"type":"string"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"parameters":{"type":"object","additionalProperties":{"type":"string"},"secret":true},"path":{"type":"string"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["path"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:config/authLoginAws:authLoginAws":{"properties":{"awsAccessKeyId":{"type":"string","description":"The AWS access key ID.\n"},"awsIamEndpoint":{"type":"string","description":"The IAM endpoint URL.\n"},"awsProfile":{"type":"string","description":"The name of the AWS profile.\n"},"awsRegion":{"type":"string","description":"The AWS region.\n"},"awsRoleArn":{"type":"string","description":"The ARN of the AWS Role to assume.Used during STS AssumeRole\n"},"awsRoleSessionName":{"type":"string","description":"Specifies the name to attach to the AWS role session. Used during STS AssumeRole\n"},"awsSecretAccessKey":{"type":"string","description":"The AWS secret access key.\n"},"awsSessionToken":{"type":"string","description":"The AWS session token.\n"},"awsSharedCredentialsFile":{"type":"string","description":"Path to the AWS shared credentials file.\n"},"awsStsEndpoint":{"type":"string","description":"The STS endpoint URL.\n"},"awsWebIdentityTokenFile":{"type":"string","description":"Path to the file containing an OAuth 2.0 access token or OpenID Connect ID token.\n"},"headerValue":{"type":"string","description":"The Vault header value to include in the STS signing request.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"The Vault role to use when logging into Vault.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["role"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:config/authLoginAzure:authLoginAzure":{"properties":{"clientId":{"type":"string","description":"The identity's client ID.\n"},"jwt":{"type":"string","description":"A signed JSON Web Token. If not specified on will be created automatically\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"resourceGroupName":{"type":"string","description":"The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata.\n"},"role":{"type":"string","description":"Name of the login role.\n"},"scope":{"type":"string","description":"The scopes to include in the token request.\n"},"subscriptionId":{"type":"string","description":"The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata.\n"},"tenantId":{"type":"string","description":"Provides the tenant ID to use in a multi-tenant authentication scenario.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"},"vmName":{"type":"string","description":"The virtual machine name for the machine that generated the MSI token. This information can be obtained through instance metadata.\n"},"vmssName":{"type":"string","description":"The virtual machine scale set name for the machine that generated the MSI token. This information can be obtained through instance metadata.\n"}},"type":"object","required":["resourceGroupName","role","subscriptionId"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:config/authLoginCert:authLoginCert":{"properties":{"certFile":{"type":"string","description":"Path to a file containing the client certificate.\n"},"keyFile":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"name":{"type":"string","description":"Name of the certificate's role\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["certFile","keyFile"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:config/authLoginGcp:authLoginGcp":{"properties":{"credentials":{"type":"string","description":"Path to the Google Cloud credentials file.\n"},"jwt":{"type":"string","description":"A signed JSON Web Token.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"Name of the login role.\n"},"serviceAccount":{"type":"string","description":"IAM service account.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["role"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:config/authLoginJwt:authLoginJwt":{"properties":{"jwt":{"type":"string","description":"A signed JSON Web Token.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"Name of the login role.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["role"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:config/authLoginKerberos:authLoginKerberos":{"properties":{"disableFastNegotiation":{"type":"boolean","description":"Disable the Kerberos FAST negotiation.\n"},"keytabPath":{"type":"string","description":"The Kerberos keytab file containing the entry of the login entity.\n"},"krb5confPath":{"type":"string","description":"A valid Kerberos configuration file e.g. /etc/krb5.conf.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"realm":{"type":"string","description":"The Kerberos server's authoritative authentication domain\n"},"removeInstanceName":{"type":"boolean","description":"Strip the host from the username found in the keytab.\n"},"service":{"type":"string","description":"The service principle name.\n"},"token":{"type":"string","description":"Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"},"username":{"type":"string","description":"The username to login into Kerberos with.\n"}},"type":"object"},"vault:config/authLoginOci:authLoginOci":{"properties":{"authType":{"type":"string","description":"Authentication type to use when getting OCI credentials.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"Name of the login role.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["authType","role"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:config/authLoginOidc:authLoginOidc":{"properties":{"callbackAddress":{"type":"string","description":"The callback address. Must be a valid URI without the path.\n"},"callbackListenerAddress":{"type":"string","description":"The callback listener's address. Must be a valid URI without the path.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"Name of the login role.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["role"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:config/authLoginRadius:authLoginRadius":{"properties":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"password":{"type":"string","description":"The Radius password for username.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"},"username":{"type":"string","description":"The Radius username.\n"}},"type":"object"},"vault:config/authLoginTokenFile:authLoginTokenFile":{"properties":{"filename":{"type":"string","description":"The name of a file containing a single line that is a valid Vault token\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object"},"vault:config/authLoginUserpass:authLoginUserpass":{"properties":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"password":{"type":"string","description":"Login with password\n"},"passwordFile":{"type":"string","description":"Login with password from a file\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"},"username":{"type":"string","description":"Login with username\n"}},"type":"object"},"vault:config/clientAuth:clientAuth":{"properties":{"certFile":{"type":"string","description":"Path to a file containing the client certificate.\n"},"keyFile":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.\n"}},"type":"object","required":["certFile","keyFile"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:config/headers:headers":{"properties":{"name":{"type":"string","description":"The header name\n","secret":true},"value":{"type":"string","description":"The header value\n","secret":true}},"type":"object","required":["name","value"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:database/SecretBackendConnectionCassandra:SecretBackendConnectionCassandra":{"properties":{"connectTimeout":{"type":"integer","description":"The number of seconds to use as a connection timeout.\n"},"consistency":{"type":"string","description":"Cassandra consistency level.\n"},"hosts":{"type":"array","items":{"type":"string"},"description":"Cassandra hosts to connect to.\n"},"insecureTls":{"type":"boolean","description":"Whether to skip verification of the server certificate when using TLS.\n"},"localDatacenter":{"type":"string","description":"Cassandra local datacenter name.\n"},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.\n","secret":true},"pemBundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.\n","secret":true},"pemJson":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.\n","secret":true},"port":{"type":"integer","description":"The transport port to use to connect to Cassandra.\n"},"protocolVersion":{"type":"integer","description":"The CQL protocol version to use.\n"},"skipVerification":{"type":"boolean","description":"Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.\n"},"socketKeepAlive":{"type":"string","description":"Enable TCP keepalive for Cassandra connections.\n"},"tls":{"type":"boolean","description":"Whether to use TLS when connecting to Cassandra.\n"},"tlsServerName":{"type":"string","description":"SNI host for TLS connections.\n"},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.\n"},"usernameTemplate":{"type":"string","description":"Template for dynamic Cassandra usernames.\n"}},"type":"object"},"vault:database/SecretBackendConnectionCouchbase:SecretBackendConnectionCouchbase":{"properties":{"base64Pem":{"type":"string","description":"Required if \u003cspan pulumi-lang-nodejs=\"`tls`\" pulumi-lang-dotnet=\"`Tls`\" pulumi-lang-go=\"`tls`\" pulumi-lang-python=\"`tls`\" pulumi-lang-yaml=\"`tls`\" pulumi-lang-java=\"`tls`\"\u003e`tls`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.\n","secret":true},"bucketName":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.\n"},"hosts":{"type":"array","items":{"type":"string"},"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if \u003cspan pulumi-lang-nodejs=\"`tls`\" pulumi-lang-dotnet=\"`Tls`\" pulumi-lang-go=\"`tls`\" pulumi-lang-python=\"`tls`\" pulumi-lang-yaml=\"`tls`\" pulumi-lang-java=\"`tls`\"\u003e`tls`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"},"insecureTls":{"type":"boolean","description":"Specifies whether to skip verification of the server certificate when using TLS.\n"},"password":{"type":"string","description":"Specifies the password corresponding to the given username.\n","secret":true},"tls":{"type":"boolean","description":"Specifies whether to use TLS when connecting to Couchbase.\n"},"username":{"type":"string","description":"Specifies the username for Vault to use.\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated.\n"}},"type":"object","required":["hosts","password","username"]},"vault:database/SecretBackendConnectionElasticsearch:SecretBackendConnectionElasticsearch":{"properties":{"caCert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity\n"},"caPath":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity\n"},"clientCert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication\n"},"clientKey":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication\n"},"insecure":{"type":"boolean","description":"Whether to disable certificate verification\n"},"password":{"type":"string","description":"The password to be used in the connection URL\n","secret":true},"tlsServerName":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS\n"},"url":{"type":"string","description":"The URL for Elasticsearch's API\n"},"username":{"type":"string","description":"The username to be used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated.\n"}},"type":"object","required":["password","url","username"]},"vault:database/SecretBackendConnectionHana:SecretBackendConnectionHana":{"properties":{"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"disableEscaping":{"type":"boolean","description":"Disable special character escaping in username and password\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretBackendConnectionInfluxdb:SecretBackendConnectionInfluxdb":{"properties":{"connectTimeout":{"type":"integer","description":"The number of seconds to use as a connection timeout.\n"},"host":{"type":"string","description":"Influxdb host to connect to.\n"},"insecureTls":{"type":"boolean","description":"Whether to skip verification of the server certificate when using TLS.\n"},"password":{"type":"string","description":"Specifies the password corresponding to the given username.\n","secret":true},"pemBundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.\n","secret":true},"pemJson":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.\n","secret":true},"port":{"type":"integer","description":"The transport port to use to connect to Influxdb.\n"},"tls":{"type":"boolean","description":"Whether to use TLS when connecting to Influxdb.\n"},"username":{"type":"string","description":"Specifies the username to use for superuser access.\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated.\n"}},"type":"object","required":["host","password","username"]},"vault:database/SecretBackendConnectionMongodb:SecretBackendConnectionMongodb":{"properties":{"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"tlsCa":{"type":"string","description":"The x509 CA file for validating the certificate presented by the MongoDB server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"The x509 certificate and private key bundle for connecting to the database. Must be PEM encoded.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"writeConcern":{"type":"string","description":"Specifies the MongoDB write concern for Vault management operations.\n"}},"type":"object"},"vault:database/SecretBackendConnectionMongodbatlas:SecretBackendConnectionMongodbatlas":{"properties":{"privateKey":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.\n","secret":true},"projectId":{"type":"string","description":"The Project ID the Database User should be created within.\n"},"publicKey":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated.\n"}},"type":"object","required":["privateKey","projectId","publicKey"]},"vault:database/SecretBackendConnectionMssql:SecretBackendConnectionMssql":{"properties":{"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"containedDb":{"type":"boolean","description":"Set to true when the target is a Contained Database, e.g. AzureSQL.\n"},"disableEscaping":{"type":"boolean","description":"Disable special character escaping in username and password\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretBackendConnectionMysql:SecretBackendConnectionMysql":{"properties":{"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretBackendConnectionMysqlAurora:SecretBackendConnectionMysqlAurora":{"properties":{"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretBackendConnectionMysqlLegacy:SecretBackendConnectionMysqlLegacy":{"properties":{"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretBackendConnectionMysqlRds:SecretBackendConnectionMysqlRds":{"properties":{"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretBackendConnectionOracle:SecretBackendConnectionOracle":{"properties":{"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"disconnectSessions":{"type":"boolean","description":"Set to true to disconnect any open sessions prior to running the revocation statements.\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"selfManaged":{"type":"boolean","description":"If set, allows onboarding static roles with a rootless connection configuration.\n"},"splitStatements":{"type":"boolean","description":"Set to true in order to split statements after semi-colons.\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretBackendConnectionPostgresql:SecretBackendConnectionPostgresql":{"properties":{"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"disableEscaping":{"type":"boolean","description":"Disable special character escaping in username and password\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordAuthentication":{"type":"string","description":"When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL.\n"},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"privateKey":{"type":"string","description":"The secret key used for the x509 client certificate. Must be PEM encoded.\n","secret":true},"selfManaged":{"type":"boolean","description":"If set, allows onboarding static roles with a rootless connection configuration.\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.\n"},"tlsCertificate":{"type":"string","description":"The x509 client certificate for connecting to the database. Must be PEM encoded.\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretBackendConnectionRedis:SecretBackendConnectionRedis":{"properties":{"caCert":{"type":"string","description":"The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.\n"},"host":{"type":"string","description":"Specifies the host to connect to\n"},"insecureTls":{"type":"boolean","description":"Specifies whether to skip verification of the server certificate when using TLS.\n"},"password":{"type":"string","description":"Specifies the password corresponding to the given username.\n","secret":true},"port":{"type":"integer","description":"The transport port to use to connect to Redis.\n"},"tls":{"type":"boolean","description":"Specifies whether to use TLS when connecting to Redis.\n"},"username":{"type":"string","description":"Specifies the username for Vault to use.\n"}},"type":"object","required":["host","password","username"]},"vault:database/SecretBackendConnectionRedisElasticache:SecretBackendConnectionRedisElasticache":{"properties":{"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.\n","secret":true},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.\n"},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.\n"},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.\n","secret":true}},"type":"object","required":["url"]},"vault:database/SecretBackendConnectionRedshift:SecretBackendConnectionRedshift":{"properties":{"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"disableEscaping":{"type":"boolean","description":"Disable special character escaping in username and password\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretBackendConnectionSnowflake:SecretBackendConnectionSnowflake":{"properties":{"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","deprecationMessage":"Snowflake is ending support for single-factor password authentication by November 2025. Refer to the documentation for more information on migrating to key-pair authentication.","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"privateKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe private key configured for the admin user in Snowflake.\n","secret":true},"privateKeyWoVersion":{"type":"integer","description":"Version counter for the private key key-pair credentials write-only field\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"}},"type":"object"},"vault:database/SecretsMountCassandra:SecretsMountCassandra":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"connectTimeout":{"type":"integer","description":"The number of seconds to use as a connection timeout.\n"},"consistency":{"type":"string","description":"Cassandra consistency level.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"hosts":{"type":"array","items":{"type":"string"},"description":"Cassandra hosts to connect to.\n"},"insecureTls":{"type":"boolean","description":"Whether to skip verification of the server certificate when using TLS.\n"},"localDatacenter":{"type":"string","description":"Cassandra local datacenter name.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The password to use when authenticating with Cassandra.\n","secret":true},"pemBundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.\n","secret":true},"pemJson":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.\n","secret":true},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"port":{"type":"integer","description":"The transport port to use to connect to Cassandra.\n"},"protocolVersion":{"type":"integer","description":"The CQL protocol version to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"skipVerification":{"type":"boolean","description":"Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.\n"},"socketKeepAlive":{"type":"string","description":"Enable TCP keepalive for Cassandra connections.\n"},"tls":{"type":"boolean","description":"Whether to use TLS when connecting to Cassandra.\n"},"tlsServerName":{"type":"string","description":"SNI host for TLS connections.\n"},"username":{"type":"string","description":"The username to use when authenticating with Cassandra.\n"},"usernameTemplate":{"type":"string","description":"Template for dynamic Cassandra usernames.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountCouchbase:SecretsMountCouchbase":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"base64Pem":{"type":"string","description":"Required if \u003cspan pulumi-lang-nodejs=\"`tls`\" pulumi-lang-dotnet=\"`Tls`\" pulumi-lang-go=\"`tls`\" pulumi-lang-python=\"`tls`\" pulumi-lang-yaml=\"`tls`\" pulumi-lang-java=\"`tls`\"\u003e`tls`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.\n","secret":true},"bucketName":{"type":"string","description":"Required for Couchbase versions prior to 6.5.0. This is only used to verify vault's connection to the server.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"hosts":{"type":"array","items":{"type":"string"},"description":"A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if \u003cspan pulumi-lang-nodejs=\"`tls`\" pulumi-lang-dotnet=\"`Tls`\" pulumi-lang-go=\"`tls`\" pulumi-lang-python=\"`tls`\" pulumi-lang-yaml=\"`tls`\" pulumi-lang-java=\"`tls`\"\u003e`tls`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"},"insecureTls":{"type":"boolean","description":"Specifies whether to skip verification of the server certificate when using TLS.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"Specifies the password corresponding to the given username.\n","secret":true},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"tls":{"type":"boolean","description":"Specifies whether to use TLS when connecting to Couchbase.\n"},"username":{"type":"string","description":"Specifies the username for Vault to use.\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["hosts","name","password","username"],"language":{"nodejs":{"requiredOutputs":["hosts","name","password","pluginName","username"]}}},"vault:database/SecretsMountElasticsearch:SecretsMountElasticsearch":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"caCert":{"type":"string","description":"The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity\n"},"caPath":{"type":"string","description":"The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity\n"},"clientCert":{"type":"string","description":"The path to the certificate for the Elasticsearch client to present for communication\n"},"clientKey":{"type":"string","description":"The path to the key for the Elasticsearch client to use for communication\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"insecure":{"type":"boolean","description":"Whether to disable certificate verification\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The password to be used in the connection URL\n","secret":true},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"tlsServerName":{"type":"string","description":"This, if set, is used to set the SNI host when connecting via TLS\n"},"url":{"type":"string","description":"The URL for Elasticsearch's API\n"},"username":{"type":"string","description":"The username to be used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name","password","url","username"],"language":{"nodejs":{"requiredOutputs":["name","password","pluginName","url","username"]}}},"vault:database/SecretsMountHana:SecretsMountHana":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"disableEscaping":{"type":"boolean","description":"Disable special character escaping in username and password\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountInfluxdb:SecretsMountInfluxdb":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"connectTimeout":{"type":"integer","description":"The number of seconds to use as a connection timeout.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"host":{"type":"string","description":"Influxdb host to connect to.\n"},"insecureTls":{"type":"boolean","description":"Whether to skip verification of the server certificate when using TLS.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"Specifies the password corresponding to the given username.\n","secret":true},"pemBundle":{"type":"string","description":"Concatenated PEM blocks containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.\n","secret":true},"pemJson":{"type":"string","description":"Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.\n","secret":true},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"port":{"type":"integer","description":"The transport port to use to connect to Influxdb.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"tls":{"type":"boolean","description":"Whether to use TLS when connecting to Influxdb.\n"},"username":{"type":"string","description":"Specifies the username to use for superuser access.\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["host","name","password","username"],"language":{"nodejs":{"requiredOutputs":["host","name","password","pluginName","username"]}}},"vault:database/SecretsMountMongodb:SecretsMountMongodb":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"tlsCa":{"type":"string","description":"The x509 CA file for validating the certificate presented by the MongoDB server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"The x509 certificate and private key bundle for connecting to the database. Must be PEM encoded.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"},"writeConcern":{"type":"string","description":"Specifies the MongoDB write concern for Vault management operations.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountMongodbatla:SecretsMountMongodbatla":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"privateKey":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API.\n","secret":true},"projectId":{"type":"string","description":"The Project ID the Database User should be created within.\n"},"publicKey":{"type":"string","description":"The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name","privateKey","projectId","publicKey"],"language":{"nodejs":{"requiredOutputs":["name","pluginName","privateKey","projectId","publicKey"]}}},"vault:database/SecretsMountMssql:SecretsMountMssql":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"containedDb":{"type":"boolean","description":"Set to true when the target is a Contained Database, e.g. AzureSQL.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"disableEscaping":{"type":"boolean","description":"Disable special character escaping in username and password\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountMysql:SecretsMountMysql":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountMysqlAurora:SecretsMountMysqlAurora":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountMysqlLegacy:SecretsMountMysqlLegacy":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountMysqlRd:SecretsMountMysqlRd":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.\n"},"tlsCertificateKey":{"type":"string","description":"x509 certificate for connecting to the database. This must be a PEM encoded version of the private key and the certificate combined.\n","secret":true},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountOracle:SecretsMountOracle":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"disconnectSessions":{"type":"boolean","description":"Set to true to disconnect any open sessions prior to running the revocation statements.\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"selfManaged":{"type":"boolean","description":"If set, allows onboarding static roles with a rootless connection configuration.\n"},"splitStatements":{"type":"boolean","description":"Set to true in order to split statements after semi-colons.\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountPostgresql:SecretsMountPostgresql":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"authType":{"type":"string","description":"Specify alternative authorization type. (Only 'gcp_iam' is valid currently)\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"disableEscaping":{"type":"boolean","description":"Disable special character escaping in username and password\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordAuthentication":{"type":"string","description":"When set to `scram-sha-256`, passwords will be hashed by Vault before being sent to PostgreSQL.\n"},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"privateKey":{"type":"string","description":"The secret key used for the x509 client certificate. Must be PEM encoded.\n","secret":true},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"selfManaged":{"type":"boolean","description":"If set, allows onboarding static roles with a rootless connection configuration.\n"},"serviceAccountJson":{"type":"string","description":"A JSON encoded credential for use with IAM authorization\n","secret":true},"tlsCa":{"type":"string","description":"The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.\n"},"tlsCertificate":{"type":"string","description":"The x509 client certificate for connecting to the database. Must be PEM encoded.\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountRedi:SecretsMountRedi":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"caCert":{"type":"string","description":"The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"host":{"type":"string","description":"Specifies the host to connect to\n"},"insecureTls":{"type":"boolean","description":"Specifies whether to skip verification of the server certificate when using TLS.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"Specifies the password corresponding to the given username.\n","secret":true},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"port":{"type":"integer","description":"The transport port to use to connect to Redis.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"tls":{"type":"boolean","description":"Specifies whether to use TLS when connecting to Redis.\n"},"username":{"type":"string","description":"Specifies the username for Vault to use.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["host","name","password","username"],"language":{"nodejs":{"requiredOutputs":["host","name","password","pluginName","username"]}}},"vault:database/SecretsMountRedisElasticache:SecretsMountRedisElasticache":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The AWS secret key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.\n","secret":true},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"region":{"type":"string","description":"The AWS region where the ElastiCache cluster is hosted. If omitted the plugin tries to infer the region from the environment.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"url":{"type":"string","description":"The configuration endpoint for the ElastiCache cluster to connect to.\n"},"username":{"type":"string","description":"The AWS access key id to use to talk to ElastiCache. If omitted the credentials chain provider is used instead.\n","secret":true},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name","url"],"language":{"nodejs":{"requiredOutputs":["name","pluginName","url"]}}},"vault:database/SecretsMountRedshift:SecretsMountRedshift":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"disableEscaping":{"type":"boolean","description":"Disable special character escaping in username and password\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:database/SecretsMountSnowflake:SecretsMountSnowflake":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"connectionUrl":{"type":"string","description":"Connection string to use to connect to the database.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n\nSupported list of database secrets engines that can be configured:\n"},"maxConnectionLifetime":{"type":"integer","description":"Maximum number of seconds a connection may be reused.\n"},"maxIdleConnections":{"type":"integer","description":"Maximum number of idle connections to the database.\n"},"maxOpenConnections":{"type":"integer","description":"Maximum number of open connections to the database.\n"},"name":{"type":"string","description":"Name of the database connection.\n"},"password":{"type":"string","description":"The root credential password used in the connection URL\n","deprecationMessage":"Snowflake is ending support for single-factor password authentication by November 2025. Refer to the documentation for more information on migrating to key-pair authentication.","secret":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only field for the root credential password used in the connection URL\n","secret":true},"passwordWoVersion":{"type":"integer","description":"Version counter for root credential password write-only field\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"privateKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe private key configured for the admin user in Snowflake.\n","secret":true},"privateKeyWoVersion":{"type":"integer","description":"Version counter for the private key key-pair credentials write-only field\n"},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"username":{"type":"string","description":"The root credential username used in the connection URL\n"},"usernameTemplate":{"type":"string","description":"Username generation template.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object","required":["name"],"language":{"nodejs":{"requiredOutputs":["name","pluginName"]}}},"vault:gcp/AuthBackendCustomEndpoint:AuthBackendCustomEndpoint":{"properties":{"api":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://www.googleapis.com`.\n"},"compute":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://compute.googleapis.com`.\n\nThe endpoint value provided for a given key has the form of `scheme://host:port`.\nThe `scheme://` and `:port` portions of the endpoint value are optional.\n"},"crm":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://cloudresourcemanager.googleapis.com`.\n"},"iam":{"type":"string","description":"Replaces the service endpoint used in API requests to `https://iam.googleapis.com`.\n"}},"type":"object"},"vault:gcp/AuthBackendTune:AuthBackendTune":{"properties":{"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and allowing\na plugin to include them in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtl":{"type":"string","description":"Specifies the default time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in\nthe UI-specific listing endpoint. Valid values are \"unauth\" or \"hidden\".\n"},"maxLeaseTtl":{"type":"string","description":"Specifies the maximum time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and\npass from the request to the backend.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n\n\nFor more details on the usage of each argument consult the [Vault GCP API documentation](https://www.vaultproject.io/api-docs/auth/gcp#configure).\n"}},"type":"object"},"vault:gcp/SecretRolesetBinding:SecretRolesetBinding":{"properties":{"resource":{"type":"string","description":"Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings).\n"},"roles":{"type":"array","items":{"type":"string"},"description":"List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.\n"}},"type":"object","required":["resource","roles"]},"vault:gcp/SecretStaticAccountBinding:SecretStaticAccountBinding":{"properties":{"resource":{"type":"string","description":"Resource or resource path for which IAM policy information will be bound. The resource path may be specified in a few different [formats](https://www.vaultproject.io/docs/secrets/gcp/index.html#bindings).\n"},"roles":{"type":"array","items":{"type":"string"},"description":"List of [GCP IAM roles](https://cloud.google.com/iam/docs/understanding-roles) for the resource.\n"}},"type":"object","required":["resource","roles"]},"vault:github/AuthBackendTune:AuthBackendTune":{"properties":{"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and allowing\na plugin to include them in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtl":{"type":"string","description":"Specifies the default time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in\nthe UI-specific listing endpoint. Valid values are \"unauth\" or \"hidden\".\n"},"maxLeaseTtl":{"type":"string","description":"Specifies the maximum time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and\npass from the request to the backend.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"}},"type":"object"},"vault:identity/getEntityAlias:getEntityAlias":{"properties":{"canonicalId":{"type":"string","description":"Canonical ID of the Alias\n"},"creationTime":{"type":"string","description":"Creation time of the Alias\n"},"id":{"type":"string","description":"ID of the alias\n"},"lastUpdateTime":{"type":"string","description":"Last update time of the alias\n"},"mergedFromCanonicalIds":{"type":"array","items":{"type":"string"},"description":"List of canonical IDs merged with this alias\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Arbitrary metadata\n"},"mountAccessor":{"type":"string","description":"Authentication mount acccessor which this alias belongs to\n"},"mountPath":{"type":"string","description":"Authentication mount path which this alias belongs to\n"},"mountType":{"type":"string","description":"Authentication mount type which this alias belongs to\n"},"name":{"type":"string","description":"Name of the alias\n"}},"type":"object","required":["canonicalId","creationTime","id","lastUpdateTime","mergedFromCanonicalIds","metadata","mountAccessor","mountPath","mountType","name"],"language":{"nodejs":{"requiredInputs":[]}}},"vault:index/AuthBackendTune:AuthBackendTune":{"properties":{"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and allowing\na plugin to include them in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtl":{"type":"string","description":"Specifies the default time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in\nthe UI-specific listing endpoint. Valid values are \"unauth\" or \"hidden\".\n"},"maxLeaseTtl":{"type":"string","description":"Specifies the maximum time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and\npass from the request to the backend.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"}},"type":"object"},"vault:index/OciAuthBackendTune:OciAuthBackendTune":{"properties":{"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and allowing\na plugin to include them in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtl":{"type":"string","description":"Specifies the default time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in\nthe UI-specific listing endpoint. Valid values are \"unauth\" or \"hidden\".\n"},"maxLeaseTtl":{"type":"string","description":"Specifies the maximum time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and\npass from the request to the backend.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by the mount.\n"}},"type":"object"},"vault:index/ProviderAuthLogin:ProviderAuthLogin":{"properties":{"method":{"type":"string"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"parameters":{"type":"object","additionalProperties":{"type":"string"},"secret":true},"path":{"type":"string"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["path"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/ProviderAuthLoginAws:ProviderAuthLoginAws":{"properties":{"awsAccessKeyId":{"type":"string","description":"The AWS access key ID.\n"},"awsIamEndpoint":{"type":"string","description":"The IAM endpoint URL.\n"},"awsProfile":{"type":"string","description":"The name of the AWS profile.\n"},"awsRegion":{"type":"string","description":"The AWS region.\n"},"awsRoleArn":{"type":"string","description":"The ARN of the AWS Role to assume.Used during STS AssumeRole\n"},"awsRoleSessionName":{"type":"string","description":"Specifies the name to attach to the AWS role session. Used during STS AssumeRole\n"},"awsSecretAccessKey":{"type":"string","description":"The AWS secret access key.\n"},"awsSessionToken":{"type":"string","description":"The AWS session token.\n"},"awsSharedCredentialsFile":{"type":"string","description":"Path to the AWS shared credentials file.\n"},"awsStsEndpoint":{"type":"string","description":"The STS endpoint URL.\n"},"awsWebIdentityTokenFile":{"type":"string","description":"Path to the file containing an OAuth 2.0 access token or OpenID Connect ID token.\n"},"headerValue":{"type":"string","description":"The Vault header value to include in the STS signing request.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"The Vault role to use when logging into Vault.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["role"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/ProviderAuthLoginAzure:ProviderAuthLoginAzure":{"properties":{"clientId":{"type":"string","description":"The identity's client ID.\n"},"jwt":{"type":"string","description":"A signed JSON Web Token. If not specified on will be created automatically\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"resourceGroupName":{"type":"string","description":"The resource group for the machine that generated the MSI token. This information can be obtained through instance metadata.\n"},"role":{"type":"string","description":"Name of the login role.\n"},"scope":{"type":"string","description":"The scopes to include in the token request.\n"},"subscriptionId":{"type":"string","description":"The subscription ID for the machine that generated the MSI token. This information can be obtained through instance metadata.\n"},"tenantId":{"type":"string","description":"Provides the tenant ID to use in a multi-tenant authentication scenario.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"},"vmName":{"type":"string","description":"The virtual machine name for the machine that generated the MSI token. This information can be obtained through instance metadata.\n"},"vmssName":{"type":"string","description":"The virtual machine scale set name for the machine that generated the MSI token. This information can be obtained through instance metadata.\n"}},"type":"object","required":["resourceGroupName","role","subscriptionId"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/ProviderAuthLoginCert:ProviderAuthLoginCert":{"properties":{"certFile":{"type":"string","description":"Path to a file containing the client certificate.\n"},"keyFile":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"name":{"type":"string","description":"Name of the certificate's role\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["certFile","keyFile"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/ProviderAuthLoginGcp:ProviderAuthLoginGcp":{"properties":{"credentials":{"type":"string","description":"Path to the Google Cloud credentials file.\n"},"jwt":{"type":"string","description":"A signed JSON Web Token.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"Name of the login role.\n"},"serviceAccount":{"type":"string","description":"IAM service account.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["role"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/ProviderAuthLoginJwt:ProviderAuthLoginJwt":{"properties":{"jwt":{"type":"string","description":"A signed JSON Web Token.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"Name of the login role.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["role"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/ProviderAuthLoginKerberos:ProviderAuthLoginKerberos":{"properties":{"disableFastNegotiation":{"type":"boolean","description":"Disable the Kerberos FAST negotiation.\n"},"keytabPath":{"type":"string","description":"The Kerberos keytab file containing the entry of the login entity.\n"},"krb5confPath":{"type":"string","description":"A valid Kerberos configuration file e.g. /etc/krb5.conf.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"realm":{"type":"string","description":"The Kerberos server's authoritative authentication domain\n"},"removeInstanceName":{"type":"boolean","description":"Strip the host from the username found in the keytab.\n"},"service":{"type":"string","description":"The service principle name.\n"},"token":{"type":"string","description":"Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) token\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"},"username":{"type":"string","description":"The username to login into Kerberos with.\n"}},"type":"object"},"vault:index/ProviderAuthLoginOci:ProviderAuthLoginOci":{"properties":{"authType":{"type":"string","description":"Authentication type to use when getting OCI credentials.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"Name of the login role.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["authType","role"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/ProviderAuthLoginOidc:ProviderAuthLoginOidc":{"properties":{"callbackAddress":{"type":"string","description":"The callback address. Must be a valid URI without the path.\n"},"callbackListenerAddress":{"type":"string","description":"The callback listener's address. Must be a valid URI without the path.\n"},"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"role":{"type":"string","description":"Name of the login role.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object","required":["role"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/ProviderAuthLoginRadius:ProviderAuthLoginRadius":{"properties":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"password":{"type":"string","description":"The Radius password for username.\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"},"username":{"type":"string","description":"The Radius username.\n"}},"type":"object"},"vault:index/ProviderAuthLoginTokenFile:ProviderAuthLoginTokenFile":{"properties":{"filename":{"type":"string","description":"The name of a file containing a single line that is a valid Vault token\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"}},"type":"object"},"vault:index/ProviderAuthLoginUserpass:ProviderAuthLoginUserpass":{"properties":{"mount":{"type":"string","description":"The path where the authentication engine is mounted.\n"},"namespace":{"type":"string","description":"The authentication engine's namespace. Conflicts with use_root_namespace\n"},"password":{"type":"string","description":"Login with password\n"},"passwordFile":{"type":"string","description":"Login with password from a file\n"},"useRootNamespace":{"type":"boolean","description":"Authenticate to the root Vault namespace. Conflicts with namespace\n"},"username":{"type":"string","description":"Login with username\n"}},"type":"object"},"vault:index/ProviderClientAuth:ProviderClientAuth":{"properties":{"certFile":{"type":"string","description":"Path to a file containing the client certificate.\n"},"keyFile":{"type":"string","description":"Path to a file containing the private key that the certificate was issued for.\n"}},"type":"object","required":["certFile","keyFile"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/ProviderHeader:ProviderHeader":{"properties":{"name":{"type":"string","description":"The header name\n","secret":true},"value":{"type":"string","description":"The header value\n","secret":true}},"type":"object","required":["name","value"],"language":{"nodejs":{"requiredOutputs":[]}}},"vault:index/getPolicyDocumentRule:getPolicyDocumentRule":{"properties":{"allowedParameters":{"type":"array","items":{"$ref":"#/types/vault:index/getPolicyDocumentRuleAllowedParameter:getPolicyDocumentRuleAllowedParameter"},"description":"Whitelists a list of keys and values that are permitted on the given path. See Parameters below.\n"},"capabilities":{"type":"array","items":{"type":"string"},"description":"A list of capabilities that this rule apply to \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e. For example, [\"read\", \"write\"].\n"},"deniedParameters":{"type":"array","items":{"$ref":"#/types/vault:index/getPolicyDocumentRuleDeniedParameter:getPolicyDocumentRuleDeniedParameter"},"description":"Blacklists a list of parameter and values. Any values specified here take precedence over \u003cspan pulumi-lang-nodejs=\"`allowedParameter`\" pulumi-lang-dotnet=\"`AllowedParameter`\" pulumi-lang-go=\"`allowedParameter`\" pulumi-lang-python=\"`allowed_parameter`\" pulumi-lang-yaml=\"`allowedParameter`\" pulumi-lang-java=\"`allowedParameter`\"\u003e`allowed_parameter`\u003c/span\u003e. See Parameters below.\n"},"description":{"type":"string","description":"Description of the rule. Will be added as a comment to rendered rule.\n"},"maxWrappingTtl":{"type":"string","description":"The maximum allowed TTL that clients can specify for a wrapped response.\n"},"minWrappingTtl":{"type":"string","description":"The minimum allowed TTL that clients can specify for a wrapped response.\n"},"path":{"type":"string","description":"A path in Vault that this rule applies to.\n"},"requiredParameters":{"type":"array","items":{"type":"string"},"description":"A list of parameters that must be specified.\n"},"subscribeEventTypes":{"type":"array","items":{"type":"string"},"description":"A list of event types to subscribe to when using \u003cspan pulumi-lang-nodejs=\"`subscribe`\" pulumi-lang-dotnet=\"`Subscribe`\" pulumi-lang-go=\"`subscribe`\" pulumi-lang-python=\"`subscribe`\" pulumi-lang-yaml=\"`subscribe`\" pulumi-lang-java=\"`subscribe`\"\u003e`subscribe`\u003c/span\u003e capability.\n"}},"type":"object","required":["capabilities","path"]},"vault:index/getPolicyDocumentRuleAllowedParameter:getPolicyDocumentRuleAllowedParameter":{"properties":{"key":{"type":"string","description":"Name of permitted key.\n"},"values":{"type":"array","items":{"type":"string"},"description":"A list of values what are permitted by policy rule.\n"}},"type":"object","required":["key","values"]},"vault:index/getPolicyDocumentRuleDeniedParameter:getPolicyDocumentRuleDeniedParameter":{"properties":{"key":{"type":"string","description":"Name of denied key.\n"},"values":{"type":"array","items":{"type":"string"},"description":"A list of values what are denied by policy rule.\n"}},"type":"object","required":["key","values"]},"vault:jwt/AuthBackendTune:AuthBackendTune":{"properties":{"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and allowing\na plugin to include them in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtl":{"type":"string","description":"Specifies the default time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in\nthe UI-specific listing endpoint. Valid values are \"unauth\" or \"hidden\".\n"},"maxLeaseTtl":{"type":"string","description":"Specifies the maximum time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and\npass from the request to the backend.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"}},"type":"object"},"vault:kv/SecretV2CustomMetadata:SecretV2CustomMetadata":{"properties":{"casRequired":{"type":"boolean","description":"If true, all keys will require the cas parameter to be set on all write requests.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"**Deprecated. Please use new ephemeral resource \u003cspan pulumi-lang-nodejs=\"`vault.kv.SecretV2`\" pulumi-lang-dotnet=\"`vault.kv.SecretV2`\" pulumi-lang-go=\"`kv.SecretV2`\" pulumi-lang-python=\"`kv.SecretV2`\" pulumi-lang-yaml=\"`vault.kv.SecretV2`\" pulumi-lang-java=\"`vault.kv.SecretV2`\"\u003e`vault.kv.SecretV2`\u003c/span\u003e to read back\nsecret data from Vault**. A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only represent string data,\nso any non-string values returned from Vault are serialized as JSON.\n"},"deleteVersionAfter":{"type":"integer","description":"If set, specifies the length of time before a version is deleted.\n"},"maxVersions":{"type":"integer","description":"The number of versions to keep per key.\n"}},"type":"object"},"vault:ldap/AuthBackendTune:AuthBackendTune":{"properties":{"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and allowing\na plugin to include them in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtl":{"type":"string","description":"Specifies the default time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in\nthe UI-specific listing endpoint. Valid values are \"unauth\" or \"hidden\".\n"},"maxLeaseTtl":{"type":"string","description":"Specifies the maximum time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and\npass from the request to the backend.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"}},"type":"object"},"vault:managed/KeysAw:KeysAw":{"properties":{"accessKey":{"type":"string","description":"The AWS access key to use\n"},"allowGenerateKey":{"type":"boolean","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend\n"},"allowReplaceKey":{"type":"boolean","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.\n"},"allowStoreKey":{"type":"boolean","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden\n"},"anyMount":{"type":"boolean","description":"Allow usage from any mount point within the namespace if 'true'\n"},"curve":{"type":"string","description":"The curve to use for an ECDSA key. Used when\u003cspan pulumi-lang-nodejs=\" keyType \" pulumi-lang-dotnet=\" KeyType \" pulumi-lang-go=\" keyType \" pulumi-lang-python=\" key_type \" pulumi-lang-yaml=\" keyType \" pulumi-lang-java=\" keyType \"\u003e key_type \u003c/span\u003eis 'ECDSA'. Required if 'allow_generate_key' is true\n"},"endpoint":{"type":"string","description":"Used to specify a custom AWS endpoint\n"},"keyBits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA'\n"},"keyType":{"type":"string","description":"The type of key to use\n"},"kmsKey":{"type":"string","description":"An identifier for the key\n"},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key\n"},"region":{"type":"string","description":"The AWS region where the keys are stored (or will be stored)\n"},"secretKey":{"type":"string","description":"The AWS secret key to use\n"},"uuid":{"type":"string","description":"ID of the managed key read from Vault\n"}},"type":"object","required":["accessKey","keyBits","keyType","kmsKey","name","secretKey"],"language":{"nodejs":{"requiredOutputs":["accessKey","allowGenerateKey","allowReplaceKey","allowStoreKey","anyMount","keyBits","keyType","kmsKey","name","region","secretKey","uuid"]}}},"vault:managed/KeysAzure:KeysAzure":{"properties":{"allowGenerateKey":{"type":"boolean","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend\n"},"allowReplaceKey":{"type":"boolean","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.\n"},"allowStoreKey":{"type":"boolean","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden\n"},"anyMount":{"type":"boolean","description":"Allow usage from any mount point within the namespace if 'true'\n"},"clientId":{"type":"string","description":"The client id for credentials to query the Azure APIs\n"},"clientSecret":{"type":"string","description":"The client secret for credentials to query the Azure APIs\n"},"environment":{"type":"string","description":"The Azure Cloud environment API endpoints to use\n"},"keyBits":{"type":"string","description":"The size in bits for an RSA key. This field is required when 'key_type' is 'RSA' or when 'allow_generate_key' is true\n"},"keyName":{"type":"string","description":"The Key Vault key to use for encryption and decryption\n"},"keyType":{"type":"string","description":"The type of key to use\n"},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key\n"},"resource":{"type":"string","description":"The Azure Key Vault resource's DNS Suffix to connect to\n"},"tenantId":{"type":"string","description":"The tenant id for the Azure Active Directory organization\n"},"uuid":{"type":"string","description":"ID of the managed key read from Vault\n"},"vaultName":{"type":"string","description":"The Key Vault vault to use the encryption keys for encryption and decryption\n"}},"type":"object","required":["clientId","clientSecret","keyName","keyType","name","tenantId","vaultName"],"language":{"nodejs":{"requiredOutputs":["allowGenerateKey","allowReplaceKey","allowStoreKey","anyMount","clientId","clientSecret","environment","keyName","keyType","name","resource","tenantId","uuid","vaultName"]}}},"vault:managed/KeysPkc:KeysPkc":{"properties":{"allowGenerateKey":{"type":"boolean","description":"If no existing key can be found in the referenced backend, instructs Vault to generate a key within the backend\n"},"allowReplaceKey":{"type":"boolean","description":"Controls the ability for Vault to replace through generation or importing a key into the configured backend even if a key is present, if set to false those operations are forbidden if a key exists.\n"},"allowStoreKey":{"type":"boolean","description":"Controls the ability for Vault to import a key to the configured backend, if 'false', those operations will be forbidden\n"},"anyMount":{"type":"boolean","description":"Allow usage from any mount point within the namespace if 'true'\n"},"curve":{"type":"string","description":"Supplies the curve value when using the 'CKM_ECDSA' mechanism. Required if 'allow_generate_key' is true\n"},"forceRwSession":{"type":"string","description":"Force all operations to open up a read-write session to the HSM\n"},"keyBits":{"type":"string","description":"Supplies the size in bits of the key when using 'CKM_RSA_PKCS_PSS', 'CKM_RSA_PKCS_OAEP' or 'CKM_RSA_PKCS' as a value for 'mechanism'. Required if 'allow_generate_key' is true\n"},"keyId":{"type":"string","description":"The id of a PKCS#11 key to use\n"},"keyLabel":{"type":"string","description":"The label of the key to use\n"},"library":{"type":"string","description":"The name of the\u003cspan pulumi-lang-nodejs=\" kmsLibrary \" pulumi-lang-dotnet=\" KmsLibrary \" pulumi-lang-go=\" kmsLibrary \" pulumi-lang-python=\" kms_library \" pulumi-lang-yaml=\" kmsLibrary \" pulumi-lang-java=\" kmsLibrary \"\u003e kms_library \u003c/span\u003estanza to use from Vault's config to lookup the local library path\n"},"mechanism":{"type":"string","description":"The encryption/decryption mechanism to use, specified as a hexadecimal (prefixed by 0x) string.\n"},"name":{"type":"string","description":"A unique lowercase name that serves as identifying the key\n"},"pin":{"type":"string","description":"The PIN for login\n"},"slot":{"type":"string","description":"The slot number to use, specified as a string in a decimal format (e.g. '2305843009213693953')\n"},"tokenLabel":{"type":"string","description":"The slot token label to use\n"},"uuid":{"type":"string","description":"ID of the managed key read from Vault\n"}},"type":"object","required":["library","mechanism","name","pin"],"language":{"nodejs":{"requiredOutputs":["allowGenerateKey","allowReplaceKey","allowStoreKey","anyMount","library","mechanism","name","pin","uuid"]}}},"vault:okta/AuthBackendGroup:AuthBackendGroup":{"properties":{"groupName":{"type":"string","description":"Name of the Okta group\n"},"policies":{"type":"array","items":{"type":"string"},"description":"Policies to associate with this group\n"}},"type":"object","required":["groupName","policies"]},"vault:okta/AuthBackendTune:AuthBackendTune":{"properties":{"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and allowing a plugin to include them in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtl":{"type":"string","description":"Specifies the default time-to-live duration. This overrides the global default. A value of 0 is equivalent to the system default TTL\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are \"unauth\" or \"hidden\". If not set, behaves like \"hidden\".\n"},"maxLeaseTtl":{"type":"string","description":"Specifies the maximum time-to-live duration. This overrides the global default. A value of 0 are equivalent and set to the system max TTL.\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and pass from the request to the backend.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by the mount.\n"}},"type":"object"},"vault:okta/AuthBackendUser:AuthBackendUser":{"properties":{"groups":{"type":"array","items":{"type":"string"},"description":"Groups within the Okta auth backend to associate with this user\n"},"policies":{"type":"array","items":{"type":"string"},"description":"Policies to associate with this user\n"},"username":{"type":"string","description":"Name of the user within Okta\n"}},"type":"object","required":["username"]},"vault:pkiSecret/BackendConfigCmpv2Authenticators:BackendConfigCmpv2Authenticators":{"properties":{"cert":{"type":"object","additionalProperties":{"type":"string"},"description":"\"The accessor (required) and\u003cspan pulumi-lang-nodejs=\" certRole \" pulumi-lang-dotnet=\" CertRole \" pulumi-lang-go=\" certRole \" pulumi-lang-python=\" cert_role \" pulumi-lang-yaml=\" certRole \" pulumi-lang-java=\" certRole \"\u003e cert_role \u003c/span\u003e(optional) properties for cert auth backends\".\n"}},"type":"object"},"vault:pkiSecret/BackendConfigEstAuthenticators:BackendConfigEstAuthenticators":{"properties":{"cert":{"type":"object","additionalProperties":{"type":"string"},"description":"The accessor (required) and\u003cspan pulumi-lang-nodejs=\" certRole \" pulumi-lang-dotnet=\" CertRole \" pulumi-lang-go=\" certRole \" pulumi-lang-python=\" cert_role \" pulumi-lang-yaml=\" certRole \" pulumi-lang-java=\" certRole \"\u003e cert_role \u003c/span\u003e(optional) properties for cert auth backends.\n"},"userpass":{"type":"object","additionalProperties":{"type":"string"},"description":"The accessor (required) property for user pass auth backends.\n"}},"type":"object"},"vault:pkiSecret/BackendConfigScepAuthenticators:BackendConfigScepAuthenticators":{"properties":{"cert":{"type":"object","additionalProperties":{"type":"string"},"description":"The accessor and\u003cspan pulumi-lang-nodejs=\" certRole \" pulumi-lang-dotnet=\" CertRole \" pulumi-lang-go=\" certRole \" pulumi-lang-python=\" cert_role \" pulumi-lang-yaml=\" certRole \" pulumi-lang-java=\" certRole \"\u003e cert_role \u003c/span\u003eproperties for cert auth backends\n"},"scep":{"type":"object","additionalProperties":{"type":"string"},"description":"The accessor property for SCEP auth backends\n"}},"type":"object"},"vault:pkiSecret/BackendConfigScepExternalValidation:BackendConfigScepExternalValidation":{"properties":{"intune":{"type":"object","additionalProperties":{"type":"string"},"description":"The credentials to enable Microsoft Intune validation of SCEP requests\n"}},"type":"object"},"vault:pkiSecret/SecretBackendRolePolicyIdentifier:SecretBackendRolePolicyIdentifier":{"properties":{"cps":{"type":"string","description":"The URL of the CPS for the policy identifier\n"},"notice":{"type":"string","description":"A notice for the policy identifier\n"},"oid":{"type":"string","description":"The OID for the policy identifier\n"}},"type":"object","required":["oid"]},"vault:pkiSecret/getBackendConfigCmpv2Authenticator:getBackendConfigCmpv2Authenticator":{"properties":{"cert":{"type":"object","additionalProperties":{"type":"string"},"description":"The accessor and\u003cspan pulumi-lang-nodejs=\" certRole \" pulumi-lang-dotnet=\" CertRole \" pulumi-lang-go=\" certRole \" pulumi-lang-python=\" cert_role \" pulumi-lang-yaml=\" certRole \" pulumi-lang-java=\" certRole \"\u003e cert_role \u003c/span\u003eproperties for cert auth backends\n"}},"type":"object"},"vault:pkiSecret/getBackendConfigEstAuthenticator:getBackendConfigEstAuthenticator":{"properties":{"cert":{"type":"object","additionalProperties":{"type":"string"},"description":"The accessor and\u003cspan pulumi-lang-nodejs=\" certRole \" pulumi-lang-dotnet=\" CertRole \" pulumi-lang-go=\" certRole \" pulumi-lang-python=\" cert_role \" pulumi-lang-yaml=\" certRole \" pulumi-lang-java=\" certRole \"\u003e cert_role \u003c/span\u003eproperties for cert auth backends.\n"},"userpass":{"type":"object","additionalProperties":{"type":"string"},"description":"The accessor property for user pass auth backends.\n"}},"type":"object"},"vault:pkiSecret/getBackendConfigScepAuthenticator:getBackendConfigScepAuthenticator":{"properties":{"cert":{"type":"object","additionalProperties":{"type":"string"},"description":"The accessor and\u003cspan pulumi-lang-nodejs=\" certRole \" pulumi-lang-dotnet=\" CertRole \" pulumi-lang-go=\" certRole \" pulumi-lang-python=\" cert_role \" pulumi-lang-yaml=\" certRole \" pulumi-lang-java=\" certRole \"\u003e cert_role \u003c/span\u003eproperties for cert auth backends.\n"},"scep":{"type":"object","additionalProperties":{"type":"string"},"description":"The accessor property for scep auth backends.\n"}},"type":"object"},"vault:pkiSecret/getBackendConfigScepExternalValidation:getBackendConfigScepExternalValidation":{"properties":{"intune":{"type":"object","additionalProperties":{"type":"string"},"description":"The tenant_id, client_id,\u003cspan pulumi-lang-nodejs=\" clientSecret \" pulumi-lang-dotnet=\" ClientSecret \" pulumi-lang-go=\" clientSecret \" pulumi-lang-python=\" client_secret \" pulumi-lang-yaml=\" clientSecret \" pulumi-lang-java=\" clientSecret \"\u003e client_secret \u003c/span\u003eand environment properties for Microsoft Intune validation of SCEP requests.\n"}},"type":"object"},"vault:rabbitMq/SecretBackendRoleVhost:SecretBackendRoleVhost":{"properties":{"configure":{"type":"string","description":"The configure permissions for this vhost.\n"},"host":{"type":"string","description":"The vhost to set permissions for.\n"},"read":{"type":"string","description":"The read permissions for this vhost.\n"},"write":{"type":"string","description":"The write permissions for this vhost.\n"}},"type":"object","required":["configure","host","read","write"]},"vault:rabbitMq/SecretBackendRoleVhostTopic:SecretBackendRoleVhostTopic":{"properties":{"host":{"type":"string","description":"The vhost to set permissions for.\n"},"vhosts":{"type":"array","items":{"$ref":"#/types/vault:rabbitMq/SecretBackendRoleVhostTopicVhost:SecretBackendRoleVhostTopicVhost"},"description":"Specifies a map of virtual hosts to permissions.\n"}},"type":"object","required":["host"]},"vault:rabbitMq/SecretBackendRoleVhostTopicVhost:SecretBackendRoleVhostTopicVhost":{"properties":{"read":{"type":"string","description":"The read permissions for this vhost.\n"},"topic":{"type":"string","description":"The vhost to set permissions for.\n"},"write":{"type":"string","description":"The write permissions for this vhost.\n"}},"type":"object","required":["read","topic","write"]},"vault:saml/AuthBackendTune:AuthBackendTune":{"properties":{"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and allowing\na plugin to include them in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will\nnot be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtl":{"type":"string","description":"Specifies the default time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in\nthe UI-specific listing endpoint. Valid values are \"unauth\" or \"hidden\".\n"},"maxLeaseTtl":{"type":"string","description":"Specifies the maximum time-to-live.\nIf set, this overrides the global default.\nMust be a valid [duration string](https://golang.org/pkg/time/#ParseDuration)\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to whitelist and\npass from the request to the backend.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"}},"type":"object"},"vault:secrets/SyncAssociationMetadata:SyncAssociationMetadata":{"properties":{"subKey":{"type":"string","description":"Subkey of the associated secret.\n"},"syncStatus":{"type":"string","description":"A map of sync statuses for each subkey of the associated secret\n(for ex. `{kv_624bea/aws-token/dev: \"SYNCED\", kv_624bea/aws-token/prod: \"SYNCED\"}`).\n"},"updatedAt":{"type":"string","description":"A map of duration strings specifying when each subkey of the associated\nsecret was last updated.\n(for ex.\n`{kv_624bea/aws-token/dev: \"2024-03-21T12:42:02.558533-07:00\",\nkv_624bea/aws-token/prod: \"2024-03-21T12:42:02.558533-07:00\"}`).\n"}},"type":"object","language":{"nodejs":{"requiredOutputs":["subKey","syncStatus","updatedAt"]}}},"vault:ssh/SecretBackendRoleAllowedUserKeyConfig:SecretBackendRoleAllowedUserKeyConfig":{"properties":{"lengths":{"type":"array","items":{"type":"integer"},"description":"List of allowed key lengths, vault-1.10 and above\n"},"type":{"type":"string","description":"Key type, choices:\nrsa, ecdsa, ec, dsa, ed25519, ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521\n"}},"type":"object","required":["lengths","type"]}},"provider":{"description":"The provider type for the vault package. By default, resources use package-wide configuration\nsettings, however an explicit `Provider` instance may be created and passed during resource\nconstruction to achieve fine-grained programmatic control over provider settings. See the\n[documentation](https://www.pulumi.com/docs/reference/programming-model/#providers) for more information.\n","properties":{"addAddressToEnv":{"type":"string"},"address":{"type":"string","description":"URL of the root of the target Vault server."},"authLogin":{"$ref":"#/types/vault:index/ProviderAuthLogin:ProviderAuthLogin","description":"Login to vault with an existing auth method using auth/\u003cmount\u003e/login"},"authLoginAws":{"$ref":"#/types/vault:index/ProviderAuthLoginAws:ProviderAuthLoginAws","description":"Login to vault using the AWS method"},"authLoginAzure":{"$ref":"#/types/vault:index/ProviderAuthLoginAzure:ProviderAuthLoginAzure","description":"Login to vault using the azure method"},"authLoginCert":{"$ref":"#/types/vault:index/ProviderAuthLoginCert:ProviderAuthLoginCert","description":"Login to vault using the cert method"},"authLoginGcp":{"$ref":"#/types/vault:index/ProviderAuthLoginGcp:ProviderAuthLoginGcp","description":"Login to vault using the gcp method"},"authLoginJwt":{"$ref":"#/types/vault:index/ProviderAuthLoginJwt:ProviderAuthLoginJwt","description":"Login to vault using the jwt method"},"authLoginKerberos":{"$ref":"#/types/vault:index/ProviderAuthLoginKerberos:ProviderAuthLoginKerberos","description":"Login to vault using the kerberos method"},"authLoginOci":{"$ref":"#/types/vault:index/ProviderAuthLoginOci:ProviderAuthLoginOci","description":"Login to vault using the OCI method"},"authLoginOidc":{"$ref":"#/types/vault:index/ProviderAuthLoginOidc:ProviderAuthLoginOidc","description":"Login to vault using the oidc method"},"authLoginRadius":{"$ref":"#/types/vault:index/ProviderAuthLoginRadius:ProviderAuthLoginRadius","description":"Login to vault using the radius method"},"authLoginTokenFile":{"$ref":"#/types/vault:index/ProviderAuthLoginTokenFile:ProviderAuthLoginTokenFile","description":"Login to vault using"},"authLoginUserpass":{"$ref":"#/types/vault:index/ProviderAuthLoginUserpass:ProviderAuthLoginUserpass","description":"Login to vault using the userpass method"},"caCertDir":{"type":"string","description":"Path to directory containing CA certificate files to validate the server's certificate."},"caCertFile":{"type":"string","description":"Path to a CA certificate file to validate the server's certificate."},"clientAuth":{"$ref":"#/types/vault:index/ProviderClientAuth:ProviderClientAuth","description":"Client authentication credentials."},"headers":{"type":"array","items":{"$ref":"#/types/vault:index/ProviderHeader:ProviderHeader"},"description":"The headers to send with each Vault request."},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum TTL for secret leases requested by this provider."},"maxRetries":{"type":"integer","description":"Maximum number of retries when a 5xx error code is encountered."},"maxRetriesCcc":{"type":"integer","description":"Maximum number of retries for Client Controlled Consistency related operations"},"namespace":{"type":"string","description":"The namespace to use. Available only for Vault Enterprise."},"setNamespaceFromToken":{"type":"boolean","description":"In the case where the Vault token is for a specific namespace and the provider namespace is not configured, use the token namespace as the root namespace for all resources."},"skipChildToken":{"type":"boolean","description":"Set this to true to prevent the creation of ephemeral child token used by this provider."},"skipGetVaultVersion":{"type":"boolean","description":"Skip the dynamic fetching of the Vault server version."},"skipTlsVerify":{"type":"boolean","description":"Set this to true only if the target Vault server is an insecure development instance."},"tlsServerName":{"type":"string","description":"Name to use as the SNI host when connecting via TLS."},"token":{"type":"string","description":"Token to use to authenticate to Vault."},"tokenName":{"type":"string","description":"Token name to use for creating the Vault child token."},"vaultVersionOverride":{"type":"string","description":"Override the Vault server version, which is normally determined dynamically from the target Vault server"}},"inputProperties":{"addAddressToEnv":{"type":"string"},"address":{"type":"string","description":"URL of the root of the target Vault server."},"authLogin":{"$ref":"#/types/vault:index/ProviderAuthLogin:ProviderAuthLogin","description":"Login to vault with an existing auth method using auth/\u003cmount\u003e/login"},"authLoginAws":{"$ref":"#/types/vault:index/ProviderAuthLoginAws:ProviderAuthLoginAws","description":"Login to vault using the AWS method"},"authLoginAzure":{"$ref":"#/types/vault:index/ProviderAuthLoginAzure:ProviderAuthLoginAzure","description":"Login to vault using the azure method"},"authLoginCert":{"$ref":"#/types/vault:index/ProviderAuthLoginCert:ProviderAuthLoginCert","description":"Login to vault using the cert method"},"authLoginGcp":{"$ref":"#/types/vault:index/ProviderAuthLoginGcp:ProviderAuthLoginGcp","description":"Login to vault using the gcp method"},"authLoginJwt":{"$ref":"#/types/vault:index/ProviderAuthLoginJwt:ProviderAuthLoginJwt","description":"Login to vault using the jwt method"},"authLoginKerberos":{"$ref":"#/types/vault:index/ProviderAuthLoginKerberos:ProviderAuthLoginKerberos","description":"Login to vault using the kerberos method"},"authLoginOci":{"$ref":"#/types/vault:index/ProviderAuthLoginOci:ProviderAuthLoginOci","description":"Login to vault using the OCI method"},"authLoginOidc":{"$ref":"#/types/vault:index/ProviderAuthLoginOidc:ProviderAuthLoginOidc","description":"Login to vault using the oidc method"},"authLoginRadius":{"$ref":"#/types/vault:index/ProviderAuthLoginRadius:ProviderAuthLoginRadius","description":"Login to vault using the radius method"},"authLoginTokenFile":{"$ref":"#/types/vault:index/ProviderAuthLoginTokenFile:ProviderAuthLoginTokenFile","description":"Login to vault using"},"authLoginUserpass":{"$ref":"#/types/vault:index/ProviderAuthLoginUserpass:ProviderAuthLoginUserpass","description":"Login to vault using the userpass method"},"caCertDir":{"type":"string","description":"Path to directory containing CA certificate files to validate the server's certificate."},"caCertFile":{"type":"string","description":"Path to a CA certificate file to validate the server's certificate."},"clientAuth":{"$ref":"#/types/vault:index/ProviderClientAuth:ProviderClientAuth","description":"Client authentication credentials."},"headers":{"type":"array","items":{"$ref":"#/types/vault:index/ProviderHeader:ProviderHeader"},"description":"The headers to send with each Vault request."},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum TTL for secret leases requested by this provider.","default":1200,"defaultInfo":{"environment":["TERRAFORM_VAULT_MAX_TTL"]}},"maxRetries":{"type":"integer","description":"Maximum number of retries when a 5xx error code is encountered.","default":2,"defaultInfo":{"environment":["VAULT_MAX_RETRIES"]}},"maxRetriesCcc":{"type":"integer","description":"Maximum number of retries for Client Controlled Consistency related operations"},"namespace":{"type":"string","description":"The namespace to use. Available only for Vault Enterprise."},"setNamespaceFromToken":{"type":"boolean","description":"In the case where the Vault token is for a specific namespace and the provider namespace is not configured, use the token namespace as the root namespace for all resources."},"skipChildToken":{"type":"boolean","description":"Set this to true to prevent the creation of ephemeral child token used by this provider."},"skipGetVaultVersion":{"type":"boolean","description":"Skip the dynamic fetching of the Vault server version."},"skipTlsVerify":{"type":"boolean","description":"Set this to true only if the target Vault server is an insecure development instance.","defaultInfo":{"environment":["VAULT_SKIP_VERIFY"]}},"tlsServerName":{"type":"string","description":"Name to use as the SNI host when connecting via TLS."},"token":{"type":"string","description":"Token to use to authenticate to Vault."},"tokenName":{"type":"string","description":"Token name to use for creating the Vault child token."},"vaultVersionOverride":{"type":"string","description":"Override the Vault server version, which is normally determined dynamically from the target Vault server"}},"methods":{"terraformConfig":"pulumi:providers:vault/terraformConfig"}},"resources":{"vault:ad/secretBackend:SecretBackend":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.ad.SecretBackend(\"config\", {\n    backend: \"ad\",\n    binddn: \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass: \"SuperSecretPassw0rd\",\n    url: \"ldaps://ad\",\n    insecureTls: true,\n    userdn: \"CN=Users,DC=corp,DC=example,DC=net\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.ad.SecretBackend(\"config\",\n    backend=\"ad\",\n    binddn=\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass=\"SuperSecretPassw0rd\",\n    url=\"ldaps://ad\",\n    insecure_tls=True,\n    userdn=\"CN=Users,DC=corp,DC=example,DC=net\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.AD.SecretBackend(\"config\", new()\n    {\n        Backend = \"ad\",\n        Binddn = \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n        Bindpass = \"SuperSecretPassw0rd\",\n        Url = \"ldaps://ad\",\n        InsecureTls = true,\n        Userdn = \"CN=Users,DC=corp,DC=example,DC=net\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ad\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ad.NewSecretBackend(ctx, \"config\", \u0026ad.SecretBackendArgs{\n\t\t\tBackend:     pulumi.String(\"ad\"),\n\t\t\tBinddn:      pulumi.String(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t\tBindpass:    pulumi.String(\"SuperSecretPassw0rd\"),\n\t\t\tUrl:         pulumi.String(\"ldaps://ad\"),\n\t\t\tInsecureTls: pulumi.Bool(true),\n\t\t\tUserdn:      pulumi.String(\"CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ad.SecretBackend;\nimport com.pulumi.vault.ad.SecretBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .backend(\"ad\")\n            .binddn(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\")\n            .bindpass(\"SuperSecretPassw0rd\")\n            .url(\"ldaps://ad\")\n            .insecureTls(true)\n            .userdn(\"CN=Users,DC=corp,DC=example,DC=net\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:ad:SecretBackend\n    properties:\n      backend: ad\n      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\n      bindpass: SuperSecretPassw0rd\n      url: ldaps://ad\n      insecureTls: 'true'\n      userdn: CN=Users,DC=corp,DC=example,DC=net\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAD secret backend can be imported using the `backend`, e.g.\n\n```sh\n$ pulumi import vault:ad/secretBackend:SecretBackend ad ad\n```\n","properties":{"anonymousGroupSearch":{"type":"boolean","description":"Use anonymous binds when performing LDAP group searches\n(if true the initial credentials will still be used for the initial connection test).\n"},"backend":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ad`\" pulumi-lang-dotnet=\"`Ad`\" pulumi-lang-go=\"`ad`\" pulumi-lang-python=\"`ad`\" pulumi-lang-yaml=\"`ad`\" pulumi-lang-java=\"`ad`\"\u003e`ad`\u003c/span\u003e.\n"},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.\n"},"bindpass":{"type":"string","description":"Password to use along with binddn when performing user search.\n","secret":true},"caseSensitiveNames":{"type":"boolean","description":"If set, user and group names assigned to policies within the\nbackend will be case sensitive. Otherwise, names will be normalized to lower case.\n"},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be\nx509 PEM encoded.\n"},"clientTlsCert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"clientTlsKey":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds.\n"},"denyNullBind":{"type":"boolean","description":"Denies an unauthenticated LDAP bind request if the user's password is empty;\ndefaults to true.\n"},"description":{"type":"string","description":"Human-friendly description of the mount for the Active Directory backend.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"discoverdn":{"type":"boolean","description":"Use anonymous bind to discover the bind Distinguished Name of a user.\n"},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate\nuser group membership. Examples: \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e or `memberOf`, etc. Defaults to \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e.\n"},"groupdn":{"type":"string","description":"LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).\n"},"groupfilter":{"type":"string","description":"Go template for querying group membership of user (optional) The template can access\nthe following context variables: UserDN, Username. Defaults to `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`\n"},"insecureTls":{"type":"boolean","description":"Skip LDAP server SSL Certificate verification. This is not recommended for production.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"lastRotationTolerance":{"type":"integer","description":"The number of seconds after a Vault rotation where, if Active Directory\nshows a later rotation, it should be considered out-of-band\n"},"local":{"type":"boolean","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by\nreplication.Tolerance duration to use when checking the last rotation time.\n"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds.\n"},"maxTtl":{"type":"integer","description":"In seconds, the maximum password time-to-live.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"passwordPolicy":{"type":"string","description":"Name of the password policy to use to generate passwords.\n"},"requestTimeout":{"type":"integer","description":"Timeout, in seconds, for the connection when making requests against the server\nbefore returning back an error.\n"},"starttls":{"type":"boolean","description":"Issue a StartTLS command after establishing unencrypted connection.\n"},"tlsMaxVersion":{"type":"string","description":"Maximum TLS version to use. Accepted values are \u003cspan pulumi-lang-nodejs=\"`tls10`\" pulumi-lang-dotnet=\"`Tls10`\" pulumi-lang-go=\"`tls10`\" pulumi-lang-python=\"`tls10`\" pulumi-lang-yaml=\"`tls10`\" pulumi-lang-java=\"`tls10`\"\u003e`tls10`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`tls11`\" pulumi-lang-dotnet=\"`Tls11`\" pulumi-lang-go=\"`tls11`\" pulumi-lang-python=\"`tls11`\" pulumi-lang-yaml=\"`tls11`\" pulumi-lang-java=\"`tls11`\"\u003e`tls11`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`tls13`\" pulumi-lang-dotnet=\"`Tls13`\" pulumi-lang-go=\"`tls13`\" pulumi-lang-python=\"`tls13`\" pulumi-lang-yaml=\"`tls13`\" pulumi-lang-java=\"`tls13`\"\u003e`tls13`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e.\n"},"tlsMinVersion":{"type":"string","description":"Minimum TLS version to use. Accepted values are \u003cspan pulumi-lang-nodejs=\"`tls10`\" pulumi-lang-dotnet=\"`Tls10`\" pulumi-lang-go=\"`tls10`\" pulumi-lang-python=\"`tls10`\" pulumi-lang-yaml=\"`tls10`\" pulumi-lang-java=\"`tls10`\"\u003e`tls10`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`tls11`\" pulumi-lang-dotnet=\"`Tls11`\" pulumi-lang-go=\"`tls11`\" pulumi-lang-python=\"`tls11`\" pulumi-lang-yaml=\"`tls11`\" pulumi-lang-java=\"`tls11`\"\u003e`tls11`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`tls13`\" pulumi-lang-dotnet=\"`Tls13`\" pulumi-lang-go=\"`tls13`\" pulumi-lang-python=\"`tls13`\" pulumi-lang-yaml=\"`tls13`\" pulumi-lang-java=\"`tls13`\"\u003e`tls13`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e.\n"},"ttl":{"type":"integer","description":"In seconds, the default password time-to-live.\n"},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.\n"},"url":{"type":"string","description":"LDAP URL to connect to. Multiple URLs can be specified by concatenating\nthem with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.\n"},"usePre111GroupCnBehavior":{"type":"boolean","description":"In Vault 1.1.1 a fix for handling group CN values of\ndifferent cases unfortunately introduced a regression that could cause previously defined groups\nto not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for\nmatching group CNs will be used. This is only needed in some upgrade scenarios for backwards\ncompatibility. It is enabled by default if the config is upgraded but disabled by default on\nnew configurations.\n"},"useTokenGroups":{"type":"boolean","description":"If true, use the Active Directory tokenGroups constructed attribute of the\nuser to find the group memberships. This will find all security groups including nested ones.\n"},"userattr":{"type":"string","description":"Attribute used when searching users. Defaults to \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e.\n"},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.\n"}},"required":["binddn","bindpass","defaultLeaseTtlSeconds","lastRotationTolerance","maxLeaseTtlSeconds","maxTtl","starttls","tlsMaxVersion","tlsMinVersion","ttl","upndomain","usePre111GroupCnBehavior"],"inputProperties":{"anonymousGroupSearch":{"type":"boolean","description":"Use anonymous binds when performing LDAP group searches\n(if true the initial credentials will still be used for the initial connection test).\n"},"backend":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ad`\" pulumi-lang-dotnet=\"`Ad`\" pulumi-lang-go=\"`ad`\" pulumi-lang-python=\"`ad`\" pulumi-lang-yaml=\"`ad`\" pulumi-lang-java=\"`ad`\"\u003e`ad`\u003c/span\u003e.\n"},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.\n"},"bindpass":{"type":"string","description":"Password to use along with binddn when performing user search.\n","secret":true},"caseSensitiveNames":{"type":"boolean","description":"If set, user and group names assigned to policies within the\nbackend will be case sensitive. Otherwise, names will be normalized to lower case.\n"},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be\nx509 PEM encoded.\n"},"clientTlsCert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"clientTlsKey":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds.\n"},"denyNullBind":{"type":"boolean","description":"Denies an unauthenticated LDAP bind request if the user's password is empty;\ndefaults to true.\n"},"description":{"type":"string","description":"Human-friendly description of the mount for the Active Directory backend.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"discoverdn":{"type":"boolean","description":"Use anonymous bind to discover the bind Distinguished Name of a user.\n"},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate\nuser group membership. Examples: \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e or `memberOf`, etc. Defaults to \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e.\n"},"groupdn":{"type":"string","description":"LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).\n"},"groupfilter":{"type":"string","description":"Go template for querying group membership of user (optional) The template can access\nthe following context variables: UserDN, Username. Defaults to `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`\n"},"insecureTls":{"type":"boolean","description":"Skip LDAP server SSL Certificate verification. This is not recommended for production.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"lastRotationTolerance":{"type":"integer","description":"The number of seconds after a Vault rotation where, if Active Directory\nshows a later rotation, it should be considered out-of-band\n"},"local":{"type":"boolean","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by\nreplication.Tolerance duration to use when checking the last rotation time.\n"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds.\n"},"maxTtl":{"type":"integer","description":"In seconds, the maximum password time-to-live.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"passwordPolicy":{"type":"string","description":"Name of the password policy to use to generate passwords.\n"},"requestTimeout":{"type":"integer","description":"Timeout, in seconds, for the connection when making requests against the server\nbefore returning back an error.\n"},"starttls":{"type":"boolean","description":"Issue a StartTLS command after establishing unencrypted connection.\n"},"tlsMaxVersion":{"type":"string","description":"Maximum TLS version to use. Accepted values are \u003cspan pulumi-lang-nodejs=\"`tls10`\" pulumi-lang-dotnet=\"`Tls10`\" pulumi-lang-go=\"`tls10`\" pulumi-lang-python=\"`tls10`\" pulumi-lang-yaml=\"`tls10`\" pulumi-lang-java=\"`tls10`\"\u003e`tls10`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`tls11`\" pulumi-lang-dotnet=\"`Tls11`\" pulumi-lang-go=\"`tls11`\" pulumi-lang-python=\"`tls11`\" pulumi-lang-yaml=\"`tls11`\" pulumi-lang-java=\"`tls11`\"\u003e`tls11`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`tls13`\" pulumi-lang-dotnet=\"`Tls13`\" pulumi-lang-go=\"`tls13`\" pulumi-lang-python=\"`tls13`\" pulumi-lang-yaml=\"`tls13`\" pulumi-lang-java=\"`tls13`\"\u003e`tls13`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e.\n"},"tlsMinVersion":{"type":"string","description":"Minimum TLS version to use. Accepted values are \u003cspan pulumi-lang-nodejs=\"`tls10`\" pulumi-lang-dotnet=\"`Tls10`\" pulumi-lang-go=\"`tls10`\" pulumi-lang-python=\"`tls10`\" pulumi-lang-yaml=\"`tls10`\" pulumi-lang-java=\"`tls10`\"\u003e`tls10`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`tls11`\" pulumi-lang-dotnet=\"`Tls11`\" pulumi-lang-go=\"`tls11`\" pulumi-lang-python=\"`tls11`\" pulumi-lang-yaml=\"`tls11`\" pulumi-lang-java=\"`tls11`\"\u003e`tls11`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`tls13`\" pulumi-lang-dotnet=\"`Tls13`\" pulumi-lang-go=\"`tls13`\" pulumi-lang-python=\"`tls13`\" pulumi-lang-yaml=\"`tls13`\" pulumi-lang-java=\"`tls13`\"\u003e`tls13`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e.\n"},"ttl":{"type":"integer","description":"In seconds, the default password time-to-live.\n"},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.\n"},"url":{"type":"string","description":"LDAP URL to connect to. Multiple URLs can be specified by concatenating\nthem with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.\n"},"usePre111GroupCnBehavior":{"type":"boolean","description":"In Vault 1.1.1 a fix for handling group CN values of\ndifferent cases unfortunately introduced a regression that could cause previously defined groups\nto not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for\nmatching group CNs will be used. This is only needed in some upgrade scenarios for backwards\ncompatibility. It is enabled by default if the config is upgraded but disabled by default on\nnew configurations.\n"},"useTokenGroups":{"type":"boolean","description":"If true, use the Active Directory tokenGroups constructed attribute of the\nuser to find the group memberships. This will find all security groups including nested ones.\n"},"userattr":{"type":"string","description":"Attribute used when searching users. Defaults to \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e.\n"},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.\n"}},"requiredInputs":["binddn","bindpass"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"anonymousGroupSearch":{"type":"boolean","description":"Use anonymous binds when performing LDAP group searches\n(if true the initial credentials will still be used for the initial connection test).\n"},"backend":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ad`\" pulumi-lang-dotnet=\"`Ad`\" pulumi-lang-go=\"`ad`\" pulumi-lang-python=\"`ad`\" pulumi-lang-yaml=\"`ad`\" pulumi-lang-java=\"`ad`\"\u003e`ad`\u003c/span\u003e.\n"},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.\n"},"bindpass":{"type":"string","description":"Password to use along with binddn when performing user search.\n","secret":true},"caseSensitiveNames":{"type":"boolean","description":"If set, user and group names assigned to policies within the\nbackend will be case sensitive. Otherwise, names will be normalized to lower case.\n"},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be\nx509 PEM encoded.\n"},"clientTlsCert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"clientTlsKey":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds.\n"},"denyNullBind":{"type":"boolean","description":"Denies an unauthenticated LDAP bind request if the user's password is empty;\ndefaults to true.\n"},"description":{"type":"string","description":"Human-friendly description of the mount for the Active Directory backend.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"discoverdn":{"type":"boolean","description":"Use anonymous bind to discover the bind Distinguished Name of a user.\n"},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by \u003cgroupfilter\u003e in order to enumerate\nuser group membership. Examples: \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e or `memberOf`, etc. Defaults to \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e.\n"},"groupdn":{"type":"string","description":"LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org).\n"},"groupfilter":{"type":"string","description":"Go template for querying group membership of user (optional) The template can access\nthe following context variables: UserDN, Username. Defaults to `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`\n"},"insecureTls":{"type":"boolean","description":"Skip LDAP server SSL Certificate verification. This is not recommended for production.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"lastRotationTolerance":{"type":"integer","description":"The number of seconds after a Vault rotation where, if Active Directory\nshows a later rotation, it should be considered out-of-band\n"},"local":{"type":"boolean","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by\nreplication.Tolerance duration to use when checking the last rotation time.\n"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds.\n"},"maxTtl":{"type":"integer","description":"In seconds, the maximum password time-to-live.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"passwordPolicy":{"type":"string","description":"Name of the password policy to use to generate passwords.\n"},"requestTimeout":{"type":"integer","description":"Timeout, in seconds, for the connection when making requests against the server\nbefore returning back an error.\n"},"starttls":{"type":"boolean","description":"Issue a StartTLS command after establishing unencrypted connection.\n"},"tlsMaxVersion":{"type":"string","description":"Maximum TLS version to use. Accepted values are \u003cspan pulumi-lang-nodejs=\"`tls10`\" pulumi-lang-dotnet=\"`Tls10`\" pulumi-lang-go=\"`tls10`\" pulumi-lang-python=\"`tls10`\" pulumi-lang-yaml=\"`tls10`\" pulumi-lang-java=\"`tls10`\"\u003e`tls10`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`tls11`\" pulumi-lang-dotnet=\"`Tls11`\" pulumi-lang-go=\"`tls11`\" pulumi-lang-python=\"`tls11`\" pulumi-lang-yaml=\"`tls11`\" pulumi-lang-java=\"`tls11`\"\u003e`tls11`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`tls13`\" pulumi-lang-dotnet=\"`Tls13`\" pulumi-lang-go=\"`tls13`\" pulumi-lang-python=\"`tls13`\" pulumi-lang-yaml=\"`tls13`\" pulumi-lang-java=\"`tls13`\"\u003e`tls13`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e.\n"},"tlsMinVersion":{"type":"string","description":"Minimum TLS version to use. Accepted values are \u003cspan pulumi-lang-nodejs=\"`tls10`\" pulumi-lang-dotnet=\"`Tls10`\" pulumi-lang-go=\"`tls10`\" pulumi-lang-python=\"`tls10`\" pulumi-lang-yaml=\"`tls10`\" pulumi-lang-java=\"`tls10`\"\u003e`tls10`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`tls11`\" pulumi-lang-dotnet=\"`Tls11`\" pulumi-lang-go=\"`tls11`\" pulumi-lang-python=\"`tls11`\" pulumi-lang-yaml=\"`tls11`\" pulumi-lang-java=\"`tls11`\"\u003e`tls11`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`tls13`\" pulumi-lang-dotnet=\"`Tls13`\" pulumi-lang-go=\"`tls13`\" pulumi-lang-python=\"`tls13`\" pulumi-lang-yaml=\"`tls13`\" pulumi-lang-java=\"`tls13`\"\u003e`tls13`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`tls12`\" pulumi-lang-dotnet=\"`Tls12`\" pulumi-lang-go=\"`tls12`\" pulumi-lang-python=\"`tls12`\" pulumi-lang-yaml=\"`tls12`\" pulumi-lang-java=\"`tls12`\"\u003e`tls12`\u003c/span\u003e.\n"},"ttl":{"type":"integer","description":"In seconds, the default password time-to-live.\n"},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.\n"},"url":{"type":"string","description":"LDAP URL to connect to. Multiple URLs can be specified by concatenating\nthem with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.\n"},"usePre111GroupCnBehavior":{"type":"boolean","description":"In Vault 1.1.1 a fix for handling group CN values of\ndifferent cases unfortunately introduced a regression that could cause previously defined groups\nto not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for\nmatching group CNs will be used. This is only needed in some upgrade scenarios for backwards\ncompatibility. It is enabled by default if the config is upgraded but disabled by default on\nnew configurations.\n"},"useTokenGroups":{"type":"boolean","description":"If true, use the Active Directory tokenGroups constructed attribute of the\nuser to find the group memberships. This will find all security groups including nested ones.\n"},"userattr":{"type":"string","description":"Attribute used when searching users. Defaults to \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e.\n"},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.\n"}},"type":"object"}},"vault:ad/secretLibrary:SecretLibrary":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.ad.SecretBackend(\"config\", {\n    backend: \"ad\",\n    binddn: \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass: \"SuperSecretPassw0rd\",\n    url: \"ldaps://ad\",\n    insecureTls: true,\n    userdn: \"CN=Users,DC=corp,DC=example,DC=net\",\n});\nconst qa = new vault.ad.SecretLibrary(\"qa\", {\n    backend: config.backend,\n    name: \"qa\",\n    serviceAccountNames: [\n        \"Bob\",\n        \"Mary\",\n    ],\n    ttl: 60,\n    disableCheckInEnforcement: true,\n    maxTtl: 120,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.ad.SecretBackend(\"config\",\n    backend=\"ad\",\n    binddn=\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass=\"SuperSecretPassw0rd\",\n    url=\"ldaps://ad\",\n    insecure_tls=True,\n    userdn=\"CN=Users,DC=corp,DC=example,DC=net\")\nqa = vault.ad.SecretLibrary(\"qa\",\n    backend=config.backend,\n    name=\"qa\",\n    service_account_names=[\n        \"Bob\",\n        \"Mary\",\n    ],\n    ttl=60,\n    disable_check_in_enforcement=True,\n    max_ttl=120)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.AD.SecretBackend(\"config\", new()\n    {\n        Backend = \"ad\",\n        Binddn = \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n        Bindpass = \"SuperSecretPassw0rd\",\n        Url = \"ldaps://ad\",\n        InsecureTls = true,\n        Userdn = \"CN=Users,DC=corp,DC=example,DC=net\",\n    });\n\n    var qa = new Vault.AD.SecretLibrary(\"qa\", new()\n    {\n        Backend = config.Backend,\n        Name = \"qa\",\n        ServiceAccountNames = new[]\n        {\n            \"Bob\",\n            \"Mary\",\n        },\n        Ttl = 60,\n        DisableCheckInEnforcement = true,\n        MaxTtl = 120,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ad\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tconfig, err := ad.NewSecretBackend(ctx, \"config\", \u0026ad.SecretBackendArgs{\n\t\t\tBackend:     pulumi.String(\"ad\"),\n\t\t\tBinddn:      pulumi.String(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t\tBindpass:    pulumi.String(\"SuperSecretPassw0rd\"),\n\t\t\tUrl:         pulumi.String(\"ldaps://ad\"),\n\t\t\tInsecureTls: pulumi.Bool(true),\n\t\t\tUserdn:      pulumi.String(\"CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ad.NewSecretLibrary(ctx, \"qa\", \u0026ad.SecretLibraryArgs{\n\t\t\tBackend: config.Backend,\n\t\t\tName:    pulumi.String(\"qa\"),\n\t\t\tServiceAccountNames: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"Bob\"),\n\t\t\t\tpulumi.String(\"Mary\"),\n\t\t\t},\n\t\t\tTtl:                       pulumi.Int(60),\n\t\t\tDisableCheckInEnforcement: pulumi.Bool(true),\n\t\t\tMaxTtl:                    pulumi.Int(120),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ad.SecretBackend;\nimport com.pulumi.vault.ad.SecretBackendArgs;\nimport com.pulumi.vault.ad.SecretLibrary;\nimport com.pulumi.vault.ad.SecretLibraryArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .backend(\"ad\")\n            .binddn(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\")\n            .bindpass(\"SuperSecretPassw0rd\")\n            .url(\"ldaps://ad\")\n            .insecureTls(true)\n            .userdn(\"CN=Users,DC=corp,DC=example,DC=net\")\n            .build());\n\n        var qa = new SecretLibrary(\"qa\", SecretLibraryArgs.builder()\n            .backend(config.backend())\n            .name(\"qa\")\n            .serviceAccountNames(            \n                \"Bob\",\n                \"Mary\")\n            .ttl(60)\n            .disableCheckInEnforcement(true)\n            .maxTtl(120)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:ad:SecretBackend\n    properties:\n      backend: ad\n      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\n      bindpass: SuperSecretPassw0rd\n      url: ldaps://ad\n      insecureTls: 'true'\n      userdn: CN=Users,DC=corp,DC=example,DC=net\n  qa:\n    type: vault:ad:SecretLibrary\n    properties:\n      backend: ${config.backend}\n      name: qa\n      serviceAccountNames:\n        - Bob\n        - Mary\n      ttl: 60\n      disableCheckInEnforcement: true\n      maxTtl: 120\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAD secret backend libraries can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:ad/secretLibrary:SecretLibrary role ad/library/bob\n```\n","properties":{"backend":{"type":"string","description":"The path the AD secret backend is mounted at,\nwith no leading or trailing `/`s.\n"},"disableCheckInEnforcement":{"type":"boolean","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out."},"maxTtl":{"type":"integer","description":"The maximum password time-to-live in seconds. Defaults to the configuration\u003cspan pulumi-lang-nodejs=\"\nmaxTtl \" pulumi-lang-dotnet=\"\nMaxTtl \" pulumi-lang-go=\"\nmaxTtl \" pulumi-lang-python=\"\nmax_ttl \" pulumi-lang-yaml=\"\nmaxTtl \" pulumi-lang-java=\"\nmaxTtl \"\u003e\nmax_ttl \u003c/span\u003eif not provided.\n"},"name":{"type":"string","description":"The name to identify this set of service accounts.\nMust be unique within the backend.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"serviceAccountNames":{"type":"array","items":{"type":"string"},"description":"Specifies the slice of service accounts mapped to this set.\n"},"ttl":{"type":"integer","description":"The password time-to-live in seconds. Defaults to the configuration\nttl if not provided.\n"}},"required":["backend","maxTtl","name","serviceAccountNames","ttl"],"inputProperties":{"backend":{"type":"string","description":"The path the AD secret backend is mounted at,\nwith no leading or trailing `/`s.\n","willReplaceOnChanges":true},"disableCheckInEnforcement":{"type":"boolean","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out."},"maxTtl":{"type":"integer","description":"The maximum password time-to-live in seconds. Defaults to the configuration\u003cspan pulumi-lang-nodejs=\"\nmaxTtl \" pulumi-lang-dotnet=\"\nMaxTtl \" pulumi-lang-go=\"\nmaxTtl \" pulumi-lang-python=\"\nmax_ttl \" pulumi-lang-yaml=\"\nmaxTtl \" pulumi-lang-java=\"\nmaxTtl \"\u003e\nmax_ttl \u003c/span\u003eif not provided.\n"},"name":{"type":"string","description":"The name to identify this set of service accounts.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"serviceAccountNames":{"type":"array","items":{"type":"string"},"description":"Specifies the slice of service accounts mapped to this set.\n","willReplaceOnChanges":true},"ttl":{"type":"integer","description":"The password time-to-live in seconds. Defaults to the configuration\nttl if not provided.\n"}},"requiredInputs":["backend","serviceAccountNames"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretLibrary resources.\n","properties":{"backend":{"type":"string","description":"The path the AD secret backend is mounted at,\nwith no leading or trailing `/`s.\n","willReplaceOnChanges":true},"disableCheckInEnforcement":{"type":"boolean","description":"Disable enforcing that service accounts must be checked in by the entity or client token that checked them out."},"maxTtl":{"type":"integer","description":"The maximum password time-to-live in seconds. Defaults to the configuration\u003cspan pulumi-lang-nodejs=\"\nmaxTtl \" pulumi-lang-dotnet=\"\nMaxTtl \" pulumi-lang-go=\"\nmaxTtl \" pulumi-lang-python=\"\nmax_ttl \" pulumi-lang-yaml=\"\nmaxTtl \" pulumi-lang-java=\"\nmaxTtl \"\u003e\nmax_ttl \u003c/span\u003eif not provided.\n"},"name":{"type":"string","description":"The name to identify this set of service accounts.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"serviceAccountNames":{"type":"array","items":{"type":"string"},"description":"Specifies the slice of service accounts mapped to this set.\n","willReplaceOnChanges":true},"ttl":{"type":"integer","description":"The password time-to-live in seconds. Defaults to the configuration\nttl if not provided.\n"}},"type":"object"}},"vault:ad/secretRole:SecretRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.ad.SecretBackend(\"config\", {\n    backend: \"ad\",\n    binddn: \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass: \"SuperSecretPassw0rd\",\n    url: \"ldaps://ad\",\n    insecureTls: true,\n    userdn: \"CN=Users,DC=corp,DC=example,DC=net\",\n});\nconst role = new vault.ad.SecretRole(\"role\", {\n    backend: config.backend,\n    role: \"bob\",\n    serviceAccountName: \"Bob\",\n    ttl: 60,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.ad.SecretBackend(\"config\",\n    backend=\"ad\",\n    binddn=\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass=\"SuperSecretPassw0rd\",\n    url=\"ldaps://ad\",\n    insecure_tls=True,\n    userdn=\"CN=Users,DC=corp,DC=example,DC=net\")\nrole = vault.ad.SecretRole(\"role\",\n    backend=config.backend,\n    role=\"bob\",\n    service_account_name=\"Bob\",\n    ttl=60)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.AD.SecretBackend(\"config\", new()\n    {\n        Backend = \"ad\",\n        Binddn = \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n        Bindpass = \"SuperSecretPassw0rd\",\n        Url = \"ldaps://ad\",\n        InsecureTls = true,\n        Userdn = \"CN=Users,DC=corp,DC=example,DC=net\",\n    });\n\n    var role = new Vault.AD.SecretRole(\"role\", new()\n    {\n        Backend = config.Backend,\n        Role = \"bob\",\n        ServiceAccountName = \"Bob\",\n        Ttl = 60,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ad\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tconfig, err := ad.NewSecretBackend(ctx, \"config\", \u0026ad.SecretBackendArgs{\n\t\t\tBackend:     pulumi.String(\"ad\"),\n\t\t\tBinddn:      pulumi.String(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t\tBindpass:    pulumi.String(\"SuperSecretPassw0rd\"),\n\t\t\tUrl:         pulumi.String(\"ldaps://ad\"),\n\t\t\tInsecureTls: pulumi.Bool(true),\n\t\t\tUserdn:      pulumi.String(\"CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ad.NewSecretRole(ctx, \"role\", \u0026ad.SecretRoleArgs{\n\t\t\tBackend:            config.Backend,\n\t\t\tRole:               pulumi.String(\"bob\"),\n\t\t\tServiceAccountName: pulumi.String(\"Bob\"),\n\t\t\tTtl:                pulumi.Int(60),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ad.SecretBackend;\nimport com.pulumi.vault.ad.SecretBackendArgs;\nimport com.pulumi.vault.ad.SecretRole;\nimport com.pulumi.vault.ad.SecretRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .backend(\"ad\")\n            .binddn(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\")\n            .bindpass(\"SuperSecretPassw0rd\")\n            .url(\"ldaps://ad\")\n            .insecureTls(true)\n            .userdn(\"CN=Users,DC=corp,DC=example,DC=net\")\n            .build());\n\n        var role = new SecretRole(\"role\", SecretRoleArgs.builder()\n            .backend(config.backend())\n            .role(\"bob\")\n            .serviceAccountName(\"Bob\")\n            .ttl(60)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:ad:SecretBackend\n    properties:\n      backend: ad\n      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\n      bindpass: SuperSecretPassw0rd\n      url: ldaps://ad\n      insecureTls: 'true'\n      userdn: CN=Users,DC=corp,DC=example,DC=net\n  role:\n    type: vault:ad:SecretRole\n    properties:\n      backend: ${config.backend}\n      role: bob\n      serviceAccountName: Bob\n      ttl: 60\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAD secret backend roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:ad/secretRole:SecretRole role ad/roles/bob\n```\n","properties":{"backend":{"type":"string","description":"The path the AD secret backend is mounted at,\nwith no leading or trailing `/`s.\n"},"lastVaultRotation":{"type":"string","description":"Timestamp of the last password rotation by Vault.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"passwordLastSet":{"type":"string","description":"Timestamp of the last password set by Vault.\n"},"role":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n"},"serviceAccountName":{"type":"string","description":"Specifies the name of the Active Directory service\naccount mapped to this role.\n"},"ttl":{"type":"integer","description":"The password time-to-live in seconds. Defaults to the configuration\nttl if not provided.\n"}},"required":["backend","lastVaultRotation","passwordLastSet","role","serviceAccountName"],"inputProperties":{"backend":{"type":"string","description":"The path the AD secret backend is mounted at,\nwith no leading or trailing `/`s.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"serviceAccountName":{"type":"string","description":"Specifies the name of the Active Directory service\naccount mapped to this role.\n"},"ttl":{"type":"integer","description":"The password time-to-live in seconds. Defaults to the configuration\nttl if not provided.\n"}},"requiredInputs":["backend","role","serviceAccountName"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretRole resources.\n","properties":{"backend":{"type":"string","description":"The path the AD secret backend is mounted at,\nwith no leading or trailing `/`s.\n","willReplaceOnChanges":true},"lastVaultRotation":{"type":"string","description":"Timestamp of the last password rotation by Vault.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"passwordLastSet":{"type":"string","description":"Timestamp of the last password set by Vault.\n"},"role":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"serviceAccountName":{"type":"string","description":"Specifies the name of the Active Directory service\naccount mapped to this role.\n"},"ttl":{"type":"integer","description":"The password time-to-live in seconds. Defaults to the configuration\nttl if not provided.\n"}},"type":"object"}},"vault:alicloud/authBackendRole:AuthBackendRole":{"description":"Provides a resource to create a role in an [AliCloud auth backend within Vault](https://www.vaultproject.io/docs/auth/alicloud.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst alicloud = new vault.AuthBackend(\"alicloud\", {\n    type: \"alicloud\",\n    path: \"alicloud\",\n});\nconst alicloudAuthBackendRole = new vault.alicloud.AuthBackendRole(\"alicloud\", {\n    backend: alicloud.path,\n    role: \"example\",\n    arn: \"acs:ram:123456:tf:role/foobar\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nalicloud = vault.AuthBackend(\"alicloud\",\n    type=\"alicloud\",\n    path=\"alicloud\")\nalicloud_auth_backend_role = vault.alicloud.AuthBackendRole(\"alicloud\",\n    backend=alicloud.path,\n    role=\"example\",\n    arn=\"acs:ram:123456:tf:role/foobar\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var alicloud = new Vault.AuthBackend(\"alicloud\", new()\n    {\n        Type = \"alicloud\",\n        Path = \"alicloud\",\n    });\n\n    var alicloudAuthBackendRole = new Vault.AliCloud.AuthBackendRole(\"alicloud\", new()\n    {\n        Backend = alicloud.Path,\n        Role = \"example\",\n        Arn = \"acs:ram:123456:tf:role/foobar\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/alicloud\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\talicloud, err := vault.NewAuthBackend(ctx, \"alicloud\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"alicloud\"),\n\t\t\tPath: pulumi.String(\"alicloud\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = alicloud.NewAuthBackendRole(ctx, \"alicloud\", \u0026alicloud.AuthBackendRoleArgs{\n\t\t\tBackend: alicloud.Path,\n\t\t\tRole:    pulumi.String(\"example\"),\n\t\t\tArn:     pulumi.String(\"acs:ram:123456:tf:role/foobar\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.alicloud.AuthBackendRole;\nimport com.pulumi.vault.alicloud.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var alicloud = new AuthBackend(\"alicloud\", AuthBackendArgs.builder()\n            .type(\"alicloud\")\n            .path(\"alicloud\")\n            .build());\n\n        var alicloudAuthBackendRole = new AuthBackendRole(\"alicloudAuthBackendRole\", AuthBackendRoleArgs.builder()\n            .backend(alicloud.path())\n            .role(\"example\")\n            .arn(\"acs:ram:123456:tf:role/foobar\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  alicloud:\n    type: vault:AuthBackend\n    properties:\n      type: alicloud\n      path: alicloud\n  alicloudAuthBackendRole:\n    type: vault:alicloud:AuthBackendRole\n    name: alicloud\n    properties:\n      backend: ${alicloud.path}\n      role: example\n      arn: acs:ram:123456:tf:role/foobar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAlicloud authentication roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:alicloud/authBackendRole:AuthBackendRole my_role auth/alicloud/role/my_role\n```\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"arn":{"type":"string","description":"The role's arn.\n"},"backend":{"type":"string","description":"Path to the mounted AliCloud auth backend.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`alicloud`\" pulumi-lang-dotnet=\"`Alicloud`\" pulumi-lang-go=\"`alicloud`\" pulumi-lang-python=\"`alicloud`\" pulumi-lang-yaml=\"`alicloud`\" pulumi-lang-java=\"`alicloud`\"\u003e`alicloud`\u003c/span\u003e\n\nFor more details on the usage of each argument consult the [Vault AliCloud API documentation](https://www.vaultproject.io/api-docs/auth/alicloud).\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n"},"role":{"type":"string","description":"Name of the role. Must correspond with the name of\nthe role reflected in the arn.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["arn","role"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"arn":{"type":"string","description":"The role's arn.\n"},"backend":{"type":"string","description":"Path to the mounted AliCloud auth backend.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`alicloud`\" pulumi-lang-dotnet=\"`Alicloud`\" pulumi-lang-go=\"`alicloud`\" pulumi-lang-python=\"`alicloud`\" pulumi-lang-yaml=\"`alicloud`\" pulumi-lang-java=\"`alicloud`\"\u003e`alicloud`\u003c/span\u003e\n\nFor more details on the usage of each argument consult the [Vault AliCloud API documentation](https://www.vaultproject.io/api-docs/auth/alicloud).\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"Name of the role. Must correspond with the name of\nthe role reflected in the arn.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"requiredInputs":["arn","role"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"arn":{"type":"string","description":"The role's arn.\n"},"backend":{"type":"string","description":"Path to the mounted AliCloud auth backend.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`alicloud`\" pulumi-lang-dotnet=\"`Alicloud`\" pulumi-lang-go=\"`alicloud`\" pulumi-lang-python=\"`alicloud`\" pulumi-lang-yaml=\"`alicloud`\" pulumi-lang-java=\"`alicloud`\"\u003e`alicloud`\u003c/span\u003e\n\nFor more details on the usage of each argument consult the [Vault AliCloud API documentation](https://www.vaultproject.io/api-docs/auth/alicloud).\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"Name of the role. Must correspond with the name of\nthe role reflected in the arn.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:appRole/authBackendLogin:AuthBackendLogin":{"properties":{"accessor":{"type":"string","description":"The accessor for the token.\n"},"backend":{"type":"string","description":"The unique path of the Vault backend to log in with.\n"},"clientToken":{"type":"string","description":"The Vault token created.\n","secret":true},"leaseDuration":{"type":"integer","description":"How long the token is valid for, in seconds.\n"},"leaseStarted":{"type":"string","description":"The date and time the lease started, in RFC 3339 format.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata associated with the token.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"A list of policies applied to the token.\n"},"renewable":{"type":"boolean","description":"Whether the token is renewable or not.\n"},"roleId":{"type":"string","description":"The ID of the role to log in with.\n"},"secretId":{"type":"string","description":"The secret ID of the role to log in with. Required\nunless \u003cspan pulumi-lang-nodejs=\"`bindSecretId`\" pulumi-lang-dotnet=\"`BindSecretId`\" pulumi-lang-go=\"`bindSecretId`\" pulumi-lang-python=\"`bind_secret_id`\" pulumi-lang-yaml=\"`bindSecretId`\" pulumi-lang-java=\"`bindSecretId`\"\u003e`bind_secret_id`\u003c/span\u003e is set to false on the role.\n","secret":true},"secretIdWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe SecretID to log in with. Write-only attribute that can accept ephemeral values. Required unless \u003cspan pulumi-lang-nodejs=\"`bindSecretId`\" pulumi-lang-dotnet=\"`BindSecretId`\" pulumi-lang-go=\"`bindSecretId`\" pulumi-lang-python=\"`bind_secret_id`\" pulumi-lang-yaml=\"`bindSecretId`\" pulumi-lang-java=\"`bindSecretId`\"\u003e`bind_secret_id`\u003c/span\u003e is set to false on the role.","secret":true},"secretIdWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`secretIdWo`\" pulumi-lang-dotnet=\"`SecretIdWo`\" pulumi-lang-go=\"`secretIdWo`\" pulumi-lang-python=\"`secret_id_wo`\" pulumi-lang-yaml=\"`secretIdWo`\" pulumi-lang-java=\"`secretIdWo`\"\u003e`secret_id_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"}},"required":["accessor","clientToken","leaseDuration","leaseStarted","metadata","policies","renewable","roleId"],"inputProperties":{"backend":{"type":"string","description":"The unique path of the Vault backend to log in with.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleId":{"type":"string","description":"The ID of the role to log in with.\n","willReplaceOnChanges":true},"secretId":{"type":"string","description":"The secret ID of the role to log in with. Required\nunless \u003cspan pulumi-lang-nodejs=\"`bindSecretId`\" pulumi-lang-dotnet=\"`BindSecretId`\" pulumi-lang-go=\"`bindSecretId`\" pulumi-lang-python=\"`bind_secret_id`\" pulumi-lang-yaml=\"`bindSecretId`\" pulumi-lang-java=\"`bindSecretId`\"\u003e`bind_secret_id`\u003c/span\u003e is set to false on the role.\n","secret":true,"willReplaceOnChanges":true},"secretIdWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe SecretID to log in with. Write-only attribute that can accept ephemeral values. Required unless \u003cspan pulumi-lang-nodejs=\"`bindSecretId`\" pulumi-lang-dotnet=\"`BindSecretId`\" pulumi-lang-go=\"`bindSecretId`\" pulumi-lang-python=\"`bind_secret_id`\" pulumi-lang-yaml=\"`bindSecretId`\" pulumi-lang-java=\"`bindSecretId`\"\u003e`bind_secret_id`\u003c/span\u003e is set to false on the role.","secret":true},"secretIdWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`secretIdWo`\" pulumi-lang-dotnet=\"`SecretIdWo`\" pulumi-lang-go=\"`secretIdWo`\" pulumi-lang-python=\"`secret_id_wo`\" pulumi-lang-yaml=\"`secretIdWo`\" pulumi-lang-java=\"`secretIdWo`\"\u003e`secret_id_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n","willReplaceOnChanges":true}},"requiredInputs":["roleId"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendLogin resources.\n","properties":{"accessor":{"type":"string","description":"The accessor for the token.\n"},"backend":{"type":"string","description":"The unique path of the Vault backend to log in with.\n","willReplaceOnChanges":true},"clientToken":{"type":"string","description":"The Vault token created.\n","secret":true},"leaseDuration":{"type":"integer","description":"How long the token is valid for, in seconds.\n"},"leaseStarted":{"type":"string","description":"The date and time the lease started, in RFC 3339 format.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata associated with the token.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"A list of policies applied to the token.\n"},"renewable":{"type":"boolean","description":"Whether the token is renewable or not.\n"},"roleId":{"type":"string","description":"The ID of the role to log in with.\n","willReplaceOnChanges":true},"secretId":{"type":"string","description":"The secret ID of the role to log in with. Required\nunless \u003cspan pulumi-lang-nodejs=\"`bindSecretId`\" pulumi-lang-dotnet=\"`BindSecretId`\" pulumi-lang-go=\"`bindSecretId`\" pulumi-lang-python=\"`bind_secret_id`\" pulumi-lang-yaml=\"`bindSecretId`\" pulumi-lang-java=\"`bindSecretId`\"\u003e`bind_secret_id`\u003c/span\u003e is set to false on the role.\n","secret":true,"willReplaceOnChanges":true},"secretIdWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe SecretID to log in with. Write-only attribute that can accept ephemeral values. Required unless \u003cspan pulumi-lang-nodejs=\"`bindSecretId`\" pulumi-lang-dotnet=\"`BindSecretId`\" pulumi-lang-go=\"`bindSecretId`\" pulumi-lang-python=\"`bind_secret_id`\" pulumi-lang-yaml=\"`bindSecretId`\" pulumi-lang-java=\"`bindSecretId`\"\u003e`bind_secret_id`\u003c/span\u003e is set to false on the role.","secret":true},"secretIdWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`secretIdWo`\" pulumi-lang-dotnet=\"`SecretIdWo`\" pulumi-lang-go=\"`secretIdWo`\" pulumi-lang-python=\"`secret_id_wo`\" pulumi-lang-yaml=\"`secretIdWo`\" pulumi-lang-java=\"`secretIdWo`\"\u003e`secret_id_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:appRole/authBackendRole:AuthBackendRole":{"description":"Manages an AppRole auth backend role in a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/approle) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst approle = new vault.AuthBackend(\"approle\", {type: \"approle\"});\nconst example = new vault.approle.AuthBackendRole(\"example\", {\n    backend: approle.path,\n    roleName: \"test-role\",\n    tokenPolicies: [\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\napprole = vault.AuthBackend(\"approle\", type=\"approle\")\nexample = vault.approle.AuthBackendRole(\"example\",\n    backend=approle.path,\n    role_name=\"test-role\",\n    token_policies=[\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var approle = new Vault.AuthBackend(\"approle\", new()\n    {\n        Type = \"approle\",\n    });\n\n    var example = new Vault.AppRole.AuthBackendRole(\"example\", new()\n    {\n        Backend = approle.Path,\n        RoleName = \"test-role\",\n        TokenPolicies = new[]\n        {\n            \"default\",\n            \"dev\",\n            \"prod\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/approle\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tapprole, err := vault.NewAuthBackend(ctx, \"approle\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"approle\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = approle.NewAuthBackendRole(ctx, \"example\", \u0026approle.AuthBackendRoleArgs{\n\t\t\tBackend:  approle.Path,\n\t\t\tRoleName: pulumi.String(\"test-role\"),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.appRole.AuthBackendRole;\nimport com.pulumi.vault.appRole.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var approle = new AuthBackend(\"approle\", AuthBackendArgs.builder()\n            .type(\"approle\")\n            .build());\n\n        var example = new AuthBackendRole(\"example\", AuthBackendRoleArgs.builder()\n            .backend(approle.path())\n            .roleName(\"test-role\")\n            .tokenPolicies(            \n                \"default\",\n                \"dev\",\n                \"prod\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  approle:\n    type: vault:AuthBackend\n    properties:\n      type: approle\n  example:\n    type: vault:appRole:AuthBackendRole\n    properties:\n      backend: ${approle.path}\n      roleName: test-role\n      tokenPolicies:\n        - default\n        - dev\n        - prod\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAppRole authentication backend roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:appRole/authBackendRole:AuthBackendRole example auth/approle/role/test-role\n```\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"backend":{"type":"string","description":"The unique name of the auth backend to configure.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`approle`\" pulumi-lang-dotnet=\"`Approle`\" pulumi-lang-go=\"`approle`\" pulumi-lang-python=\"`approle`\" pulumi-lang-yaml=\"`approle`\" pulumi-lang-java=\"`approle`\"\u003e`approle`\u003c/span\u003e.\n"},"bindSecretId":{"type":"boolean","description":"Whether or not to require \u003cspan pulumi-lang-nodejs=\"`secretId`\" pulumi-lang-dotnet=\"`SecretId`\" pulumi-lang-go=\"`secretId`\" pulumi-lang-python=\"`secret_id`\" pulumi-lang-yaml=\"`secretId`\" pulumi-lang-java=\"`secretId`\"\u003e`secret_id`\u003c/span\u003e to be\npresented when logging in using this AppRole. Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"},"localSecretIds":{"type":"boolean","description":"If true, SecretIDs generated against this role will be 'local' to the node they were generated on. This means that they will only be valid when used against the same node that they were generated on."},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"roleId":{"type":"string","description":"The RoleID of this role. If not specified, one will be\nauto-generated.\n"},"roleName":{"type":"string","description":"The name of the role.\n"},"secretIdBoundCidrs":{"type":"array","items":{"type":"string"},"description":"If set,\nspecifies blocks of IP addresses which can perform the login operation.\n"},"secretIdNumUses":{"type":"integer","description":"The number of times any particular SecretID\ncan be used to fetch a token from this AppRole, after which the SecretID will\nexpire. A value of zero will allow unlimited uses.\n"},"secretIdTtl":{"type":"integer","description":"The number of seconds after which any SecretID\nexpires.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["roleId","roleName"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"backend":{"type":"string","description":"The unique name of the auth backend to configure.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`approle`\" pulumi-lang-dotnet=\"`Approle`\" pulumi-lang-go=\"`approle`\" pulumi-lang-python=\"`approle`\" pulumi-lang-yaml=\"`approle`\" pulumi-lang-java=\"`approle`\"\u003e`approle`\u003c/span\u003e.\n","willReplaceOnChanges":true},"bindSecretId":{"type":"boolean","description":"Whether or not to require \u003cspan pulumi-lang-nodejs=\"`secretId`\" pulumi-lang-dotnet=\"`SecretId`\" pulumi-lang-go=\"`secretId`\" pulumi-lang-python=\"`secret_id`\" pulumi-lang-yaml=\"`secretId`\" pulumi-lang-java=\"`secretId`\"\u003e`secret_id`\u003c/span\u003e to be\npresented when logging in using this AppRole. Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"},"localSecretIds":{"type":"boolean","description":"If true, SecretIDs generated against this role will be 'local' to the node they were generated on. This means that they will only be valid when used against the same node that they were generated on."},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleId":{"type":"string","description":"The RoleID of this role. If not specified, one will be\nauto-generated.\n"},"roleName":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"secretIdBoundCidrs":{"type":"array","items":{"type":"string"},"description":"If set,\nspecifies blocks of IP addresses which can perform the login operation.\n"},"secretIdNumUses":{"type":"integer","description":"The number of times any particular SecretID\ncan be used to fetch a token from this AppRole, after which the SecretID will\nexpire. A value of zero will allow unlimited uses.\n"},"secretIdTtl":{"type":"integer","description":"The number of seconds after which any SecretID\nexpires.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"requiredInputs":["roleName"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"backend":{"type":"string","description":"The unique name of the auth backend to configure.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`approle`\" pulumi-lang-dotnet=\"`Approle`\" pulumi-lang-go=\"`approle`\" pulumi-lang-python=\"`approle`\" pulumi-lang-yaml=\"`approle`\" pulumi-lang-java=\"`approle`\"\u003e`approle`\u003c/span\u003e.\n","willReplaceOnChanges":true},"bindSecretId":{"type":"boolean","description":"Whether or not to require \u003cspan pulumi-lang-nodejs=\"`secretId`\" pulumi-lang-dotnet=\"`SecretId`\" pulumi-lang-go=\"`secretId`\" pulumi-lang-python=\"`secret_id`\" pulumi-lang-yaml=\"`secretId`\" pulumi-lang-java=\"`secretId`\"\u003e`secret_id`\u003c/span\u003e to be\npresented when logging in using this AppRole. Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"},"localSecretIds":{"type":"boolean","description":"If true, SecretIDs generated against this role will be 'local' to the node they were generated on. This means that they will only be valid when used against the same node that they were generated on."},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleId":{"type":"string","description":"The RoleID of this role. If not specified, one will be\nauto-generated.\n"},"roleName":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"secretIdBoundCidrs":{"type":"array","items":{"type":"string"},"description":"If set,\nspecifies blocks of IP addresses which can perform the login operation.\n"},"secretIdNumUses":{"type":"integer","description":"The number of times any particular SecretID\ncan be used to fetch a token from this AppRole, after which the SecretID will\nexpire. A value of zero will allow unlimited uses.\n"},"secretIdTtl":{"type":"integer","description":"The number of seconds after which any SecretID\nexpires.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:appRole/authBackendRoleSecretId:AuthBackendRoleSecretId":{"description":"Manages an AppRole auth backend SecretID in a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/approle) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst approle = new vault.AuthBackend(\"approle\", {type: \"approle\"});\nconst example = new vault.approle.AuthBackendRole(\"example\", {\n    backend: approle.path,\n    roleName: \"test-role\",\n    tokenPolicies: [\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n});\nconst id = new vault.approle.AuthBackendRoleSecretId(\"id\", {\n    backend: approle.path,\n    roleName: example.roleName,\n    metadata: JSON.stringify({\n        hello: \"world\",\n    }),\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\napprole = vault.AuthBackend(\"approle\", type=\"approle\")\nexample = vault.approle.AuthBackendRole(\"example\",\n    backend=approle.path,\n    role_name=\"test-role\",\n    token_policies=[\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ])\nid = vault.approle.AuthBackendRoleSecretId(\"id\",\n    backend=approle.path,\n    role_name=example.role_name,\n    metadata=json.dumps({\n        \"hello\": \"world\",\n    }))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var approle = new Vault.AuthBackend(\"approle\", new()\n    {\n        Type = \"approle\",\n    });\n\n    var example = new Vault.AppRole.AuthBackendRole(\"example\", new()\n    {\n        Backend = approle.Path,\n        RoleName = \"test-role\",\n        TokenPolicies = new[]\n        {\n            \"default\",\n            \"dev\",\n            \"prod\",\n        },\n    });\n\n    var id = new Vault.AppRole.AuthBackendRoleSecretId(\"id\", new()\n    {\n        Backend = approle.Path,\n        RoleName = example.RoleName,\n        Metadata = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"hello\"] = \"world\",\n        }),\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/approle\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tapprole, err := vault.NewAuthBackend(ctx, \"approle\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"approle\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texample, err := approle.NewAuthBackendRole(ctx, \"example\", \u0026approle.AuthBackendRoleArgs{\n\t\t\tBackend:  approle.Path,\n\t\t\tRoleName: pulumi.String(\"test-role\"),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"hello\": \"world\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\t_, err = approle.NewAuthBackendRoleSecretId(ctx, \"id\", \u0026approle.AuthBackendRoleSecretIdArgs{\n\t\t\tBackend:  approle.Path,\n\t\t\tRoleName: example.RoleName,\n\t\t\tMetadata: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.appRole.AuthBackendRole;\nimport com.pulumi.vault.appRole.AuthBackendRoleArgs;\nimport com.pulumi.vault.appRole.AuthBackendRoleSecretId;\nimport com.pulumi.vault.appRole.AuthBackendRoleSecretIdArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var approle = new AuthBackend(\"approle\", AuthBackendArgs.builder()\n            .type(\"approle\")\n            .build());\n\n        var example = new AuthBackendRole(\"example\", AuthBackendRoleArgs.builder()\n            .backend(approle.path())\n            .roleName(\"test-role\")\n            .tokenPolicies(            \n                \"default\",\n                \"dev\",\n                \"prod\")\n            .build());\n\n        var id = new AuthBackendRoleSecretId(\"id\", AuthBackendRoleSecretIdArgs.builder()\n            .backend(approle.path())\n            .roleName(example.roleName())\n            .metadata(serializeJson(\n                jsonObject(\n                    jsonProperty(\"hello\", \"world\")\n                )))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  approle:\n    type: vault:AuthBackend\n    properties:\n      type: approle\n  example:\n    type: vault:appRole:AuthBackendRole\n    properties:\n      backend: ${approle.path}\n      roleName: test-role\n      tokenPolicies:\n        - default\n        - dev\n        - prod\n  id:\n    type: vault:appRole:AuthBackendRoleSecretId\n    properties:\n      backend: ${approle.path}\n      roleName: ${example.roleName}\n      metadata:\n        fn::toJSON:\n          hello: world\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"accessor":{"type":"string","description":"The unique ID for this SecretID that can be safely logged.\n"},"backend":{"type":"string","description":"Unique name of the auth backend to configure."},"cidrLists":{"type":"array","items":{"type":"string"},"description":"If set, specifies blocks of IP addresses which can\nperform the login operation using this SecretID.\n"},"metadata":{"type":"string","description":"A JSON-encoded string containing metadata in\nkey-value pairs to be set on tokens issued with this SecretID.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"numUses":{"type":"integer","description":"The number of uses for the secret-id."},"roleName":{"type":"string","description":"The name of the role to create the SecretID for.\n"},"secretId":{"type":"string","description":"The SecretID to be created. If set, uses \"Push\"\nmode.  Defaults to Vault auto-generating SecretIDs.\n","secret":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"If set, specifies blocks of IP addresses which\ncan use the auth tokens generated by this SecretID. Overrides any role-set\nvalue but must be a subset.\n"},"ttl":{"type":"integer","description":"The TTL duration of the SecretID."},"withWrappedAccessor":{"type":"boolean","description":"Set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e to use the wrapped secret-id accessor as the resource ID.\nIf \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or\ninvalidated through unwrapping.\n"},"wrappingAccessor":{"type":"string","description":"The unique ID for the response-wrapped SecretID that can\nbe safely logged.\n"},"wrappingToken":{"type":"string","description":"The token used to retrieve a response-wrapped SecretID.\n","secret":true},"wrappingTtl":{"type":"string","description":"If set, the SecretID response will be\n[response-wrapped](https://www.vaultproject.io/docs/concepts/response-wrapping)\nand available for the duration specified. Only a single unwrapping of the\ntoken is allowed.\n"}},"required":["accessor","roleName","secretId","wrappingAccessor","wrappingToken"],"inputProperties":{"backend":{"type":"string","description":"Unique name of the auth backend to configure.","willReplaceOnChanges":true},"cidrLists":{"type":"array","items":{"type":"string"},"description":"If set, specifies blocks of IP addresses which can\nperform the login operation using this SecretID.\n","willReplaceOnChanges":true},"metadata":{"type":"string","description":"A JSON-encoded string containing metadata in\nkey-value pairs to be set on tokens issued with this SecretID.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"numUses":{"type":"integer","description":"The number of uses for the secret-id.","willReplaceOnChanges":true},"roleName":{"type":"string","description":"The name of the role to create the SecretID for.\n","willReplaceOnChanges":true},"secretId":{"type":"string","description":"The SecretID to be created. If set, uses \"Push\"\nmode.  Defaults to Vault auto-generating SecretIDs.\n","secret":true,"willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"If set, specifies blocks of IP addresses which\ncan use the auth tokens generated by this SecretID. Overrides any role-set\nvalue but must be a subset.\n","willReplaceOnChanges":true},"ttl":{"type":"integer","description":"The TTL duration of the SecretID.","willReplaceOnChanges":true},"withWrappedAccessor":{"type":"boolean","description":"Set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e to use the wrapped secret-id accessor as the resource ID.\nIf \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or\ninvalidated through unwrapping.\n","willReplaceOnChanges":true},"wrappingTtl":{"type":"string","description":"If set, the SecretID response will be\n[response-wrapped](https://www.vaultproject.io/docs/concepts/response-wrapping)\nand available for the duration specified. Only a single unwrapping of the\ntoken is allowed.\n","willReplaceOnChanges":true}},"requiredInputs":["roleName"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRoleSecretId resources.\n","properties":{"accessor":{"type":"string","description":"The unique ID for this SecretID that can be safely logged.\n"},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","willReplaceOnChanges":true},"cidrLists":{"type":"array","items":{"type":"string"},"description":"If set, specifies blocks of IP addresses which can\nperform the login operation using this SecretID.\n","willReplaceOnChanges":true},"metadata":{"type":"string","description":"A JSON-encoded string containing metadata in\nkey-value pairs to be set on tokens issued with this SecretID.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"numUses":{"type":"integer","description":"The number of uses for the secret-id.","willReplaceOnChanges":true},"roleName":{"type":"string","description":"The name of the role to create the SecretID for.\n","willReplaceOnChanges":true},"secretId":{"type":"string","description":"The SecretID to be created. If set, uses \"Push\"\nmode.  Defaults to Vault auto-generating SecretIDs.\n","secret":true,"willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"If set, specifies blocks of IP addresses which\ncan use the auth tokens generated by this SecretID. Overrides any role-set\nvalue but must be a subset.\n","willReplaceOnChanges":true},"ttl":{"type":"integer","description":"The TTL duration of the SecretID.","willReplaceOnChanges":true},"withWrappedAccessor":{"type":"boolean","description":"Set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e to use the wrapped secret-id accessor as the resource ID.\nIf \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e (default value), a fresh secret ID will be regenerated whenever the wrapping token is expired or\ninvalidated through unwrapping.\n","willReplaceOnChanges":true},"wrappingAccessor":{"type":"string","description":"The unique ID for the response-wrapped SecretID that can\nbe safely logged.\n"},"wrappingToken":{"type":"string","description":"The token used to retrieve a response-wrapped SecretID.\n","secret":true},"wrappingTtl":{"type":"string","description":"If set, the SecretID response will be\n[response-wrapped](https://www.vaultproject.io/docs/concepts/response-wrapping)\nand available for the duration specified. Only a single unwrapping of the\ntoken is allowed.\n","willReplaceOnChanges":true}},"type":"object"},"aliases":[{"type":"vault:appRole/authBackendRoleSecretID:AuthBackendRoleSecretID"}]},"vault:aws/authBackendCert:AuthBackendCert":{"description":"## Example Usage\n\n## Import\n\nAWS auth backend certificates can be imported using `auth/`, the `backend` path, `/config/certificate/`, and the `cert_name` e.g.\n\n```sh\n$ pulumi import vault:aws/authBackendCert:AuthBackendCert example auth/aws/config/certificate/my-cert\n```\n","properties":{"awsPublicCert":{"type":"string","description":"The  Base64 encoded AWS Public key required to\nverify PKCS7 signature of the EC2 instance metadata. You can find this key in\nthe [AWS\ndocumentation](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html).\n"},"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n"},"certName":{"type":"string","description":"The name of the certificate.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"type":{"type":"string","description":"Either \"pkcs7\" or \"identity\", indicating the type of\ndocument which can be verified using the given certificate. Defaults to\n\"pkcs7\".\n"}},"required":["awsPublicCert","certName"],"inputProperties":{"awsPublicCert":{"type":"string","description":"The  Base64 encoded AWS Public key required to\nverify PKCS7 signature of the EC2 instance metadata. You can find this key in\nthe [AWS\ndocumentation](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html).\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n","willReplaceOnChanges":true},"certName":{"type":"string","description":"The name of the certificate.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Either \"pkcs7\" or \"identity\", indicating the type of\ndocument which can be verified using the given certificate. Defaults to\n\"pkcs7\".\n","willReplaceOnChanges":true}},"requiredInputs":["awsPublicCert","certName"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendCert resources.\n","properties":{"awsPublicCert":{"type":"string","description":"The  Base64 encoded AWS Public key required to\nverify PKCS7 signature of the EC2 instance metadata. You can find this key in\nthe [AWS\ndocumentation](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html).\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n","willReplaceOnChanges":true},"certName":{"type":"string","description":"The name of the certificate.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Either \"pkcs7\" or \"identity\", indicating the type of\ndocument which can be verified using the given certificate. Defaults to\n\"pkcs7\".\n","willReplaceOnChanges":true}},"type":"object"}},"vault:aws/authBackendClient:AuthBackendClient":{"description":"\n\n## Import\n\nAWS auth backend clients can be imported using `auth/`, the `backend` path, and `/config/client` e.g.\n\n```sh\n$ pulumi import vault:aws/authBackendClient:AuthBackendClient example auth/aws/config/client\n```\n","properties":{"accessKey":{"type":"string","description":"The AWS access key that Vault should use for the\nauth backend. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`identityTokenAudience`\" pulumi-lang-dotnet=\"`IdentityTokenAudience`\" pulumi-lang-go=\"`identityTokenAudience`\" pulumi-lang-python=\"`identity_token_audience`\" pulumi-lang-yaml=\"`identityTokenAudience`\" pulumi-lang-java=\"`identityTokenAudience`\"\u003e`identity_token_audience`\u003c/span\u003e.\n","secret":true},"allowedStsHeaderValues":{"type":"array","items":{"type":"string"},"description":"List of additional headers that are allowed to be in STS request headers.\nThe headers are automatically canonicalized (e.g., `content-type` becomes `Content-Type`). Duplicate values are automatically\nremoved. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.\n"},"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"ec2Endpoint":{"type":"string","description":"Override the URL Vault uses when making EC2 API\ncalls.\n"},"iamEndpoint":{"type":"string","description":"Override the URL Vault uses when making IAM API\ncalls.\n"},"iamServerIdHeaderValue":{"type":"string","description":"The value to require in the\n`X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests\nthat are used in the IAM auth method.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`accessKey`\" pulumi-lang-dotnet=\"`AccessKey`\" pulumi-lang-go=\"`accessKey`\" pulumi-lang-python=\"`access_key`\" pulumi-lang-yaml=\"`accessKey`\" pulumi-lang-java=\"`accessKey`\"\u003e`access_key`\u003c/span\u003e. \nRequires Vault 1.17+. *Available only for Vault Enterprise*\n"},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"maxRetries":{"type":"integer","description":"Number of max retries the client should use for recoverable errors. \nThe default `-1` falls back to the AWS SDK's default behavior.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"roleArn":{"type":"string","description":"Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"secretKey":{"type":"string","description":"AWS Secret key with permissions to query AWS APIs.","secret":true},"secretKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only AWS Secret key with permissions to query AWS APIs. This field is recommended over\u003cspan pulumi-lang-nodejs=\" secretKey \" pulumi-lang-dotnet=\" SecretKey \" pulumi-lang-go=\" secretKey \" pulumi-lang-python=\" secret_key \" pulumi-lang-yaml=\" secretKey \" pulumi-lang-java=\" secretKey \"\u003e secret_key \u003c/span\u003efor enhanced security.","secret":true},"secretKeyWoVersion":{"type":"integer","description":"Version counter for the write-only \u003cspan pulumi-lang-nodejs=\"`secretKeyWo`\" pulumi-lang-dotnet=\"`SecretKeyWo`\" pulumi-lang-go=\"`secretKeyWo`\" pulumi-lang-python=\"`secret_key_wo`\" pulumi-lang-yaml=\"`secretKeyWo`\" pulumi-lang-java=\"`secretKeyWo`\"\u003e`secret_key_wo`\u003c/span\u003e field.\nIncrement this value to rotate the secret key. Required when \u003cspan pulumi-lang-nodejs=\"`secretKeyWo`\" pulumi-lang-dotnet=\"`SecretKeyWo`\" pulumi-lang-go=\"`secretKeyWo`\" pulumi-lang-python=\"`secret_key_wo`\" pulumi-lang-yaml=\"`secretKeyWo`\" pulumi-lang-java=\"`secretKeyWo`\"\u003e`secret_key_wo`\u003c/span\u003e is set.\n"},"stsEndpoint":{"type":"string","description":"Override the URL Vault uses when making STS API\ncalls.\n"},"stsRegion":{"type":"string","description":"Override the default region when making STS API \ncalls. The \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003e argument must be set when using \u003cspan pulumi-lang-nodejs=\"`stsRegion`\" pulumi-lang-dotnet=\"`StsRegion`\" pulumi-lang-go=\"`stsRegion`\" pulumi-lang-python=\"`sts_region`\" pulumi-lang-yaml=\"`stsRegion`\" pulumi-lang-java=\"`stsRegion`\"\u003e`sts_region`\u003c/span\u003e.\n"},"useStsRegionFromClient":{"type":"boolean","description":"Available in Vault v1.15+. If set, \noverrides both \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`stsRegion`\" pulumi-lang-dotnet=\"`StsRegion`\" pulumi-lang-go=\"`stsRegion`\" pulumi-lang-python=\"`sts_region`\" pulumi-lang-yaml=\"`stsRegion`\" pulumi-lang-java=\"`stsRegion`\"\u003e`sts_region`\u003c/span\u003e to instead use the region\nspecified in the client request headers for IAM-based authentication.\nThis can be useful when you have client requests coming from different\nregions and want flexibility in which regional STS API is used.\n"}},"required":["identityTokenTtl","useStsRegionFromClient"],"inputProperties":{"accessKey":{"type":"string","description":"The AWS access key that Vault should use for the\nauth backend. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`identityTokenAudience`\" pulumi-lang-dotnet=\"`IdentityTokenAudience`\" pulumi-lang-go=\"`identityTokenAudience`\" pulumi-lang-python=\"`identity_token_audience`\" pulumi-lang-yaml=\"`identityTokenAudience`\" pulumi-lang-java=\"`identityTokenAudience`\"\u003e`identity_token_audience`\u003c/span\u003e.\n","secret":true},"allowedStsHeaderValues":{"type":"array","items":{"type":"string"},"description":"List of additional headers that are allowed to be in STS request headers.\nThe headers are automatically canonicalized (e.g., `content-type` becomes `Content-Type`). Duplicate values are automatically\nremoved. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.\n"},"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n","willReplaceOnChanges":true},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"ec2Endpoint":{"type":"string","description":"Override the URL Vault uses when making EC2 API\ncalls.\n"},"iamEndpoint":{"type":"string","description":"Override the URL Vault uses when making IAM API\ncalls.\n"},"iamServerIdHeaderValue":{"type":"string","description":"The value to require in the\n`X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests\nthat are used in the IAM auth method.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`accessKey`\" pulumi-lang-dotnet=\"`AccessKey`\" pulumi-lang-go=\"`accessKey`\" pulumi-lang-python=\"`access_key`\" pulumi-lang-yaml=\"`accessKey`\" pulumi-lang-java=\"`accessKey`\"\u003e`access_key`\u003c/span\u003e. \nRequires Vault 1.17+. *Available only for Vault Enterprise*\n"},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"maxRetries":{"type":"integer","description":"Number of max retries the client should use for recoverable errors. \nThe default `-1` falls back to the AWS SDK's default behavior.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleArn":{"type":"string","description":"Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"secretKey":{"type":"string","description":"AWS Secret key with permissions to query AWS APIs.","secret":true},"secretKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only AWS Secret key with permissions to query AWS APIs. This field is recommended over\u003cspan pulumi-lang-nodejs=\" secretKey \" pulumi-lang-dotnet=\" SecretKey \" pulumi-lang-go=\" secretKey \" pulumi-lang-python=\" secret_key \" pulumi-lang-yaml=\" secretKey \" pulumi-lang-java=\" secretKey \"\u003e secret_key \u003c/span\u003efor enhanced security.","secret":true},"secretKeyWoVersion":{"type":"integer","description":"Version counter for the write-only \u003cspan pulumi-lang-nodejs=\"`secretKeyWo`\" pulumi-lang-dotnet=\"`SecretKeyWo`\" pulumi-lang-go=\"`secretKeyWo`\" pulumi-lang-python=\"`secret_key_wo`\" pulumi-lang-yaml=\"`secretKeyWo`\" pulumi-lang-java=\"`secretKeyWo`\"\u003e`secret_key_wo`\u003c/span\u003e field.\nIncrement this value to rotate the secret key. Required when \u003cspan pulumi-lang-nodejs=\"`secretKeyWo`\" pulumi-lang-dotnet=\"`SecretKeyWo`\" pulumi-lang-go=\"`secretKeyWo`\" pulumi-lang-python=\"`secret_key_wo`\" pulumi-lang-yaml=\"`secretKeyWo`\" pulumi-lang-java=\"`secretKeyWo`\"\u003e`secret_key_wo`\u003c/span\u003e is set.\n"},"stsEndpoint":{"type":"string","description":"Override the URL Vault uses when making STS API\ncalls.\n"},"stsRegion":{"type":"string","description":"Override the default region when making STS API \ncalls. The \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003e argument must be set when using \u003cspan pulumi-lang-nodejs=\"`stsRegion`\" pulumi-lang-dotnet=\"`StsRegion`\" pulumi-lang-go=\"`stsRegion`\" pulumi-lang-python=\"`sts_region`\" pulumi-lang-yaml=\"`stsRegion`\" pulumi-lang-java=\"`stsRegion`\"\u003e`sts_region`\u003c/span\u003e.\n"},"useStsRegionFromClient":{"type":"boolean","description":"Available in Vault v1.15+. If set, \noverrides both \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`stsRegion`\" pulumi-lang-dotnet=\"`StsRegion`\" pulumi-lang-go=\"`stsRegion`\" pulumi-lang-python=\"`sts_region`\" pulumi-lang-yaml=\"`stsRegion`\" pulumi-lang-java=\"`stsRegion`\"\u003e`sts_region`\u003c/span\u003e to instead use the region\nspecified in the client request headers for IAM-based authentication.\nThis can be useful when you have client requests coming from different\nregions and want flexibility in which regional STS API is used.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendClient resources.\n","properties":{"accessKey":{"type":"string","description":"The AWS access key that Vault should use for the\nauth backend. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`identityTokenAudience`\" pulumi-lang-dotnet=\"`IdentityTokenAudience`\" pulumi-lang-go=\"`identityTokenAudience`\" pulumi-lang-python=\"`identity_token_audience`\" pulumi-lang-yaml=\"`identityTokenAudience`\" pulumi-lang-java=\"`identityTokenAudience`\"\u003e`identity_token_audience`\u003c/span\u003e.\n","secret":true},"allowedStsHeaderValues":{"type":"array","items":{"type":"string"},"description":"List of additional headers that are allowed to be in STS request headers.\nThe headers are automatically canonicalized (e.g., `content-type` becomes `Content-Type`). Duplicate values are automatically\nremoved. This can be useful when you need to allow specific headers in STS requests for IAM-based authentication.\n"},"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n","willReplaceOnChanges":true},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"ec2Endpoint":{"type":"string","description":"Override the URL Vault uses when making EC2 API\ncalls.\n"},"iamEndpoint":{"type":"string","description":"Override the URL Vault uses when making IAM API\ncalls.\n"},"iamServerIdHeaderValue":{"type":"string","description":"The value to require in the\n`X-Vault-AWS-IAM-Server-ID` header as part of `GetCallerIdentity` requests\nthat are used in the IAM auth method.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`accessKey`\" pulumi-lang-dotnet=\"`AccessKey`\" pulumi-lang-go=\"`accessKey`\" pulumi-lang-python=\"`access_key`\" pulumi-lang-yaml=\"`accessKey`\" pulumi-lang-java=\"`accessKey`\"\u003e`access_key`\u003c/span\u003e. \nRequires Vault 1.17+. *Available only for Vault Enterprise*\n"},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"maxRetries":{"type":"integer","description":"Number of max retries the client should use for recoverable errors. \nThe default `-1` falls back to the AWS SDK's default behavior.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleArn":{"type":"string","description":"Role ARN to assume for plugin identity token federation. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"secretKey":{"type":"string","description":"AWS Secret key with permissions to query AWS APIs.","secret":true},"secretKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only AWS Secret key with permissions to query AWS APIs. This field is recommended over\u003cspan pulumi-lang-nodejs=\" secretKey \" pulumi-lang-dotnet=\" SecretKey \" pulumi-lang-go=\" secretKey \" pulumi-lang-python=\" secret_key \" pulumi-lang-yaml=\" secretKey \" pulumi-lang-java=\" secretKey \"\u003e secret_key \u003c/span\u003efor enhanced security.","secret":true},"secretKeyWoVersion":{"type":"integer","description":"Version counter for the write-only \u003cspan pulumi-lang-nodejs=\"`secretKeyWo`\" pulumi-lang-dotnet=\"`SecretKeyWo`\" pulumi-lang-go=\"`secretKeyWo`\" pulumi-lang-python=\"`secret_key_wo`\" pulumi-lang-yaml=\"`secretKeyWo`\" pulumi-lang-java=\"`secretKeyWo`\"\u003e`secret_key_wo`\u003c/span\u003e field.\nIncrement this value to rotate the secret key. Required when \u003cspan pulumi-lang-nodejs=\"`secretKeyWo`\" pulumi-lang-dotnet=\"`SecretKeyWo`\" pulumi-lang-go=\"`secretKeyWo`\" pulumi-lang-python=\"`secret_key_wo`\" pulumi-lang-yaml=\"`secretKeyWo`\" pulumi-lang-java=\"`secretKeyWo`\"\u003e`secret_key_wo`\u003c/span\u003e is set.\n"},"stsEndpoint":{"type":"string","description":"Override the URL Vault uses when making STS API\ncalls.\n"},"stsRegion":{"type":"string","description":"Override the default region when making STS API \ncalls. The \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003e argument must be set when using \u003cspan pulumi-lang-nodejs=\"`stsRegion`\" pulumi-lang-dotnet=\"`StsRegion`\" pulumi-lang-go=\"`stsRegion`\" pulumi-lang-python=\"`sts_region`\" pulumi-lang-yaml=\"`stsRegion`\" pulumi-lang-java=\"`stsRegion`\"\u003e`sts_region`\u003c/span\u003e.\n"},"useStsRegionFromClient":{"type":"boolean","description":"Available in Vault v1.15+. If set, \noverrides both \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`stsRegion`\" pulumi-lang-dotnet=\"`StsRegion`\" pulumi-lang-go=\"`stsRegion`\" pulumi-lang-python=\"`sts_region`\" pulumi-lang-yaml=\"`stsRegion`\" pulumi-lang-java=\"`stsRegion`\"\u003e`sts_region`\u003c/span\u003e to instead use the region\nspecified in the client request headers for IAM-based authentication.\nThis can be useful when you have client requests coming from different\nregions and want flexibility in which regional STS API is used.\n"}},"type":"object"}},"vault:aws/authBackendConfigIdentity:AuthBackendConfigIdentity":{"description":"Manages an AWS auth backend identity configuration in a Vault server. This configuration defines how Vault interacts\nwith the identity store. See the [Vault documentation](https://www.vaultproject.io/docs/auth/aws.html) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.AuthBackend(\"aws\", {type: \"aws\"});\nconst example = new vault.aws.AuthBackendConfigIdentity(\"example\", {\n    backend: aws.path,\n    iamAlias: \"full_arn\",\n    iamMetadatas: [\n        \"canonical_arn\",\n        \"account_id\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.AuthBackend(\"aws\", type=\"aws\")\nexample = vault.aws.AuthBackendConfigIdentity(\"example\",\n    backend=aws.path,\n    iam_alias=\"full_arn\",\n    iam_metadatas=[\n        \"canonical_arn\",\n        \"account_id\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.AuthBackend(\"aws\", new()\n    {\n        Type = \"aws\",\n    });\n\n    var example = new Vault.Aws.AuthBackendConfigIdentity(\"example\", new()\n    {\n        Backend = aws.Path,\n        IamAlias = \"full_arn\",\n        IamMetadatas = new[]\n        {\n            \"canonical_arn\",\n            \"account_id\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\taws, err := vault.NewAuthBackend(ctx, \"aws\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"aws\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewAuthBackendConfigIdentity(ctx, \"example\", \u0026aws.AuthBackendConfigIdentityArgs{\n\t\t\tBackend:  aws.Path,\n\t\t\tIamAlias: pulumi.String(\"full_arn\"),\n\t\t\tIamMetadatas: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"canonical_arn\"),\n\t\t\t\tpulumi.String(\"account_id\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.aws.AuthBackendConfigIdentity;\nimport com.pulumi.vault.aws.AuthBackendConfigIdentityArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new AuthBackend(\"aws\", AuthBackendArgs.builder()\n            .type(\"aws\")\n            .build());\n\n        var example = new AuthBackendConfigIdentity(\"example\", AuthBackendConfigIdentityArgs.builder()\n            .backend(aws.path())\n            .iamAlias(\"full_arn\")\n            .iamMetadatas(            \n                \"canonical_arn\",\n                \"account_id\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:AuthBackend\n    properties:\n      type: aws\n  example:\n    type: vault:aws:AuthBackendConfigIdentity\n    properties:\n      backend: ${aws.path}\n      iamAlias: full_arn\n      iamMetadatas:\n        - canonical_arn\n        - account_id\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAWS auth backend identity config can be imported using `auth/`, the `backend` path, and `/config/identity` e.g.\n\n```sh\n$ pulumi import vault:aws/authBackendConfigIdentity:AuthBackendConfigIdentity example auth/aws/config/identity\n```\n","properties":{"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n"},"ec2Alias":{"type":"string","description":"How to generate the identity alias when using the ec2 auth method. Valid choices are\n\u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`instanceId`\" pulumi-lang-dotnet=\"`InstanceId`\" pulumi-lang-go=\"`instanceId`\" pulumi-lang-python=\"`instance_id`\" pulumi-lang-yaml=\"`instanceId`\" pulumi-lang-java=\"`instanceId`\"\u003e`instance_id`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`imageId`\" pulumi-lang-dotnet=\"`ImageId`\" pulumi-lang-go=\"`imageId`\" pulumi-lang-python=\"`image_id`\" pulumi-lang-yaml=\"`imageId`\" pulumi-lang-java=\"`imageId`\"\u003e`image_id`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e\n"},"ec2Metadatas":{"type":"array","items":{"type":"string"},"description":"The metadata to include on the token returned by the \u003cspan pulumi-lang-nodejs=\"`login`\" pulumi-lang-dotnet=\"`Login`\" pulumi-lang-go=\"`login`\" pulumi-lang-python=\"`login`\" pulumi-lang-yaml=\"`login`\" pulumi-lang-java=\"`login`\"\u003e`login`\u003c/span\u003e endpoint. This metadata will be\nadded to both audit logs, and on the \u003cspan pulumi-lang-nodejs=\"`ec2Alias`\" pulumi-lang-dotnet=\"`Ec2Alias`\" pulumi-lang-go=\"`ec2Alias`\" pulumi-lang-python=\"`ec2_alias`\" pulumi-lang-yaml=\"`ec2Alias`\" pulumi-lang-java=\"`ec2Alias`\"\u003e`ec2_alias`\u003c/span\u003e\n"},"iamAlias":{"type":"string","description":"How to generate the identity alias when using the iam auth method. Valid choices are\n\u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`uniqueId`\" pulumi-lang-dotnet=\"`UniqueId`\" pulumi-lang-go=\"`uniqueId`\" pulumi-lang-python=\"`unique_id`\" pulumi-lang-yaml=\"`uniqueId`\" pulumi-lang-java=\"`uniqueId`\"\u003e`unique_id`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`fullArn`\" pulumi-lang-dotnet=\"`FullArn`\" pulumi-lang-go=\"`fullArn`\" pulumi-lang-python=\"`full_arn`\" pulumi-lang-yaml=\"`fullArn`\" pulumi-lang-java=\"`fullArn`\"\u003e`full_arn`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e\n"},"iamMetadatas":{"type":"array","items":{"type":"string"},"description":"The metadata to include on the token returned by the \u003cspan pulumi-lang-nodejs=\"`login`\" pulumi-lang-dotnet=\"`Login`\" pulumi-lang-go=\"`login`\" pulumi-lang-python=\"`login`\" pulumi-lang-yaml=\"`login`\" pulumi-lang-java=\"`login`\"\u003e`login`\u003c/span\u003e endpoint. This metadata will be\nadded to both audit logs, and on the \u003cspan pulumi-lang-nodejs=\"`iamAlias`\" pulumi-lang-dotnet=\"`IamAlias`\" pulumi-lang-go=\"`iamAlias`\" pulumi-lang-python=\"`iam_alias`\" pulumi-lang-yaml=\"`iamAlias`\" pulumi-lang-java=\"`iamAlias`\"\u003e`iam_alias`\u003c/span\u003e\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"inputProperties":{"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n","willReplaceOnChanges":true},"ec2Alias":{"type":"string","description":"How to generate the identity alias when using the ec2 auth method. Valid choices are\n\u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`instanceId`\" pulumi-lang-dotnet=\"`InstanceId`\" pulumi-lang-go=\"`instanceId`\" pulumi-lang-python=\"`instance_id`\" pulumi-lang-yaml=\"`instanceId`\" pulumi-lang-java=\"`instanceId`\"\u003e`instance_id`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`imageId`\" pulumi-lang-dotnet=\"`ImageId`\" pulumi-lang-go=\"`imageId`\" pulumi-lang-python=\"`image_id`\" pulumi-lang-yaml=\"`imageId`\" pulumi-lang-java=\"`imageId`\"\u003e`image_id`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e\n"},"ec2Metadatas":{"type":"array","items":{"type":"string"},"description":"The metadata to include on the token returned by the \u003cspan pulumi-lang-nodejs=\"`login`\" pulumi-lang-dotnet=\"`Login`\" pulumi-lang-go=\"`login`\" pulumi-lang-python=\"`login`\" pulumi-lang-yaml=\"`login`\" pulumi-lang-java=\"`login`\"\u003e`login`\u003c/span\u003e endpoint. This metadata will be\nadded to both audit logs, and on the \u003cspan pulumi-lang-nodejs=\"`ec2Alias`\" pulumi-lang-dotnet=\"`Ec2Alias`\" pulumi-lang-go=\"`ec2Alias`\" pulumi-lang-python=\"`ec2_alias`\" pulumi-lang-yaml=\"`ec2Alias`\" pulumi-lang-java=\"`ec2Alias`\"\u003e`ec2_alias`\u003c/span\u003e\n"},"iamAlias":{"type":"string","description":"How to generate the identity alias when using the iam auth method. Valid choices are\n\u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`uniqueId`\" pulumi-lang-dotnet=\"`UniqueId`\" pulumi-lang-go=\"`uniqueId`\" pulumi-lang-python=\"`unique_id`\" pulumi-lang-yaml=\"`uniqueId`\" pulumi-lang-java=\"`uniqueId`\"\u003e`unique_id`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`fullArn`\" pulumi-lang-dotnet=\"`FullArn`\" pulumi-lang-go=\"`fullArn`\" pulumi-lang-python=\"`full_arn`\" pulumi-lang-yaml=\"`fullArn`\" pulumi-lang-java=\"`fullArn`\"\u003e`full_arn`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e\n"},"iamMetadatas":{"type":"array","items":{"type":"string"},"description":"The metadata to include on the token returned by the \u003cspan pulumi-lang-nodejs=\"`login`\" pulumi-lang-dotnet=\"`Login`\" pulumi-lang-go=\"`login`\" pulumi-lang-python=\"`login`\" pulumi-lang-yaml=\"`login`\" pulumi-lang-java=\"`login`\"\u003e`login`\u003c/span\u003e endpoint. This metadata will be\nadded to both audit logs, and on the \u003cspan pulumi-lang-nodejs=\"`iamAlias`\" pulumi-lang-dotnet=\"`IamAlias`\" pulumi-lang-go=\"`iamAlias`\" pulumi-lang-python=\"`iam_alias`\" pulumi-lang-yaml=\"`iamAlias`\" pulumi-lang-java=\"`iamAlias`\"\u003e`iam_alias`\u003c/span\u003e\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendConfigIdentity resources.\n","properties":{"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n","willReplaceOnChanges":true},"ec2Alias":{"type":"string","description":"How to generate the identity alias when using the ec2 auth method. Valid choices are\n\u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`instanceId`\" pulumi-lang-dotnet=\"`InstanceId`\" pulumi-lang-go=\"`instanceId`\" pulumi-lang-python=\"`instance_id`\" pulumi-lang-yaml=\"`instanceId`\" pulumi-lang-java=\"`instanceId`\"\u003e`instance_id`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`imageId`\" pulumi-lang-dotnet=\"`ImageId`\" pulumi-lang-go=\"`imageId`\" pulumi-lang-python=\"`image_id`\" pulumi-lang-yaml=\"`imageId`\" pulumi-lang-java=\"`imageId`\"\u003e`image_id`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e\n"},"ec2Metadatas":{"type":"array","items":{"type":"string"},"description":"The metadata to include on the token returned by the \u003cspan pulumi-lang-nodejs=\"`login`\" pulumi-lang-dotnet=\"`Login`\" pulumi-lang-go=\"`login`\" pulumi-lang-python=\"`login`\" pulumi-lang-yaml=\"`login`\" pulumi-lang-java=\"`login`\"\u003e`login`\u003c/span\u003e endpoint. This metadata will be\nadded to both audit logs, and on the \u003cspan pulumi-lang-nodejs=\"`ec2Alias`\" pulumi-lang-dotnet=\"`Ec2Alias`\" pulumi-lang-go=\"`ec2Alias`\" pulumi-lang-python=\"`ec2_alias`\" pulumi-lang-yaml=\"`ec2Alias`\" pulumi-lang-java=\"`ec2Alias`\"\u003e`ec2_alias`\u003c/span\u003e\n"},"iamAlias":{"type":"string","description":"How to generate the identity alias when using the iam auth method. Valid choices are\n\u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`uniqueId`\" pulumi-lang-dotnet=\"`UniqueId`\" pulumi-lang-go=\"`uniqueId`\" pulumi-lang-python=\"`unique_id`\" pulumi-lang-yaml=\"`uniqueId`\" pulumi-lang-java=\"`uniqueId`\"\u003e`unique_id`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`fullArn`\" pulumi-lang-dotnet=\"`FullArn`\" pulumi-lang-go=\"`fullArn`\" pulumi-lang-python=\"`full_arn`\" pulumi-lang-yaml=\"`fullArn`\" pulumi-lang-java=\"`fullArn`\"\u003e`full_arn`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`roleId`\" pulumi-lang-dotnet=\"`RoleId`\" pulumi-lang-go=\"`roleId`\" pulumi-lang-python=\"`role_id`\" pulumi-lang-yaml=\"`roleId`\" pulumi-lang-java=\"`roleId`\"\u003e`role_id`\u003c/span\u003e\n"},"iamMetadatas":{"type":"array","items":{"type":"string"},"description":"The metadata to include on the token returned by the \u003cspan pulumi-lang-nodejs=\"`login`\" pulumi-lang-dotnet=\"`Login`\" pulumi-lang-go=\"`login`\" pulumi-lang-python=\"`login`\" pulumi-lang-yaml=\"`login`\" pulumi-lang-java=\"`login`\"\u003e`login`\u003c/span\u003e endpoint. This metadata will be\nadded to both audit logs, and on the \u003cspan pulumi-lang-nodejs=\"`iamAlias`\" pulumi-lang-dotnet=\"`IamAlias`\" pulumi-lang-go=\"`iamAlias`\" pulumi-lang-python=\"`iam_alias`\" pulumi-lang-yaml=\"`iamAlias`\" pulumi-lang-java=\"`iamAlias`\"\u003e`iam_alias`\u003c/span\u003e\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:aws/authBackendIdentityWhitelist:AuthBackendIdentityWhitelist":{"description":"Configures the periodic tidying operation of the whitelisted identity entries.\n\nFor more information, see the\n[Vault docs](https://www.vaultproject.io/api-docs/auth/aws#configure-identity-whitelist-tidy-operation).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.AuthBackend(\"example\", {type: \"aws\"});\nconst exampleAuthBackendIdentityWhitelist = new vault.aws.AuthBackendIdentityWhitelist(\"example\", {\n    backend: example.path,\n    safetyBuffer: 3600,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.AuthBackend(\"example\", type=\"aws\")\nexample_auth_backend_identity_whitelist = vault.aws.AuthBackendIdentityWhitelist(\"example\",\n    backend=example.path,\n    safety_buffer=3600)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.AuthBackend(\"example\", new()\n    {\n        Type = \"aws\",\n    });\n\n    var exampleAuthBackendIdentityWhitelist = new Vault.Aws.AuthBackendIdentityWhitelist(\"example\", new()\n    {\n        Backend = example.Path,\n        SafetyBuffer = 3600,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := vault.NewAuthBackend(ctx, \"example\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"aws\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewAuthBackendIdentityWhitelist(ctx, \"example\", \u0026aws.AuthBackendIdentityWhitelistArgs{\n\t\t\tBackend:      example.Path,\n\t\t\tSafetyBuffer: pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.aws.AuthBackendIdentityWhitelist;\nimport com.pulumi.vault.aws.AuthBackendIdentityWhitelistArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackend(\"example\", AuthBackendArgs.builder()\n            .type(\"aws\")\n            .build());\n\n        var exampleAuthBackendIdentityWhitelist = new AuthBackendIdentityWhitelist(\"exampleAuthBackendIdentityWhitelist\", AuthBackendIdentityWhitelistArgs.builder()\n            .backend(example.path())\n            .safetyBuffer(3600)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:AuthBackend\n    properties:\n      type: aws\n  exampleAuthBackendIdentityWhitelist:\n    type: vault:aws:AuthBackendIdentityWhitelist\n    name: example\n    properties:\n      backend: ${example.path}\n      safetyBuffer: 3600\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAWS auth backend identity whitelists can be imported using `auth/`, the `backend` path, and `/config/tidy/identity-whitelist` e.g.\n\n```sh\n$ pulumi import vault:aws/authBackendIdentityWhitelist:AuthBackendIdentityWhitelist example auth/aws/config/tidy/identity-whitelist\n```\n","properties":{"backend":{"type":"string","description":"The path of the AWS backend being configured.\n"},"disablePeriodicTidy":{"type":"boolean","description":"If set to true, disables the periodic\ntidying of the identity-whitelist entries.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"safetyBuffer":{"type":"integer","description":"The amount of extra time, in minutes, that must\nhave passed beyond the roletag expiration, before it is removed from the\nbackend storage.\n"}},"inputProperties":{"backend":{"type":"string","description":"The path of the AWS backend being configured.\n","willReplaceOnChanges":true},"disablePeriodicTidy":{"type":"boolean","description":"If set to true, disables the periodic\ntidying of the identity-whitelist entries.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"safetyBuffer":{"type":"integer","description":"The amount of extra time, in minutes, that must\nhave passed beyond the roletag expiration, before it is removed from the\nbackend storage.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendIdentityWhitelist resources.\n","properties":{"backend":{"type":"string","description":"The path of the AWS backend being configured.\n","willReplaceOnChanges":true},"disablePeriodicTidy":{"type":"boolean","description":"If set to true, disables the periodic\ntidying of the identity-whitelist entries.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"safetyBuffer":{"type":"integer","description":"The amount of extra time, in minutes, that must\nhave passed beyond the roletag expiration, before it is removed from the\nbackend storage.\n"}},"type":"object"}},"vault:aws/authBackendLogin:AuthBackendLogin":{"description":"Logs into a Vault server using an AWS auth backend. Login can be\naccomplished using a signed identity request from IAM or using ec2\ninstance metadata. For more information, see the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/aws.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.AuthBackend(\"aws\", {\n    type: \"aws\",\n    path: \"aws\",\n});\nconst example = new vault.aws.AuthBackendClient(\"example\", {\n    backend: aws.path,\n    accessKey: \"123456789012\",\n    secretKey: \"AWSSECRETKEYGOESHERE\",\n});\nconst exampleAuthBackendRole = new vault.aws.AuthBackendRole(\"example\", {\n    backend: aws.path,\n    role: \"test-role\",\n    authType: \"ec2\",\n    boundAmiId: \"ami-8c1be5f6\",\n    boundAccountId: \"123456789012\",\n    boundVpcId: \"vpc-b61106d4\",\n    boundSubnetId: \"vpc-133128f1\",\n    boundIamInstanceProfileArns: [\"arn:aws:iam::123456789012:instance-profile/MyProfile\"],\n    ttl: 60,\n    maxTtl: 120,\n    tokenPolicies: [\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n}, {\n    dependsOn: [example],\n});\nconst exampleAuthBackendLogin = new vault.aws.AuthBackendLogin(\"example\", {\n    backend: exampleVaultAuthBackend.path,\n    role: exampleAuthBackendRole.role,\n    identity: \"BASE64ENCODEDIDENTITYDOCUMENT\",\n    signature: \"BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.AuthBackend(\"aws\",\n    type=\"aws\",\n    path=\"aws\")\nexample = vault.aws.AuthBackendClient(\"example\",\n    backend=aws.path,\n    access_key=\"123456789012\",\n    secret_key=\"AWSSECRETKEYGOESHERE\")\nexample_auth_backend_role = vault.aws.AuthBackendRole(\"example\",\n    backend=aws.path,\n    role=\"test-role\",\n    auth_type=\"ec2\",\n    bound_ami_id=\"ami-8c1be5f6\",\n    bound_account_id=\"123456789012\",\n    bound_vpc_id=\"vpc-b61106d4\",\n    bound_subnet_id=\"vpc-133128f1\",\n    bound_iam_instance_profile_arns=[\"arn:aws:iam::123456789012:instance-profile/MyProfile\"],\n    ttl=60,\n    max_ttl=120,\n    token_policies=[\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n    opts = pulumi.ResourceOptions(depends_on=[example]))\nexample_auth_backend_login = vault.aws.AuthBackendLogin(\"example\",\n    backend=example_vault_auth_backend[\"path\"],\n    role=example_auth_backend_role.role,\n    identity=\"BASE64ENCODEDIDENTITYDOCUMENT\",\n    signature=\"BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.AuthBackend(\"aws\", new()\n    {\n        Type = \"aws\",\n        Path = \"aws\",\n    });\n\n    var example = new Vault.Aws.AuthBackendClient(\"example\", new()\n    {\n        Backend = aws.Path,\n        AccessKey = \"123456789012\",\n        SecretKey = \"AWSSECRETKEYGOESHERE\",\n    });\n\n    var exampleAuthBackendRole = new Vault.Aws.AuthBackendRole(\"example\", new()\n    {\n        Backend = aws.Path,\n        Role = \"test-role\",\n        AuthType = \"ec2\",\n        BoundAmiId = \"ami-8c1be5f6\",\n        BoundAccountId = \"123456789012\",\n        BoundVpcId = \"vpc-b61106d4\",\n        BoundSubnetId = \"vpc-133128f1\",\n        BoundIamInstanceProfileArns = new[]\n        {\n            \"arn:aws:iam::123456789012:instance-profile/MyProfile\",\n        },\n        Ttl = 60,\n        MaxTtl = 120,\n        TokenPolicies = new[]\n        {\n            \"default\",\n            \"dev\",\n            \"prod\",\n        },\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            example,\n        },\n    });\n\n    var exampleAuthBackendLogin = new Vault.Aws.AuthBackendLogin(\"example\", new()\n    {\n        Backend = exampleVaultAuthBackend.Path,\n        Role = exampleAuthBackendRole.Role,\n        Identity = \"BASE64ENCODEDIDENTITYDOCUMENT\",\n        Signature = \"BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\taws, err := vault.NewAuthBackend(ctx, \"aws\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"aws\"),\n\t\t\tPath: pulumi.String(\"aws\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texample, err := aws.NewAuthBackendClient(ctx, \"example\", \u0026aws.AuthBackendClientArgs{\n\t\t\tBackend:   aws.Path,\n\t\t\tAccessKey: pulumi.String(\"123456789012\"),\n\t\t\tSecretKey: pulumi.String(\"AWSSECRETKEYGOESHERE\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleAuthBackendRole, err := aws.NewAuthBackendRole(ctx, \"example\", \u0026aws.AuthBackendRoleArgs{\n\t\t\tBackend:        aws.Path,\n\t\t\tRole:           pulumi.String(\"test-role\"),\n\t\t\tAuthType:       pulumi.String(\"ec2\"),\n\t\t\tBoundAmiId:     \"ami-8c1be5f6\",\n\t\t\tBoundAccountId: \"123456789012\",\n\t\t\tBoundVpcId:     \"vpc-b61106d4\",\n\t\t\tBoundSubnetId:  \"vpc-133128f1\",\n\t\t\tBoundIamInstanceProfileArns: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"arn:aws:iam::123456789012:instance-profile/MyProfile\"),\n\t\t\t},\n\t\t\tTtl:    60,\n\t\t\tMaxTtl: 120,\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\texample,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewAuthBackendLogin(ctx, \"example\", \u0026aws.AuthBackendLoginArgs{\n\t\t\tBackend:   pulumi.Any(exampleVaultAuthBackend.Path),\n\t\t\tRole:      exampleAuthBackendRole.Role,\n\t\t\tIdentity:  pulumi.String(\"BASE64ENCODEDIDENTITYDOCUMENT\"),\n\t\t\tSignature: pulumi.String(\"BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.aws.AuthBackendClient;\nimport com.pulumi.vault.aws.AuthBackendClientArgs;\nimport com.pulumi.vault.aws.AuthBackendRole;\nimport com.pulumi.vault.aws.AuthBackendRoleArgs;\nimport com.pulumi.vault.aws.AuthBackendLogin;\nimport com.pulumi.vault.aws.AuthBackendLoginArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new AuthBackend(\"aws\", AuthBackendArgs.builder()\n            .type(\"aws\")\n            .path(\"aws\")\n            .build());\n\n        var example = new AuthBackendClient(\"example\", AuthBackendClientArgs.builder()\n            .backend(aws.path())\n            .accessKey(\"123456789012\")\n            .secretKey(\"AWSSECRETKEYGOESHERE\")\n            .build());\n\n        var exampleAuthBackendRole = new AuthBackendRole(\"exampleAuthBackendRole\", AuthBackendRoleArgs.builder()\n            .backend(aws.path())\n            .role(\"test-role\")\n            .authType(\"ec2\")\n            .boundAmiId(\"ami-8c1be5f6\")\n            .boundAccountId(\"123456789012\")\n            .boundVpcId(\"vpc-b61106d4\")\n            .boundSubnetId(\"vpc-133128f1\")\n            .boundIamInstanceProfileArns(\"arn:aws:iam::123456789012:instance-profile/MyProfile\")\n            .ttl(60)\n            .maxTtl(120)\n            .tokenPolicies(            \n                \"default\",\n                \"dev\",\n                \"prod\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(example)\n                .build());\n\n        var exampleAuthBackendLogin = new AuthBackendLogin(\"exampleAuthBackendLogin\", AuthBackendLoginArgs.builder()\n            .backend(exampleVaultAuthBackend.path())\n            .role(exampleAuthBackendRole.role())\n            .identity(\"BASE64ENCODEDIDENTITYDOCUMENT\")\n            .signature(\"BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:AuthBackend\n    properties:\n      type: aws\n      path: aws\n  example:\n    type: vault:aws:AuthBackendClient\n    properties:\n      backend: ${aws.path}\n      accessKey: '123456789012'\n      secretKey: AWSSECRETKEYGOESHERE\n  exampleAuthBackendRole:\n    type: vault:aws:AuthBackendRole\n    name: example\n    properties:\n      backend: ${aws.path}\n      role: test-role\n      authType: ec2\n      boundAmiId: ami-8c1be5f6\n      boundAccountId: '123456789012'\n      boundVpcId: vpc-b61106d4\n      boundSubnetId: vpc-133128f1\n      boundIamInstanceProfileArns:\n        - arn:aws:iam::123456789012:instance-profile/MyProfile\n      ttl: 60\n      maxTtl: 120\n      tokenPolicies:\n        - default\n        - dev\n        - prod\n    options:\n      dependsOn:\n        - ${example}\n  exampleAuthBackendLogin:\n    type: vault:aws:AuthBackendLogin\n    name: example\n    properties:\n      backend: ${exampleVaultAuthBackend.path}\n      role: ${exampleAuthBackendRole.role}\n      identity: BASE64ENCODEDIDENTITYDOCUMENT\n      signature: BASE64ENCODEDSHA256IDENTITYDOCUMENTSIGNATURE\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"accessor":{"type":"string","description":"The token's accessor.\n"},"authType":{"type":"string","description":"The authentication type used to generate this token.\n"},"backend":{"type":"string","description":"The unique name of the AWS auth backend. Defaults to\n'aws'.\n"},"clientToken":{"type":"string","description":"The token returned by Vault.\n","secret":true},"iamHttpRequestMethod":{"type":"string","description":"The HTTP method used in the signed IAM\nrequest.\n"},"iamRequestBody":{"type":"string","description":"The base64-encoded body of the signed\nrequest.\n"},"iamRequestHeaders":{"type":"string","description":"The base64-encoded, JSON serialized\nrepresentation of the GetCallerIdentity HTTP request headers.\n"},"iamRequestUrl":{"type":"string","description":"The base64-encoded HTTP URL used in the signed\nrequest.\n"},"identity":{"type":"string","description":"The base64-encoded EC2 instance identity document to\nauthenticate with. Can be retrieved from the EC2 metadata server.\n"},"leaseDuration":{"type":"integer","description":"The duration in seconds the token will be valid, relative\nto the time in \u003cspan pulumi-lang-nodejs=\"`leaseStartTime`\" pulumi-lang-dotnet=\"`LeaseStartTime`\" pulumi-lang-go=\"`leaseStartTime`\" pulumi-lang-python=\"`lease_start_time`\" pulumi-lang-yaml=\"`leaseStartTime`\" pulumi-lang-java=\"`leaseStartTime`\"\u003e`lease_start_time`\u003c/span\u003e.\n"},"leaseStartTime":{"type":"string"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of information returned by the Vault server about the\nauthentication used to generate this token.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"nonce":{"type":"string","description":"The unique nonce to be used for login requests. Can be\nset to a user-specified value, or will contain the server-generated value\nonce a token is issued. EC2 instances can only acquire a single token until\nthe whitelist is tidied again unless they keep track of this nonce.\n"},"pkcs7":{"type":"string","description":"The PKCS#7 signature of the identity document to\nauthenticate with, with all newline characters removed. Can be retrieved from\nthe EC2 metadata server.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"The Vault policies assigned to this token.\n"},"renewable":{"type":"boolean","description":"Set to true if the token can be extended through renewal.\n"},"role":{"type":"string","description":"The name of the AWS auth backend role to create tokens\nagainst.\n"},"signature":{"type":"string","description":"The base64-encoded SHA256 RSA signature of the\ninstance identity document to authenticate with, with all newline characters\nremoved. Can be retrieved from the EC2 metadata server.\n"}},"required":["accessor","authType","clientToken","leaseDuration","leaseStartTime","metadata","nonce","policies","renewable","role"],"inputProperties":{"backend":{"type":"string","description":"The unique name of the AWS auth backend. Defaults to\n'aws'.\n","willReplaceOnChanges":true},"iamHttpRequestMethod":{"type":"string","description":"The HTTP method used in the signed IAM\nrequest.\n","willReplaceOnChanges":true},"iamRequestBody":{"type":"string","description":"The base64-encoded body of the signed\nrequest.\n","willReplaceOnChanges":true},"iamRequestHeaders":{"type":"string","description":"The base64-encoded, JSON serialized\nrepresentation of the GetCallerIdentity HTTP request headers.\n","willReplaceOnChanges":true},"iamRequestUrl":{"type":"string","description":"The base64-encoded HTTP URL used in the signed\nrequest.\n","willReplaceOnChanges":true},"identity":{"type":"string","description":"The base64-encoded EC2 instance identity document to\nauthenticate with. Can be retrieved from the EC2 metadata server.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"nonce":{"type":"string","description":"The unique nonce to be used for login requests. Can be\nset to a user-specified value, or will contain the server-generated value\nonce a token is issued. EC2 instances can only acquire a single token until\nthe whitelist is tidied again unless they keep track of this nonce.\n","willReplaceOnChanges":true},"pkcs7":{"type":"string","description":"The PKCS#7 signature of the identity document to\nauthenticate with, with all newline characters removed. Can be retrieved from\nthe EC2 metadata server.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"The name of the AWS auth backend role to create tokens\nagainst.\n","willReplaceOnChanges":true},"signature":{"type":"string","description":"The base64-encoded SHA256 RSA signature of the\ninstance identity document to authenticate with, with all newline characters\nremoved. Can be retrieved from the EC2 metadata server.\n","willReplaceOnChanges":true}},"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendLogin resources.\n","properties":{"accessor":{"type":"string","description":"The token's accessor.\n"},"authType":{"type":"string","description":"The authentication type used to generate this token.\n"},"backend":{"type":"string","description":"The unique name of the AWS auth backend. Defaults to\n'aws'.\n","willReplaceOnChanges":true},"clientToken":{"type":"string","description":"The token returned by Vault.\n","secret":true},"iamHttpRequestMethod":{"type":"string","description":"The HTTP method used in the signed IAM\nrequest.\n","willReplaceOnChanges":true},"iamRequestBody":{"type":"string","description":"The base64-encoded body of the signed\nrequest.\n","willReplaceOnChanges":true},"iamRequestHeaders":{"type":"string","description":"The base64-encoded, JSON serialized\nrepresentation of the GetCallerIdentity HTTP request headers.\n","willReplaceOnChanges":true},"iamRequestUrl":{"type":"string","description":"The base64-encoded HTTP URL used in the signed\nrequest.\n","willReplaceOnChanges":true},"identity":{"type":"string","description":"The base64-encoded EC2 instance identity document to\nauthenticate with. Can be retrieved from the EC2 metadata server.\n","willReplaceOnChanges":true},"leaseDuration":{"type":"integer","description":"The duration in seconds the token will be valid, relative\nto the time in \u003cspan pulumi-lang-nodejs=\"`leaseStartTime`\" pulumi-lang-dotnet=\"`LeaseStartTime`\" pulumi-lang-go=\"`leaseStartTime`\" pulumi-lang-python=\"`lease_start_time`\" pulumi-lang-yaml=\"`leaseStartTime`\" pulumi-lang-java=\"`leaseStartTime`\"\u003e`lease_start_time`\u003c/span\u003e.\n"},"leaseStartTime":{"type":"string"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of information returned by the Vault server about the\nauthentication used to generate this token.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"nonce":{"type":"string","description":"The unique nonce to be used for login requests. Can be\nset to a user-specified value, or will contain the server-generated value\nonce a token is issued. EC2 instances can only acquire a single token until\nthe whitelist is tidied again unless they keep track of this nonce.\n","willReplaceOnChanges":true},"pkcs7":{"type":"string","description":"The PKCS#7 signature of the identity document to\nauthenticate with, with all newline characters removed. Can be retrieved from\nthe EC2 metadata server.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"The Vault policies assigned to this token.\n"},"renewable":{"type":"boolean","description":"Set to true if the token can be extended through renewal.\n"},"role":{"type":"string","description":"The name of the AWS auth backend role to create tokens\nagainst.\n","willReplaceOnChanges":true},"signature":{"type":"string","description":"The base64-encoded SHA256 RSA signature of the\ninstance identity document to authenticate with, with all newline characters\nremoved. Can be retrieved from the EC2 metadata server.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:aws/authBackendRole:AuthBackendRole":{"description":"Manages an AWS auth backend role in a Vault server. Roles constrain the\ninstances or principals that can perform the login operation against the\nbackend. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/aws.html) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.AuthBackend(\"aws\", {type: \"aws\"});\nconst example = new vault.aws.AuthBackendRole(\"example\", {\n    backend: aws.path,\n    role: \"test-role\",\n    authType: \"iam\",\n    boundAmiIds: [\"ami-8c1be5f6\"],\n    boundAccountIds: [\"123456789012\"],\n    boundVpcIds: [\"vpc-b61106d4\"],\n    boundSubnetIds: [\"vpc-133128f1\"],\n    boundIamRoleArns: [\"arn:aws:iam::123456789012:role/MyRole\"],\n    boundIamInstanceProfileArns: [\"arn:aws:iam::123456789012:instance-profile/MyProfile\"],\n    inferredEntityType: \"ec2_instance\",\n    inferredAwsRegion: \"us-east-1\",\n    tokenTtl: 60,\n    tokenMaxTtl: 120,\n    tokenPolicies: [\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.AuthBackend(\"aws\", type=\"aws\")\nexample = vault.aws.AuthBackendRole(\"example\",\n    backend=aws.path,\n    role=\"test-role\",\n    auth_type=\"iam\",\n    bound_ami_ids=[\"ami-8c1be5f6\"],\n    bound_account_ids=[\"123456789012\"],\n    bound_vpc_ids=[\"vpc-b61106d4\"],\n    bound_subnet_ids=[\"vpc-133128f1\"],\n    bound_iam_role_arns=[\"arn:aws:iam::123456789012:role/MyRole\"],\n    bound_iam_instance_profile_arns=[\"arn:aws:iam::123456789012:instance-profile/MyProfile\"],\n    inferred_entity_type=\"ec2_instance\",\n    inferred_aws_region=\"us-east-1\",\n    token_ttl=60,\n    token_max_ttl=120,\n    token_policies=[\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.AuthBackend(\"aws\", new()\n    {\n        Type = \"aws\",\n    });\n\n    var example = new Vault.Aws.AuthBackendRole(\"example\", new()\n    {\n        Backend = aws.Path,\n        Role = \"test-role\",\n        AuthType = \"iam\",\n        BoundAmiIds = new[]\n        {\n            \"ami-8c1be5f6\",\n        },\n        BoundAccountIds = new[]\n        {\n            \"123456789012\",\n        },\n        BoundVpcIds = new[]\n        {\n            \"vpc-b61106d4\",\n        },\n        BoundSubnetIds = new[]\n        {\n            \"vpc-133128f1\",\n        },\n        BoundIamRoleArns = new[]\n        {\n            \"arn:aws:iam::123456789012:role/MyRole\",\n        },\n        BoundIamInstanceProfileArns = new[]\n        {\n            \"arn:aws:iam::123456789012:instance-profile/MyProfile\",\n        },\n        InferredEntityType = \"ec2_instance\",\n        InferredAwsRegion = \"us-east-1\",\n        TokenTtl = 60,\n        TokenMaxTtl = 120,\n        TokenPolicies = new[]\n        {\n            \"default\",\n            \"dev\",\n            \"prod\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\taws, err := vault.NewAuthBackend(ctx, \"aws\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"aws\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewAuthBackendRole(ctx, \"example\", \u0026aws.AuthBackendRoleArgs{\n\t\t\tBackend:  aws.Path,\n\t\t\tRole:     pulumi.String(\"test-role\"),\n\t\t\tAuthType: pulumi.String(\"iam\"),\n\t\t\tBoundAmiIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ami-8c1be5f6\"),\n\t\t\t},\n\t\t\tBoundAccountIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"123456789012\"),\n\t\t\t},\n\t\t\tBoundVpcIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"vpc-b61106d4\"),\n\t\t\t},\n\t\t\tBoundSubnetIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"vpc-133128f1\"),\n\t\t\t},\n\t\t\tBoundIamRoleArns: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"arn:aws:iam::123456789012:role/MyRole\"),\n\t\t\t},\n\t\t\tBoundIamInstanceProfileArns: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"arn:aws:iam::123456789012:instance-profile/MyProfile\"),\n\t\t\t},\n\t\t\tInferredEntityType: pulumi.String(\"ec2_instance\"),\n\t\t\tInferredAwsRegion:  pulumi.String(\"us-east-1\"),\n\t\t\tTokenTtl:           pulumi.Int(60),\n\t\t\tTokenMaxTtl:        pulumi.Int(120),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.aws.AuthBackendRole;\nimport com.pulumi.vault.aws.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new AuthBackend(\"aws\", AuthBackendArgs.builder()\n            .type(\"aws\")\n            .build());\n\n        var example = new AuthBackendRole(\"example\", AuthBackendRoleArgs.builder()\n            .backend(aws.path())\n            .role(\"test-role\")\n            .authType(\"iam\")\n            .boundAmiIds(\"ami-8c1be5f6\")\n            .boundAccountIds(\"123456789012\")\n            .boundVpcIds(\"vpc-b61106d4\")\n            .boundSubnetIds(\"vpc-133128f1\")\n            .boundIamRoleArns(\"arn:aws:iam::123456789012:role/MyRole\")\n            .boundIamInstanceProfileArns(\"arn:aws:iam::123456789012:instance-profile/MyProfile\")\n            .inferredEntityType(\"ec2_instance\")\n            .inferredAwsRegion(\"us-east-1\")\n            .tokenTtl(60)\n            .tokenMaxTtl(120)\n            .tokenPolicies(            \n                \"default\",\n                \"dev\",\n                \"prod\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:AuthBackend\n    properties:\n      type: aws\n  example:\n    type: vault:aws:AuthBackendRole\n    properties:\n      backend: ${aws.path}\n      role: test-role\n      authType: iam\n      boundAmiIds:\n        - ami-8c1be5f6\n      boundAccountIds:\n        - '123456789012'\n      boundVpcIds:\n        - vpc-b61106d4\n      boundSubnetIds:\n        - vpc-133128f1\n      boundIamRoleArns:\n        - arn:aws:iam::123456789012:role/MyRole\n      boundIamInstanceProfileArns:\n        - arn:aws:iam::123456789012:instance-profile/MyProfile\n      inferredEntityType: ec2_instance\n      inferredAwsRegion: us-east-1\n      tokenTtl: 60\n      tokenMaxTtl: 120\n      tokenPolicies:\n        - default\n        - dev\n        - prod\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAWS auth backend roles can be imported using `auth/`, the `backend` path, `/role/`, and the `role` name e.g.\n\n```sh\n$ pulumi import vault:aws/authBackendRole:AuthBackendRole example auth/aws/role/test-role\n```\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowInstanceMigration":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, allows migration of\nthe underlying instance where the client resides.\n"},"authType":{"type":"string","description":"The auth type permitted for this role. Valid choices\nare \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n"},"backend":{"type":"string","description":"Path to the mounted aws auth backend.\n"},"boundAccountIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2\ninstances that can perform the login operation that they should be using the\naccount ID specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundAmiIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2 instances\nthat can perform the login operation that they should be using the AMI ID\nspecified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundEc2InstanceIds":{"type":"array","items":{"type":"string"},"description":"Only EC2 instances that match this instance ID will be permitted to log in."},"boundIamInstanceProfileArns":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on\nthe EC2 instances that can perform the login operation that they must be\nassociated with an IAM instance profile ARN which has a prefix that matches\nthe value specified by this field. The value is prefix-matched as though it\nwere a glob ending in `*`. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundIamPrincipalArns":{"type":"array","items":{"type":"string"},"description":"If set, defines the IAM principal that\nmust be authenticated when \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e. Wildcards are\nsupported at the end of the ARN.\n"},"boundIamRoleArns":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2\ninstances that can perform the login operation that they must match the IAM\nrole ARN specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundRegions":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2 instances\nthat can perform the login operation that the region in their identity\ndocument must match the one specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set\nto \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this\nconstraint.\n"},"boundSubnetIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2\ninstances that can perform the login operation that they be associated with\nthe subnet ID that matches the value specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e\nmust be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e\nto use this constraint.\n"},"boundVpcIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2 instances\nthat can perform the login operation that they be associated with the VPC ID\nthat matches the value specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to\n\u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this\nconstraint.\n"},"disallowReauthentication":{"type":"boolean","description":"IF set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, only allows a\nsingle token to be granted per instance ID. This can only be set when\n\u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e.\n"},"inferredAwsRegion":{"type":"string","description":"When \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e is set, this\nis the region to search for the inferred entities. Required if\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e is set. This only applies when \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to\n\u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n"},"inferredEntityType":{"type":"string","description":"If set, instructs Vault to turn on\ninferencing. The only valid value is \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e, which instructs Vault to\ninfer that the role comes from an EC2 instance in an IAM instance profile.\nThis only applies when \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"resolveAwsUniqueIds":{"type":"boolean","description":"Only valid when\n\u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the \u003cspan pulumi-lang-nodejs=\"`boundIamPrincipalArns`\" pulumi-lang-dotnet=\"`BoundIamPrincipalArns`\" pulumi-lang-go=\"`boundIamPrincipalArns`\" pulumi-lang-python=\"`bound_iam_principal_arns`\" pulumi-lang-yaml=\"`boundIamPrincipalArns`\" pulumi-lang-java=\"`boundIamPrincipalArns`\"\u003e`bound_iam_principal_arns`\u003c/span\u003e are\nresolved to [AWS Unique\nIDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)\nfor the bound principal ARN. This field is ignored when a\n\u003cspan pulumi-lang-nodejs=\"`boundIamPrincipalArn`\" pulumi-lang-dotnet=\"`BoundIamPrincipalArn`\" pulumi-lang-go=\"`boundIamPrincipalArn`\" pulumi-lang-python=\"`bound_iam_principal_arn`\" pulumi-lang-yaml=\"`boundIamPrincipalArn`\" pulumi-lang-java=\"`boundIamPrincipalArn`\"\u003e`bound_iam_principal_arn`\u003c/span\u003e ends in a wildcard. Resolving to unique IDs more\nclosely mimics the behavior of AWS services in that if an IAM user or role is\ndeleted and a new one is recreated with the same name, those new users or\nroles won't get access to roles in Vault that were permissioned to the prior\nprincipals of the same name. Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\nOnce set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this cannot be changed to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e without recreating the role.\n"},"role":{"type":"string","description":"The name of the role.\n"},"roleId":{"type":"string","description":"The Vault generated role ID.\n"},"roleTag":{"type":"string","description":"If set, enable role tags for this role. The value set\nfor this field should be the key of the tag on the EC2 instance. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e\nmust be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e\nto use this constraint.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["role","roleId"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowInstanceMigration":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, allows migration of\nthe underlying instance where the client resides.\n"},"authType":{"type":"string","description":"The auth type permitted for this role. Valid choices\nare \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"Path to the mounted aws auth backend.\n","willReplaceOnChanges":true},"boundAccountIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2\ninstances that can perform the login operation that they should be using the\naccount ID specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundAmiIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2 instances\nthat can perform the login operation that they should be using the AMI ID\nspecified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundEc2InstanceIds":{"type":"array","items":{"type":"string"},"description":"Only EC2 instances that match this instance ID will be permitted to log in."},"boundIamInstanceProfileArns":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on\nthe EC2 instances that can perform the login operation that they must be\nassociated with an IAM instance profile ARN which has a prefix that matches\nthe value specified by this field. The value is prefix-matched as though it\nwere a glob ending in `*`. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundIamPrincipalArns":{"type":"array","items":{"type":"string"},"description":"If set, defines the IAM principal that\nmust be authenticated when \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e. Wildcards are\nsupported at the end of the ARN.\n"},"boundIamRoleArns":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2\ninstances that can perform the login operation that they must match the IAM\nrole ARN specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundRegions":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2 instances\nthat can perform the login operation that the region in their identity\ndocument must match the one specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set\nto \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this\nconstraint.\n"},"boundSubnetIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2\ninstances that can perform the login operation that they be associated with\nthe subnet ID that matches the value specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e\nmust be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e\nto use this constraint.\n"},"boundVpcIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2 instances\nthat can perform the login operation that they be associated with the VPC ID\nthat matches the value specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to\n\u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this\nconstraint.\n"},"disallowReauthentication":{"type":"boolean","description":"IF set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, only allows a\nsingle token to be granted per instance ID. This can only be set when\n\u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e.\n"},"inferredAwsRegion":{"type":"string","description":"When \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e is set, this\nis the region to search for the inferred entities. Required if\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e is set. This only applies when \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to\n\u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n"},"inferredEntityType":{"type":"string","description":"If set, instructs Vault to turn on\ninferencing. The only valid value is \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e, which instructs Vault to\ninfer that the role comes from an EC2 instance in an IAM instance profile.\nThis only applies when \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"resolveAwsUniqueIds":{"type":"boolean","description":"Only valid when\n\u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the \u003cspan pulumi-lang-nodejs=\"`boundIamPrincipalArns`\" pulumi-lang-dotnet=\"`BoundIamPrincipalArns`\" pulumi-lang-go=\"`boundIamPrincipalArns`\" pulumi-lang-python=\"`bound_iam_principal_arns`\" pulumi-lang-yaml=\"`boundIamPrincipalArns`\" pulumi-lang-java=\"`boundIamPrincipalArns`\"\u003e`bound_iam_principal_arns`\u003c/span\u003e are\nresolved to [AWS Unique\nIDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)\nfor the bound principal ARN. This field is ignored when a\n\u003cspan pulumi-lang-nodejs=\"`boundIamPrincipalArn`\" pulumi-lang-dotnet=\"`BoundIamPrincipalArn`\" pulumi-lang-go=\"`boundIamPrincipalArn`\" pulumi-lang-python=\"`bound_iam_principal_arn`\" pulumi-lang-yaml=\"`boundIamPrincipalArn`\" pulumi-lang-java=\"`boundIamPrincipalArn`\"\u003e`bound_iam_principal_arn`\u003c/span\u003e ends in a wildcard. Resolving to unique IDs more\nclosely mimics the behavior of AWS services in that if an IAM user or role is\ndeleted and a new one is recreated with the same name, those new users or\nroles won't get access to roles in Vault that were permissioned to the prior\nprincipals of the same name. Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\nOnce set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this cannot be changed to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e without recreating the role.\n"},"role":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"roleTag":{"type":"string","description":"If set, enable role tags for this role. The value set\nfor this field should be the key of the tag on the EC2 instance. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e\nmust be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e\nto use this constraint.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"requiredInputs":["role"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowInstanceMigration":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, allows migration of\nthe underlying instance where the client resides.\n"},"authType":{"type":"string","description":"The auth type permitted for this role. Valid choices\nare \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"Path to the mounted aws auth backend.\n","willReplaceOnChanges":true},"boundAccountIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2\ninstances that can perform the login operation that they should be using the\naccount ID specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundAmiIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2 instances\nthat can perform the login operation that they should be using the AMI ID\nspecified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundEc2InstanceIds":{"type":"array","items":{"type":"string"},"description":"Only EC2 instances that match this instance ID will be permitted to log in."},"boundIamInstanceProfileArns":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on\nthe EC2 instances that can perform the login operation that they must be\nassociated with an IAM instance profile ARN which has a prefix that matches\nthe value specified by this field. The value is prefix-matched as though it\nwere a glob ending in `*`. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundIamPrincipalArns":{"type":"array","items":{"type":"string"},"description":"If set, defines the IAM principal that\nmust be authenticated when \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e. Wildcards are\nsupported at the end of the ARN.\n"},"boundIamRoleArns":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2\ninstances that can perform the login operation that they must match the IAM\nrole ARN specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this constraint.\n"},"boundRegions":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2 instances\nthat can perform the login operation that the region in their identity\ndocument must match the one specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set\nto \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this\nconstraint.\n"},"boundSubnetIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2\ninstances that can perform the login operation that they be associated with\nthe subnet ID that matches the value specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e\nmust be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e\nto use this constraint.\n"},"boundVpcIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the EC2 instances\nthat can perform the login operation that they be associated with the VPC ID\nthat matches the value specified by this field. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e must be set to\n\u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e to use this\nconstraint.\n"},"disallowReauthentication":{"type":"boolean","description":"IF set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, only allows a\nsingle token to be granted per instance ID. This can only be set when\n\u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e.\n"},"inferredAwsRegion":{"type":"string","description":"When \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e is set, this\nis the region to search for the inferred entities. Required if\n\u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e is set. This only applies when \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to\n\u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n"},"inferredEntityType":{"type":"string","description":"If set, instructs Vault to turn on\ninferencing. The only valid value is \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e, which instructs Vault to\ninfer that the role comes from an EC2 instance in an IAM instance profile.\nThis only applies when \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"resolveAwsUniqueIds":{"type":"boolean","description":"Only valid when\n\u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the \u003cspan pulumi-lang-nodejs=\"`boundIamPrincipalArns`\" pulumi-lang-dotnet=\"`BoundIamPrincipalArns`\" pulumi-lang-go=\"`boundIamPrincipalArns`\" pulumi-lang-python=\"`bound_iam_principal_arns`\" pulumi-lang-yaml=\"`boundIamPrincipalArns`\" pulumi-lang-java=\"`boundIamPrincipalArns`\"\u003e`bound_iam_principal_arns`\u003c/span\u003e are\nresolved to [AWS Unique\nIDs](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids)\nfor the bound principal ARN. This field is ignored when a\n\u003cspan pulumi-lang-nodejs=\"`boundIamPrincipalArn`\" pulumi-lang-dotnet=\"`BoundIamPrincipalArn`\" pulumi-lang-go=\"`boundIamPrincipalArn`\" pulumi-lang-python=\"`bound_iam_principal_arn`\" pulumi-lang-yaml=\"`boundIamPrincipalArn`\" pulumi-lang-java=\"`boundIamPrincipalArn`\"\u003e`bound_iam_principal_arn`\u003c/span\u003e ends in a wildcard. Resolving to unique IDs more\nclosely mimics the behavior of AWS services in that if an IAM user or role is\ndeleted and a new one is recreated with the same name, those new users or\nroles won't get access to roles in Vault that were permissioned to the prior\nprincipals of the same name. Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\nOnce set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this cannot be changed to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e without recreating the role.\n"},"role":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"roleId":{"type":"string","description":"The Vault generated role ID.\n"},"roleTag":{"type":"string","description":"If set, enable role tags for this role. The value set\nfor this field should be the key of the tag on the EC2 instance. \u003cspan pulumi-lang-nodejs=\"`authType`\" pulumi-lang-dotnet=\"`AuthType`\" pulumi-lang-go=\"`authType`\" pulumi-lang-python=\"`auth_type`\" pulumi-lang-yaml=\"`authType`\" pulumi-lang-java=\"`authType`\"\u003e`auth_type`\u003c/span\u003e\nmust be set to \u003cspan pulumi-lang-nodejs=\"`ec2`\" pulumi-lang-dotnet=\"`Ec2`\" pulumi-lang-go=\"`ec2`\" pulumi-lang-python=\"`ec2`\" pulumi-lang-yaml=\"`ec2`\" pulumi-lang-java=\"`ec2`\"\u003e`ec2`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`inferredEntityType`\" pulumi-lang-dotnet=\"`InferredEntityType`\" pulumi-lang-go=\"`inferredEntityType`\" pulumi-lang-python=\"`inferred_entity_type`\" pulumi-lang-yaml=\"`inferredEntityType`\" pulumi-lang-java=\"`inferredEntityType`\"\u003e`inferred_entity_type`\u003c/span\u003e must be set to \u003cspan pulumi-lang-nodejs=\"`ec2Instance`\" pulumi-lang-dotnet=\"`Ec2Instance`\" pulumi-lang-go=\"`ec2Instance`\" pulumi-lang-python=\"`ec2_instance`\" pulumi-lang-yaml=\"`ec2Instance`\" pulumi-lang-java=\"`ec2Instance`\"\u003e`ec2_instance`\u003c/span\u003e\nto use this constraint.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:aws/authBackendRoleTag:AuthBackendRoleTag":{"description":"Reads role tag information from an AWS auth backend in Vault. \n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.AuthBackend(\"aws\", {\n    path: \"%s\",\n    type: \"aws\",\n});\nconst role = new vault.aws.AuthBackendRole(\"role\", {\n    backend: aws.path,\n    role: \"%s\",\n    authType: \"ec2\",\n    boundAccountId: \"123456789012\",\n    policies: [\n        \"dev\",\n        \"prod\",\n        \"qa\",\n        \"test\",\n    ],\n    roleTag: \"VaultRoleTag\",\n});\nconst test = new vault.aws.AuthBackendRoleTag(\"test\", {\n    backend: aws.path,\n    role: role.role,\n    policies: [\n        \"prod\",\n        \"dev\",\n        \"test\",\n    ],\n    maxTtl: \"1h\",\n    instanceId: \"i-1234567\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.AuthBackend(\"aws\",\n    path=\"%s\",\n    type=\"aws\")\nrole = vault.aws.AuthBackendRole(\"role\",\n    backend=aws.path,\n    role=\"%s\",\n    auth_type=\"ec2\",\n    bound_account_id=\"123456789012\",\n    policies=[\n        \"dev\",\n        \"prod\",\n        \"qa\",\n        \"test\",\n    ],\n    role_tag=\"VaultRoleTag\")\ntest = vault.aws.AuthBackendRoleTag(\"test\",\n    backend=aws.path,\n    role=role.role,\n    policies=[\n        \"prod\",\n        \"dev\",\n        \"test\",\n    ],\n    max_ttl=\"1h\",\n    instance_id=\"i-1234567\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.AuthBackend(\"aws\", new()\n    {\n        Path = \"%s\",\n        Type = \"aws\",\n    });\n\n    var role = new Vault.Aws.AuthBackendRole(\"role\", new()\n    {\n        Backend = aws.Path,\n        Role = \"%s\",\n        AuthType = \"ec2\",\n        BoundAccountId = \"123456789012\",\n        Policies = new[]\n        {\n            \"dev\",\n            \"prod\",\n            \"qa\",\n            \"test\",\n        },\n        RoleTag = \"VaultRoleTag\",\n    });\n\n    var test = new Vault.Aws.AuthBackendRoleTag(\"test\", new()\n    {\n        Backend = aws.Path,\n        Role = role.Role,\n        Policies = new[]\n        {\n            \"prod\",\n            \"dev\",\n            \"test\",\n        },\n        MaxTtl = \"1h\",\n        InstanceId = \"i-1234567\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\taws, err := vault.NewAuthBackend(ctx, \"aws\", \u0026vault.AuthBackendArgs{\n\t\t\tPath: pulumi.String(\"%s\"),\n\t\t\tType: pulumi.String(\"aws\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := aws.NewAuthBackendRole(ctx, \"role\", \u0026aws.AuthBackendRoleArgs{\n\t\t\tBackend:        aws.Path,\n\t\t\tRole:           pulumi.String(\"%s\"),\n\t\t\tAuthType:       pulumi.String(\"ec2\"),\n\t\t\tBoundAccountId: \"123456789012\",\n\t\t\tPolicies: []string{\n\t\t\t\t\"dev\",\n\t\t\t\t\"prod\",\n\t\t\t\t\"qa\",\n\t\t\t\t\"test\",\n\t\t\t},\n\t\t\tRoleTag: pulumi.String(\"VaultRoleTag\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewAuthBackendRoleTag(ctx, \"test\", \u0026aws.AuthBackendRoleTagArgs{\n\t\t\tBackend: aws.Path,\n\t\t\tRole:    role.Role,\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tMaxTtl:     pulumi.String(\"1h\"),\n\t\t\tInstanceId: pulumi.String(\"i-1234567\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.aws.AuthBackendRole;\nimport com.pulumi.vault.aws.AuthBackendRoleArgs;\nimport com.pulumi.vault.aws.AuthBackendRoleTag;\nimport com.pulumi.vault.aws.AuthBackendRoleTagArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new AuthBackend(\"aws\", AuthBackendArgs.builder()\n            .path(\"%s\")\n            .type(\"aws\")\n            .build());\n\n        var role = new AuthBackendRole(\"role\", AuthBackendRoleArgs.builder()\n            .backend(aws.path())\n            .role(\"%s\")\n            .authType(\"ec2\")\n            .boundAccountId(\"123456789012\")\n            .policies(List.of(            \n                \"dev\",\n                \"prod\",\n                \"qa\",\n                \"test\"))\n            .roleTag(\"VaultRoleTag\")\n            .build());\n\n        var test = new AuthBackendRoleTag(\"test\", AuthBackendRoleTagArgs.builder()\n            .backend(aws.path())\n            .role(role.role())\n            .policies(            \n                \"prod\",\n                \"dev\",\n                \"test\")\n            .maxTtl(\"1h\")\n            .instanceId(\"i-1234567\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:AuthBackend\n    properties:\n      path: '%s'\n      type: aws\n  role:\n    type: vault:aws:AuthBackendRole\n    properties:\n      backend: ${aws.path}\n      role: '%s'\n      authType: ec2\n      boundAccountId: '123456789012'\n      policies:\n        - dev\n        - prod\n        - qa\n        - test\n      roleTag: VaultRoleTag\n  test:\n    type: vault:aws:AuthBackendRoleTag\n    properties:\n      backend: ${aws.path}\n      role: ${role.role}\n      policies:\n        - prod\n        - dev\n        - test\n      maxTtl: 1h\n      instanceId: i-1234567\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"allowInstanceMigration":{"type":"boolean","description":"If set, allows migration of the underlying instances where the client resides. Use with caution.\n"},"backend":{"type":"string","description":"The path to the AWS auth backend to\nread role tags from, with no leading or trailing `/`s. Defaults to \"aws\".\n"},"disallowReauthentication":{"type":"boolean","description":"If set, only allows a single token to be granted per instance ID.\n"},"instanceId":{"type":"string","description":"Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID.\n"},"maxTtl":{"type":"string","description":"The maximum TTL of the tokens issued using this role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"The policies to be associated with the tag. Must be a subset of the policies associated with the role.\n"},"role":{"type":"string","description":"The name of the AWS auth backend role to read\nrole tags from, with no leading or trailing `/`s.\n"},"tagKey":{"type":"string","description":"The key of the role tag.\n"},"tagValue":{"type":"string","description":"The value to set the role key.\n"}},"required":["role","tagKey","tagValue"],"inputProperties":{"allowInstanceMigration":{"type":"boolean","description":"If set, allows migration of the underlying instances where the client resides. Use with caution.\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The path to the AWS auth backend to\nread role tags from, with no leading or trailing `/`s. Defaults to \"aws\".\n","willReplaceOnChanges":true},"disallowReauthentication":{"type":"boolean","description":"If set, only allows a single token to be granted per instance ID.\n","willReplaceOnChanges":true},"instanceId":{"type":"string","description":"Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID.\n","willReplaceOnChanges":true},"maxTtl":{"type":"string","description":"The maximum TTL of the tokens issued using this role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"The policies to be associated with the tag. Must be a subset of the policies associated with the role.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"The name of the AWS auth backend role to read\nrole tags from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true}},"requiredInputs":["role"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRoleTag resources.\n","properties":{"allowInstanceMigration":{"type":"boolean","description":"If set, allows migration of the underlying instances where the client resides. Use with caution.\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The path to the AWS auth backend to\nread role tags from, with no leading or trailing `/`s. Defaults to \"aws\".\n","willReplaceOnChanges":true},"disallowReauthentication":{"type":"boolean","description":"If set, only allows a single token to be granted per instance ID.\n","willReplaceOnChanges":true},"instanceId":{"type":"string","description":"Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID.\n","willReplaceOnChanges":true},"maxTtl":{"type":"string","description":"The maximum TTL of the tokens issued using this role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"The policies to be associated with the tag. Must be a subset of the policies associated with the role.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"The name of the AWS auth backend role to read\nrole tags from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"tagKey":{"type":"string","description":"The key of the role tag.\n"},"tagValue":{"type":"string","description":"The value to set the role key.\n"}},"type":"object"}},"vault:aws/authBackendRoletagBlacklist:AuthBackendRoletagBlacklist":{"description":"Configures the periodic tidying operation of the blacklisted role tag entries.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.AuthBackend(\"example\", {type: \"aws\"});\nconst exampleAuthBackendRoletagBlacklist = new vault.aws.AuthBackendRoletagBlacklist(\"example\", {\n    backend: example.path,\n    safetyBuffer: 360,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.AuthBackend(\"example\", type=\"aws\")\nexample_auth_backend_roletag_blacklist = vault.aws.AuthBackendRoletagBlacklist(\"example\",\n    backend=example.path,\n    safety_buffer=360)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.AuthBackend(\"example\", new()\n    {\n        Type = \"aws\",\n    });\n\n    var exampleAuthBackendRoletagBlacklist = new Vault.Aws.AuthBackendRoletagBlacklist(\"example\", new()\n    {\n        Backend = example.Path,\n        SafetyBuffer = 360,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := vault.NewAuthBackend(ctx, \"example\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"aws\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewAuthBackendRoletagBlacklist(ctx, \"example\", \u0026aws.AuthBackendRoletagBlacklistArgs{\n\t\t\tBackend:      example.Path,\n\t\t\tSafetyBuffer: pulumi.Int(360),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.aws.AuthBackendRoletagBlacklist;\nimport com.pulumi.vault.aws.AuthBackendRoletagBlacklistArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackend(\"example\", AuthBackendArgs.builder()\n            .type(\"aws\")\n            .build());\n\n        var exampleAuthBackendRoletagBlacklist = new AuthBackendRoletagBlacklist(\"exampleAuthBackendRoletagBlacklist\", AuthBackendRoletagBlacklistArgs.builder()\n            .backend(example.path())\n            .safetyBuffer(360)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:AuthBackend\n    properties:\n      type: aws\n  exampleAuthBackendRoletagBlacklist:\n    type: vault:aws:AuthBackendRoletagBlacklist\n    name: example\n    properties:\n      backend: ${example.path}\n      safetyBuffer: 360\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.\n"},"disablePeriodicTidy":{"type":"boolean","description":"If set to true, disables the periodic\ntidying of the roletag blacklist entries. Defaults to false.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"safetyBuffer":{"type":"integer","description":"The amount of extra time that must have passed\nbeyond the roletag expiration, before it is removed from the backend storage.\nDefaults to 259,200 seconds, or 72 hours.\n"}},"required":["backend"],"inputProperties":{"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.\n","willReplaceOnChanges":true},"disablePeriodicTidy":{"type":"boolean","description":"If set to true, disables the periodic\ntidying of the roletag blacklist entries. Defaults to false.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"safetyBuffer":{"type":"integer","description":"The amount of extra time that must have passed\nbeyond the roletag expiration, before it is removed from the backend storage.\nDefaults to 259,200 seconds, or 72 hours.\n"}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRoletagBlacklist resources.\n","properties":{"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.\n","willReplaceOnChanges":true},"disablePeriodicTidy":{"type":"boolean","description":"If set to true, disables the periodic\ntidying of the roletag blacklist entries. Defaults to false.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"safetyBuffer":{"type":"integer","description":"The amount of extra time that must have passed\nbeyond the roletag expiration, before it is removed from the backend storage.\nDefaults to 259,200 seconds, or 72 hours.\n"}},"type":"object"}},"vault:aws/authBackendStsRole:AuthBackendStsRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.AuthBackend(\"aws\", {type: \"aws\"});\nconst role = new vault.aws.AuthBackendStsRole(\"role\", {\n    backend: aws.path,\n    accountId: \"1234567890\",\n    stsRole: \"arn:aws:iam::1234567890:role/my-role\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.AuthBackend(\"aws\", type=\"aws\")\nrole = vault.aws.AuthBackendStsRole(\"role\",\n    backend=aws.path,\n    account_id=\"1234567890\",\n    sts_role=\"arn:aws:iam::1234567890:role/my-role\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.AuthBackend(\"aws\", new()\n    {\n        Type = \"aws\",\n    });\n\n    var role = new Vault.Aws.AuthBackendStsRole(\"role\", new()\n    {\n        Backend = aws.Path,\n        AccountId = \"1234567890\",\n        StsRole = \"arn:aws:iam::1234567890:role/my-role\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\taws, err := vault.NewAuthBackend(ctx, \"aws\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"aws\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewAuthBackendStsRole(ctx, \"role\", \u0026aws.AuthBackendStsRoleArgs{\n\t\t\tBackend:   aws.Path,\n\t\t\tAccountId: pulumi.String(\"1234567890\"),\n\t\t\tStsRole:   pulumi.String(\"arn:aws:iam::1234567890:role/my-role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.aws.AuthBackendStsRole;\nimport com.pulumi.vault.aws.AuthBackendStsRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new AuthBackend(\"aws\", AuthBackendArgs.builder()\n            .type(\"aws\")\n            .build());\n\n        var role = new AuthBackendStsRole(\"role\", AuthBackendStsRoleArgs.builder()\n            .backend(aws.path())\n            .accountId(\"1234567890\")\n            .stsRole(\"arn:aws:iam::1234567890:role/my-role\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:AuthBackend\n    properties:\n      type: aws\n  role:\n    type: vault:aws:AuthBackendStsRole\n    properties:\n      backend: ${aws.path}\n      accountId: '1234567890'\n      stsRole: arn:aws:iam::1234567890:role/my-role\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAWS auth backend STS roles can be imported using `auth/`, the `backend` path, `/config/sts/`, and the `account_id` e.g.\n\n```sh\n$ pulumi import vault:aws/authBackendStsRole:AuthBackendStsRole example auth/aws/config/sts/1234567890\n```\n","properties":{"accountId":{"type":"string","description":"The AWS account ID to configure the STS role for.\n"},"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n"},"externalId":{"type":"string","description":"External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"stsRole":{"type":"string","description":"The STS role to assume when verifying requests made\nby EC2 instances in the account specified by \u003cspan pulumi-lang-nodejs=\"`accountId`\" pulumi-lang-dotnet=\"`AccountId`\" pulumi-lang-go=\"`accountId`\" pulumi-lang-python=\"`account_id`\" pulumi-lang-yaml=\"`accountId`\" pulumi-lang-java=\"`accountId`\"\u003e`account_id`\u003c/span\u003e.\n"}},"required":["accountId","stsRole"],"inputProperties":{"accountId":{"type":"string","description":"The AWS account ID to configure the STS role for.\n"},"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n","willReplaceOnChanges":true},"externalId":{"type":"string","description":"External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"stsRole":{"type":"string","description":"The STS role to assume when verifying requests made\nby EC2 instances in the account specified by \u003cspan pulumi-lang-nodejs=\"`accountId`\" pulumi-lang-dotnet=\"`AccountId`\" pulumi-lang-go=\"`accountId`\" pulumi-lang-python=\"`account_id`\" pulumi-lang-yaml=\"`accountId`\" pulumi-lang-java=\"`accountId`\"\u003e`account_id`\u003c/span\u003e.\n"}},"requiredInputs":["accountId","stsRole"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendStsRole resources.\n","properties":{"accountId":{"type":"string","description":"The AWS account ID to configure the STS role for.\n"},"backend":{"type":"string","description":"The path the AWS auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n","willReplaceOnChanges":true},"externalId":{"type":"string","description":"External ID expected by the STS role. The associated STS role must be configured to require the external ID. Requires Vault 1.17+.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"stsRole":{"type":"string","description":"The STS role to assume when verifying requests made\nby EC2 instances in the account specified by \u003cspan pulumi-lang-nodejs=\"`accountId`\" pulumi-lang-dotnet=\"`AccountId`\" pulumi-lang-go=\"`accountId`\" pulumi-lang-python=\"`account_id`\" pulumi-lang-yaml=\"`accountId`\" pulumi-lang-java=\"`accountId`\"\u003e`account_id`\u003c/span\u003e.\n"}},"type":"object"}},"vault:aws/secretBackend:SecretBackend":{"description":"\n\n## Import\n\nAWS secret backends can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:aws/secretBackend:SecretBackend aws aws\n```\n","properties":{"accessKey":{"type":"string","description":"The AWS Access Key ID this backend should use to\nissue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.\n","secret":true},"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"iamEndpoint":{"type":"string","description":"Specifies a custom HTTP IAM endpoint to use.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value. Requires Vault 1.16+.\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds. Requires Vault 1.16+.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Specifies if the secret backend is local only"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"maxRetries":{"type":"integer","description":"Number of max retries the client should use for recoverable errors.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"region":{"type":"string","description":"The AWS region to make API calls against. Defaults to us-east-1."},"roleArn":{"type":"string","description":"Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential. \nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"secretKey":{"type":"string","description":"The AWS Secret Access Key to use when generating new credentials.","secret":true},"secretKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe AWS Secret Access Key to use when generating new credentials. This is a write-only field and will not be read back from Vault.","secret":true},"secretKeyWoVersion":{"type":"integer","description":"A version counter for the write-only\u003cspan pulumi-lang-nodejs=\" secretKeyWo \" pulumi-lang-dotnet=\" SecretKeyWo \" pulumi-lang-go=\" secretKeyWo \" pulumi-lang-python=\" secret_key_wo \" pulumi-lang-yaml=\" secretKeyWo \" pulumi-lang-java=\" secretKeyWo \"\u003e secret_key_wo \u003c/span\u003efield. Incrementing this value will trigger an update to the secret_key."},"stsEndpoint":{"type":"string","description":"Specifies a custom HTTP STS endpoint to use.\n"},"stsFallbackEndpoints":{"type":"array","items":{"type":"string"},"description":"Ordered list of \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003es to try if the defined one fails. Requires Vault 1.19+\n"},"stsFallbackRegions":{"type":"array","items":{"type":"string"},"description":"Ordered list of \u003cspan pulumi-lang-nodejs=\"`stsRegion`\" pulumi-lang-dotnet=\"`StsRegion`\" pulumi-lang-go=\"`stsRegion`\" pulumi-lang-python=\"`sts_region`\" pulumi-lang-yaml=\"`stsRegion`\" pulumi-lang-java=\"`stsRegion`\"\u003e`sts_region`\u003c/span\u003es matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+\n"},"stsRegion":{"type":"string","description":"Specifies the region of the STS endpoint. Should be included if \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003e is supplied. Requires Vault 1.19+\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:\n\n```\n{{ if (eq .Type \"STS\") }}\n{{ printf \"vault-%s-%s\" (unix_time) (random 20) | truncate 32 }}\n{{ else }}\n{{ printf \"vault-%s-%s-%s\" (printf \"%s-%s\" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}\n{{ end }}\n\n```\n"}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","defaultLeaseTtlSeconds","forceNoCache","identityTokenTtl","maxLeaseTtlSeconds","region","sealWrap","usernameTemplate"],"inputProperties":{"accessKey":{"type":"string","description":"The AWS Access Key ID this backend should use to\nissue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.\n","secret":true},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"iamEndpoint":{"type":"string","description":"Specifies a custom HTTP IAM endpoint to use.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value. Requires Vault 1.16+.\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds. Requires Vault 1.16+.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Specifies if the secret backend is local only","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"maxRetries":{"type":"integer","description":"Number of max retries the client should use for recoverable errors.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"region":{"type":"string","description":"The AWS region to make API calls against. Defaults to us-east-1."},"roleArn":{"type":"string","description":"Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential. \nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"secretKey":{"type":"string","description":"The AWS Secret Access Key to use when generating new credentials.","secret":true},"secretKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe AWS Secret Access Key to use when generating new credentials. This is a write-only field and will not be read back from Vault.","secret":true},"secretKeyWoVersion":{"type":"integer","description":"A version counter for the write-only\u003cspan pulumi-lang-nodejs=\" secretKeyWo \" pulumi-lang-dotnet=\" SecretKeyWo \" pulumi-lang-go=\" secretKeyWo \" pulumi-lang-python=\" secret_key_wo \" pulumi-lang-yaml=\" secretKeyWo \" pulumi-lang-java=\" secretKeyWo \"\u003e secret_key_wo \u003c/span\u003efield. Incrementing this value will trigger an update to the secret_key."},"stsEndpoint":{"type":"string","description":"Specifies a custom HTTP STS endpoint to use.\n"},"stsFallbackEndpoints":{"type":"array","items":{"type":"string"},"description":"Ordered list of \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003es to try if the defined one fails. Requires Vault 1.19+\n"},"stsFallbackRegions":{"type":"array","items":{"type":"string"},"description":"Ordered list of \u003cspan pulumi-lang-nodejs=\"`stsRegion`\" pulumi-lang-dotnet=\"`StsRegion`\" pulumi-lang-go=\"`stsRegion`\" pulumi-lang-python=\"`sts_region`\" pulumi-lang-yaml=\"`stsRegion`\" pulumi-lang-java=\"`stsRegion`\"\u003e`sts_region`\u003c/span\u003es matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+\n"},"stsRegion":{"type":"string","description":"Specifies the region of the STS endpoint. Should be included if \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003e is supplied. Requires Vault 1.19+\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:\n\n```\n{{ if (eq .Type \"STS\") }}\n{{ printf \"vault-%s-%s\" (unix_time) (random 20) | truncate 32 }}\n{{ else }}\n{{ printf \"vault-%s-%s-%s\" (printf \"%s-%s\" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}\n{{ end }}\n\n```\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"accessKey":{"type":"string","description":"The AWS Access Key ID this backend should use to\nissue new credentials. Vault uses the official AWS SDK to authenticate, and thus can also use standard AWS environment credentials, shared file credentials or IAM role/ECS task credentials.\n","secret":true},"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"iamEndpoint":{"type":"string","description":"Specifies a custom HTTP IAM endpoint to use.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value. Requires Vault 1.16+.\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds. Requires Vault 1.16+.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Specifies if the secret backend is local only","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"maxRetries":{"type":"integer","description":"Number of max retries the client should use for recoverable errors.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"region":{"type":"string","description":"The AWS region to make API calls against. Defaults to us-east-1."},"roleArn":{"type":"string","description":"Role ARN to assume for plugin identity token federation. Requires Vault 1.16+.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential. \nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"secretKey":{"type":"string","description":"The AWS Secret Access Key to use when generating new credentials.","secret":true},"secretKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe AWS Secret Access Key to use when generating new credentials. This is a write-only field and will not be read back from Vault.","secret":true},"secretKeyWoVersion":{"type":"integer","description":"A version counter for the write-only\u003cspan pulumi-lang-nodejs=\" secretKeyWo \" pulumi-lang-dotnet=\" SecretKeyWo \" pulumi-lang-go=\" secretKeyWo \" pulumi-lang-python=\" secret_key_wo \" pulumi-lang-yaml=\" secretKeyWo \" pulumi-lang-java=\" secretKeyWo \"\u003e secret_key_wo \u003c/span\u003efield. Incrementing this value will trigger an update to the secret_key."},"stsEndpoint":{"type":"string","description":"Specifies a custom HTTP STS endpoint to use.\n"},"stsFallbackEndpoints":{"type":"array","items":{"type":"string"},"description":"Ordered list of \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003es to try if the defined one fails. Requires Vault 1.19+\n"},"stsFallbackRegions":{"type":"array","items":{"type":"string"},"description":"Ordered list of \u003cspan pulumi-lang-nodejs=\"`stsRegion`\" pulumi-lang-dotnet=\"`StsRegion`\" pulumi-lang-go=\"`stsRegion`\" pulumi-lang-python=\"`sts_region`\" pulumi-lang-yaml=\"`stsRegion`\" pulumi-lang-java=\"`stsRegion`\"\u003e`sts_region`\u003c/span\u003es matching the fallback endpoints. Should correspond in order with those endpoints. Requires Vault 1.19+\n"},"stsRegion":{"type":"string","description":"Specifies the region of the STS endpoint. Should be included if \u003cspan pulumi-lang-nodejs=\"`stsEndpoint`\" pulumi-lang-dotnet=\"`StsEndpoint`\" pulumi-lang-go=\"`stsEndpoint`\" pulumi-lang-python=\"`sts_endpoint`\" pulumi-lang-yaml=\"`stsEndpoint`\" pulumi-lang-java=\"`stsEndpoint`\"\u003e`sts_endpoint`\u003c/span\u003e is supplied. Requires Vault 1.19+\n"},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters) and STS usernames (capped at 32 characters). If no template is provided the field defaults to the template:\n\n```\n{{ if (eq .Type \"STS\") }}\n{{ printf \"vault-%s-%s\" (unix_time) (random 20) | truncate 32 }}\n{{ else }}\n{{ printf \"vault-%s-%s-%s\" (printf \"%s-%s\" (.DisplayName) (.PolicyName) | truncate 42) (unix_time) (random 20) | truncate 64 }}\n{{ end }}\n\n```\n"}},"type":"object"}},"vault:aws/secretBackendRole:SecretBackendRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.aws.SecretBackend(\"aws\", {\n    accessKey: \"AKIA.....\",\n    secretKey: \"AWS secret key\",\n});\nconst role = new vault.aws.SecretBackendRole(\"role\", {\n    backend: aws.path,\n    name: \"deploy\",\n    credentialType: \"iam_user\",\n    policyDocument: `{\n  \\\\\"Version\\\\\": \\\\\"2012-10-17\\\\\",\n  \\\\\"Statement\\\\\": [\n    {\n      \\\\\"Effect\\\\\": \\\\\"Allow\\\\\",\n      \\\\\"Action\\\\\": \\\\\"iam:*\\\\\",\n      \\\\\"Resource\\\\\": \\\\\"*\\\\\"\n    }\n  ]\n}\n`,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.aws.SecretBackend(\"aws\",\n    access_key=\"AKIA.....\",\n    secret_key=\"AWS secret key\")\nrole = vault.aws.SecretBackendRole(\"role\",\n    backend=aws.path,\n    name=\"deploy\",\n    credential_type=\"iam_user\",\n    policy_document=\"\"\"{\n  \\\"Version\\\": \\\"2012-10-17\\\",\n  \\\"Statement\\\": [\n    {\n      \\\"Effect\\\": \\\"Allow\\\",\n      \\\"Action\\\": \\\"iam:*\\\",\n      \\\"Resource\\\": \\\"*\\\"\n    }\n  ]\n}\n\"\"\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.Aws.SecretBackend(\"aws\", new()\n    {\n        AccessKey = \"AKIA.....\",\n        SecretKey = \"AWS secret key\",\n    });\n\n    var role = new Vault.Aws.SecretBackendRole(\"role\", new()\n    {\n        Backend = aws.Path,\n        Name = \"deploy\",\n        CredentialType = \"iam_user\",\n        PolicyDocument = @\"{\n  \\\"\"Version\\\"\": \\\"\"2012-10-17\\\"\",\n  \\\"\"Statement\\\"\": [\n    {\n      \\\"\"Effect\\\"\": \\\"\"Allow\\\"\",\n      \\\"\"Action\\\"\": \\\"\"iam:*\\\"\",\n      \\\"\"Resource\\\"\": \\\"\"*\\\"\"\n    }\n  ]\n}\n\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\taws, err := aws.NewSecretBackend(ctx, \"aws\", \u0026aws.SecretBackendArgs{\n\t\t\tAccessKey: pulumi.String(\"AKIA.....\"),\n\t\t\tSecretKey: pulumi.String(\"AWS secret key\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewSecretBackendRole(ctx, \"role\", \u0026aws.SecretBackendRoleArgs{\n\t\t\tBackend:        aws.Path,\n\t\t\tName:           pulumi.String(\"deploy\"),\n\t\t\tCredentialType: pulumi.String(\"iam_user\"),\n\t\t\tPolicyDocument: pulumi.String(`{\n  \\\"Version\\\": \\\"2012-10-17\\\",\n  \\\"Statement\\\": [\n    {\n      \\\"Effect\\\": \\\"Allow\\\",\n      \\\"Action\\\": \\\"iam:*\\\",\n      \\\"Resource\\\": \\\"*\\\"\n    }\n  ]\n}\n`),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.aws.SecretBackend;\nimport com.pulumi.vault.aws.SecretBackendArgs;\nimport com.pulumi.vault.aws.SecretBackendRole;\nimport com.pulumi.vault.aws.SecretBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new SecretBackend(\"aws\", SecretBackendArgs.builder()\n            .accessKey(\"AKIA.....\")\n            .secretKey(\"AWS secret key\")\n            .build());\n\n        var role = new SecretBackendRole(\"role\", SecretBackendRoleArgs.builder()\n            .backend(aws.path())\n            .name(\"deploy\")\n            .credentialType(\"iam_user\")\n            .policyDocument(\"\"\"\n{\n  \\\"Version\\\": \\\"2012-10-17\\\",\n  \\\"Statement\\\": [\n    {\n      \\\"Effect\\\": \\\"Allow\\\",\n      \\\"Action\\\": \\\"iam:*\\\",\n      \\\"Resource\\\": \\\"*\\\"\n    }\n  ]\n}\n            \"\"\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:aws:SecretBackend\n    properties:\n      accessKey: AKIA.....\n      secretKey: AWS secret key\n  role:\n    type: vault:aws:SecretBackendRole\n    properties:\n      backend: ${aws.path}\n      name: deploy\n      credentialType: iam_user\n      policyDocument: |\n        {\n          \\\"Version\\\": \\\"2012-10-17\\\",\n          \\\"Statement\\\": [\n            {\n              \\\"Effect\\\": \\\"Allow\\\",\n              \\\"Action\\\": \\\"iam:*\\\",\n              \\\"Resource\\\": \\\"*\\\"\n            }\n          ]\n        }\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAWS secret backend roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:aws/secretBackendRole:SecretBackendRole role aws/roles/deploy\n```\n","properties":{"backend":{"type":"string","description":"The path the AWS secret backend is mounted at,\nwith no leading or trailing `/`s.\n"},"credentialType":{"type":"string","description":"Specifies the type of credential to be used when\nretrieving credentials from the role. Must be one of \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e, or\n\u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e.\n"},"defaultStsTtl":{"type":"integer","description":"The default TTL in seconds for STS credentials.\nWhen a TTL is not specified when STS credentials are requested,\nand a default TTL is specified on the role,\nthen this default TTL will be used. Valid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is one of\n\u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e.\n"},"externalId":{"type":"string","description":"External ID to set for assume role creds. \nValid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e.\n"},"iamGroups":{"type":"array","items":{"type":"string"},"description":"A list of IAM group names. IAM users generated\nagainst this vault role will be added to these IAM Groups. For a credential\ntype of \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, the policies sent to the\ncorresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the\npolicies from each group in \u003cspan pulumi-lang-nodejs=\"`iamGroups`\" pulumi-lang-dotnet=\"`IamGroups`\" pulumi-lang-go=\"`iamGroups`\" pulumi-lang-python=\"`iam_groups`\" pulumi-lang-yaml=\"`iamGroups`\" pulumi-lang-java=\"`iamGroups`\"\u003e`iam_groups`\u003c/span\u003e combined with the \u003cspan pulumi-lang-nodejs=\"`policyDocument`\" pulumi-lang-dotnet=\"`PolicyDocument`\" pulumi-lang-go=\"`policyDocument`\" pulumi-lang-python=\"`policy_document`\" pulumi-lang-yaml=\"`policyDocument`\" pulumi-lang-java=\"`policyDocument`\"\u003e`policy_document`\u003c/span\u003e\nand \u003cspan pulumi-lang-nodejs=\"`policyArns`\" pulumi-lang-dotnet=\"`PolicyArns`\" pulumi-lang-go=\"`policyArns`\" pulumi-lang-python=\"`policy_arns`\" pulumi-lang-yaml=\"`policyArns`\" pulumi-lang-java=\"`policyArns`\"\u003e`policy_arns`\u003c/span\u003e parameters.\n"},"iamTags":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of strings representing key/value pairs\nto be used as tags for any IAM user that is created by this role.\n"},"maxStsTtl":{"type":"integer","description":"The max allowed TTL in seconds for STS credentials\n(credentials TTL are capped to \u003cspan pulumi-lang-nodejs=\"`maxStsTtl`\" pulumi-lang-dotnet=\"`MaxStsTtl`\" pulumi-lang-go=\"`maxStsTtl`\" pulumi-lang-python=\"`max_sts_ttl`\" pulumi-lang-yaml=\"`maxStsTtl`\" pulumi-lang-java=\"`maxStsTtl`\"\u003e`max_sts_ttl`\u003c/span\u003e). Valid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is\none of \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e.\n"},"mfaSerialNumber":{"type":"string","description":"The ARN or hardware device number of the device configured to the IAM user for multi-factor authentication. Only required if the IAM user has an MFA device set up in AWS.\n"},"name":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"permissionsBoundaryArn":{"type":"string","description":"The ARN of the AWS Permissions \nBoundary to attach to IAM users created in the role. Valid only when\n\u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e. If not specified, then no permissions boundary\npolicy will be attached.\n"},"policyArns":{"type":"array","items":{"type":"string"},"description":"Specifies a list of AWS managed policy ARNs. The\nbehavior depends on the credential type. With \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e, the policies will be\nattached to IAM users when they are requested. With \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, the policy ARNs will act as a filter on what the credentials\ncan do, similar to \u003cspan pulumi-lang-nodejs=\"`policyDocument`\" pulumi-lang-dotnet=\"`PolicyDocument`\" pulumi-lang-go=\"`policyDocument`\" pulumi-lang-python=\"`policy_document`\" pulumi-lang-yaml=\"`policyDocument`\" pulumi-lang-java=\"`policyDocument`\"\u003e`policy_document`\u003c/span\u003e. When \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, at least one of \u003cspan pulumi-lang-nodejs=\"`policyDocument`\" pulumi-lang-dotnet=\"`PolicyDocument`\" pulumi-lang-go=\"`policyDocument`\" pulumi-lang-python=\"`policy_document`\" pulumi-lang-yaml=\"`policyDocument`\" pulumi-lang-java=\"`policyDocument`\"\u003e`policy_document`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`policyArns`\" pulumi-lang-dotnet=\"`PolicyArns`\" pulumi-lang-go=\"`policyArns`\" pulumi-lang-python=\"`policy_arns`\" pulumi-lang-yaml=\"`policyArns`\" pulumi-lang-java=\"`policyArns`\"\u003e`policy_arns`\u003c/span\u003e must\nbe specified.\n"},"policyDocument":{"type":"string","description":"The IAM policy document for the role. The\nbehavior depends on the credential type. With \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e, the policy document\nwill be attached to the IAM user generated and augment the permissions the IAM\nuser has. With \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, the policy document will\nact as a filter on what the credentials can do, similar to \u003cspan pulumi-lang-nodejs=\"`policyArns`\" pulumi-lang-dotnet=\"`PolicyArns`\" pulumi-lang-go=\"`policyArns`\" pulumi-lang-python=\"`policy_arns`\" pulumi-lang-yaml=\"`policyArns`\" pulumi-lang-java=\"`policyArns`\"\u003e`policy_arns`\u003c/span\u003e.\n"},"roleArns":{"type":"array","items":{"type":"string"},"description":"Specifies the ARNs of the AWS roles this Vault role\nis allowed to assume. Required when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e and\nprohibited otherwise.\n"},"sessionTags":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of strings representing key/value pairs to be set\nduring assume role creds creation. Valid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is set to\n\u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e.\n"},"userPath":{"type":"string","description":"The path for the user name. Valid only when \n\u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e. Default is `/`.\n"}},"required":["backend","credentialType","defaultStsTtl","maxStsTtl","name"],"inputProperties":{"backend":{"type":"string","description":"The path the AWS secret backend is mounted at,\nwith no leading or trailing `/`s.\n","willReplaceOnChanges":true},"credentialType":{"type":"string","description":"Specifies the type of credential to be used when\nretrieving credentials from the role. Must be one of \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e, or\n\u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e.\n"},"defaultStsTtl":{"type":"integer","description":"The default TTL in seconds for STS credentials.\nWhen a TTL is not specified when STS credentials are requested,\nand a default TTL is specified on the role,\nthen this default TTL will be used. Valid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is one of\n\u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e.\n"},"externalId":{"type":"string","description":"External ID to set for assume role creds. \nValid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e.\n"},"iamGroups":{"type":"array","items":{"type":"string"},"description":"A list of IAM group names. IAM users generated\nagainst this vault role will be added to these IAM Groups. For a credential\ntype of \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, the policies sent to the\ncorresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the\npolicies from each group in \u003cspan pulumi-lang-nodejs=\"`iamGroups`\" pulumi-lang-dotnet=\"`IamGroups`\" pulumi-lang-go=\"`iamGroups`\" pulumi-lang-python=\"`iam_groups`\" pulumi-lang-yaml=\"`iamGroups`\" pulumi-lang-java=\"`iamGroups`\"\u003e`iam_groups`\u003c/span\u003e combined with the \u003cspan pulumi-lang-nodejs=\"`policyDocument`\" pulumi-lang-dotnet=\"`PolicyDocument`\" pulumi-lang-go=\"`policyDocument`\" pulumi-lang-python=\"`policy_document`\" pulumi-lang-yaml=\"`policyDocument`\" pulumi-lang-java=\"`policyDocument`\"\u003e`policy_document`\u003c/span\u003e\nand \u003cspan pulumi-lang-nodejs=\"`policyArns`\" pulumi-lang-dotnet=\"`PolicyArns`\" pulumi-lang-go=\"`policyArns`\" pulumi-lang-python=\"`policy_arns`\" pulumi-lang-yaml=\"`policyArns`\" pulumi-lang-java=\"`policyArns`\"\u003e`policy_arns`\u003c/span\u003e parameters.\n"},"iamTags":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of strings representing key/value pairs\nto be used as tags for any IAM user that is created by this role.\n"},"maxStsTtl":{"type":"integer","description":"The max allowed TTL in seconds for STS credentials\n(credentials TTL are capped to \u003cspan pulumi-lang-nodejs=\"`maxStsTtl`\" pulumi-lang-dotnet=\"`MaxStsTtl`\" pulumi-lang-go=\"`maxStsTtl`\" pulumi-lang-python=\"`max_sts_ttl`\" pulumi-lang-yaml=\"`maxStsTtl`\" pulumi-lang-java=\"`maxStsTtl`\"\u003e`max_sts_ttl`\u003c/span\u003e). Valid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is\none of \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e.\n"},"mfaSerialNumber":{"type":"string","description":"The ARN or hardware device number of the device configured to the IAM user for multi-factor authentication. Only required if the IAM user has an MFA device set up in AWS.\n"},"name":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"permissionsBoundaryArn":{"type":"string","description":"The ARN of the AWS Permissions \nBoundary to attach to IAM users created in the role. Valid only when\n\u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e. If not specified, then no permissions boundary\npolicy will be attached.\n"},"policyArns":{"type":"array","items":{"type":"string"},"description":"Specifies a list of AWS managed policy ARNs. The\nbehavior depends on the credential type. With \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e, the policies will be\nattached to IAM users when they are requested. With \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, the policy ARNs will act as a filter on what the credentials\ncan do, similar to \u003cspan pulumi-lang-nodejs=\"`policyDocument`\" pulumi-lang-dotnet=\"`PolicyDocument`\" pulumi-lang-go=\"`policyDocument`\" pulumi-lang-python=\"`policy_document`\" pulumi-lang-yaml=\"`policyDocument`\" pulumi-lang-java=\"`policyDocument`\"\u003e`policy_document`\u003c/span\u003e. When \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, at least one of \u003cspan pulumi-lang-nodejs=\"`policyDocument`\" pulumi-lang-dotnet=\"`PolicyDocument`\" pulumi-lang-go=\"`policyDocument`\" pulumi-lang-python=\"`policy_document`\" pulumi-lang-yaml=\"`policyDocument`\" pulumi-lang-java=\"`policyDocument`\"\u003e`policy_document`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`policyArns`\" pulumi-lang-dotnet=\"`PolicyArns`\" pulumi-lang-go=\"`policyArns`\" pulumi-lang-python=\"`policy_arns`\" pulumi-lang-yaml=\"`policyArns`\" pulumi-lang-java=\"`policyArns`\"\u003e`policy_arns`\u003c/span\u003e must\nbe specified.\n"},"policyDocument":{"type":"string","description":"The IAM policy document for the role. The\nbehavior depends on the credential type. With \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e, the policy document\nwill be attached to the IAM user generated and augment the permissions the IAM\nuser has. With \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, the policy document will\nact as a filter on what the credentials can do, similar to \u003cspan pulumi-lang-nodejs=\"`policyArns`\" pulumi-lang-dotnet=\"`PolicyArns`\" pulumi-lang-go=\"`policyArns`\" pulumi-lang-python=\"`policy_arns`\" pulumi-lang-yaml=\"`policyArns`\" pulumi-lang-java=\"`policyArns`\"\u003e`policy_arns`\u003c/span\u003e.\n"},"roleArns":{"type":"array","items":{"type":"string"},"description":"Specifies the ARNs of the AWS roles this Vault role\nis allowed to assume. Required when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e and\nprohibited otherwise.\n","willReplaceOnChanges":true},"sessionTags":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of strings representing key/value pairs to be set\nduring assume role creds creation. Valid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is set to\n\u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e.\n"},"userPath":{"type":"string","description":"The path for the user name. Valid only when \n\u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e. Default is `/`.\n"}},"requiredInputs":["backend","credentialType"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendRole resources.\n","properties":{"backend":{"type":"string","description":"The path the AWS secret backend is mounted at,\nwith no leading or trailing `/`s.\n","willReplaceOnChanges":true},"credentialType":{"type":"string","description":"Specifies the type of credential to be used when\nretrieving credentials from the role. Must be one of \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e, or\n\u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e.\n"},"defaultStsTtl":{"type":"integer","description":"The default TTL in seconds for STS credentials.\nWhen a TTL is not specified when STS credentials are requested,\nand a default TTL is specified on the role,\nthen this default TTL will be used. Valid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is one of\n\u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e.\n"},"externalId":{"type":"string","description":"External ID to set for assume role creds. \nValid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e.\n"},"iamGroups":{"type":"array","items":{"type":"string"},"description":"A list of IAM group names. IAM users generated\nagainst this vault role will be added to these IAM Groups. For a credential\ntype of \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, the policies sent to the\ncorresponding AWS call (sts:AssumeRole or sts:GetFederation) will be the\npolicies from each group in \u003cspan pulumi-lang-nodejs=\"`iamGroups`\" pulumi-lang-dotnet=\"`IamGroups`\" pulumi-lang-go=\"`iamGroups`\" pulumi-lang-python=\"`iam_groups`\" pulumi-lang-yaml=\"`iamGroups`\" pulumi-lang-java=\"`iamGroups`\"\u003e`iam_groups`\u003c/span\u003e combined with the \u003cspan pulumi-lang-nodejs=\"`policyDocument`\" pulumi-lang-dotnet=\"`PolicyDocument`\" pulumi-lang-go=\"`policyDocument`\" pulumi-lang-python=\"`policy_document`\" pulumi-lang-yaml=\"`policyDocument`\" pulumi-lang-java=\"`policyDocument`\"\u003e`policy_document`\u003c/span\u003e\nand \u003cspan pulumi-lang-nodejs=\"`policyArns`\" pulumi-lang-dotnet=\"`PolicyArns`\" pulumi-lang-go=\"`policyArns`\" pulumi-lang-python=\"`policy_arns`\" pulumi-lang-yaml=\"`policyArns`\" pulumi-lang-java=\"`policyArns`\"\u003e`policy_arns`\u003c/span\u003e parameters.\n"},"iamTags":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of strings representing key/value pairs\nto be used as tags for any IAM user that is created by this role.\n"},"maxStsTtl":{"type":"integer","description":"The max allowed TTL in seconds for STS credentials\n(credentials TTL are capped to \u003cspan pulumi-lang-nodejs=\"`maxStsTtl`\" pulumi-lang-dotnet=\"`MaxStsTtl`\" pulumi-lang-go=\"`maxStsTtl`\" pulumi-lang-python=\"`max_sts_ttl`\" pulumi-lang-yaml=\"`maxStsTtl`\" pulumi-lang-java=\"`maxStsTtl`\"\u003e`max_sts_ttl`\u003c/span\u003e). Valid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is\none of \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e.\n"},"mfaSerialNumber":{"type":"string","description":"The ARN or hardware device number of the device configured to the IAM user for multi-factor authentication. Only required if the IAM user has an MFA device set up in AWS.\n"},"name":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"permissionsBoundaryArn":{"type":"string","description":"The ARN of the AWS Permissions \nBoundary to attach to IAM users created in the role. Valid only when\n\u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e. If not specified, then no permissions boundary\npolicy will be attached.\n"},"policyArns":{"type":"array","items":{"type":"string"},"description":"Specifies a list of AWS managed policy ARNs. The\nbehavior depends on the credential type. With \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e, the policies will be\nattached to IAM users when they are requested. With \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, the policy ARNs will act as a filter on what the credentials\ncan do, similar to \u003cspan pulumi-lang-nodejs=\"`policyDocument`\" pulumi-lang-dotnet=\"`PolicyDocument`\" pulumi-lang-go=\"`policyDocument`\" pulumi-lang-python=\"`policy_document`\" pulumi-lang-yaml=\"`policyDocument`\" pulumi-lang-java=\"`policyDocument`\"\u003e`policy_document`\u003c/span\u003e. When \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e or\n\u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, at least one of \u003cspan pulumi-lang-nodejs=\"`policyDocument`\" pulumi-lang-dotnet=\"`PolicyDocument`\" pulumi-lang-go=\"`policyDocument`\" pulumi-lang-python=\"`policy_document`\" pulumi-lang-yaml=\"`policyDocument`\" pulumi-lang-java=\"`policyDocument`\"\u003e`policy_document`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`policyArns`\" pulumi-lang-dotnet=\"`PolicyArns`\" pulumi-lang-go=\"`policyArns`\" pulumi-lang-python=\"`policy_arns`\" pulumi-lang-yaml=\"`policyArns`\" pulumi-lang-java=\"`policyArns`\"\u003e`policy_arns`\u003c/span\u003e must\nbe specified.\n"},"policyDocument":{"type":"string","description":"The IAM policy document for the role. The\nbehavior depends on the credential type. With \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e, the policy document\nwill be attached to the IAM user generated and augment the permissions the IAM\nuser has. With \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e, the policy document will\nact as a filter on what the credentials can do, similar to \u003cspan pulumi-lang-nodejs=\"`policyArns`\" pulumi-lang-dotnet=\"`PolicyArns`\" pulumi-lang-go=\"`policyArns`\" pulumi-lang-python=\"`policy_arns`\" pulumi-lang-yaml=\"`policyArns`\" pulumi-lang-java=\"`policyArns`\"\u003e`policy_arns`\u003c/span\u003e.\n"},"roleArns":{"type":"array","items":{"type":"string"},"description":"Specifies the ARNs of the AWS roles this Vault role\nis allowed to assume. Required when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e and\nprohibited otherwise.\n","willReplaceOnChanges":true},"sessionTags":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of strings representing key/value pairs to be set\nduring assume role creds creation. Valid only when \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is set to\n\u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e.\n"},"userPath":{"type":"string","description":"The path for the user name. Valid only when \n\u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iamUser`\" pulumi-lang-dotnet=\"`IamUser`\" pulumi-lang-go=\"`iamUser`\" pulumi-lang-python=\"`iam_user`\" pulumi-lang-yaml=\"`iamUser`\" pulumi-lang-java=\"`iamUser`\"\u003e`iam_user`\u003c/span\u003e. Default is `/`.\n"}},"type":"object"}},"vault:aws/secretBackendStaticRole:SecretBackendStaticRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.aws.SecretBackend(\"aws\", {\n    path: \"my-aws\",\n    description: \"Obtain AWS credentials.\",\n});\nconst role = new vault.aws.SecretBackendStaticRole(\"role\", {\n    backend: aws.path,\n    name: \"test\",\n    username: \"my-test-user\",\n    rotationPeriod: 3600,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.aws.SecretBackend(\"aws\",\n    path=\"my-aws\",\n    description=\"Obtain AWS credentials.\")\nrole = vault.aws.SecretBackendStaticRole(\"role\",\n    backend=aws.path,\n    name=\"test\",\n    username=\"my-test-user\",\n    rotation_period=3600)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.Aws.SecretBackend(\"aws\", new()\n    {\n        Path = \"my-aws\",\n        Description = \"Obtain AWS credentials.\",\n    });\n\n    var role = new Vault.Aws.SecretBackendStaticRole(\"role\", new()\n    {\n        Backend = aws.Path,\n        Name = \"test\",\n        Username = \"my-test-user\",\n        RotationPeriod = 3600,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\taws, err := aws.NewSecretBackend(ctx, \"aws\", \u0026aws.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"my-aws\"),\n\t\t\tDescription: pulumi.String(\"Obtain AWS credentials.\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewSecretBackendStaticRole(ctx, \"role\", \u0026aws.SecretBackendStaticRoleArgs{\n\t\t\tBackend:        aws.Path,\n\t\t\tName:           pulumi.String(\"test\"),\n\t\t\tUsername:       pulumi.String(\"my-test-user\"),\n\t\t\tRotationPeriod: pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.aws.SecretBackend;\nimport com.pulumi.vault.aws.SecretBackendArgs;\nimport com.pulumi.vault.aws.SecretBackendStaticRole;\nimport com.pulumi.vault.aws.SecretBackendStaticRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new SecretBackend(\"aws\", SecretBackendArgs.builder()\n            .path(\"my-aws\")\n            .description(\"Obtain AWS credentials.\")\n            .build());\n\n        var role = new SecretBackendStaticRole(\"role\", SecretBackendStaticRoleArgs.builder()\n            .backend(aws.path())\n            .name(\"test\")\n            .username(\"my-test-user\")\n            .rotationPeriod(3600)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:aws:SecretBackend\n    properties:\n      path: my-aws\n      description: Obtain AWS credentials.\n  role:\n    type: vault:aws:SecretBackendStaticRole\n    properties:\n      backend: ${aws.path}\n      name: test\n      username: my-test-user\n      rotationPeriod: '3600'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.aws.SecretBackend(\"aws\", {\n    path: \"my-aws\",\n    description: \"Obtain AWS credentials.\",\n});\nconst assume_role = new vault.aws.SecretBackendStaticRole(\"assume-role\", {\n    backend: aws.path,\n    name: \"assume-role-test\",\n    username: \"my-assume-role-user\",\n    assumeRoleArn: \"arn:aws:iam::123456789012:role/assume-role\",\n    assumeRoleSessionName: \"assume-role-session\",\n    externalId: \"test-id\",\n    rotationPeriod: 3600,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.aws.SecretBackend(\"aws\",\n    path=\"my-aws\",\n    description=\"Obtain AWS credentials.\")\nassume_role = vault.aws.SecretBackendStaticRole(\"assume-role\",\n    backend=aws.path,\n    name=\"assume-role-test\",\n    username=\"my-assume-role-user\",\n    assume_role_arn=\"arn:aws:iam::123456789012:role/assume-role\",\n    assume_role_session_name=\"assume-role-session\",\n    external_id=\"test-id\",\n    rotation_period=3600)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.Aws.SecretBackend(\"aws\", new()\n    {\n        Path = \"my-aws\",\n        Description = \"Obtain AWS credentials.\",\n    });\n\n    var assume_role = new Vault.Aws.SecretBackendStaticRole(\"assume-role\", new()\n    {\n        Backend = aws.Path,\n        Name = \"assume-role-test\",\n        Username = \"my-assume-role-user\",\n        AssumeRoleArn = \"arn:aws:iam::123456789012:role/assume-role\",\n        AssumeRoleSessionName = \"assume-role-session\",\n        ExternalId = \"test-id\",\n        RotationPeriod = 3600,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\taws, err := aws.NewSecretBackend(ctx, \"aws\", \u0026aws.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"my-aws\"),\n\t\t\tDescription: pulumi.String(\"Obtain AWS credentials.\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = aws.NewSecretBackendStaticRole(ctx, \"assume-role\", \u0026aws.SecretBackendStaticRoleArgs{\n\t\t\tBackend:               aws.Path,\n\t\t\tName:                  pulumi.String(\"assume-role-test\"),\n\t\t\tUsername:              pulumi.String(\"my-assume-role-user\"),\n\t\t\tAssumeRoleArn:         pulumi.String(\"arn:aws:iam::123456789012:role/assume-role\"),\n\t\t\tAssumeRoleSessionName: pulumi.String(\"assume-role-session\"),\n\t\t\tExternalId:            pulumi.String(\"test-id\"),\n\t\t\tRotationPeriod:        pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.aws.SecretBackend;\nimport com.pulumi.vault.aws.SecretBackendArgs;\nimport com.pulumi.vault.aws.SecretBackendStaticRole;\nimport com.pulumi.vault.aws.SecretBackendStaticRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new SecretBackend(\"aws\", SecretBackendArgs.builder()\n            .path(\"my-aws\")\n            .description(\"Obtain AWS credentials.\")\n            .build());\n\n        var assume_role = new SecretBackendStaticRole(\"assume-role\", SecretBackendStaticRoleArgs.builder()\n            .backend(aws.path())\n            .name(\"assume-role-test\")\n            .username(\"my-assume-role-user\")\n            .assumeRoleArn(\"arn:aws:iam::123456789012:role/assume-role\")\n            .assumeRoleSessionName(\"assume-role-session\")\n            .externalId(\"test-id\")\n            .rotationPeriod(3600)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:aws:SecretBackend\n    properties:\n      path: my-aws\n      description: Obtain AWS credentials.\n  assume-role:\n    type: vault:aws:SecretBackendStaticRole\n    properties:\n      backend: ${aws.path}\n      name: assume-role-test\n      username: my-assume-role-user\n      assumeRoleArn: arn:aws:iam::123456789012:role/assume-role\n      assumeRoleSessionName: assume-role-session\n      externalId: test-id\n      rotationPeriod: '3600'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAWS secret backend static role can be imported using the full path to the role\nof the form: `\u003cmount_path\u003e/static-roles/\u003crole_name\u003e` e.g.\n\n```sh\n$ pulumi import vault:aws/secretBackendStaticRole:SecretBackendStaticRole role aws/static-roles/example-role\n```\n","properties":{"assumeRoleArn":{"type":"string","description":"Specifies the ARN of the role that Vault should assume.\nWhen provided, Vault will use AWS STS to assume this role and generate temporary credentials.\nIf \u003cspan pulumi-lang-nodejs=\"`assumeRoleArn`\" pulumi-lang-dotnet=\"`AssumeRoleArn`\" pulumi-lang-go=\"`assumeRoleArn`\" pulumi-lang-python=\"`assume_role_arn`\" pulumi-lang-yaml=\"`assumeRoleArn`\" pulumi-lang-java=\"`assumeRoleArn`\"\u003e`assume_role_arn`\u003c/span\u003e is provided, \u003cspan pulumi-lang-nodejs=\"`assumeRoleSessionName`\" pulumi-lang-dotnet=\"`AssumeRoleSessionName`\" pulumi-lang-go=\"`assumeRoleSessionName`\" pulumi-lang-python=\"`assume_role_session_name`\" pulumi-lang-yaml=\"`assumeRoleSessionName`\" pulumi-lang-java=\"`assumeRoleSessionName`\"\u003e`assume_role_session_name`\u003c/span\u003e must also be provided.\nRequires Vault 1.19+. *Available only for Vault Enterprise*.\n"},"assumeRoleSessionName":{"type":"string","description":"Specifies the session name to use when assuming the role.\nIf \u003cspan pulumi-lang-nodejs=\"`assumeRoleSessionName`\" pulumi-lang-dotnet=\"`AssumeRoleSessionName`\" pulumi-lang-go=\"`assumeRoleSessionName`\" pulumi-lang-python=\"`assume_role_session_name`\" pulumi-lang-yaml=\"`assumeRoleSessionName`\" pulumi-lang-java=\"`assumeRoleSessionName`\"\u003e`assume_role_session_name`\u003c/span\u003e is provided, \u003cspan pulumi-lang-nodejs=\"`assumeRoleArn`\" pulumi-lang-dotnet=\"`AssumeRoleArn`\" pulumi-lang-go=\"`assumeRoleArn`\" pulumi-lang-python=\"`assume_role_arn`\" pulumi-lang-yaml=\"`assumeRoleArn`\" pulumi-lang-java=\"`assumeRoleArn`\"\u003e`assume_role_arn`\u003c/span\u003e must also be provided.\nRequires Vault 1.19+. *Available only for Vault Enterprise*.\n"},"backend":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e\n"},"externalId":{"type":"string","description":"Specifies the external ID to use when assuming the role.\nRequires Vault 1.19+. *Available only for Vault Enterprise*.\n"},"name":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"rotationPeriod":{"type":"integer","description":"How often Vault should rotate the password of the user entry.\n"},"username":{"type":"string","description":"The username of the existing AWS IAM to manage password rotation for.\n"}},"required":["name","rotationPeriod","username"],"inputProperties":{"assumeRoleArn":{"type":"string","description":"Specifies the ARN of the role that Vault should assume.\nWhen provided, Vault will use AWS STS to assume this role and generate temporary credentials.\nIf \u003cspan pulumi-lang-nodejs=\"`assumeRoleArn`\" pulumi-lang-dotnet=\"`AssumeRoleArn`\" pulumi-lang-go=\"`assumeRoleArn`\" pulumi-lang-python=\"`assume_role_arn`\" pulumi-lang-yaml=\"`assumeRoleArn`\" pulumi-lang-java=\"`assumeRoleArn`\"\u003e`assume_role_arn`\u003c/span\u003e is provided, \u003cspan pulumi-lang-nodejs=\"`assumeRoleSessionName`\" pulumi-lang-dotnet=\"`AssumeRoleSessionName`\" pulumi-lang-go=\"`assumeRoleSessionName`\" pulumi-lang-python=\"`assume_role_session_name`\" pulumi-lang-yaml=\"`assumeRoleSessionName`\" pulumi-lang-java=\"`assumeRoleSessionName`\"\u003e`assume_role_session_name`\u003c/span\u003e must also be provided.\nRequires Vault 1.19+. *Available only for Vault Enterprise*.\n"},"assumeRoleSessionName":{"type":"string","description":"Specifies the session name to use when assuming the role.\nIf \u003cspan pulumi-lang-nodejs=\"`assumeRoleSessionName`\" pulumi-lang-dotnet=\"`AssumeRoleSessionName`\" pulumi-lang-go=\"`assumeRoleSessionName`\" pulumi-lang-python=\"`assume_role_session_name`\" pulumi-lang-yaml=\"`assumeRoleSessionName`\" pulumi-lang-java=\"`assumeRoleSessionName`\"\u003e`assume_role_session_name`\u003c/span\u003e is provided, \u003cspan pulumi-lang-nodejs=\"`assumeRoleArn`\" pulumi-lang-dotnet=\"`AssumeRoleArn`\" pulumi-lang-go=\"`assumeRoleArn`\" pulumi-lang-python=\"`assume_role_arn`\" pulumi-lang-yaml=\"`assumeRoleArn`\" pulumi-lang-java=\"`assumeRoleArn`\"\u003e`assume_role_arn`\u003c/span\u003e must also be provided.\nRequires Vault 1.19+. *Available only for Vault Enterprise*.\n"},"backend":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e\n"},"externalId":{"type":"string","description":"Specifies the external ID to use when assuming the role.\nRequires Vault 1.19+. *Available only for Vault Enterprise*.\n"},"name":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"rotationPeriod":{"type":"integer","description":"How often Vault should rotate the password of the user entry.\n"},"username":{"type":"string","description":"The username of the existing AWS IAM to manage password rotation for.\n","willReplaceOnChanges":true}},"requiredInputs":["rotationPeriod","username"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendStaticRole resources.\n","properties":{"assumeRoleArn":{"type":"string","description":"Specifies the ARN of the role that Vault should assume.\nWhen provided, Vault will use AWS STS to assume this role and generate temporary credentials.\nIf \u003cspan pulumi-lang-nodejs=\"`assumeRoleArn`\" pulumi-lang-dotnet=\"`AssumeRoleArn`\" pulumi-lang-go=\"`assumeRoleArn`\" pulumi-lang-python=\"`assume_role_arn`\" pulumi-lang-yaml=\"`assumeRoleArn`\" pulumi-lang-java=\"`assumeRoleArn`\"\u003e`assume_role_arn`\u003c/span\u003e is provided, \u003cspan pulumi-lang-nodejs=\"`assumeRoleSessionName`\" pulumi-lang-dotnet=\"`AssumeRoleSessionName`\" pulumi-lang-go=\"`assumeRoleSessionName`\" pulumi-lang-python=\"`assume_role_session_name`\" pulumi-lang-yaml=\"`assumeRoleSessionName`\" pulumi-lang-java=\"`assumeRoleSessionName`\"\u003e`assume_role_session_name`\u003c/span\u003e must also be provided.\nRequires Vault 1.19+. *Available only for Vault Enterprise*.\n"},"assumeRoleSessionName":{"type":"string","description":"Specifies the session name to use when assuming the role.\nIf \u003cspan pulumi-lang-nodejs=\"`assumeRoleSessionName`\" pulumi-lang-dotnet=\"`AssumeRoleSessionName`\" pulumi-lang-go=\"`assumeRoleSessionName`\" pulumi-lang-python=\"`assume_role_session_name`\" pulumi-lang-yaml=\"`assumeRoleSessionName`\" pulumi-lang-java=\"`assumeRoleSessionName`\"\u003e`assume_role_session_name`\u003c/span\u003e is provided, \u003cspan pulumi-lang-nodejs=\"`assumeRoleArn`\" pulumi-lang-dotnet=\"`AssumeRoleArn`\" pulumi-lang-go=\"`assumeRoleArn`\" pulumi-lang-python=\"`assume_role_arn`\" pulumi-lang-yaml=\"`assumeRoleArn`\" pulumi-lang-java=\"`assumeRoleArn`\"\u003e`assume_role_arn`\u003c/span\u003e must also be provided.\nRequires Vault 1.19+. *Available only for Vault Enterprise*.\n"},"backend":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`aws`\" pulumi-lang-dotnet=\"`Aws`\" pulumi-lang-go=\"`aws`\" pulumi-lang-python=\"`aws`\" pulumi-lang-yaml=\"`aws`\" pulumi-lang-java=\"`aws`\"\u003e`aws`\u003c/span\u003e\n"},"externalId":{"type":"string","description":"Specifies the external ID to use when assuming the role.\nRequires Vault 1.19+. *Available only for Vault Enterprise*.\n"},"name":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"rotationPeriod":{"type":"integer","description":"How often Vault should rotate the password of the user entry.\n"},"username":{"type":"string","description":"The username of the existing AWS IAM to manage password rotation for.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:azure/authBackendConfig:AuthBackendConfig":{"description":"\n\n## Import\n\nAzure auth backends can be imported using `auth/`, the `backend` path, and `/config` e.g.\n\n```sh\n$ pulumi import vault:azure/authBackendConfig:AuthBackendConfig example auth/azure/config\n```\n","properties":{"backend":{"type":"string","description":"The path the Azure auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`azure`\" pulumi-lang-dotnet=\"`Azure`\" pulumi-lang-go=\"`azure`\" pulumi-lang-python=\"`azure`\" pulumi-lang-yaml=\"`azure`\" pulumi-lang-java=\"`azure`\"\u003e`azure`\u003c/span\u003e.\n"},"clientId":{"type":"string","description":"The client id for credentials to query the Azure APIs.\nCurrently read permissions to query compute resources are required.\n","secret":true},"clientSecret":{"type":"string","description":"The client secret for credentials to query the Azure APIs. Mutually exclusive with 'client_secret_wo'.","secret":true},"clientSecretWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe client secret for credentials to query the Azure APIs. This field is write-only and will never be stored in state. Mutually exclusive with 'client_secret'. Requires 'client_secret_wo_version' to trigger updates.","secret":true},"clientSecretWoVersion":{"type":"integer","description":"Version counter for the write-only client secret.\nIncrement this value to trigger an update of the client secret in Vault.\nRequired when using \u003cspan pulumi-lang-nodejs=\"`clientSecretWo`\" pulumi-lang-dotnet=\"`ClientSecretWo`\" pulumi-lang-go=\"`clientSecretWo`\" pulumi-lang-python=\"`client_secret_wo`\" pulumi-lang-yaml=\"`clientSecretWo`\" pulumi-lang-java=\"`clientSecretWo`\"\u003e`client_secret_wo`\u003c/span\u003e.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"environment":{"type":"string","description":"The Azure cloud environment. Valid values:\nAzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud,\nAzureGermanCloud.  Defaults to `AzurePublicCloud`.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value for plugin identity tokens. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds."},"maxRetries":{"type":"integer","description":"Maximum number of retries for Azure API requests. \nDefaults to \u003cspan pulumi-lang-nodejs=\"`3`\" pulumi-lang-dotnet=\"`3`\" pulumi-lang-go=\"`3`\" pulumi-lang-python=\"`3`\" pulumi-lang-yaml=\"`3`\" pulumi-lang-java=\"`3`\"\u003e`3`\u003c/span\u003e.\n"},"maxRetryDelay":{"type":"integer","description":"The maximum delay in seconds between retries for Azure API requests.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`60`\" pulumi-lang-dotnet=\"`60`\" pulumi-lang-go=\"`60`\" pulumi-lang-python=\"`60`\" pulumi-lang-yaml=\"`60`\" pulumi-lang-java=\"`60`\"\u003e`60`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"resource":{"type":"string","description":"The configured URL for the application registered in\nAzure Active Directory.\n"},"retryDelay":{"type":"integer","description":"The initial delay in seconds between retries for Azure API requests.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`4`\" pulumi-lang-dotnet=\"`4`\" pulumi-lang-go=\"`4`\" pulumi-lang-python=\"`4`\" pulumi-lang-yaml=\"`4`\" pulumi-lang-java=\"`4`\"\u003e`4`\u003c/span\u003e.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"tenantId":{"type":"string","description":"The tenant id for the Azure Active Directory\norganization.\n","secret":true}},"required":["identityTokenTtl","resource","tenantId"],"inputProperties":{"backend":{"type":"string","description":"The path the Azure auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`azure`\" pulumi-lang-dotnet=\"`Azure`\" pulumi-lang-go=\"`azure`\" pulumi-lang-python=\"`azure`\" pulumi-lang-yaml=\"`azure`\" pulumi-lang-java=\"`azure`\"\u003e`azure`\u003c/span\u003e.\n","willReplaceOnChanges":true},"clientId":{"type":"string","description":"The client id for credentials to query the Azure APIs.\nCurrently read permissions to query compute resources are required.\n","secret":true},"clientSecret":{"type":"string","description":"The client secret for credentials to query the Azure APIs. Mutually exclusive with 'client_secret_wo'.","secret":true},"clientSecretWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe client secret for credentials to query the Azure APIs. This field is write-only and will never be stored in state. Mutually exclusive with 'client_secret'. Requires 'client_secret_wo_version' to trigger updates.","secret":true},"clientSecretWoVersion":{"type":"integer","description":"Version counter for the write-only client secret.\nIncrement this value to trigger an update of the client secret in Vault.\nRequired when using \u003cspan pulumi-lang-nodejs=\"`clientSecretWo`\" pulumi-lang-dotnet=\"`ClientSecretWo`\" pulumi-lang-go=\"`clientSecretWo`\" pulumi-lang-python=\"`client_secret_wo`\" pulumi-lang-yaml=\"`clientSecretWo`\" pulumi-lang-java=\"`clientSecretWo`\"\u003e`client_secret_wo`\u003c/span\u003e.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"environment":{"type":"string","description":"The Azure cloud environment. Valid values:\nAzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud,\nAzureGermanCloud.  Defaults to `AzurePublicCloud`.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value for plugin identity tokens. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds."},"maxRetries":{"type":"integer","description":"Maximum number of retries for Azure API requests. \nDefaults to \u003cspan pulumi-lang-nodejs=\"`3`\" pulumi-lang-dotnet=\"`3`\" pulumi-lang-go=\"`3`\" pulumi-lang-python=\"`3`\" pulumi-lang-yaml=\"`3`\" pulumi-lang-java=\"`3`\"\u003e`3`\u003c/span\u003e.\n"},"maxRetryDelay":{"type":"integer","description":"The maximum delay in seconds between retries for Azure API requests.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`60`\" pulumi-lang-dotnet=\"`60`\" pulumi-lang-go=\"`60`\" pulumi-lang-python=\"`60`\" pulumi-lang-yaml=\"`60`\" pulumi-lang-java=\"`60`\"\u003e`60`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"resource":{"type":"string","description":"The configured URL for the application registered in\nAzure Active Directory.\n"},"retryDelay":{"type":"integer","description":"The initial delay in seconds between retries for Azure API requests.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`4`\" pulumi-lang-dotnet=\"`4`\" pulumi-lang-go=\"`4`\" pulumi-lang-python=\"`4`\" pulumi-lang-yaml=\"`4`\" pulumi-lang-java=\"`4`\"\u003e`4`\u003c/span\u003e.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"tenantId":{"type":"string","description":"The tenant id for the Azure Active Directory\norganization.\n","secret":true}},"requiredInputs":["resource","tenantId"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendConfig resources.\n","properties":{"backend":{"type":"string","description":"The path the Azure auth backend being configured was\nmounted at.  Defaults to \u003cspan pulumi-lang-nodejs=\"`azure`\" pulumi-lang-dotnet=\"`Azure`\" pulumi-lang-go=\"`azure`\" pulumi-lang-python=\"`azure`\" pulumi-lang-yaml=\"`azure`\" pulumi-lang-java=\"`azure`\"\u003e`azure`\u003c/span\u003e.\n","willReplaceOnChanges":true},"clientId":{"type":"string","description":"The client id for credentials to query the Azure APIs.\nCurrently read permissions to query compute resources are required.\n","secret":true},"clientSecret":{"type":"string","description":"The client secret for credentials to query the Azure APIs. Mutually exclusive with 'client_secret_wo'.","secret":true},"clientSecretWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe client secret for credentials to query the Azure APIs. This field is write-only and will never be stored in state. Mutually exclusive with 'client_secret'. Requires 'client_secret_wo_version' to trigger updates.","secret":true},"clientSecretWoVersion":{"type":"integer","description":"Version counter for the write-only client secret.\nIncrement this value to trigger an update of the client secret in Vault.\nRequired when using \u003cspan pulumi-lang-nodejs=\"`clientSecretWo`\" pulumi-lang-dotnet=\"`ClientSecretWo`\" pulumi-lang-go=\"`clientSecretWo`\" pulumi-lang-python=\"`client_secret_wo`\" pulumi-lang-yaml=\"`clientSecretWo`\" pulumi-lang-java=\"`clientSecretWo`\"\u003e`client_secret_wo`\u003c/span\u003e.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"environment":{"type":"string","description":"The Azure cloud environment. Valid values:\nAzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud,\nAzureGermanCloud.  Defaults to `AzurePublicCloud`.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value for plugin identity tokens. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds."},"maxRetries":{"type":"integer","description":"Maximum number of retries for Azure API requests. \nDefaults to \u003cspan pulumi-lang-nodejs=\"`3`\" pulumi-lang-dotnet=\"`3`\" pulumi-lang-go=\"`3`\" pulumi-lang-python=\"`3`\" pulumi-lang-yaml=\"`3`\" pulumi-lang-java=\"`3`\"\u003e`3`\u003c/span\u003e.\n"},"maxRetryDelay":{"type":"integer","description":"The maximum delay in seconds between retries for Azure API requests.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`60`\" pulumi-lang-dotnet=\"`60`\" pulumi-lang-go=\"`60`\" pulumi-lang-python=\"`60`\" pulumi-lang-yaml=\"`60`\" pulumi-lang-java=\"`60`\"\u003e`60`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"resource":{"type":"string","description":"The configured URL for the application registered in\nAzure Active Directory.\n"},"retryDelay":{"type":"integer","description":"The initial delay in seconds between retries for Azure API requests.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`4`\" pulumi-lang-dotnet=\"`4`\" pulumi-lang-go=\"`4`\" pulumi-lang-python=\"`4`\" pulumi-lang-yaml=\"`4`\" pulumi-lang-java=\"`4`\"\u003e`4`\u003c/span\u003e.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"tenantId":{"type":"string","description":"The tenant id for the Azure Active Directory\norganization.\n","secret":true}},"type":"object"}},"vault:azure/authBackendRole:AuthBackendRole":{"description":"Manages an Azure auth backend role in a Vault server. Roles constrain the\ninstances or principals that can perform the login operation against the\nbackend. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/azure.html) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst azure = new vault.AuthBackend(\"azure\", {type: \"azure\"});\nconst example = new vault.azure.AuthBackendRole(\"example\", {\n    backend: azure.path,\n    role: \"test-role\",\n    boundSubscriptionIds: [\"11111111-2222-3333-4444-555555555555\"],\n    boundResourceGroups: [\"123456789012\"],\n    tokenTtl: 60,\n    tokenMaxTtl: 120,\n    tokenPolicies: [\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nazure = vault.AuthBackend(\"azure\", type=\"azure\")\nexample = vault.azure.AuthBackendRole(\"example\",\n    backend=azure.path,\n    role=\"test-role\",\n    bound_subscription_ids=[\"11111111-2222-3333-4444-555555555555\"],\n    bound_resource_groups=[\"123456789012\"],\n    token_ttl=60,\n    token_max_ttl=120,\n    token_policies=[\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var azure = new Vault.AuthBackend(\"azure\", new()\n    {\n        Type = \"azure\",\n    });\n\n    var example = new Vault.Azure.AuthBackendRole(\"example\", new()\n    {\n        Backend = azure.Path,\n        Role = \"test-role\",\n        BoundSubscriptionIds = new[]\n        {\n            \"11111111-2222-3333-4444-555555555555\",\n        },\n        BoundResourceGroups = new[]\n        {\n            \"123456789012\",\n        },\n        TokenTtl = 60,\n        TokenMaxTtl = 120,\n        TokenPolicies = new[]\n        {\n            \"default\",\n            \"dev\",\n            \"prod\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/azure\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tazure, err := vault.NewAuthBackend(ctx, \"azure\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"azure\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azure.NewAuthBackendRole(ctx, \"example\", \u0026azure.AuthBackendRoleArgs{\n\t\t\tBackend: azure.Path,\n\t\t\tRole:    pulumi.String(\"test-role\"),\n\t\t\tBoundSubscriptionIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"11111111-2222-3333-4444-555555555555\"),\n\t\t\t},\n\t\t\tBoundResourceGroups: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"123456789012\"),\n\t\t\t},\n\t\t\tTokenTtl:    pulumi.Int(60),\n\t\t\tTokenMaxTtl: pulumi.Int(120),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.azure.AuthBackendRole;\nimport com.pulumi.vault.azure.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var azure = new AuthBackend(\"azure\", AuthBackendArgs.builder()\n            .type(\"azure\")\n            .build());\n\n        var example = new AuthBackendRole(\"example\", AuthBackendRoleArgs.builder()\n            .backend(azure.path())\n            .role(\"test-role\")\n            .boundSubscriptionIds(\"11111111-2222-3333-4444-555555555555\")\n            .boundResourceGroups(\"123456789012\")\n            .tokenTtl(60)\n            .tokenMaxTtl(120)\n            .tokenPolicies(            \n                \"default\",\n                \"dev\",\n                \"prod\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  azure:\n    type: vault:AuthBackend\n    properties:\n      type: azure\n  example:\n    type: vault:azure:AuthBackendRole\n    properties:\n      backend: ${azure.path}\n      role: test-role\n      boundSubscriptionIds:\n        - 11111111-2222-3333-4444-555555555555\n      boundResourceGroups:\n        - '123456789012'\n      tokenTtl: 60\n      tokenMaxTtl: 120\n      tokenPolicies:\n        - default\n        - dev\n        - prod\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAzure auth backend roles can be imported using `auth/`, the `backend` path, `/role/`, and the `role` name e.g.\n\n```sh\n$ pulumi import vault:azure/authBackendRole:AuthBackendRole example auth/azure/role/test-role\n```\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"backend":{"type":"string","description":"Unique name of the auth backend to configure."},"boundGroupIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the groups\nthat can perform the login operation that they should be using the group\nID specified by this field.\n"},"boundLocations":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the virtual machines\nthat can perform the login operation that the location in their identity\ndocument must match the one specified by this field.\n"},"boundResourceGroups":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the virtual\nmachines that can perform the login operation that they be associated with\nthe resource group that matches the value specified by this field.\n"},"boundScaleSets":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the virtual\nmachines that can perform the login operation that they must match the scale set\nspecified by this field.\n"},"boundServicePrincipalIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the\nservice principals that can perform the login operation that they should be possess\nthe ids specified by this field.\n"},"boundSubscriptionIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the subscriptions\nthat can perform the login operation to ones which  matches the value specified by this\nfield.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"role":{"type":"string","description":"The name of the role.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["role"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","willReplaceOnChanges":true},"boundGroupIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the groups\nthat can perform the login operation that they should be using the group\nID specified by this field.\n"},"boundLocations":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the virtual machines\nthat can perform the login operation that the location in their identity\ndocument must match the one specified by this field.\n"},"boundResourceGroups":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the virtual\nmachines that can perform the login operation that they be associated with\nthe resource group that matches the value specified by this field.\n"},"boundScaleSets":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the virtual\nmachines that can perform the login operation that they must match the scale set\nspecified by this field.\n"},"boundServicePrincipalIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the\nservice principals that can perform the login operation that they should be possess\nthe ids specified by this field.\n"},"boundSubscriptionIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the subscriptions\nthat can perform the login operation to ones which  matches the value specified by this\nfield.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"requiredInputs":["role"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","willReplaceOnChanges":true},"boundGroupIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the groups\nthat can perform the login operation that they should be using the group\nID specified by this field.\n"},"boundLocations":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the virtual machines\nthat can perform the login operation that the location in their identity\ndocument must match the one specified by this field.\n"},"boundResourceGroups":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the virtual\nmachines that can perform the login operation that they be associated with\nthe resource group that matches the value specified by this field.\n"},"boundScaleSets":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the virtual\nmachines that can perform the login operation that they must match the scale set\nspecified by this field.\n"},"boundServicePrincipalIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the\nservice principals that can perform the login operation that they should be possess\nthe ids specified by this field.\n"},"boundSubscriptionIds":{"type":"array","items":{"type":"string"},"description":"If set, defines a constraint on the subscriptions\nthat can perform the login operation to ones which  matches the value specified by this\nfield.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:azure/backend:Backend":{"properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"clientId":{"type":"string","description":"The OAuth2 client id to connect to Azure.\n","secret":true},"clientSecret":{"type":"string","description":"The OAuth2 client secret to connect to Azure.\nConflicts with \u003cspan pulumi-lang-nodejs=\"`clientSecretWo`\" pulumi-lang-dotnet=\"`ClientSecretWo`\" pulumi-lang-go=\"`clientSecretWo`\" pulumi-lang-python=\"`client_secret_wo`\" pulumi-lang-yaml=\"`clientSecretWo`\" pulumi-lang-java=\"`clientSecretWo`\"\u003e`client_secret_wo`\u003c/span\u003e.\n","secret":true},"clientSecretWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe client secret for credentials to query the Azure APIs. This is a write-only field and will not be read back from Vault.","secret":true},"clientSecretWoVersion":{"type":"integer","description":"A version counter for the write-only\u003cspan pulumi-lang-nodejs=\" clientSecretWo \" pulumi-lang-dotnet=\" ClientSecretWo \" pulumi-lang-go=\" clientSecretWo \" pulumi-lang-python=\" client_secret_wo \" pulumi-lang-yaml=\" clientSecretWo \" pulumi-lang-java=\" clientSecretWo \"\u003e client_secret_wo \u003c/span\u003efield. Incrementing this value will trigger an update to the client secret."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"environment":{"type":"string","description":"The Azure environment.\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenAudience":{"type":"string","description":"The audience claim value. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Defaults to \u003cspan pulumi-lang-nodejs=\"`azure`\" pulumi-lang-dotnet=\"`Azure`\" pulumi-lang-go=\"`azure`\" pulumi-lang-python=\"`azure`\" pulumi-lang-yaml=\"`azure`\" pulumi-lang-java=\"`azure`\"\u003e`azure`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"rootPasswordTtl":{"type":"integer","description":"Specifies the TTL of the root password when rotate-root generates a new client secret. Requires Vault 1.15+.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"subscriptionId":{"type":"string","description":"The subscription id for the Azure Active Directory.\n","secret":true},"tenantId":{"type":"string","description":"The tenant id for the Azure Active Directory.\n","secret":true}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","defaultLeaseTtlSeconds","forceNoCache","identityTokenTtl","maxLeaseTtlSeconds","rootPasswordTtl","sealWrap","subscriptionId","tenantId"],"inputProperties":{"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"clientId":{"type":"string","description":"The OAuth2 client id to connect to Azure.\n","secret":true},"clientSecret":{"type":"string","description":"The OAuth2 client secret to connect to Azure.\nConflicts with \u003cspan pulumi-lang-nodejs=\"`clientSecretWo`\" pulumi-lang-dotnet=\"`ClientSecretWo`\" pulumi-lang-go=\"`clientSecretWo`\" pulumi-lang-python=\"`client_secret_wo`\" pulumi-lang-yaml=\"`clientSecretWo`\" pulumi-lang-java=\"`clientSecretWo`\"\u003e`client_secret_wo`\u003c/span\u003e.\n","secret":true},"clientSecretWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe client secret for credentials to query the Azure APIs. This is a write-only field and will not be read back from Vault.","secret":true},"clientSecretWoVersion":{"type":"integer","description":"A version counter for the write-only\u003cspan pulumi-lang-nodejs=\" clientSecretWo \" pulumi-lang-dotnet=\" ClientSecretWo \" pulumi-lang-go=\" clientSecretWo \" pulumi-lang-python=\" client_secret_wo \" pulumi-lang-yaml=\" clientSecretWo \" pulumi-lang-java=\" clientSecretWo \"\u003e client_secret_wo \u003c/span\u003efield. Incrementing this value will trigger an update to the client secret."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"environment":{"type":"string","description":"The Azure environment.\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenAudience":{"type":"string","description":"The audience claim value. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Defaults to \u003cspan pulumi-lang-nodejs=\"`azure`\" pulumi-lang-dotnet=\"`Azure`\" pulumi-lang-go=\"`azure`\" pulumi-lang-python=\"`azure`\" pulumi-lang-yaml=\"`azure`\" pulumi-lang-java=\"`azure`\"\u003e`azure`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"rootPasswordTtl":{"type":"integer","description":"Specifies the TTL of the root password when rotate-root generates a new client secret. Requires Vault 1.15+.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"subscriptionId":{"type":"string","description":"The subscription id for the Azure Active Directory.\n","secret":true,"willReplaceOnChanges":true},"tenantId":{"type":"string","description":"The tenant id for the Azure Active Directory.\n","secret":true}},"requiredInputs":["subscriptionId","tenantId"],"stateInputs":{"description":"Input properties used for looking up and filtering Backend resources.\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"clientId":{"type":"string","description":"The OAuth2 client id to connect to Azure.\n","secret":true},"clientSecret":{"type":"string","description":"The OAuth2 client secret to connect to Azure.\nConflicts with \u003cspan pulumi-lang-nodejs=\"`clientSecretWo`\" pulumi-lang-dotnet=\"`ClientSecretWo`\" pulumi-lang-go=\"`clientSecretWo`\" pulumi-lang-python=\"`client_secret_wo`\" pulumi-lang-yaml=\"`clientSecretWo`\" pulumi-lang-java=\"`clientSecretWo`\"\u003e`client_secret_wo`\u003c/span\u003e.\n","secret":true},"clientSecretWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe client secret for credentials to query the Azure APIs. This is a write-only field and will not be read back from Vault.","secret":true},"clientSecretWoVersion":{"type":"integer","description":"A version counter for the write-only\u003cspan pulumi-lang-nodejs=\" clientSecretWo \" pulumi-lang-dotnet=\" ClientSecretWo \" pulumi-lang-go=\" clientSecretWo \" pulumi-lang-python=\" client_secret_wo \" pulumi-lang-yaml=\" clientSecretWo \" pulumi-lang-java=\" clientSecretWo \"\u003e client_secret_wo \u003c/span\u003efield. Incrementing this value will trigger an update to the client secret."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"environment":{"type":"string","description":"The Azure environment.\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenAudience":{"type":"string","description":"The audience claim value. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"identityTokenTtl":{"type":"integer","description":"The TTL of generated identity tokens in seconds. Requires Vault 1.17+.\n*Available only for Vault Enterprise*\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Defaults to \u003cspan pulumi-lang-nodejs=\"`azure`\" pulumi-lang-dotnet=\"`Azure`\" pulumi-lang-go=\"`azure`\" pulumi-lang-python=\"`azure`\" pulumi-lang-yaml=\"`azure`\" pulumi-lang-java=\"`azure`\"\u003e`azure`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"rootPasswordTtl":{"type":"integer","description":"Specifies the TTL of the root password when rotate-root generates a new client secret. Requires Vault 1.15+.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"subscriptionId":{"type":"string","description":"The subscription id for the Azure Active Directory.\n","secret":true,"willReplaceOnChanges":true},"tenantId":{"type":"string","description":"The tenant id for the Azure Active Directory.\n","secret":true}},"type":"object"}},"vault:azure/backendRole:BackendRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst azure = new vault.azure.Backend(\"azure\", {\n    subscriptionId: subscriptionId,\n    tenantId: tenantId,\n    clientSecret: clientSecret,\n    clientId: clientId,\n});\nconst generatedRole = new vault.azure.BackendRole(\"generated_role\", {\n    backend: azure.path,\n    role: \"generated_role\",\n    signInAudience: \"AzureADMyOrg\",\n    tags: [\n        \"team:engineering\",\n        \"environment:development\",\n    ],\n    ttl: \"300\",\n    maxTtl: \"600\",\n    azureRoles: [{\n        roleName: \"Reader\",\n        scope: `/subscriptions/${subscriptionId}/resourceGroups/azure-vault-group`,\n    }],\n});\nconst existingObjectId = new vault.azure.BackendRole(\"existing_object_id\", {\n    backend: azure.path,\n    role: \"existing_object_id\",\n    applicationObjectId: \"11111111-2222-3333-4444-44444444444\",\n    ttl: \"300\",\n    maxTtl: \"600\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nazure = vault.azure.Backend(\"azure\",\n    subscription_id=subscription_id,\n    tenant_id=tenant_id,\n    client_secret=client_secret,\n    client_id=client_id)\ngenerated_role = vault.azure.BackendRole(\"generated_role\",\n    backend=azure.path,\n    role=\"generated_role\",\n    sign_in_audience=\"AzureADMyOrg\",\n    tags=[\n        \"team:engineering\",\n        \"environment:development\",\n    ],\n    ttl=\"300\",\n    max_ttl=\"600\",\n    azure_roles=[{\n        \"role_name\": \"Reader\",\n        \"scope\": f\"/subscriptions/{subscription_id}/resourceGroups/azure-vault-group\",\n    }])\nexisting_object_id = vault.azure.BackendRole(\"existing_object_id\",\n    backend=azure.path,\n    role=\"existing_object_id\",\n    application_object_id=\"11111111-2222-3333-4444-44444444444\",\n    ttl=\"300\",\n    max_ttl=\"600\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var azure = new Vault.Azure.Backend(\"azure\", new()\n    {\n        SubscriptionId = subscriptionId,\n        TenantId = tenantId,\n        ClientSecret = clientSecret,\n        ClientId = clientId,\n    });\n\n    var generatedRole = new Vault.Azure.BackendRole(\"generated_role\", new()\n    {\n        Backend = azure.Path,\n        Role = \"generated_role\",\n        SignInAudience = \"AzureADMyOrg\",\n        Tags = new[]\n        {\n            \"team:engineering\",\n            \"environment:development\",\n        },\n        Ttl = \"300\",\n        MaxTtl = \"600\",\n        AzureRoles = new[]\n        {\n            new Vault.Azure.Inputs.BackendRoleAzureRoleArgs\n            {\n                RoleName = \"Reader\",\n                Scope = $\"/subscriptions/{subscriptionId}/resourceGroups/azure-vault-group\",\n            },\n        },\n    });\n\n    var existingObjectId = new Vault.Azure.BackendRole(\"existing_object_id\", new()\n    {\n        Backend = azure.Path,\n        Role = \"existing_object_id\",\n        ApplicationObjectId = \"11111111-2222-3333-4444-44444444444\",\n        Ttl = \"300\",\n        MaxTtl = \"600\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/azure\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tazure, err := azure.NewBackend(ctx, \"azure\", \u0026azure.BackendArgs{\n\t\t\tSubscriptionId: pulumi.Any(subscriptionId),\n\t\t\tTenantId:       pulumi.Any(tenantId),\n\t\t\tClientSecret:   pulumi.Any(clientSecret),\n\t\t\tClientId:       pulumi.Any(clientId),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azure.NewBackendRole(ctx, \"generated_role\", \u0026azure.BackendRoleArgs{\n\t\t\tBackend:        azure.Path,\n\t\t\tRole:           pulumi.String(\"generated_role\"),\n\t\t\tSignInAudience: pulumi.String(\"AzureADMyOrg\"),\n\t\t\tTags: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"team:engineering\"),\n\t\t\t\tpulumi.String(\"environment:development\"),\n\t\t\t},\n\t\t\tTtl:    pulumi.String(\"300\"),\n\t\t\tMaxTtl: pulumi.String(\"600\"),\n\t\t\tAzureRoles: azure.BackendRoleAzureRoleArray{\n\t\t\t\t\u0026azure.BackendRoleAzureRoleArgs{\n\t\t\t\t\tRoleName: pulumi.String(\"Reader\"),\n\t\t\t\t\tScope:    pulumi.Sprintf(\"/subscriptions/%v/resourceGroups/azure-vault-group\", subscriptionId),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azure.NewBackendRole(ctx, \"existing_object_id\", \u0026azure.BackendRoleArgs{\n\t\t\tBackend:             azure.Path,\n\t\t\tRole:                pulumi.String(\"existing_object_id\"),\n\t\t\tApplicationObjectId: pulumi.String(\"11111111-2222-3333-4444-44444444444\"),\n\t\t\tTtl:                 pulumi.String(\"300\"),\n\t\t\tMaxTtl:              pulumi.String(\"600\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.azure.Backend;\nimport com.pulumi.vault.azure.BackendArgs;\nimport com.pulumi.vault.azure.BackendRole;\nimport com.pulumi.vault.azure.BackendRoleArgs;\nimport com.pulumi.vault.azure.inputs.BackendRoleAzureRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var azure = new Backend(\"azure\", BackendArgs.builder()\n            .subscriptionId(subscriptionId)\n            .tenantId(tenantId)\n            .clientSecret(clientSecret)\n            .clientId(clientId)\n            .build());\n\n        var generatedRole = new BackendRole(\"generatedRole\", BackendRoleArgs.builder()\n            .backend(azure.path())\n            .role(\"generated_role\")\n            .signInAudience(\"AzureADMyOrg\")\n            .tags(            \n                \"team:engineering\",\n                \"environment:development\")\n            .ttl(\"300\")\n            .maxTtl(\"600\")\n            .azureRoles(BackendRoleAzureRoleArgs.builder()\n                .roleName(\"Reader\")\n                .scope(String.format(\"/subscriptions/%s/resourceGroups/azure-vault-group\", subscriptionId))\n                .build())\n            .build());\n\n        var existingObjectId = new BackendRole(\"existingObjectId\", BackendRoleArgs.builder()\n            .backend(azure.path())\n            .role(\"existing_object_id\")\n            .applicationObjectId(\"11111111-2222-3333-4444-44444444444\")\n            .ttl(\"300\")\n            .maxTtl(\"600\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  azure:\n    type: vault:azure:Backend\n    properties:\n      subscriptionId: ${subscriptionId}\n      tenantId: ${tenantId}\n      clientSecret: ${clientSecret}\n      clientId: ${clientId}\n  generatedRole:\n    type: vault:azure:BackendRole\n    name: generated_role\n    properties:\n      backend: ${azure.path}\n      role: generated_role\n      signInAudience: AzureADMyOrg\n      tags:\n        - team:engineering\n        - environment:development\n      ttl: 300\n      maxTtl: 600\n      azureRoles:\n        - roleName: Reader\n          scope: /subscriptions/${subscriptionId}/resourceGroups/azure-vault-group\n  existingObjectId:\n    type: vault:azure:BackendRole\n    name: existing_object_id\n    properties:\n      backend: ${azure.path}\n      role: existing_object_id\n      applicationObjectId: 11111111-2222-3333-4444-44444444444\n      ttl: 300\n      maxTtl: 600\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"applicationObjectId":{"type":"string","description":"Application Object ID for an existing service principal that will\nbe used instead of creating dynamic service principals. If present, \u003cspan pulumi-lang-nodejs=\"`azureRoles`\" pulumi-lang-dotnet=\"`AzureRoles`\" pulumi-lang-go=\"`azureRoles`\" pulumi-lang-python=\"`azure_roles`\" pulumi-lang-yaml=\"`azureRoles`\" pulumi-lang-java=\"`azureRoles`\"\u003e`azure_roles`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`permanentlyDelete`\" pulumi-lang-dotnet=\"`PermanentlyDelete`\" pulumi-lang-go=\"`permanentlyDelete`\" pulumi-lang-python=\"`permanently_delete`\" pulumi-lang-yaml=\"`permanentlyDelete`\" pulumi-lang-java=\"`permanentlyDelete`\"\u003e`permanently_delete`\u003c/span\u003e will be ignored.\n"},"azureGroups":{"type":"array","items":{"$ref":"#/types/vault:azure/BackendRoleAzureGroup:BackendRoleAzureGroup"},"description":"List of Azure groups to be assigned to the generated service principal.\n"},"azureRoles":{"type":"array","items":{"$ref":"#/types/vault:azure/BackendRoleAzureRole:BackendRoleAzureRole"},"description":"List of Azure roles to be assigned to the generated service principal.\n"},"backend":{"type":"string","description":"Path to the mounted Azure auth backend\n"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"explicitMaxTtl":{"type":"string","description":"Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.\n"},"maxTtl":{"type":"string","description":"Specifies the maximum TTL for service principals generated using this role. Accepts time\nsuffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine max TTL time.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"permanentlyDelete":{"type":"boolean","description":"Indicates whether the applications and service principals created by Vault will be permanently\ndeleted when the corresponding leases expire. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. For Vault v1.12+.\n"},"persistApp":{"type":"boolean","description":"If set to true, persists the created service principal and application for the lifetime of the role\n"},"role":{"type":"string","description":"Name of the Azure role\n"},"signInAudience":{"type":"string","description":"Specifies the security principal types that are allowed to sign in to the application.\nValid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.\n"},"tags":{"type":"array","items":{"type":"string"},"description":"A list of Azure tags to attach to an application. Requires Vault 1.16+.\n"},"ttl":{"type":"string","description":"Specifies the default TTL for service principals generated using this role.\nAccepts time suffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine default TTL time.\n"}},"required":["permanentlyDelete","role"],"inputProperties":{"applicationObjectId":{"type":"string","description":"Application Object ID for an existing service principal that will\nbe used instead of creating dynamic service principals. If present, \u003cspan pulumi-lang-nodejs=\"`azureRoles`\" pulumi-lang-dotnet=\"`AzureRoles`\" pulumi-lang-go=\"`azureRoles`\" pulumi-lang-python=\"`azure_roles`\" pulumi-lang-yaml=\"`azureRoles`\" pulumi-lang-java=\"`azureRoles`\"\u003e`azure_roles`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`permanentlyDelete`\" pulumi-lang-dotnet=\"`PermanentlyDelete`\" pulumi-lang-go=\"`permanentlyDelete`\" pulumi-lang-python=\"`permanently_delete`\" pulumi-lang-yaml=\"`permanentlyDelete`\" pulumi-lang-java=\"`permanentlyDelete`\"\u003e`permanently_delete`\u003c/span\u003e will be ignored.\n"},"azureGroups":{"type":"array","items":{"$ref":"#/types/vault:azure/BackendRoleAzureGroup:BackendRoleAzureGroup"},"description":"List of Azure groups to be assigned to the generated service principal.\n"},"azureRoles":{"type":"array","items":{"$ref":"#/types/vault:azure/BackendRoleAzureRole:BackendRoleAzureRole"},"description":"List of Azure roles to be assigned to the generated service principal.\n"},"backend":{"type":"string","description":"Path to the mounted Azure auth backend\n","willReplaceOnChanges":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"explicitMaxTtl":{"type":"string","description":"Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.\n"},"maxTtl":{"type":"string","description":"Specifies the maximum TTL for service principals generated using this role. Accepts time\nsuffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine max TTL time.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"permanentlyDelete":{"type":"boolean","description":"Indicates whether the applications and service principals created by Vault will be permanently\ndeleted when the corresponding leases expire. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. For Vault v1.12+.\n"},"persistApp":{"type":"boolean","description":"If set to true, persists the created service principal and application for the lifetime of the role\n"},"role":{"type":"string","description":"Name of the Azure role\n","willReplaceOnChanges":true},"signInAudience":{"type":"string","description":"Specifies the security principal types that are allowed to sign in to the application.\nValid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.\n"},"tags":{"type":"array","items":{"type":"string"},"description":"A list of Azure tags to attach to an application. Requires Vault 1.16+.\n"},"ttl":{"type":"string","description":"Specifies the default TTL for service principals generated using this role.\nAccepts time suffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine default TTL time.\n"}},"requiredInputs":["role"],"stateInputs":{"description":"Input properties used for looking up and filtering BackendRole resources.\n","properties":{"applicationObjectId":{"type":"string","description":"Application Object ID for an existing service principal that will\nbe used instead of creating dynamic service principals. If present, \u003cspan pulumi-lang-nodejs=\"`azureRoles`\" pulumi-lang-dotnet=\"`AzureRoles`\" pulumi-lang-go=\"`azureRoles`\" pulumi-lang-python=\"`azure_roles`\" pulumi-lang-yaml=\"`azureRoles`\" pulumi-lang-java=\"`azureRoles`\"\u003e`azure_roles`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`permanentlyDelete`\" pulumi-lang-dotnet=\"`PermanentlyDelete`\" pulumi-lang-go=\"`permanentlyDelete`\" pulumi-lang-python=\"`permanently_delete`\" pulumi-lang-yaml=\"`permanentlyDelete`\" pulumi-lang-java=\"`permanentlyDelete`\"\u003e`permanently_delete`\u003c/span\u003e will be ignored.\n"},"azureGroups":{"type":"array","items":{"$ref":"#/types/vault:azure/BackendRoleAzureGroup:BackendRoleAzureGroup"},"description":"List of Azure groups to be assigned to the generated service principal.\n"},"azureRoles":{"type":"array","items":{"$ref":"#/types/vault:azure/BackendRoleAzureRole:BackendRoleAzureRole"},"description":"List of Azure roles to be assigned to the generated service principal.\n"},"backend":{"type":"string","description":"Path to the mounted Azure auth backend\n","willReplaceOnChanges":true},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"explicitMaxTtl":{"type":"string","description":"Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years). Requires Vault 1.18+.\n"},"maxTtl":{"type":"string","description":"Specifies the maximum TTL for service principals generated using this role. Accepts time\nsuffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine max TTL time.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"permanentlyDelete":{"type":"boolean","description":"Indicates whether the applications and service principals created by Vault will be permanently\ndeleted when the corresponding leases expire. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. For Vault v1.12+.\n"},"persistApp":{"type":"boolean","description":"If set to true, persists the created service principal and application for the lifetime of the role\n"},"role":{"type":"string","description":"Name of the Azure role\n","willReplaceOnChanges":true},"signInAudience":{"type":"string","description":"Specifies the security principal types that are allowed to sign in to the application.\nValid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.\n"},"tags":{"type":"array","items":{"type":"string"},"description":"A list of Azure tags to attach to an application. Requires Vault 1.16+.\n"},"ttl":{"type":"string","description":"Specifies the default TTL for service principals generated using this role.\nAccepts time suffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine default TTL time.\n"}},"type":"object"}},"vault:config/uiCustomMessage:UiCustomMessage":{"properties":{"authenticated":{"type":"boolean","description":"A flag indicating whether the custom message is displayed pre-login (false) or post-login (true)"},"endTime":{"type":"string","description":"The ending time of the active period of the custom message. Can be omitted for non-expiring message"},"link":{"$ref":"#/types/vault:config/UiCustomMessageLink:UiCustomMessageLink","description":"A block containing a hyperlink associated with the custom message"},"messageBase64":{"type":"string","description":"The base64-encoded content of the custom message"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"A map containing additional options for the custom message"},"startTime":{"type":"string","description":"The starting time of the active period of the custom message"},"title":{"type":"string","description":"The title of the custom message"},"type":{"type":"string","description":"The display type of custom message. Allowed values are banner and modal"}},"required":["messageBase64","startTime","title"],"inputProperties":{"authenticated":{"type":"boolean","description":"A flag indicating whether the custom message is displayed pre-login (false) or post-login (true)"},"endTime":{"type":"string","description":"The ending time of the active period of the custom message. Can be omitted for non-expiring message"},"link":{"$ref":"#/types/vault:config/UiCustomMessageLink:UiCustomMessageLink","description":"A block containing a hyperlink associated with the custom message"},"messageBase64":{"type":"string","description":"The base64-encoded content of the custom message"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"A map containing additional options for the custom message"},"startTime":{"type":"string","description":"The starting time of the active period of the custom message"},"title":{"type":"string","description":"The title of the custom message"},"type":{"type":"string","description":"The display type of custom message. Allowed values are banner and modal"}},"requiredInputs":["messageBase64","startTime","title"],"stateInputs":{"description":"Input properties used for looking up and filtering UiCustomMessage resources.\n","properties":{"authenticated":{"type":"boolean","description":"A flag indicating whether the custom message is displayed pre-login (false) or post-login (true)"},"endTime":{"type":"string","description":"The ending time of the active period of the custom message. Can be omitted for non-expiring message"},"link":{"$ref":"#/types/vault:config/UiCustomMessageLink:UiCustomMessageLink","description":"A block containing a hyperlink associated with the custom message"},"messageBase64":{"type":"string","description":"The base64-encoded content of the custom message"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"A map containing additional options for the custom message"},"startTime":{"type":"string","description":"The starting time of the active period of the custom message"},"title":{"type":"string","description":"The title of the custom message"},"type":{"type":"string","description":"The display type of custom message. Allowed values are banner and modal"}},"type":"object"}},"vault:consul/secretBackend:SecretBackend":{"description":"\n\n## Import\n\nConsul secret backends can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:consul/secretBackend:SecretBackend example consul\n```\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"address":{"type":"string","description":"Specifies the address of the Consul instance, provided as \"host:port\" like \"127.0.0.1:8500\".\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"bootstrap":{"type":"boolean","description":"Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap."},"caCert":{"type":"string","description":"CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.\n"},"clientCert":{"type":"string","description":"Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if\nthis is set you need to also set client_key.\n","secret":true},"clientKey":{"type":"string","description":"Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. Mutually exclusive with 'client_key_wo'.","secret":true},"clientKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nClient key used for Consul's TLS communication, must be x509 PEM encoded. This field is write-only and will never be stored in state. Mutually exclusive with 'client_key'. Requires 'client_key_wo_version' to trigger updates.","secret":true},"clientKeyWoVersion":{"type":"integer","description":"Version counter for the write-only client key. Increment this value to trigger \nan update of the client key in Vault. Required when using \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"A human-friendly description for this backend.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Specifies if the secret backend is local only"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique location this backend should be mounted at. Must not begin or end with a `/`. Defaults\nto \u003cspan pulumi-lang-nodejs=\"`consul`\" pulumi-lang-dotnet=\"`Consul`\" pulumi-lang-go=\"`consul`\" pulumi-lang-python=\"`consul`\" pulumi-lang-yaml=\"`consul`\" pulumi-lang-java=\"`consul`\"\u003e`consul`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"scheme":{"type":"string","description":"Specifies the URL scheme to use. Defaults to \u003cspan pulumi-lang-nodejs=\"`http`\" pulumi-lang-dotnet=\"`Http`\" pulumi-lang-go=\"`http`\" pulumi-lang-python=\"`http`\" pulumi-lang-yaml=\"`http`\" pulumi-lang-java=\"`http`\"\u003e`http`\u003c/span\u003e.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"token":{"type":"string","description":"Specifies the Consul token to use when managing or issuing new tokens. Mutually exclusive with 'token_wo'.","secret":true},"tokenWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nSpecifies the Consul token to use when managing or issuing new tokens. This field is write-only and will never be stored in state. Mutually exclusive with 'token'. Requires 'token_wo_version' to trigger updates.","secret":true},"tokenWoVersion":{"type":"integer","description":"Version counter for the write-only token. Increment this value to trigger an update \nof the token in Vault. Required when using \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e.\n"}},"required":["accessor","address","auditNonHmacRequestKeys","auditNonHmacResponseKeys","forceNoCache","sealWrap"],"inputProperties":{"address":{"type":"string","description":"Specifies the address of the Consul instance, provided as \"host:port\" like \"127.0.0.1:8500\".\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"bootstrap":{"type":"boolean","description":"Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap."},"caCert":{"type":"string","description":"CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.\n"},"clientCert":{"type":"string","description":"Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if\nthis is set you need to also set client_key.\n","secret":true},"clientKey":{"type":"string","description":"Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. Mutually exclusive with 'client_key_wo'.","secret":true},"clientKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nClient key used for Consul's TLS communication, must be x509 PEM encoded. This field is write-only and will never be stored in state. Mutually exclusive with 'client_key'. Requires 'client_key_wo_version' to trigger updates.","secret":true},"clientKeyWoVersion":{"type":"integer","description":"Version counter for the write-only client key. Increment this value to trigger \nan update of the client key in Vault. Required when using \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"A human-friendly description for this backend.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Specifies if the secret backend is local only","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique location this backend should be mounted at. Must not begin or end with a `/`. Defaults\nto \u003cspan pulumi-lang-nodejs=\"`consul`\" pulumi-lang-dotnet=\"`Consul`\" pulumi-lang-go=\"`consul`\" pulumi-lang-python=\"`consul`\" pulumi-lang-yaml=\"`consul`\" pulumi-lang-java=\"`consul`\"\u003e`consul`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"scheme":{"type":"string","description":"Specifies the URL scheme to use. Defaults to \u003cspan pulumi-lang-nodejs=\"`http`\" pulumi-lang-dotnet=\"`Http`\" pulumi-lang-go=\"`http`\" pulumi-lang-python=\"`http`\" pulumi-lang-yaml=\"`http`\" pulumi-lang-java=\"`http`\"\u003e`http`\u003c/span\u003e.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"token":{"type":"string","description":"Specifies the Consul token to use when managing or issuing new tokens. Mutually exclusive with 'token_wo'.","secret":true},"tokenWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nSpecifies the Consul token to use when managing or issuing new tokens. This field is write-only and will never be stored in state. Mutually exclusive with 'token'. Requires 'token_wo_version' to trigger updates.","secret":true},"tokenWoVersion":{"type":"integer","description":"Version counter for the write-only token. Increment this value to trigger an update \nof the token in Vault. Required when using \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e.\n"}},"requiredInputs":["address"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"address":{"type":"string","description":"Specifies the address of the Consul instance, provided as \"host:port\" like \"127.0.0.1:8500\".\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"bootstrap":{"type":"boolean","description":"Denotes a backend resource that is used to bootstrap the Consul ACL system. Only one resource may be used to bootstrap."},"caCert":{"type":"string","description":"CA certificate to use when verifying Consul server certificate, must be x509 PEM encoded.\n"},"clientCert":{"type":"string","description":"Client certificate used for Consul's TLS communication, must be x509 PEM encoded and if\nthis is set you need to also set client_key.\n","secret":true},"clientKey":{"type":"string","description":"Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert. Mutually exclusive with 'client_key_wo'.","secret":true},"clientKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nClient key used for Consul's TLS communication, must be x509 PEM encoded. This field is write-only and will never be stored in state. Mutually exclusive with 'client_key'. Requires 'client_key_wo_version' to trigger updates.","secret":true},"clientKeyWoVersion":{"type":"integer","description":"Version counter for the write-only client key. Increment this value to trigger \nan update of the client key in Vault. Required when using \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"A human-friendly description for this backend.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Specifies if the secret backend is local only","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique location this backend should be mounted at. Must not begin or end with a `/`. Defaults\nto \u003cspan pulumi-lang-nodejs=\"`consul`\" pulumi-lang-dotnet=\"`Consul`\" pulumi-lang-go=\"`consul`\" pulumi-lang-python=\"`consul`\" pulumi-lang-yaml=\"`consul`\" pulumi-lang-java=\"`consul`\"\u003e`consul`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"scheme":{"type":"string","description":"Specifies the URL scheme to use. Defaults to \u003cspan pulumi-lang-nodejs=\"`http`\" pulumi-lang-dotnet=\"`Http`\" pulumi-lang-go=\"`http`\" pulumi-lang-python=\"`http`\" pulumi-lang-yaml=\"`http`\" pulumi-lang-java=\"`http`\"\u003e`http`\u003c/span\u003e.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"token":{"type":"string","description":"Specifies the Consul token to use when managing or issuing new tokens. Mutually exclusive with 'token_wo'.","secret":true},"tokenWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nSpecifies the Consul token to use when managing or issuing new tokens. This field is write-only and will never be stored in state. Mutually exclusive with 'token'. Requires 'token_wo_version' to trigger updates.","secret":true},"tokenWoVersion":{"type":"integer","description":"Version counter for the write-only token. Increment this value to trigger an update \nof the token in Vault. Required when using \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e.\n"}},"type":"object"}},"vault:consul/secretBackendRole:SecretBackendRole":{"description":"Manages a Consul secrets role for a Consul secrets engine in Vault. Consul secret backends can then issue Consul tokens.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.consul.SecretBackend(\"test\", {\n    path: \"consul\",\n    description: \"Manages the Consul backend\",\n    address: \"127.0.0.1:8500\",\n    token: \"4240861b-ce3d-8530-115a-521ff070dd29\",\n});\nconst example = new vault.consul.SecretBackendRole(\"example\", {\n    name: \"test-role\",\n    backend: test.path,\n    consulPolicies: [\"example-policy\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.consul.SecretBackend(\"test\",\n    path=\"consul\",\n    description=\"Manages the Consul backend\",\n    address=\"127.0.0.1:8500\",\n    token=\"4240861b-ce3d-8530-115a-521ff070dd29\")\nexample = vault.consul.SecretBackendRole(\"example\",\n    name=\"test-role\",\n    backend=test.path,\n    consul_policies=[\"example-policy\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.Consul.SecretBackend(\"test\", new()\n    {\n        Path = \"consul\",\n        Description = \"Manages the Consul backend\",\n        Address = \"127.0.0.1:8500\",\n        Token = \"4240861b-ce3d-8530-115a-521ff070dd29\",\n    });\n\n    var example = new Vault.Consul.SecretBackendRole(\"example\", new()\n    {\n        Name = \"test-role\",\n        Backend = test.Path,\n        ConsulPolicies = new[]\n        {\n            \"example-policy\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/consul\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttest, err := consul.NewSecretBackend(ctx, \"test\", \u0026consul.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"consul\"),\n\t\t\tDescription: pulumi.String(\"Manages the Consul backend\"),\n\t\t\tAddress:     pulumi.String(\"127.0.0.1:8500\"),\n\t\t\tToken:       pulumi.String(\"4240861b-ce3d-8530-115a-521ff070dd29\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = consul.NewSecretBackendRole(ctx, \"example\", \u0026consul.SecretBackendRoleArgs{\n\t\t\tName:    pulumi.String(\"test-role\"),\n\t\t\tBackend: test.Path,\n\t\t\tConsulPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"example-policy\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.consul.SecretBackend;\nimport com.pulumi.vault.consul.SecretBackendArgs;\nimport com.pulumi.vault.consul.SecretBackendRole;\nimport com.pulumi.vault.consul.SecretBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new SecretBackend(\"test\", SecretBackendArgs.builder()\n            .path(\"consul\")\n            .description(\"Manages the Consul backend\")\n            .address(\"127.0.0.1:8500\")\n            .token(\"4240861b-ce3d-8530-115a-521ff070dd29\")\n            .build());\n\n        var example = new SecretBackendRole(\"example\", SecretBackendRoleArgs.builder()\n            .name(\"test-role\")\n            .backend(test.path())\n            .consulPolicies(\"example-policy\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:consul:SecretBackend\n    properties:\n      path: consul\n      description: Manages the Consul backend\n      address: 127.0.0.1:8500\n      token: 4240861b-ce3d-8530-115a-521ff070dd29\n  example:\n    type: vault:consul:SecretBackendRole\n    properties:\n      name: test-role\n      backend: ${test.path}\n      consulPolicies:\n        - example-policy\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Note About Required Arguments\n\n*At least one* of the four arguments \u003cspan pulumi-lang-nodejs=\"`consulPolicies`\" pulumi-lang-dotnet=\"`ConsulPolicies`\" pulumi-lang-go=\"`consulPolicies`\" pulumi-lang-python=\"`consul_policies`\" pulumi-lang-yaml=\"`consulPolicies`\" pulumi-lang-java=\"`consulPolicies`\"\u003e`consul_policies`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`consulRoles`\" pulumi-lang-dotnet=\"`ConsulRoles`\" pulumi-lang-go=\"`consulRoles`\" pulumi-lang-python=\"`consul_roles`\" pulumi-lang-yaml=\"`consulRoles`\" pulumi-lang-java=\"`consulRoles`\"\u003e`consul_roles`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceIdentities`\" pulumi-lang-dotnet=\"`ServiceIdentities`\" pulumi-lang-go=\"`serviceIdentities`\" pulumi-lang-python=\"`service_identities`\" pulumi-lang-yaml=\"`serviceIdentities`\" pulumi-lang-java=\"`serviceIdentities`\"\u003e`service_identities`\u003c/span\u003e, or\n\u003cspan pulumi-lang-nodejs=\"`nodeIdentities`\" pulumi-lang-dotnet=\"`NodeIdentities`\" pulumi-lang-go=\"`nodeIdentities`\" pulumi-lang-python=\"`node_identities`\" pulumi-lang-yaml=\"`nodeIdentities`\" pulumi-lang-java=\"`nodeIdentities`\"\u003e`node_identities`\u003c/span\u003e is required for a token. If desired, any combination of the four arguments up-to and\nincluding all four, is valid.\n\n## Import\n\nConsul secret backend roles can be imported using the `backend`, `/roles/`, and the `name` e.g.\n\n```sh\n$ pulumi import vault:consul/secretBackendRole:SecretBackendRole example consul/roles/my-role\n```\n","properties":{"backend":{"type":"string","description":"The unique name of an existing Consul secrets backend mount. Must not begin or end with a `/`. One of \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`backend`\" pulumi-lang-dotnet=\"`Backend`\" pulumi-lang-go=\"`backend`\" pulumi-lang-python=\"`backend`\" pulumi-lang-yaml=\"`backend`\" pulumi-lang-java=\"`backend`\"\u003e`backend`\u003c/span\u003e is required.\n"},"consulNamespace":{"type":"string","description":"The Consul namespace that the token will be created in.\nApplicable for Vault 1.10+ and Consul 1.7+\".\n"},"consulPolicies":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e The list of Consul ACL policies to associate with these roles.\n"},"consulRoles":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e Set of Consul roles to attach to the token.\nApplicable for Vault 1.10+ with Consul 1.5+.\n"},"local":{"type":"boolean","description":"Indicates that the token should not be replicated globally and instead be local to the current datacenter.\n"},"maxTtl":{"type":"integer","description":"Maximum TTL for leases associated with this role, in seconds.\n"},"name":{"type":"string","description":"The name of the Consul secrets engine role to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"nodeIdentities":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e Set of Consul node\nidentities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+.\n"},"partition":{"type":"string","description":"The admin partition that the token will be created in.\nApplicable for Vault 1.10+ and Consul 1.11+\".\n"},"policies":{"type":"array","items":{"type":"string"},"description":"The list of Consul ACL policies to associate with these roles.\n**NOTE:** The new parameter \u003cspan pulumi-lang-nodejs=\"`consulPolicies`\" pulumi-lang-dotnet=\"`ConsulPolicies`\" pulumi-lang-go=\"`consulPolicies`\" pulumi-lang-python=\"`consul_policies`\" pulumi-lang-yaml=\"`consulPolicies`\" pulumi-lang-java=\"`consulPolicies`\"\u003e`consul_policies`\u003c/span\u003e should be used in favor of this. This parameter,\n\u003cspan pulumi-lang-nodejs=\"`policies`\" pulumi-lang-dotnet=\"`Policies`\" pulumi-lang-go=\"`policies`\" pulumi-lang-python=\"`policies`\" pulumi-lang-yaml=\"`policies`\" pulumi-lang-java=\"`policies`\"\u003e`policies`\u003c/span\u003e, remains supported for legacy users, but Vault has deprecated this field.\n"},"serviceIdentities":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e Set of Consul\nservice identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+.\n"},"ttl":{"type":"integer","description":"Specifies the TTL for this role.\n"}},"required":["consulNamespace","name","partition"],"inputProperties":{"backend":{"type":"string","description":"The unique name of an existing Consul secrets backend mount. Must not begin or end with a `/`. One of \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`backend`\" pulumi-lang-dotnet=\"`Backend`\" pulumi-lang-go=\"`backend`\" pulumi-lang-python=\"`backend`\" pulumi-lang-yaml=\"`backend`\" pulumi-lang-java=\"`backend`\"\u003e`backend`\u003c/span\u003e is required.\n","willReplaceOnChanges":true},"consulNamespace":{"type":"string","description":"The Consul namespace that the token will be created in.\nApplicable for Vault 1.10+ and Consul 1.7+\".\n"},"consulPolicies":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e The list of Consul ACL policies to associate with these roles.\n"},"consulRoles":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e Set of Consul roles to attach to the token.\nApplicable for Vault 1.10+ with Consul 1.5+.\n"},"local":{"type":"boolean","description":"Indicates that the token should not be replicated globally and instead be local to the current datacenter.\n"},"maxTtl":{"type":"integer","description":"Maximum TTL for leases associated with this role, in seconds.\n"},"name":{"type":"string","description":"The name of the Consul secrets engine role to create.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"nodeIdentities":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e Set of Consul node\nidentities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+.\n"},"partition":{"type":"string","description":"The admin partition that the token will be created in.\nApplicable for Vault 1.10+ and Consul 1.11+\".\n"},"policies":{"type":"array","items":{"type":"string"},"description":"The list of Consul ACL policies to associate with these roles.\n**NOTE:** The new parameter \u003cspan pulumi-lang-nodejs=\"`consulPolicies`\" pulumi-lang-dotnet=\"`ConsulPolicies`\" pulumi-lang-go=\"`consulPolicies`\" pulumi-lang-python=\"`consul_policies`\" pulumi-lang-yaml=\"`consulPolicies`\" pulumi-lang-java=\"`consulPolicies`\"\u003e`consul_policies`\u003c/span\u003e should be used in favor of this. This parameter,\n\u003cspan pulumi-lang-nodejs=\"`policies`\" pulumi-lang-dotnet=\"`Policies`\" pulumi-lang-go=\"`policies`\" pulumi-lang-python=\"`policies`\" pulumi-lang-yaml=\"`policies`\" pulumi-lang-java=\"`policies`\"\u003e`policies`\u003c/span\u003e, remains supported for legacy users, but Vault has deprecated this field.\n"},"serviceIdentities":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e Set of Consul\nservice identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+.\n"},"ttl":{"type":"integer","description":"Specifies the TTL for this role.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendRole resources.\n","properties":{"backend":{"type":"string","description":"The unique name of an existing Consul secrets backend mount. Must not begin or end with a `/`. One of \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`backend`\" pulumi-lang-dotnet=\"`Backend`\" pulumi-lang-go=\"`backend`\" pulumi-lang-python=\"`backend`\" pulumi-lang-yaml=\"`backend`\" pulumi-lang-java=\"`backend`\"\u003e`backend`\u003c/span\u003e is required.\n","willReplaceOnChanges":true},"consulNamespace":{"type":"string","description":"The Consul namespace that the token will be created in.\nApplicable for Vault 1.10+ and Consul 1.7+\".\n"},"consulPolicies":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e The list of Consul ACL policies to associate with these roles.\n"},"consulRoles":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e Set of Consul roles to attach to the token.\nApplicable for Vault 1.10+ with Consul 1.5+.\n"},"local":{"type":"boolean","description":"Indicates that the token should not be replicated globally and instead be local to the current datacenter.\n"},"maxTtl":{"type":"integer","description":"Maximum TTL for leases associated with this role, in seconds.\n"},"name":{"type":"string","description":"The name of the Consul secrets engine role to create.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"nodeIdentities":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e Set of Consul node\nidentities to attach to the token. Applicable for Vault 1.11+ with Consul 1.8+.\n"},"partition":{"type":"string","description":"The admin partition that the token will be created in.\nApplicable for Vault 1.10+ and Consul 1.11+\".\n"},"policies":{"type":"array","items":{"type":"string"},"description":"The list of Consul ACL policies to associate with these roles.\n**NOTE:** The new parameter \u003cspan pulumi-lang-nodejs=\"`consulPolicies`\" pulumi-lang-dotnet=\"`ConsulPolicies`\" pulumi-lang-go=\"`consulPolicies`\" pulumi-lang-python=\"`consul_policies`\" pulumi-lang-yaml=\"`consulPolicies`\" pulumi-lang-java=\"`consulPolicies`\"\u003e`consul_policies`\u003c/span\u003e should be used in favor of this. This parameter,\n\u003cspan pulumi-lang-nodejs=\"`policies`\" pulumi-lang-dotnet=\"`Policies`\" pulumi-lang-go=\"`policies`\" pulumi-lang-python=\"`policies`\" pulumi-lang-yaml=\"`policies`\" pulumi-lang-java=\"`policies`\"\u003e`policies`\u003c/span\u003e, remains supported for legacy users, but Vault has deprecated this field.\n"},"serviceIdentities":{"type":"array","items":{"type":"string"},"description":"\u003csup\u003e\u003ca href=\"#note-about-required-arguments\"\u003eSEE NOTE\u003c/a\u003e\u003c/sup\u003e Set of Consul\nservice identities to attach to the token. Applicable for Vault 1.11+ with Consul 1.5+.\n"},"ttl":{"type":"integer","description":"Specifies the TTL for this role.\n"}},"type":"object"}},"vault:database/secretBackendConnection:SecretBackendConnection":{"description":"## Example Usage\n\n### PostgreSQL Connection\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst db = new vault.Mount(\"db\", {\n    path: \"postgres\",\n    type: \"database\",\n});\nconst postgres = new vault.database.SecretBackendConnection(\"postgres\", {\n    backend: db.path,\n    name: \"postgres\",\n    allowedRoles: [\n        \"dev\",\n        \"prod\",\n    ],\n    rotationSchedule: \"0 * * * SAT\",\n    rotationWindow: 3600,\n    postgresql: {\n        connectionUrl: \"postgres://username:password@host:port/database\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ndb = vault.Mount(\"db\",\n    path=\"postgres\",\n    type=\"database\")\npostgres = vault.database.SecretBackendConnection(\"postgres\",\n    backend=db.path,\n    name=\"postgres\",\n    allowed_roles=[\n        \"dev\",\n        \"prod\",\n    ],\n    rotation_schedule=\"0 * * * SAT\",\n    rotation_window=3600,\n    postgresql={\n        \"connection_url\": \"postgres://username:password@host:port/database\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var db = new Vault.Mount(\"db\", new()\n    {\n        Path = \"postgres\",\n        Type = \"database\",\n    });\n\n    var postgres = new Vault.Database.SecretBackendConnection(\"postgres\", new()\n    {\n        Backend = db.Path,\n        Name = \"postgres\",\n        AllowedRoles = new[]\n        {\n            \"dev\",\n            \"prod\",\n        },\n        RotationSchedule = \"0 * * * SAT\",\n        RotationWindow = 3600,\n        Postgresql = new Vault.Database.Inputs.SecretBackendConnectionPostgresqlArgs\n        {\n            ConnectionUrl = \"postgres://username:password@host:port/database\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/database\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tdb, err := vault.NewMount(ctx, \"db\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"postgres\"),\n\t\t\tType: pulumi.String(\"database\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = database.NewSecretBackendConnection(ctx, \"postgres\", \u0026database.SecretBackendConnectionArgs{\n\t\t\tBackend: db.Path,\n\t\t\tName:    pulumi.String(\"postgres\"),\n\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t\tRotationSchedule: pulumi.String(\"0 * * * SAT\"),\n\t\t\tRotationWindow:   pulumi.Int(3600),\n\t\t\tPostgresql: \u0026database.SecretBackendConnectionPostgresqlArgs{\n\t\t\t\tConnectionUrl: pulumi.String(\"postgres://username:password@host:port/database\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.database.SecretBackendConnection;\nimport com.pulumi.vault.database.SecretBackendConnectionArgs;\nimport com.pulumi.vault.database.inputs.SecretBackendConnectionPostgresqlArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var db = new Mount(\"db\", MountArgs.builder()\n            .path(\"postgres\")\n            .type(\"database\")\n            .build());\n\n        var postgres = new SecretBackendConnection(\"postgres\", SecretBackendConnectionArgs.builder()\n            .backend(db.path())\n            .name(\"postgres\")\n            .allowedRoles(            \n                \"dev\",\n                \"prod\")\n            .rotationSchedule(\"0 * * * SAT\")\n            .rotationWindow(3600)\n            .postgresql(SecretBackendConnectionPostgresqlArgs.builder()\n                .connectionUrl(\"postgres://username:password@host:port/database\")\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  db:\n    type: vault:Mount\n    properties:\n      path: postgres\n      type: database\n  postgres:\n    type: vault:database:SecretBackendConnection\n    properties:\n      backend: ${db.path}\n      name: postgres\n      allowedRoles:\n        - dev\n        - prod\n      rotationSchedule: 0 * * * SAT\n      rotationWindow: 3600\n      postgresql:\n        connectionUrl: postgres://username:password@host:port/database\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Oracle Connection with Self-Managed Mode (Rootless)\n\nFor Vault 1.18+ Enterprise, you can configure Oracle connections in self-managed mode,\nwhich allows a static role to manage its own database credentials without requiring root access:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst db = new vault.Mount(\"db\", {\n    path: \"database\",\n    type: \"database\",\n});\nconst oracle = new vault.database.SecretBackendConnection(\"oracle\", {\n    backend: db.path,\n    name: \"oracle\",\n    allowedRoles: [\"my-role\"],\n    oracle: {\n        connectionUrl: \"{{username}}/{{password}}@//host:port/service\",\n        selfManaged: true,\n        pluginName: \"vault-plugin-database-oracle\",\n    },\n});\nconst oracleRole = new vault.database.SecretBackendStaticRole(\"oracle_role\", {\n    backend: db.path,\n    name: \"my-role\",\n    dbName: oracle.name,\n    username: \"vault_user\",\n    passwordWo: \"initial-password\",\n    passwordWoVersion: 1,\n    rotationPeriod: 3600,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ndb = vault.Mount(\"db\",\n    path=\"database\",\n    type=\"database\")\noracle = vault.database.SecretBackendConnection(\"oracle\",\n    backend=db.path,\n    name=\"oracle\",\n    allowed_roles=[\"my-role\"],\n    oracle={\n        \"connection_url\": \"{{username}}/{{password}}@//host:port/service\",\n        \"self_managed\": True,\n        \"plugin_name\": \"vault-plugin-database-oracle\",\n    })\noracle_role = vault.database.SecretBackendStaticRole(\"oracle_role\",\n    backend=db.path,\n    name=\"my-role\",\n    db_name=oracle.name,\n    username=\"vault_user\",\n    password_wo=\"initial-password\",\n    password_wo_version=1,\n    rotation_period=3600)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var db = new Vault.Mount(\"db\", new()\n    {\n        Path = \"database\",\n        Type = \"database\",\n    });\n\n    var oracle = new Vault.Database.SecretBackendConnection(\"oracle\", new()\n    {\n        Backend = db.Path,\n        Name = \"oracle\",\n        AllowedRoles = new[]\n        {\n            \"my-role\",\n        },\n        Oracle = new Vault.Database.Inputs.SecretBackendConnectionOracleArgs\n        {\n            ConnectionUrl = \"{{username}}/{{password}}@//host:port/service\",\n            SelfManaged = true,\n            PluginName = \"vault-plugin-database-oracle\",\n        },\n    });\n\n    var oracleRole = new Vault.Database.SecretBackendStaticRole(\"oracle_role\", new()\n    {\n        Backend = db.Path,\n        Name = \"my-role\",\n        DbName = oracle.Name,\n        Username = \"vault_user\",\n        PasswordWo = \"initial-password\",\n        PasswordWoVersion = 1,\n        RotationPeriod = 3600,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/database\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tdb, err := vault.NewMount(ctx, \"db\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"database\"),\n\t\t\tType: pulumi.String(\"database\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\toracle, err := database.NewSecretBackendConnection(ctx, \"oracle\", \u0026database.SecretBackendConnectionArgs{\n\t\t\tBackend: db.Path,\n\t\t\tName:    pulumi.String(\"oracle\"),\n\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"my-role\"),\n\t\t\t},\n\t\t\tOracle: \u0026database.SecretBackendConnectionOracleArgs{\n\t\t\t\tConnectionUrl: pulumi.String(\"{{username}}/{{password}}@//host:port/service\"),\n\t\t\t\tSelfManaged:   pulumi.Bool(true),\n\t\t\t\tPluginName:    \"vault-plugin-database-oracle\",\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = database.NewSecretBackendStaticRole(ctx, \"oracle_role\", \u0026database.SecretBackendStaticRoleArgs{\n\t\t\tBackend:           db.Path,\n\t\t\tName:              pulumi.String(\"my-role\"),\n\t\t\tDbName:            oracle.Name,\n\t\t\tUsername:          pulumi.String(\"vault_user\"),\n\t\t\tPasswordWo:        pulumi.String(\"initial-password\"),\n\t\t\tPasswordWoVersion: pulumi.Int(1),\n\t\t\tRotationPeriod:    pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.database.SecretBackendConnection;\nimport com.pulumi.vault.database.SecretBackendConnectionArgs;\nimport com.pulumi.vault.database.inputs.SecretBackendConnectionOracleArgs;\nimport com.pulumi.vault.database.SecretBackendStaticRole;\nimport com.pulumi.vault.database.SecretBackendStaticRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var db = new Mount(\"db\", MountArgs.builder()\n            .path(\"database\")\n            .type(\"database\")\n            .build());\n\n        var oracle = new SecretBackendConnection(\"oracle\", SecretBackendConnectionArgs.builder()\n            .backend(db.path())\n            .name(\"oracle\")\n            .allowedRoles(\"my-role\")\n            .oracle(SecretBackendConnectionOracleArgs.builder()\n                .connectionUrl(\"{{username}}/{{password}}@//host:port/service\")\n                .selfManaged(true)\n                .pluginName(\"vault-plugin-database-oracle\")\n                .build())\n            .build());\n\n        var oracleRole = new SecretBackendStaticRole(\"oracleRole\", SecretBackendStaticRoleArgs.builder()\n            .backend(db.path())\n            .name(\"my-role\")\n            .dbName(oracle.name())\n            .username(\"vault_user\")\n            .passwordWo(\"initial-password\")\n            .passwordWoVersion(1)\n            .rotationPeriod(3600)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  db:\n    type: vault:Mount\n    properties:\n      path: database\n      type: database\n  oracle:\n    type: vault:database:SecretBackendConnection\n    properties:\n      backend: ${db.path}\n      name: oracle\n      allowedRoles:\n        - my-role\n      oracle:\n        connectionUrl: '{{username}}/{{password}}@//host:port/service'\n        selfManaged: true\n        pluginName: vault-plugin-database-oracle\n  oracleRole:\n    type: vault:database:SecretBackendStaticRole\n    name: oracle_role\n    properties:\n      backend: ${db.path}\n      name: my-role\n      dbName: ${oracle.name}\n      username: vault_user\n      passwordWo: initial-password\n      passwordWoVersion: 1\n      rotationPeriod: 3600\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Ephemeral Attributes Reference\n\nThe following write-only attributes are supported for all DBs that support username/password:\n\n* \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e - (Optional) The password for the user. Can be updated.\n  **Note**: This property is write-only and will not be read from the API.\n\nThe following write-only attribute is supported only for Snowflake DB:\n\n* \u003cspan pulumi-lang-nodejs=\"`privateKeyWo`\" pulumi-lang-dotnet=\"`PrivateKeyWo`\" pulumi-lang-go=\"`privateKeyWo`\" pulumi-lang-python=\"`private_key_wo`\" pulumi-lang-yaml=\"`privateKeyWo`\" pulumi-lang-java=\"`privateKeyWo`\"\u003e`private_key_wo`\u003c/span\u003e - (Optional) The private key associated with the Snowflake user.\n  **Note**: This property is write-only and will not be read from the API.\n\n## Import\n\nDatabase secret backend connections can be imported using the `backend`, `/config/`, and the `name` e.g.\n\n```sh\n$ pulumi import vault:database/secretBackendConnection:SecretBackendConnection example postgres/config/postgres\n```\n","properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"backend":{"type":"string","description":"The unique name of the Vault mount to configure.\n"},"cassandra":{"$ref":"#/types/vault:database/SecretBackendConnectionCassandra:SecretBackendConnectionCassandra","description":"A nested block containing configuration options for Cassandra connections.\n"},"couchbase":{"$ref":"#/types/vault:database/SecretBackendConnectionCouchbase:SecretBackendConnectionCouchbase","description":"A nested block containing configuration options for Couchbase connections.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"elasticsearch":{"$ref":"#/types/vault:database/SecretBackendConnectionElasticsearch:SecretBackendConnectionElasticsearch","description":"A nested block containing configuration options for Elasticsearch connections.\n"},"hana":{"$ref":"#/types/vault:database/SecretBackendConnectionHana:SecretBackendConnectionHana","description":"A nested block containing configuration options for SAP HanaDB connections.\n"},"influxdb":{"$ref":"#/types/vault:database/SecretBackendConnectionInfluxdb:SecretBackendConnectionInfluxdb","description":"A nested block containing configuration options for InfluxDB connections.\n"},"mongodb":{"$ref":"#/types/vault:database/SecretBackendConnectionMongodb:SecretBackendConnectionMongodb","description":"A nested block containing configuration options for MongoDB connections.\n"},"mongodbatlas":{"$ref":"#/types/vault:database/SecretBackendConnectionMongodbatlas:SecretBackendConnectionMongodbatlas","description":"A nested block containing configuration options for MongoDB Atlas connections.\n"},"mssql":{"$ref":"#/types/vault:database/SecretBackendConnectionMssql:SecretBackendConnectionMssql","description":"A nested block containing configuration options for MSSQL connections.\n"},"mysql":{"$ref":"#/types/vault:database/SecretBackendConnectionMysql:SecretBackendConnectionMysql","description":"A nested block containing configuration options for MySQL connections.\n"},"mysqlAurora":{"$ref":"#/types/vault:database/SecretBackendConnectionMysqlAurora:SecretBackendConnectionMysqlAurora","description":"A nested block containing configuration options for Aurora MySQL connections.\n"},"mysqlLegacy":{"$ref":"#/types/vault:database/SecretBackendConnectionMysqlLegacy:SecretBackendConnectionMysqlLegacy","description":"A nested block containing configuration options for legacy MySQL connections.\n"},"mysqlRds":{"$ref":"#/types/vault:database/SecretBackendConnectionMysqlRds:SecretBackendConnectionMysqlRds","description":"A nested block containing configuration options for RDS MySQL connections.\n"},"name":{"type":"string","description":"A unique name to give the database connection.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n"},"oracle":{"$ref":"#/types/vault:database/SecretBackendConnectionOracle:SecretBackendConnectionOracle","description":"A nested block containing configuration options for Oracle connections.\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"postgresql":{"$ref":"#/types/vault:database/SecretBackendConnectionPostgresql:SecretBackendConnectionPostgresql","description":"A nested block containing configuration options for PostgreSQL connections.\n"},"redis":{"$ref":"#/types/vault:database/SecretBackendConnectionRedis:SecretBackendConnectionRedis","description":"A nested block containing configuration options for Redis connections.\n"},"redisElasticache":{"$ref":"#/types/vault:database/SecretBackendConnectionRedisElasticache:SecretBackendConnectionRedisElasticache","description":"A nested block containing configuration options for Redis ElastiCache connections.\n\nExactly one of the nested blocks of configuration options must be supplied.\n"},"redshift":{"$ref":"#/types/vault:database/SecretBackendConnectionRedshift:SecretBackendConnectionRedshift","description":"Connection parameters for the redshift-database-plugin plugin."},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"snowflake":{"$ref":"#/types/vault:database/SecretBackendConnectionSnowflake:SecretBackendConnectionSnowflake","description":"A nested block containing configuration options for Snowflake connections.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"required":["backend","name","pluginName"],"inputProperties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"backend":{"type":"string","description":"The unique name of the Vault mount to configure.\n","willReplaceOnChanges":true},"cassandra":{"$ref":"#/types/vault:database/SecretBackendConnectionCassandra:SecretBackendConnectionCassandra","description":"A nested block containing configuration options for Cassandra connections.\n"},"couchbase":{"$ref":"#/types/vault:database/SecretBackendConnectionCouchbase:SecretBackendConnectionCouchbase","description":"A nested block containing configuration options for Couchbase connections.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"elasticsearch":{"$ref":"#/types/vault:database/SecretBackendConnectionElasticsearch:SecretBackendConnectionElasticsearch","description":"A nested block containing configuration options for Elasticsearch connections.\n"},"hana":{"$ref":"#/types/vault:database/SecretBackendConnectionHana:SecretBackendConnectionHana","description":"A nested block containing configuration options for SAP HanaDB connections.\n"},"influxdb":{"$ref":"#/types/vault:database/SecretBackendConnectionInfluxdb:SecretBackendConnectionInfluxdb","description":"A nested block containing configuration options for InfluxDB connections.\n"},"mongodb":{"$ref":"#/types/vault:database/SecretBackendConnectionMongodb:SecretBackendConnectionMongodb","description":"A nested block containing configuration options for MongoDB connections.\n"},"mongodbatlas":{"$ref":"#/types/vault:database/SecretBackendConnectionMongodbatlas:SecretBackendConnectionMongodbatlas","description":"A nested block containing configuration options for MongoDB Atlas connections.\n"},"mssql":{"$ref":"#/types/vault:database/SecretBackendConnectionMssql:SecretBackendConnectionMssql","description":"A nested block containing configuration options for MSSQL connections.\n"},"mysql":{"$ref":"#/types/vault:database/SecretBackendConnectionMysql:SecretBackendConnectionMysql","description":"A nested block containing configuration options for MySQL connections.\n"},"mysqlAurora":{"$ref":"#/types/vault:database/SecretBackendConnectionMysqlAurora:SecretBackendConnectionMysqlAurora","description":"A nested block containing configuration options for Aurora MySQL connections.\n"},"mysqlLegacy":{"$ref":"#/types/vault:database/SecretBackendConnectionMysqlLegacy:SecretBackendConnectionMysqlLegacy","description":"A nested block containing configuration options for legacy MySQL connections.\n"},"mysqlRds":{"$ref":"#/types/vault:database/SecretBackendConnectionMysqlRds:SecretBackendConnectionMysqlRds","description":"A nested block containing configuration options for RDS MySQL connections.\n"},"name":{"type":"string","description":"A unique name to give the database connection.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"oracle":{"$ref":"#/types/vault:database/SecretBackendConnectionOracle:SecretBackendConnectionOracle","description":"A nested block containing configuration options for Oracle connections.\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"postgresql":{"$ref":"#/types/vault:database/SecretBackendConnectionPostgresql:SecretBackendConnectionPostgresql","description":"A nested block containing configuration options for PostgreSQL connections.\n"},"redis":{"$ref":"#/types/vault:database/SecretBackendConnectionRedis:SecretBackendConnectionRedis","description":"A nested block containing configuration options for Redis connections.\n"},"redisElasticache":{"$ref":"#/types/vault:database/SecretBackendConnectionRedisElasticache:SecretBackendConnectionRedisElasticache","description":"A nested block containing configuration options for Redis ElastiCache connections.\n\nExactly one of the nested blocks of configuration options must be supplied.\n"},"redshift":{"$ref":"#/types/vault:database/SecretBackendConnectionRedshift:SecretBackendConnectionRedshift","description":"Connection parameters for the redshift-database-plugin plugin."},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"snowflake":{"$ref":"#/types/vault:database/SecretBackendConnectionSnowflake:SecretBackendConnectionSnowflake","description":"A nested block containing configuration options for Snowflake connections.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendConnection resources.\n","properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"A list of roles that are allowed to use this\nconnection.\n"},"backend":{"type":"string","description":"The unique name of the Vault mount to configure.\n","willReplaceOnChanges":true},"cassandra":{"$ref":"#/types/vault:database/SecretBackendConnectionCassandra:SecretBackendConnectionCassandra","description":"A nested block containing configuration options for Cassandra connections.\n"},"couchbase":{"$ref":"#/types/vault:database/SecretBackendConnectionCouchbase:SecretBackendConnectionCouchbase","description":"A nested block containing configuration options for Couchbase connections.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A map of sensitive data to pass to the endpoint. Useful for templated connection strings.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"elasticsearch":{"$ref":"#/types/vault:database/SecretBackendConnectionElasticsearch:SecretBackendConnectionElasticsearch","description":"A nested block containing configuration options for Elasticsearch connections.\n"},"hana":{"$ref":"#/types/vault:database/SecretBackendConnectionHana:SecretBackendConnectionHana","description":"A nested block containing configuration options for SAP HanaDB connections.\n"},"influxdb":{"$ref":"#/types/vault:database/SecretBackendConnectionInfluxdb:SecretBackendConnectionInfluxdb","description":"A nested block containing configuration options for InfluxDB connections.\n"},"mongodb":{"$ref":"#/types/vault:database/SecretBackendConnectionMongodb:SecretBackendConnectionMongodb","description":"A nested block containing configuration options for MongoDB connections.\n"},"mongodbatlas":{"$ref":"#/types/vault:database/SecretBackendConnectionMongodbatlas:SecretBackendConnectionMongodbatlas","description":"A nested block containing configuration options for MongoDB Atlas connections.\n"},"mssql":{"$ref":"#/types/vault:database/SecretBackendConnectionMssql:SecretBackendConnectionMssql","description":"A nested block containing configuration options for MSSQL connections.\n"},"mysql":{"$ref":"#/types/vault:database/SecretBackendConnectionMysql:SecretBackendConnectionMysql","description":"A nested block containing configuration options for MySQL connections.\n"},"mysqlAurora":{"$ref":"#/types/vault:database/SecretBackendConnectionMysqlAurora:SecretBackendConnectionMysqlAurora","description":"A nested block containing configuration options for Aurora MySQL connections.\n"},"mysqlLegacy":{"$ref":"#/types/vault:database/SecretBackendConnectionMysqlLegacy:SecretBackendConnectionMysqlLegacy","description":"A nested block containing configuration options for legacy MySQL connections.\n"},"mysqlRds":{"$ref":"#/types/vault:database/SecretBackendConnectionMysqlRds:SecretBackendConnectionMysqlRds","description":"A nested block containing configuration options for RDS MySQL connections.\n"},"name":{"type":"string","description":"A unique name to give the database connection.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"oracle":{"$ref":"#/types/vault:database/SecretBackendConnectionOracle:SecretBackendConnectionOracle","description":"A nested block containing configuration options for Oracle connections.\n"},"pluginName":{"type":"string","description":"Specifies the name of the plugin to use.\n"},"postgresql":{"$ref":"#/types/vault:database/SecretBackendConnectionPostgresql:SecretBackendConnectionPostgresql","description":"A nested block containing configuration options for PostgreSQL connections.\n"},"redis":{"$ref":"#/types/vault:database/SecretBackendConnectionRedis:SecretBackendConnectionRedis","description":"A nested block containing configuration options for Redis connections.\n"},"redisElasticache":{"$ref":"#/types/vault:database/SecretBackendConnectionRedisElasticache:SecretBackendConnectionRedisElasticache","description":"A nested block containing configuration options for Redis ElastiCache connections.\n\nExactly one of the nested blocks of configuration options must be supplied.\n"},"redshift":{"$ref":"#/types/vault:database/SecretBackendConnectionRedshift:SecretBackendConnectionRedshift","description":"Connection parameters for the redshift-database-plugin plugin."},"rootRotationStatements":{"type":"array","items":{"type":"string"},"description":"A list of database statements to be executed to rotate the root user's credentials.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"snowflake":{"$ref":"#/types/vault:database/SecretBackendConnectionSnowflake:SecretBackendConnectionSnowflake","description":"A nested block containing configuration options for Snowflake connections.\n"},"verifyConnection":{"type":"boolean","description":"Whether the connection should be verified on\ninitial configuration or not.\n"}},"type":"object"}},"vault:database/secretBackendRole:SecretBackendRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst db = new vault.Mount(\"db\", {\n    path: \"postgres\",\n    type: \"database\",\n});\nconst postgres = new vault.database.SecretBackendConnection(\"postgres\", {\n    backend: db.path,\n    name: \"postgres\",\n    allowedRoles: [\n        \"dev\",\n        \"prod\",\n    ],\n    postgresql: {\n        connectionUrl: \"postgres://username:password@host:port/database\",\n    },\n});\nconst role = new vault.database.SecretBackendRole(\"role\", {\n    backend: db.path,\n    name: \"dev\",\n    dbName: postgres.name,\n    creationStatements: [\"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ndb = vault.Mount(\"db\",\n    path=\"postgres\",\n    type=\"database\")\npostgres = vault.database.SecretBackendConnection(\"postgres\",\n    backend=db.path,\n    name=\"postgres\",\n    allowed_roles=[\n        \"dev\",\n        \"prod\",\n    ],\n    postgresql={\n        \"connection_url\": \"postgres://username:password@host:port/database\",\n    })\nrole = vault.database.SecretBackendRole(\"role\",\n    backend=db.path,\n    name=\"dev\",\n    db_name=postgres.name,\n    creation_statements=[\"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var db = new Vault.Mount(\"db\", new()\n    {\n        Path = \"postgres\",\n        Type = \"database\",\n    });\n\n    var postgres = new Vault.Database.SecretBackendConnection(\"postgres\", new()\n    {\n        Backend = db.Path,\n        Name = \"postgres\",\n        AllowedRoles = new[]\n        {\n            \"dev\",\n            \"prod\",\n        },\n        Postgresql = new Vault.Database.Inputs.SecretBackendConnectionPostgresqlArgs\n        {\n            ConnectionUrl = \"postgres://username:password@host:port/database\",\n        },\n    });\n\n    var role = new Vault.Database.SecretBackendRole(\"role\", new()\n    {\n        Backend = db.Path,\n        Name = \"dev\",\n        DbName = postgres.Name,\n        CreationStatements = new[]\n        {\n            \"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/database\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tdb, err := vault.NewMount(ctx, \"db\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"postgres\"),\n\t\t\tType: pulumi.String(\"database\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpostgres, err := database.NewSecretBackendConnection(ctx, \"postgres\", \u0026database.SecretBackendConnectionArgs{\n\t\t\tBackend: db.Path,\n\t\t\tName:    pulumi.String(\"postgres\"),\n\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t\tPostgresql: \u0026database.SecretBackendConnectionPostgresqlArgs{\n\t\t\t\tConnectionUrl: pulumi.String(\"postgres://username:password@host:port/database\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = database.NewSecretBackendRole(ctx, \"role\", \u0026database.SecretBackendRoleArgs{\n\t\t\tBackend: db.Path,\n\t\t\tName:    pulumi.String(\"dev\"),\n\t\t\tDbName:  postgres.Name,\n\t\t\tCreationStatements: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.database.SecretBackendConnection;\nimport com.pulumi.vault.database.SecretBackendConnectionArgs;\nimport com.pulumi.vault.database.inputs.SecretBackendConnectionPostgresqlArgs;\nimport com.pulumi.vault.database.SecretBackendRole;\nimport com.pulumi.vault.database.SecretBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var db = new Mount(\"db\", MountArgs.builder()\n            .path(\"postgres\")\n            .type(\"database\")\n            .build());\n\n        var postgres = new SecretBackendConnection(\"postgres\", SecretBackendConnectionArgs.builder()\n            .backend(db.path())\n            .name(\"postgres\")\n            .allowedRoles(            \n                \"dev\",\n                \"prod\")\n            .postgresql(SecretBackendConnectionPostgresqlArgs.builder()\n                .connectionUrl(\"postgres://username:password@host:port/database\")\n                .build())\n            .build());\n\n        var role = new SecretBackendRole(\"role\", SecretBackendRoleArgs.builder()\n            .backend(db.path())\n            .name(\"dev\")\n            .dbName(postgres.name())\n            .creationStatements(\"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  db:\n    type: vault:Mount\n    properties:\n      path: postgres\n      type: database\n  postgres:\n    type: vault:database:SecretBackendConnection\n    properties:\n      backend: ${db.path}\n      name: postgres\n      allowedRoles:\n        - dev\n        - prod\n      postgresql:\n        connectionUrl: postgres://username:password@host:port/database\n  role:\n    type: vault:database:SecretBackendRole\n    properties:\n      backend: ${db.path}\n      name: dev\n      dbName: ${postgres.name}\n      creationStatements:\n        - CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nDatabase secret backend roles can be imported using the `backend`, `/roles/`, and the `name` e.g.\n\n```sh\n$ pulumi import vault:database/secretBackendRole:SecretBackendRole example postgres/roles/my-role\n```\n","properties":{"backend":{"type":"string","description":"The unique name of the Vault mount to configure.\n"},"creationStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\ncreating a user.\n"},"credentialConfig":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies the configuration\nfor the given \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e.\n\nThe following options are available for each \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e value:\n"},"credentialType":{"type":"string","description":"Specifies the type of credential that\nwill be generated for the role. Options include: \u003cspan pulumi-lang-nodejs=\"`password`\" pulumi-lang-dotnet=\"`Password`\" pulumi-lang-go=\"`password`\" pulumi-lang-python=\"`password`\" pulumi-lang-yaml=\"`password`\" pulumi-lang-java=\"`password`\"\u003e`password`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`rsaPrivateKey`\" pulumi-lang-dotnet=\"`RsaPrivateKey`\" pulumi-lang-go=\"`rsaPrivateKey`\" pulumi-lang-python=\"`rsa_private_key`\" pulumi-lang-yaml=\"`rsaPrivateKey`\" pulumi-lang-java=\"`rsaPrivateKey`\"\u003e`rsa_private_key`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`clientCertificate`\" pulumi-lang-dotnet=\"`ClientCertificate`\" pulumi-lang-go=\"`clientCertificate`\" pulumi-lang-python=\"`client_certificate`\" pulumi-lang-yaml=\"`clientCertificate`\" pulumi-lang-java=\"`clientCertificate`\"\u003e`client_certificate`\u003c/span\u003e.\nSee the plugin's API page for credential types supported by individual databases.\n"},"dbName":{"type":"string","description":"The unique name of the database connection to use for\nthe role.\n"},"defaultTtl":{"type":"integer","description":"The default number of seconds for leases for this\nrole.\n"},"maxTtl":{"type":"integer","description":"The maximum number of seconds for leases for this\nrole.\n"},"name":{"type":"string","description":"A unique name to give the role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n"},"renewStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\nrenewing a user.\n"},"revocationStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\nrevoking a user.\n"},"rollbackStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\nrolling back creation due to an error.\n"}},"required":["backend","creationStatements","credentialType","dbName","name"],"inputProperties":{"backend":{"type":"string","description":"The unique name of the Vault mount to configure.\n","willReplaceOnChanges":true},"creationStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\ncreating a user.\n"},"credentialConfig":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies the configuration\nfor the given \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e.\n\nThe following options are available for each \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e value:\n"},"credentialType":{"type":"string","description":"Specifies the type of credential that\nwill be generated for the role. Options include: \u003cspan pulumi-lang-nodejs=\"`password`\" pulumi-lang-dotnet=\"`Password`\" pulumi-lang-go=\"`password`\" pulumi-lang-python=\"`password`\" pulumi-lang-yaml=\"`password`\" pulumi-lang-java=\"`password`\"\u003e`password`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`rsaPrivateKey`\" pulumi-lang-dotnet=\"`RsaPrivateKey`\" pulumi-lang-go=\"`rsaPrivateKey`\" pulumi-lang-python=\"`rsa_private_key`\" pulumi-lang-yaml=\"`rsaPrivateKey`\" pulumi-lang-java=\"`rsaPrivateKey`\"\u003e`rsa_private_key`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`clientCertificate`\" pulumi-lang-dotnet=\"`ClientCertificate`\" pulumi-lang-go=\"`clientCertificate`\" pulumi-lang-python=\"`client_certificate`\" pulumi-lang-yaml=\"`clientCertificate`\" pulumi-lang-java=\"`clientCertificate`\"\u003e`client_certificate`\u003c/span\u003e.\nSee the plugin's API page for credential types supported by individual databases.\n"},"dbName":{"type":"string","description":"The unique name of the database connection to use for\nthe role.\n","willReplaceOnChanges":true},"defaultTtl":{"type":"integer","description":"The default number of seconds for leases for this\nrole.\n"},"maxTtl":{"type":"integer","description":"The maximum number of seconds for leases for this\nrole.\n"},"name":{"type":"string","description":"A unique name to give the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"renewStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\nrenewing a user.\n"},"revocationStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\nrevoking a user.\n"},"rollbackStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\nrolling back creation due to an error.\n"}},"requiredInputs":["backend","creationStatements","dbName"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendRole resources.\n","properties":{"backend":{"type":"string","description":"The unique name of the Vault mount to configure.\n","willReplaceOnChanges":true},"creationStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\ncreating a user.\n"},"credentialConfig":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies the configuration\nfor the given \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e.\n\nThe following options are available for each \u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e value:\n"},"credentialType":{"type":"string","description":"Specifies the type of credential that\nwill be generated for the role. Options include: \u003cspan pulumi-lang-nodejs=\"`password`\" pulumi-lang-dotnet=\"`Password`\" pulumi-lang-go=\"`password`\" pulumi-lang-python=\"`password`\" pulumi-lang-yaml=\"`password`\" pulumi-lang-java=\"`password`\"\u003e`password`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`rsaPrivateKey`\" pulumi-lang-dotnet=\"`RsaPrivateKey`\" pulumi-lang-go=\"`rsaPrivateKey`\" pulumi-lang-python=\"`rsa_private_key`\" pulumi-lang-yaml=\"`rsaPrivateKey`\" pulumi-lang-java=\"`rsaPrivateKey`\"\u003e`rsa_private_key`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`clientCertificate`\" pulumi-lang-dotnet=\"`ClientCertificate`\" pulumi-lang-go=\"`clientCertificate`\" pulumi-lang-python=\"`client_certificate`\" pulumi-lang-yaml=\"`clientCertificate`\" pulumi-lang-java=\"`clientCertificate`\"\u003e`client_certificate`\u003c/span\u003e.\nSee the plugin's API page for credential types supported by individual databases.\n"},"dbName":{"type":"string","description":"The unique name of the database connection to use for\nthe role.\n","willReplaceOnChanges":true},"defaultTtl":{"type":"integer","description":"The default number of seconds for leases for this\nrole.\n"},"maxTtl":{"type":"integer","description":"The maximum number of seconds for leases for this\nrole.\n"},"name":{"type":"string","description":"A unique name to give the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"renewStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\nrenewing a user.\n"},"revocationStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\nrevoking a user.\n"},"rollbackStatements":{"type":"array","items":{"type":"string"},"description":"The database statements to execute when\nrolling back creation due to an error.\n"}},"type":"object"}},"vault:database/secretBackendStaticRole:SecretBackendStaticRole":{"description":"Creates a Database Secret Backend static role in Vault. Database secret backend\nstatic roles can be used to manage 1-to-1 mapping of a Vault Role to a user in a\ndatabase for the database.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst db = new vault.Mount(\"db\", {\n    path: \"postgres\",\n    type: \"database\",\n});\nconst postgres = new vault.database.SecretBackendConnection(\"postgres\", {\n    backend: db.path,\n    name: \"postgres\",\n    allowedRoles: [\"*\"],\n    postgresql: {\n        connectionUrl: \"postgres://username:password@host:port/database\",\n    },\n});\n// configure a static role with period-based rotations\nconst periodRole = new vault.database.SecretBackendStaticRole(\"period_role\", {\n    backend: db.path,\n    name: \"my-period-role\",\n    dbName: postgres.name,\n    username: \"example\",\n    rotationPeriod: 3600,\n    rotationStatements: [\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\"],\n});\n// configure a static role with schedule-based rotations\nconst scheduleRole = new vault.database.SecretBackendStaticRole(\"schedule_role\", {\n    backend: db.path,\n    name: \"my-schedule-role\",\n    dbName: postgres.name,\n    username: \"example\",\n    rotationSchedule: \"0 0 * * SAT\",\n    rotationWindow: 172800,\n    rotationStatements: [\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\"],\n});\n// configure a static role with a password (Vault 1.19+)\nconst passwordRole = new vault.database.SecretBackendStaticRole(\"password_role\", {\n    backend: db.path,\n    name: \"my-password-role\",\n    dbName: postgres.name,\n    username: \"example\",\n    passwordWo: \"my-password\",\n    passwordWoVersion: 1,\n    rotationPeriod: 3600,\n    rotationStatements: [\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ndb = vault.Mount(\"db\",\n    path=\"postgres\",\n    type=\"database\")\npostgres = vault.database.SecretBackendConnection(\"postgres\",\n    backend=db.path,\n    name=\"postgres\",\n    allowed_roles=[\"*\"],\n    postgresql={\n        \"connection_url\": \"postgres://username:password@host:port/database\",\n    })\n# configure a static role with period-based rotations\nperiod_role = vault.database.SecretBackendStaticRole(\"period_role\",\n    backend=db.path,\n    name=\"my-period-role\",\n    db_name=postgres.name,\n    username=\"example\",\n    rotation_period=3600,\n    rotation_statements=[\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\"])\n# configure a static role with schedule-based rotations\nschedule_role = vault.database.SecretBackendStaticRole(\"schedule_role\",\n    backend=db.path,\n    name=\"my-schedule-role\",\n    db_name=postgres.name,\n    username=\"example\",\n    rotation_schedule=\"0 0 * * SAT\",\n    rotation_window=172800,\n    rotation_statements=[\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\"])\n# configure a static role with a password (Vault 1.19+)\npassword_role = vault.database.SecretBackendStaticRole(\"password_role\",\n    backend=db.path,\n    name=\"my-password-role\",\n    db_name=postgres.name,\n    username=\"example\",\n    password_wo=\"my-password\",\n    password_wo_version=1,\n    rotation_period=3600,\n    rotation_statements=[\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var db = new Vault.Mount(\"db\", new()\n    {\n        Path = \"postgres\",\n        Type = \"database\",\n    });\n\n    var postgres = new Vault.Database.SecretBackendConnection(\"postgres\", new()\n    {\n        Backend = db.Path,\n        Name = \"postgres\",\n        AllowedRoles = new[]\n        {\n            \"*\",\n        },\n        Postgresql = new Vault.Database.Inputs.SecretBackendConnectionPostgresqlArgs\n        {\n            ConnectionUrl = \"postgres://username:password@host:port/database\",\n        },\n    });\n\n    // configure a static role with period-based rotations\n    var periodRole = new Vault.Database.SecretBackendStaticRole(\"period_role\", new()\n    {\n        Backend = db.Path,\n        Name = \"my-period-role\",\n        DbName = postgres.Name,\n        Username = \"example\",\n        RotationPeriod = 3600,\n        RotationStatements = new[]\n        {\n            \"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\",\n        },\n    });\n\n    // configure a static role with schedule-based rotations\n    var scheduleRole = new Vault.Database.SecretBackendStaticRole(\"schedule_role\", new()\n    {\n        Backend = db.Path,\n        Name = \"my-schedule-role\",\n        DbName = postgres.Name,\n        Username = \"example\",\n        RotationSchedule = \"0 0 * * SAT\",\n        RotationWindow = 172800,\n        RotationStatements = new[]\n        {\n            \"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\",\n        },\n    });\n\n    // configure a static role with a password (Vault 1.19+)\n    var passwordRole = new Vault.Database.SecretBackendStaticRole(\"password_role\", new()\n    {\n        Backend = db.Path,\n        Name = \"my-password-role\",\n        DbName = postgres.Name,\n        Username = \"example\",\n        PasswordWo = \"my-password\",\n        PasswordWoVersion = 1,\n        RotationPeriod = 3600,\n        RotationStatements = new[]\n        {\n            \"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/database\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tdb, err := vault.NewMount(ctx, \"db\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"postgres\"),\n\t\t\tType: pulumi.String(\"database\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpostgres, err := database.NewSecretBackendConnection(ctx, \"postgres\", \u0026database.SecretBackendConnectionArgs{\n\t\t\tBackend: db.Path,\n\t\t\tName:    pulumi.String(\"postgres\"),\n\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tPostgresql: \u0026database.SecretBackendConnectionPostgresqlArgs{\n\t\t\t\tConnectionUrl: pulumi.String(\"postgres://username:password@host:port/database\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// configure a static role with period-based rotations\n\t\t_, err = database.NewSecretBackendStaticRole(ctx, \"period_role\", \u0026database.SecretBackendStaticRoleArgs{\n\t\t\tBackend:        db.Path,\n\t\t\tName:           pulumi.String(\"my-period-role\"),\n\t\t\tDbName:         postgres.Name,\n\t\t\tUsername:       pulumi.String(\"example\"),\n\t\t\tRotationPeriod: pulumi.Int(3600),\n\t\t\tRotationStatements: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// configure a static role with schedule-based rotations\n\t\t_, err = database.NewSecretBackendStaticRole(ctx, \"schedule_role\", \u0026database.SecretBackendStaticRoleArgs{\n\t\t\tBackend:          db.Path,\n\t\t\tName:             pulumi.String(\"my-schedule-role\"),\n\t\t\tDbName:           postgres.Name,\n\t\t\tUsername:         pulumi.String(\"example\"),\n\t\t\tRotationSchedule: pulumi.String(\"0 0 * * SAT\"),\n\t\t\tRotationWindow:   pulumi.Int(172800),\n\t\t\tRotationStatements: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// configure a static role with a password (Vault 1.19+)\n\t\t_, err = database.NewSecretBackendStaticRole(ctx, \"password_role\", \u0026database.SecretBackendStaticRoleArgs{\n\t\t\tBackend:           db.Path,\n\t\t\tName:              pulumi.String(\"my-password-role\"),\n\t\t\tDbName:            postgres.Name,\n\t\t\tUsername:          pulumi.String(\"example\"),\n\t\t\tPasswordWo:        pulumi.String(\"my-password\"),\n\t\t\tPasswordWoVersion: pulumi.Int(1),\n\t\t\tRotationPeriod:    pulumi.Int(3600),\n\t\t\tRotationStatements: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.database.SecretBackendConnection;\nimport com.pulumi.vault.database.SecretBackendConnectionArgs;\nimport com.pulumi.vault.database.inputs.SecretBackendConnectionPostgresqlArgs;\nimport com.pulumi.vault.database.SecretBackendStaticRole;\nimport com.pulumi.vault.database.SecretBackendStaticRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var db = new Mount(\"db\", MountArgs.builder()\n            .path(\"postgres\")\n            .type(\"database\")\n            .build());\n\n        var postgres = new SecretBackendConnection(\"postgres\", SecretBackendConnectionArgs.builder()\n            .backend(db.path())\n            .name(\"postgres\")\n            .allowedRoles(\"*\")\n            .postgresql(SecretBackendConnectionPostgresqlArgs.builder()\n                .connectionUrl(\"postgres://username:password@host:port/database\")\n                .build())\n            .build());\n\n        // configure a static role with period-based rotations\n        var periodRole = new SecretBackendStaticRole(\"periodRole\", SecretBackendStaticRoleArgs.builder()\n            .backend(db.path())\n            .name(\"my-period-role\")\n            .dbName(postgres.name())\n            .username(\"example\")\n            .rotationPeriod(3600)\n            .rotationStatements(\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\")\n            .build());\n\n        // configure a static role with schedule-based rotations\n        var scheduleRole = new SecretBackendStaticRole(\"scheduleRole\", SecretBackendStaticRoleArgs.builder()\n            .backend(db.path())\n            .name(\"my-schedule-role\")\n            .dbName(postgres.name())\n            .username(\"example\")\n            .rotationSchedule(\"0 0 * * SAT\")\n            .rotationWindow(172800)\n            .rotationStatements(\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\")\n            .build());\n\n        // configure a static role with a password (Vault 1.19+)\n        var passwordRole = new SecretBackendStaticRole(\"passwordRole\", SecretBackendStaticRoleArgs.builder()\n            .backend(db.path())\n            .name(\"my-password-role\")\n            .dbName(postgres.name())\n            .username(\"example\")\n            .passwordWo(\"my-password\")\n            .passwordWoVersion(1)\n            .rotationPeriod(3600)\n            .rotationStatements(\"ALTER USER \\\"{{name}}\\\" WITH PASSWORD '{{password}}';\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  db:\n    type: vault:Mount\n    properties:\n      path: postgres\n      type: database\n  postgres:\n    type: vault:database:SecretBackendConnection\n    properties:\n      backend: ${db.path}\n      name: postgres\n      allowedRoles:\n        - '*'\n      postgresql:\n        connectionUrl: postgres://username:password@host:port/database\n  # configure a static role with period-based rotations\n  periodRole:\n    type: vault:database:SecretBackendStaticRole\n    name: period_role\n    properties:\n      backend: ${db.path}\n      name: my-period-role\n      dbName: ${postgres.name}\n      username: example\n      rotationPeriod: '3600'\n      rotationStatements:\n        - ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';\n  # configure a static role with schedule-based rotations\n  scheduleRole:\n    type: vault:database:SecretBackendStaticRole\n    name: schedule_role\n    properties:\n      backend: ${db.path}\n      name: my-schedule-role\n      dbName: ${postgres.name}\n      username: example\n      rotationSchedule: 0 0 * * SAT\n      rotationWindow: '172800'\n      rotationStatements:\n        - ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';\n  # configure a static role with a password (Vault 1.19+)\n  passwordRole:\n    type: vault:database:SecretBackendStaticRole\n    name: password_role\n    properties:\n      backend: ${db.path}\n      name: my-password-role\n      dbName: ${postgres.name}\n      username: example\n      passwordWo: my-password\n      passwordWoVersion: 1\n      rotationPeriod: '3600'\n      rotationStatements:\n        - ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nDatabase secret backend static roles can be imported using the `backend`, `/static-roles/`, and the `name` e.g.\n\n```sh\n$ pulumi import vault:database/secretBackendStaticRole:SecretBackendStaticRole example postgres/static-roles/my-role\n```\n","properties":{"backend":{"type":"string","description":"The unique name of the Vault mount to configure.\n"},"credentialConfig":{"type":"object","additionalProperties":{"type":"string"}},"credentialType":{"type":"string","description":"The credential type for the user, can be one of \"password\", \u003cspan pulumi-lang-nodejs=\"\"rsaPrivateKey\"\" pulumi-lang-dotnet=\"\"RsaPrivateKey\"\" pulumi-lang-go=\"\"rsaPrivateKey\"\" pulumi-lang-python=\"\"rsa_private_key\"\" pulumi-lang-yaml=\"\"rsaPrivateKey\"\" pulumi-lang-java=\"\"rsaPrivateKey\"\"\u003e\"rsa_private_key\"\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"\"clientCertificate\"\" pulumi-lang-dotnet=\"\"ClientCertificate\"\" pulumi-lang-go=\"\"clientCertificate\"\" pulumi-lang-python=\"\"client_certificate\"\" pulumi-lang-yaml=\"\"clientCertificate\"\" pulumi-lang-java=\"\"clientCertificate\"\"\u003e\"client_certificate\"\u003c/span\u003e.The configuration can be done in \u003cspan pulumi-lang-nodejs=\"`credentialConfig`\" pulumi-lang-dotnet=\"`CredentialConfig`\" pulumi-lang-go=\"`credentialConfig`\" pulumi-lang-python=\"`credential_config`\" pulumi-lang-yaml=\"`credentialConfig`\" pulumi-lang-java=\"`credentialConfig`\"\u003e`credential_config`\u003c/span\u003e."},"dbName":{"type":"string","description":"The unique name of the database connection to use for the static role.\n"},"name":{"type":"string","description":"A unique name to give the static role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n"},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe password corresponding to the username in the database.\nThis is a write-only field. Requires Vault 1.19+. Deprecates \u003cspan pulumi-lang-nodejs=\"`selfManagedPassword`\" pulumi-lang-dotnet=\"`SelfManagedPassword`\" pulumi-lang-go=\"`selfManagedPassword`\" pulumi-lang-python=\"`self_managed_password`\" pulumi-lang-yaml=\"`selfManagedPassword`\" pulumi-lang-java=\"`selfManagedPassword`\"\u003e`self_managed_password`\u003c/span\u003e which was introduced in Vault 1.18.\nCannot be used with \u003cspan pulumi-lang-nodejs=\"`selfManagedPassword`\" pulumi-lang-dotnet=\"`SelfManagedPassword`\" pulumi-lang-go=\"`selfManagedPassword`\" pulumi-lang-python=\"`self_managed_password`\" pulumi-lang-yaml=\"`selfManagedPassword`\" pulumi-lang-java=\"`selfManagedPassword`\"\u003e`self_managed_password`\u003c/span\u003e.\n","secret":true},"passwordWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e field. \nUsed for tracking changes to the write-only password field. For more info see\nupdating write-only attributes.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time Vault should wait before rotating the password, in seconds.\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`rotationSchedule`\" pulumi-lang-dotnet=\"`RotationSchedule`\" pulumi-lang-go=\"`rotationSchedule`\" pulumi-lang-python=\"`rotation_schedule`\" pulumi-lang-yaml=\"`rotationSchedule`\" pulumi-lang-java=\"`rotationSchedule`\"\u003e`rotation_schedule`\u003c/span\u003e.\n"},"rotationSchedule":{"type":"string","description":"A cron-style string that will define the schedule on which rotations should occur.\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`rotationPeriod`\" pulumi-lang-dotnet=\"`RotationPeriod`\" pulumi-lang-go=\"`rotationPeriod`\" pulumi-lang-python=\"`rotation_period`\" pulumi-lang-yaml=\"`rotationPeriod`\" pulumi-lang-java=\"`rotationPeriod`\"\u003e`rotation_period`\u003c/span\u003e.\n\n**Warning**: The \u003cspan pulumi-lang-nodejs=\"`rotationPeriod`\" pulumi-lang-dotnet=\"`RotationPeriod`\" pulumi-lang-go=\"`rotationPeriod`\" pulumi-lang-python=\"`rotation_period`\" pulumi-lang-yaml=\"`rotationPeriod`\" pulumi-lang-java=\"`rotationPeriod`\"\u003e`rotation_period`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`rotationSchedule`\" pulumi-lang-dotnet=\"`RotationSchedule`\" pulumi-lang-go=\"`rotationSchedule`\" pulumi-lang-python=\"`rotation_schedule`\" pulumi-lang-yaml=\"`rotationSchedule`\" pulumi-lang-java=\"`rotationSchedule`\"\u003e`rotation_schedule`\u003c/span\u003e fields are\nmutually exclusive. One of them must be set but not both.\n"},"rotationStatements":{"type":"array","items":{"type":"string"},"description":"Database statements to execute to rotate the password for the configured database user.\n"},"rotationWindow":{"type":"integer","description":"The amount of time, in seconds, in which rotations are allowed to occur starting\nfrom a given \u003cspan pulumi-lang-nodejs=\"`rotationSchedule`\" pulumi-lang-dotnet=\"`RotationSchedule`\" pulumi-lang-go=\"`rotationSchedule`\" pulumi-lang-python=\"`rotation_schedule`\" pulumi-lang-yaml=\"`rotationSchedule`\" pulumi-lang-java=\"`rotationSchedule`\"\u003e`rotation_schedule`\u003c/span\u003e.\n"},"selfManagedPassword":{"type":"string","description":"The password corresponding to the username in the database.\nRequired when using the Rootless Password Rotation workflow for static roles. Only enabled for\nselect DB engines (Postgres). Requires Vault 1.18+ Enterprise.\n**Deprecated**: Use \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e instead. This field will be removed in a future version.\n","secret":true},"skipImportRotation":{"type":"boolean","description":"If set to true, Vault will skip the\ninitial secret rotation on import. Requires Vault 1.18+ Enterprise.\n"},"username":{"type":"string","description":"The database username that this static role corresponds to.\n"}},"required":["backend","credentialType","dbName","name","username"],"inputProperties":{"backend":{"type":"string","description":"The unique name of the Vault mount to configure.\n","willReplaceOnChanges":true},"credentialConfig":{"type":"object","additionalProperties":{"type":"string"}},"credentialType":{"type":"string","description":"The credential type for the user, can be one of \"password\", \u003cspan pulumi-lang-nodejs=\"\"rsaPrivateKey\"\" pulumi-lang-dotnet=\"\"RsaPrivateKey\"\" pulumi-lang-go=\"\"rsaPrivateKey\"\" pulumi-lang-python=\"\"rsa_private_key\"\" pulumi-lang-yaml=\"\"rsaPrivateKey\"\" pulumi-lang-java=\"\"rsaPrivateKey\"\"\u003e\"rsa_private_key\"\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"\"clientCertificate\"\" pulumi-lang-dotnet=\"\"ClientCertificate\"\" pulumi-lang-go=\"\"clientCertificate\"\" pulumi-lang-python=\"\"client_certificate\"\" pulumi-lang-yaml=\"\"clientCertificate\"\" pulumi-lang-java=\"\"clientCertificate\"\"\u003e\"client_certificate\"\u003c/span\u003e.The configuration can be done in \u003cspan pulumi-lang-nodejs=\"`credentialConfig`\" pulumi-lang-dotnet=\"`CredentialConfig`\" pulumi-lang-go=\"`credentialConfig`\" pulumi-lang-python=\"`credential_config`\" pulumi-lang-yaml=\"`credentialConfig`\" pulumi-lang-java=\"`credentialConfig`\"\u003e`credential_config`\u003c/span\u003e."},"dbName":{"type":"string","description":"The unique name of the database connection to use for the static role.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"A unique name to give the static role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe password corresponding to the username in the database.\nThis is a write-only field. Requires Vault 1.19+. Deprecates \u003cspan pulumi-lang-nodejs=\"`selfManagedPassword`\" pulumi-lang-dotnet=\"`SelfManagedPassword`\" pulumi-lang-go=\"`selfManagedPassword`\" pulumi-lang-python=\"`self_managed_password`\" pulumi-lang-yaml=\"`selfManagedPassword`\" pulumi-lang-java=\"`selfManagedPassword`\"\u003e`self_managed_password`\u003c/span\u003e which was introduced in Vault 1.18.\nCannot be used with \u003cspan pulumi-lang-nodejs=\"`selfManagedPassword`\" pulumi-lang-dotnet=\"`SelfManagedPassword`\" pulumi-lang-go=\"`selfManagedPassword`\" pulumi-lang-python=\"`self_managed_password`\" pulumi-lang-yaml=\"`selfManagedPassword`\" pulumi-lang-java=\"`selfManagedPassword`\"\u003e`self_managed_password`\u003c/span\u003e.\n","secret":true},"passwordWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e field. \nUsed for tracking changes to the write-only password field. For more info see\nupdating write-only attributes.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time Vault should wait before rotating the password, in seconds.\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`rotationSchedule`\" pulumi-lang-dotnet=\"`RotationSchedule`\" pulumi-lang-go=\"`rotationSchedule`\" pulumi-lang-python=\"`rotation_schedule`\" pulumi-lang-yaml=\"`rotationSchedule`\" pulumi-lang-java=\"`rotationSchedule`\"\u003e`rotation_schedule`\u003c/span\u003e.\n"},"rotationSchedule":{"type":"string","description":"A cron-style string that will define the schedule on which rotations should occur.\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`rotationPeriod`\" pulumi-lang-dotnet=\"`RotationPeriod`\" pulumi-lang-go=\"`rotationPeriod`\" pulumi-lang-python=\"`rotation_period`\" pulumi-lang-yaml=\"`rotationPeriod`\" pulumi-lang-java=\"`rotationPeriod`\"\u003e`rotation_period`\u003c/span\u003e.\n\n**Warning**: The \u003cspan pulumi-lang-nodejs=\"`rotationPeriod`\" pulumi-lang-dotnet=\"`RotationPeriod`\" pulumi-lang-go=\"`rotationPeriod`\" pulumi-lang-python=\"`rotation_period`\" pulumi-lang-yaml=\"`rotationPeriod`\" pulumi-lang-java=\"`rotationPeriod`\"\u003e`rotation_period`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`rotationSchedule`\" pulumi-lang-dotnet=\"`RotationSchedule`\" pulumi-lang-go=\"`rotationSchedule`\" pulumi-lang-python=\"`rotation_schedule`\" pulumi-lang-yaml=\"`rotationSchedule`\" pulumi-lang-java=\"`rotationSchedule`\"\u003e`rotation_schedule`\u003c/span\u003e fields are\nmutually exclusive. One of them must be set but not both.\n"},"rotationStatements":{"type":"array","items":{"type":"string"},"description":"Database statements to execute to rotate the password for the configured database user.\n"},"rotationWindow":{"type":"integer","description":"The amount of time, in seconds, in which rotations are allowed to occur starting\nfrom a given \u003cspan pulumi-lang-nodejs=\"`rotationSchedule`\" pulumi-lang-dotnet=\"`RotationSchedule`\" pulumi-lang-go=\"`rotationSchedule`\" pulumi-lang-python=\"`rotation_schedule`\" pulumi-lang-yaml=\"`rotationSchedule`\" pulumi-lang-java=\"`rotationSchedule`\"\u003e`rotation_schedule`\u003c/span\u003e.\n"},"selfManagedPassword":{"type":"string","description":"The password corresponding to the username in the database.\nRequired when using the Rootless Password Rotation workflow for static roles. Only enabled for\nselect DB engines (Postgres). Requires Vault 1.18+ Enterprise.\n**Deprecated**: Use \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e instead. This field will be removed in a future version.\n","secret":true},"skipImportRotation":{"type":"boolean","description":"If set to true, Vault will skip the\ninitial secret rotation on import. Requires Vault 1.18+ Enterprise.\n"},"username":{"type":"string","description":"The database username that this static role corresponds to.\n","willReplaceOnChanges":true}},"requiredInputs":["backend","dbName","username"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendStaticRole resources.\n","properties":{"backend":{"type":"string","description":"The unique name of the Vault mount to configure.\n","willReplaceOnChanges":true},"credentialConfig":{"type":"object","additionalProperties":{"type":"string"}},"credentialType":{"type":"string","description":"The credential type for the user, can be one of \"password\", \u003cspan pulumi-lang-nodejs=\"\"rsaPrivateKey\"\" pulumi-lang-dotnet=\"\"RsaPrivateKey\"\" pulumi-lang-go=\"\"rsaPrivateKey\"\" pulumi-lang-python=\"\"rsa_private_key\"\" pulumi-lang-yaml=\"\"rsaPrivateKey\"\" pulumi-lang-java=\"\"rsaPrivateKey\"\"\u003e\"rsa_private_key\"\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"\"clientCertificate\"\" pulumi-lang-dotnet=\"\"ClientCertificate\"\" pulumi-lang-go=\"\"clientCertificate\"\" pulumi-lang-python=\"\"client_certificate\"\" pulumi-lang-yaml=\"\"clientCertificate\"\" pulumi-lang-java=\"\"clientCertificate\"\"\u003e\"client_certificate\"\u003c/span\u003e.The configuration can be done in \u003cspan pulumi-lang-nodejs=\"`credentialConfig`\" pulumi-lang-dotnet=\"`CredentialConfig`\" pulumi-lang-go=\"`credentialConfig`\" pulumi-lang-python=\"`credential_config`\" pulumi-lang-yaml=\"`credentialConfig`\" pulumi-lang-java=\"`credentialConfig`\"\u003e`credential_config`\u003c/span\u003e."},"dbName":{"type":"string","description":"The unique name of the database connection to use for the static role.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"A unique name to give the static role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe password corresponding to the username in the database.\nThis is a write-only field. Requires Vault 1.19+. Deprecates \u003cspan pulumi-lang-nodejs=\"`selfManagedPassword`\" pulumi-lang-dotnet=\"`SelfManagedPassword`\" pulumi-lang-go=\"`selfManagedPassword`\" pulumi-lang-python=\"`self_managed_password`\" pulumi-lang-yaml=\"`selfManagedPassword`\" pulumi-lang-java=\"`selfManagedPassword`\"\u003e`self_managed_password`\u003c/span\u003e which was introduced in Vault 1.18.\nCannot be used with \u003cspan pulumi-lang-nodejs=\"`selfManagedPassword`\" pulumi-lang-dotnet=\"`SelfManagedPassword`\" pulumi-lang-go=\"`selfManagedPassword`\" pulumi-lang-python=\"`self_managed_password`\" pulumi-lang-yaml=\"`selfManagedPassword`\" pulumi-lang-java=\"`selfManagedPassword`\"\u003e`self_managed_password`\u003c/span\u003e.\n","secret":true},"passwordWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e field. \nUsed for tracking changes to the write-only password field. For more info see\nupdating write-only attributes.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time Vault should wait before rotating the password, in seconds.\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`rotationSchedule`\" pulumi-lang-dotnet=\"`RotationSchedule`\" pulumi-lang-go=\"`rotationSchedule`\" pulumi-lang-python=\"`rotation_schedule`\" pulumi-lang-yaml=\"`rotationSchedule`\" pulumi-lang-java=\"`rotationSchedule`\"\u003e`rotation_schedule`\u003c/span\u003e.\n"},"rotationSchedule":{"type":"string","description":"A cron-style string that will define the schedule on which rotations should occur.\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`rotationPeriod`\" pulumi-lang-dotnet=\"`RotationPeriod`\" pulumi-lang-go=\"`rotationPeriod`\" pulumi-lang-python=\"`rotation_period`\" pulumi-lang-yaml=\"`rotationPeriod`\" pulumi-lang-java=\"`rotationPeriod`\"\u003e`rotation_period`\u003c/span\u003e.\n\n**Warning**: The \u003cspan pulumi-lang-nodejs=\"`rotationPeriod`\" pulumi-lang-dotnet=\"`RotationPeriod`\" pulumi-lang-go=\"`rotationPeriod`\" pulumi-lang-python=\"`rotation_period`\" pulumi-lang-yaml=\"`rotationPeriod`\" pulumi-lang-java=\"`rotationPeriod`\"\u003e`rotation_period`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`rotationSchedule`\" pulumi-lang-dotnet=\"`RotationSchedule`\" pulumi-lang-go=\"`rotationSchedule`\" pulumi-lang-python=\"`rotation_schedule`\" pulumi-lang-yaml=\"`rotationSchedule`\" pulumi-lang-java=\"`rotationSchedule`\"\u003e`rotation_schedule`\u003c/span\u003e fields are\nmutually exclusive. One of them must be set but not both.\n"},"rotationStatements":{"type":"array","items":{"type":"string"},"description":"Database statements to execute to rotate the password for the configured database user.\n"},"rotationWindow":{"type":"integer","description":"The amount of time, in seconds, in which rotations are allowed to occur starting\nfrom a given \u003cspan pulumi-lang-nodejs=\"`rotationSchedule`\" pulumi-lang-dotnet=\"`RotationSchedule`\" pulumi-lang-go=\"`rotationSchedule`\" pulumi-lang-python=\"`rotation_schedule`\" pulumi-lang-yaml=\"`rotationSchedule`\" pulumi-lang-java=\"`rotationSchedule`\"\u003e`rotation_schedule`\u003c/span\u003e.\n"},"selfManagedPassword":{"type":"string","description":"The password corresponding to the username in the database.\nRequired when using the Rootless Password Rotation workflow for static roles. Only enabled for\nselect DB engines (Postgres). Requires Vault 1.18+ Enterprise.\n**Deprecated**: Use \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e instead. This field will be removed in a future version.\n","secret":true},"skipImportRotation":{"type":"boolean","description":"If set to true, Vault will skip the\ninitial secret rotation on import. Requires Vault 1.18+ Enterprise.\n"},"username":{"type":"string","description":"The database username that this static role corresponds to.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:database/secretsMount:SecretsMount":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst db = new vault.database.SecretsMount(\"db\", {\n    path: \"db\",\n    mssqls: [{\n        name: \"db1\",\n        username: \"sa\",\n        password: \"super_secret_1\",\n        connectionUrl: \"sqlserver://{{username}}:{{password}}@127.0.0.1:1433\",\n        allowedRoles: [\"dev1\"],\n        rotationSchedule: \"0 * * * SAT\",\n        rotationWindow: 3600,\n    }],\n    postgresqls: [{\n        name: \"db2\",\n        username: \"postgres\",\n        password: \"super_secret_2\",\n        connectionUrl: \"postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres\",\n        verifyConnection: true,\n        allowedRoles: [\"dev2\"],\n        rotationSchedule: \"0 * * * SAT\",\n        rotationWindow: 3600,\n    }],\n});\nconst dev1 = new vault.database.SecretBackendRole(\"dev1\", {\n    name: \"dev1\",\n    backend: db.path,\n    dbName: db.mssqls.apply(mssqls =\u003e mssqls?.[0]?.name),\n    creationStatements: [\n        \"CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\",\n        \"CREATE USER [{{name}}] FOR LOGIN [{{name}}];\",\n        \"GRANT SELECT ON SCHEMA::dbo TO [{{name}}];\",\n    ],\n});\nconst dev2 = new vault.database.SecretBackendRole(\"dev2\", {\n    name: \"dev2\",\n    backend: db.path,\n    dbName: db.postgresqls.apply(postgresqls =\u003e postgresqls?.[0]?.name),\n    creationStatements: [\n        \"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\",\n        \"GRANT SELECT ON ALL TABLES IN SCHEMA public TO \\\"{{name}}\\\";\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ndb = vault.database.SecretsMount(\"db\",\n    path=\"db\",\n    mssqls=[{\n        \"name\": \"db1\",\n        \"username\": \"sa\",\n        \"password\": \"super_secret_1\",\n        \"connection_url\": \"sqlserver://{{username}}:{{password}}@127.0.0.1:1433\",\n        \"allowed_roles\": [\"dev1\"],\n        \"rotation_schedule\": \"0 * * * SAT\",\n        \"rotation_window\": 3600,\n    }],\n    postgresqls=[{\n        \"name\": \"db2\",\n        \"username\": \"postgres\",\n        \"password\": \"super_secret_2\",\n        \"connection_url\": \"postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres\",\n        \"verify_connection\": True,\n        \"allowed_roles\": [\"dev2\"],\n        \"rotation_schedule\": \"0 * * * SAT\",\n        \"rotation_window\": 3600,\n    }])\ndev1 = vault.database.SecretBackendRole(\"dev1\",\n    name=\"dev1\",\n    backend=db.path,\n    db_name=db.mssqls[0].name,\n    creation_statements=[\n        \"CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\",\n        \"CREATE USER [{{name}}] FOR LOGIN [{{name}}];\",\n        \"GRANT SELECT ON SCHEMA::dbo TO [{{name}}];\",\n    ])\ndev2 = vault.database.SecretBackendRole(\"dev2\",\n    name=\"dev2\",\n    backend=db.path,\n    db_name=db.postgresqls[0].name,\n    creation_statements=[\n        \"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\",\n        \"GRANT SELECT ON ALL TABLES IN SCHEMA public TO \\\"{{name}}\\\";\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var db = new Vault.Database.SecretsMount(\"db\", new()\n    {\n        Path = \"db\",\n        Mssqls = new[]\n        {\n            new Vault.Database.Inputs.SecretsMountMssqlArgs\n            {\n                Name = \"db1\",\n                Username = \"sa\",\n                Password = \"super_secret_1\",\n                ConnectionUrl = \"sqlserver://{{username}}:{{password}}@127.0.0.1:1433\",\n                AllowedRoles = new[]\n                {\n                    \"dev1\",\n                },\n                RotationSchedule = \"0 * * * SAT\",\n                RotationWindow = 3600,\n            },\n        },\n        Postgresqls = new[]\n        {\n            new Vault.Database.Inputs.SecretsMountPostgresqlArgs\n            {\n                Name = \"db2\",\n                Username = \"postgres\",\n                Password = \"super_secret_2\",\n                ConnectionUrl = \"postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres\",\n                VerifyConnection = true,\n                AllowedRoles = new[]\n                {\n                    \"dev2\",\n                },\n                RotationSchedule = \"0 * * * SAT\",\n                RotationWindow = 3600,\n            },\n        },\n    });\n\n    var dev1 = new Vault.Database.SecretBackendRole(\"dev1\", new()\n    {\n        Name = \"dev1\",\n        Backend = db.Path,\n        DbName = db.Mssqls.Apply(mssqls =\u003e mssqls[0]?.Name),\n        CreationStatements = new[]\n        {\n            \"CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\",\n            \"CREATE USER [{{name}}] FOR LOGIN [{{name}}];\",\n            \"GRANT SELECT ON SCHEMA::dbo TO [{{name}}];\",\n        },\n    });\n\n    var dev2 = new Vault.Database.SecretBackendRole(\"dev2\", new()\n    {\n        Name = \"dev2\",\n        Backend = db.Path,\n        DbName = db.Postgresqls.Apply(postgresqls =\u003e postgresqls[0]?.Name),\n        CreationStatements = new[]\n        {\n            \"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\",\n            \"GRANT SELECT ON ALL TABLES IN SCHEMA public TO \\\"{{name}}\\\";\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/database\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tdb, err := database.NewSecretsMount(ctx, \"db\", \u0026database.SecretsMountArgs{\n\t\t\tPath: pulumi.String(\"db\"),\n\t\t\tMssqls: database.SecretsMountMssqlArray{\n\t\t\t\t\u0026database.SecretsMountMssqlArgs{\n\t\t\t\t\tName:          pulumi.String(\"db1\"),\n\t\t\t\t\tUsername:      pulumi.String(\"sa\"),\n\t\t\t\t\tPassword:      pulumi.String(\"super_secret_1\"),\n\t\t\t\t\tConnectionUrl: pulumi.String(\"sqlserver://{{username}}:{{password}}@127.0.0.1:1433\"),\n\t\t\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"dev1\"),\n\t\t\t\t\t},\n\t\t\t\t\tRotationSchedule: pulumi.String(\"0 * * * SAT\"),\n\t\t\t\t\tRotationWindow:   pulumi.Int(3600),\n\t\t\t\t},\n\t\t\t},\n\t\t\tPostgresqls: database.SecretsMountPostgresqlArray{\n\t\t\t\t\u0026database.SecretsMountPostgresqlArgs{\n\t\t\t\t\tName:             pulumi.String(\"db2\"),\n\t\t\t\t\tUsername:         pulumi.String(\"postgres\"),\n\t\t\t\t\tPassword:         pulumi.String(\"super_secret_2\"),\n\t\t\t\t\tConnectionUrl:    pulumi.String(\"postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres\"),\n\t\t\t\t\tVerifyConnection: pulumi.Bool(true),\n\t\t\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"dev2\"),\n\t\t\t\t\t},\n\t\t\t\t\tRotationSchedule: pulumi.String(\"0 * * * SAT\"),\n\t\t\t\t\tRotationWindow:   pulumi.Int(3600),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = database.NewSecretBackendRole(ctx, \"dev1\", \u0026database.SecretBackendRoleArgs{\n\t\t\tName:    pulumi.String(\"dev1\"),\n\t\t\tBackend: db.Path,\n\t\t\tDbName: pulumi.String(db.Mssqls.ApplyT(func(mssqls []database.SecretsMountMssql) (*string, error) {\n\t\t\t\treturn \u0026mssqls[0].Name, nil\n\t\t\t}).(pulumi.StringPtrOutput)),\n\t\t\tCreationStatements: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\"),\n\t\t\t\tpulumi.String(\"CREATE USER [{{name}}] FOR LOGIN [{{name}}];\"),\n\t\t\t\tpulumi.String(\"GRANT SELECT ON SCHEMA::dbo TO [{{name}}];\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = database.NewSecretBackendRole(ctx, \"dev2\", \u0026database.SecretBackendRoleArgs{\n\t\t\tName:    pulumi.String(\"dev2\"),\n\t\t\tBackend: db.Path,\n\t\t\tDbName: pulumi.String(db.Postgresqls.ApplyT(func(postgresqls []database.SecretsMountPostgresql) (*string, error) {\n\t\t\t\treturn \u0026postgresqls[0].Name, nil\n\t\t\t}).(pulumi.StringPtrOutput)),\n\t\t\tCreationStatements: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\"),\n\t\t\t\tpulumi.String(\"GRANT SELECT ON ALL TABLES IN SCHEMA public TO \\\"{{name}}\\\";\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.database.SecretsMount;\nimport com.pulumi.vault.database.SecretsMountArgs;\nimport com.pulumi.vault.database.inputs.SecretsMountMssqlArgs;\nimport com.pulumi.vault.database.inputs.SecretsMountPostgresqlArgs;\nimport com.pulumi.vault.database.SecretBackendRole;\nimport com.pulumi.vault.database.SecretBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var db = new SecretsMount(\"db\", SecretsMountArgs.builder()\n            .path(\"db\")\n            .mssqls(SecretsMountMssqlArgs.builder()\n                .name(\"db1\")\n                .username(\"sa\")\n                .password(\"super_secret_1\")\n                .connectionUrl(\"sqlserver://{{username}}:{{password}}@127.0.0.1:1433\")\n                .allowedRoles(\"dev1\")\n                .rotationSchedule(\"0 * * * SAT\")\n                .rotationWindow(3600)\n                .build())\n            .postgresqls(SecretsMountPostgresqlArgs.builder()\n                .name(\"db2\")\n                .username(\"postgres\")\n                .password(\"super_secret_2\")\n                .connectionUrl(\"postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres\")\n                .verifyConnection(true)\n                .allowedRoles(\"dev2\")\n                .rotationSchedule(\"0 * * * SAT\")\n                .rotationWindow(3600)\n                .build())\n            .build());\n\n        var dev1 = new SecretBackendRole(\"dev1\", SecretBackendRoleArgs.builder()\n            .name(\"dev1\")\n            .backend(db.path())\n            .dbName(db.mssqls().applyValue(_mssqls -\u003e _mssqls[0].name()))\n            .creationStatements(            \n                \"CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\",\n                \"CREATE USER [{{name}}] FOR LOGIN [{{name}}];\",\n                \"GRANT SELECT ON SCHEMA::dbo TO [{{name}}];\")\n            .build());\n\n        var dev2 = new SecretBackendRole(\"dev2\", SecretBackendRoleArgs.builder()\n            .name(\"dev2\")\n            .backend(db.path())\n            .dbName(db.postgresqls().applyValue(_postgresqls -\u003e _postgresqls[0].name()))\n            .creationStatements(            \n                \"CREATE ROLE \\\"{{name}}\\\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\",\n                \"GRANT SELECT ON ALL TABLES IN SCHEMA public TO \\\"{{name}}\\\";\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  db:\n    type: vault:database:SecretsMount\n    properties:\n      path: db\n      mssqls:\n        - name: db1\n          username: sa\n          password: super_secret_1\n          connectionUrl: sqlserver://{{username}}:{{password}}@127.0.0.1:1433\n          allowedRoles:\n            - dev1\n          rotationSchedule: 0 * * * SAT\n          rotationWindow: 3600\n      postgresqls:\n        - name: db2\n          username: postgres\n          password: super_secret_2\n          connectionUrl: postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres\n          verifyConnection: true\n          allowedRoles:\n            - dev2\n          rotationSchedule: 0 * * * SAT\n          rotationWindow: 3600\n  dev1:\n    type: vault:database:SecretBackendRole\n    properties:\n      name: dev1\n      backend: ${db.path}\n      dbName: ${db.mssqls[0].name}\n      creationStatements:\n        - CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\n        - CREATE USER [{{name}}] FOR LOGIN [{{name}}];\n        - GRANT SELECT ON SCHEMA::dbo TO [{{name}}];\n  dev2:\n    type: vault:database:SecretBackendRole\n    properties:\n      name: dev2\n      backend: ${db.path}\n      dbName: ${db.postgresqls[0].name}\n      creationStatements:\n        - CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\n        - GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Ephemeral Attributes Reference\n\nThe following write-only attributes are supported for all DBs that support username/password:\n\n* \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e - (Optional) The password for the user. Can be updated.\n  **Note**: This property is write-only and will not be read from the API.\n\n## Import\n\nDatabase secret backend connections can be imported using the `path` e.g.\n\n```sh\n$ pulumi import vault:database/secretsMount:SecretsMount db db\n```\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"Set of managed key registry entry names that the mount in question is allowed to access\n\nThe following arguments are common to all database engines:\n"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.\n"},"cassandras":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountCassandra:SecretsMountCassandra"},"description":"A nested block containing configuration options for Cassandra connections.  \n*See Configuration Options for more info*\n"},"couchbases":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountCouchbase:SecretsMountCouchbase"},"description":"A nested block containing configuration options for Couchbase connections.  \n*See Configuration Options for more info*\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds\n"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount\n"},"elasticsearches":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountElasticsearch:SecretsMountElasticsearch"},"description":"A nested block containing configuration options for Elasticsearch connections.  \n*See Configuration Options for more info*\n"},"engineCount":{"type":"integer","description":"The total number of database secrets engines configured.\n"},"externalEntropyAccess":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source\n"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"hanas":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountHana:SecretsMountHana"},"description":"A nested block containing configuration options for SAP HanaDB connections.  \n*See Configuration Options for more info*\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"influxdbs":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountInfluxdb:SecretsMountInfluxdb"},"description":"A nested block containing configuration options for InfluxDB connections.  \n*See Configuration Options for more info*\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enforce local mount in HA environment\n"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds\n"},"mongodbatlas":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMongodbatla:SecretsMountMongodbatla"},"description":"A nested block containing configuration options for MongoDB Atlas connections.  \n*See Configuration Options for more info*\n"},"mongodbs":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMongodb:SecretsMountMongodb"},"description":"A nested block containing configuration options for MongoDB connections.  \n*See Configuration Options for more info*\n"},"mssqls":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMssql:SecretsMountMssql"},"description":"A nested block containing configuration options for MSSQL connections.  \n*See Configuration Options for more info*\n"},"mysqlAuroras":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysqlAurora:SecretsMountMysqlAurora"},"description":"A nested block containing configuration options for Aurora MySQL connections.  \n*See Configuration Options for more info*\n"},"mysqlLegacies":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysqlLegacy:SecretsMountMysqlLegacy"},"description":"A nested block containing configuration options for legacy MySQL connections.  \n*See Configuration Options for more info*\n"},"mysqlRds":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysqlRd:SecretsMountMysqlRd"},"description":"A nested block containing configuration options for RDS MySQL connections.  \n*See Configuration Options for more info*\n"},"mysqls":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysql:SecretsMountMysql"},"description":"A nested block containing configuration options for MySQL connections.  \n*See Configuration Options for more info*\n"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend\n"},"oracles":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountOracle:SecretsMountOracle"},"description":"A nested block containing configuration options for Oracle connections.  \n*See Configuration Options for more info*\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"Where the secret backend will be mounted\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"postgresqls":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountPostgresql:SecretsMountPostgresql"},"description":"A nested block containing configuration options for PostgreSQL connections.  \n*See Configuration Options for more info*\n"},"redis":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountRedi:SecretsMountRedi"},"description":"A nested block containing configuration options for Redis connections.  \n*See Configuration Options for more info*\n"},"redisElasticaches":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountRedisElasticache:SecretsMountRedisElasticache"},"description":"A nested block containing configuration options for Redis ElastiCache connections.  \n*See Configuration Options for more info*\n"},"redshifts":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountRedshift:SecretsMountRedshift"},"description":"A nested block containing configuration options for AWS Redshift connections.  \n*See Configuration Options for more info*\n"},"sealWrap":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability\n"},"snowflakes":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountSnowflake:SecretsMountSnowflake"},"description":"A nested block containing configuration options for Snowflake connections.  \n*See Configuration Options for more info*\n"}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","defaultLeaseTtlSeconds","engineCount","forceNoCache","maxLeaseTtlSeconds","path","sealWrap"],"inputProperties":{"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"Set of managed key registry entry names that the mount in question is allowed to access\n\nThe following arguments are common to all database engines:\n"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.\n"},"cassandras":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountCassandra:SecretsMountCassandra"},"description":"A nested block containing configuration options for Cassandra connections.  \n*See Configuration Options for more info*\n"},"couchbases":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountCouchbase:SecretsMountCouchbase"},"description":"A nested block containing configuration options for Couchbase connections.  \n*See Configuration Options for more info*\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds\n"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount\n"},"elasticsearches":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountElasticsearch:SecretsMountElasticsearch"},"description":"A nested block containing configuration options for Elasticsearch connections.  \n*See Configuration Options for more info*\n"},"externalEntropyAccess":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source\n","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"hanas":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountHana:SecretsMountHana"},"description":"A nested block containing configuration options for SAP HanaDB connections.  \n*See Configuration Options for more info*\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"influxdbs":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountInfluxdb:SecretsMountInfluxdb"},"description":"A nested block containing configuration options for InfluxDB connections.  \n*See Configuration Options for more info*\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enforce local mount in HA environment\n","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds\n"},"mongodbatlas":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMongodbatla:SecretsMountMongodbatla"},"description":"A nested block containing configuration options for MongoDB Atlas connections.  \n*See Configuration Options for more info*\n"},"mongodbs":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMongodb:SecretsMountMongodb"},"description":"A nested block containing configuration options for MongoDB connections.  \n*See Configuration Options for more info*\n"},"mssqls":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMssql:SecretsMountMssql"},"description":"A nested block containing configuration options for MSSQL connections.  \n*See Configuration Options for more info*\n"},"mysqlAuroras":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysqlAurora:SecretsMountMysqlAurora"},"description":"A nested block containing configuration options for Aurora MySQL connections.  \n*See Configuration Options for more info*\n"},"mysqlLegacies":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysqlLegacy:SecretsMountMysqlLegacy"},"description":"A nested block containing configuration options for legacy MySQL connections.  \n*See Configuration Options for more info*\n"},"mysqlRds":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysqlRd:SecretsMountMysqlRd"},"description":"A nested block containing configuration options for RDS MySQL connections.  \n*See Configuration Options for more info*\n"},"mysqls":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysql:SecretsMountMysql"},"description":"A nested block containing configuration options for MySQL connections.  \n*See Configuration Options for more info*\n"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend\n"},"oracles":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountOracle:SecretsMountOracle"},"description":"A nested block containing configuration options for Oracle connections.  \n*See Configuration Options for more info*\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"Where the secret backend will be mounted\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"postgresqls":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountPostgresql:SecretsMountPostgresql"},"description":"A nested block containing configuration options for PostgreSQL connections.  \n*See Configuration Options for more info*\n"},"redis":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountRedi:SecretsMountRedi"},"description":"A nested block containing configuration options for Redis connections.  \n*See Configuration Options for more info*\n"},"redisElasticaches":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountRedisElasticache:SecretsMountRedisElasticache"},"description":"A nested block containing configuration options for Redis ElastiCache connections.  \n*See Configuration Options for more info*\n"},"redshifts":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountRedshift:SecretsMountRedshift"},"description":"A nested block containing configuration options for AWS Redshift connections.  \n*See Configuration Options for more info*\n"},"sealWrap":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability\n","willReplaceOnChanges":true},"snowflakes":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountSnowflake:SecretsMountSnowflake"},"description":"A nested block containing configuration options for Snowflake connections.  \n*See Configuration Options for more info*\n"}},"requiredInputs":["path"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretsMount resources.\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"Set of managed key registry entry names that the mount in question is allowed to access\n\nThe following arguments are common to all database engines:\n"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.\n"},"cassandras":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountCassandra:SecretsMountCassandra"},"description":"A nested block containing configuration options for Cassandra connections.  \n*See Configuration Options for more info*\n"},"couchbases":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountCouchbase:SecretsMountCouchbase"},"description":"A nested block containing configuration options for Couchbase connections.  \n*See Configuration Options for more info*\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds\n"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount\n"},"elasticsearches":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountElasticsearch:SecretsMountElasticsearch"},"description":"A nested block containing configuration options for Elasticsearch connections.  \n*See Configuration Options for more info*\n"},"engineCount":{"type":"integer","description":"The total number of database secrets engines configured.\n"},"externalEntropyAccess":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source\n","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"hanas":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountHana:SecretsMountHana"},"description":"A nested block containing configuration options for SAP HanaDB connections.  \n*See Configuration Options for more info*\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"influxdbs":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountInfluxdb:SecretsMountInfluxdb"},"description":"A nested block containing configuration options for InfluxDB connections.  \n*See Configuration Options for more info*\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enforce local mount in HA environment\n","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds\n"},"mongodbatlas":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMongodbatla:SecretsMountMongodbatla"},"description":"A nested block containing configuration options for MongoDB Atlas connections.  \n*See Configuration Options for more info*\n"},"mongodbs":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMongodb:SecretsMountMongodb"},"description":"A nested block containing configuration options for MongoDB connections.  \n*See Configuration Options for more info*\n"},"mssqls":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMssql:SecretsMountMssql"},"description":"A nested block containing configuration options for MSSQL connections.  \n*See Configuration Options for more info*\n"},"mysqlAuroras":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysqlAurora:SecretsMountMysqlAurora"},"description":"A nested block containing configuration options for Aurora MySQL connections.  \n*See Configuration Options for more info*\n"},"mysqlLegacies":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysqlLegacy:SecretsMountMysqlLegacy"},"description":"A nested block containing configuration options for legacy MySQL connections.  \n*See Configuration Options for more info*\n"},"mysqlRds":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysqlRd:SecretsMountMysqlRd"},"description":"A nested block containing configuration options for RDS MySQL connections.  \n*See Configuration Options for more info*\n"},"mysqls":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountMysql:SecretsMountMysql"},"description":"A nested block containing configuration options for MySQL connections.  \n*See Configuration Options for more info*\n"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend\n"},"oracles":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountOracle:SecretsMountOracle"},"description":"A nested block containing configuration options for Oracle connections.  \n*See Configuration Options for more info*\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"Where the secret backend will be mounted\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"postgresqls":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountPostgresql:SecretsMountPostgresql"},"description":"A nested block containing configuration options for PostgreSQL connections.  \n*See Configuration Options for more info*\n"},"redis":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountRedi:SecretsMountRedi"},"description":"A nested block containing configuration options for Redis connections.  \n*See Configuration Options for more info*\n"},"redisElasticaches":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountRedisElasticache:SecretsMountRedisElasticache"},"description":"A nested block containing configuration options for Redis ElastiCache connections.  \n*See Configuration Options for more info*\n"},"redshifts":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountRedshift:SecretsMountRedshift"},"description":"A nested block containing configuration options for AWS Redshift connections.  \n*See Configuration Options for more info*\n"},"sealWrap":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability\n","willReplaceOnChanges":true},"snowflakes":{"type":"array","items":{"$ref":"#/types/vault:database/SecretsMountSnowflake:SecretsMountSnowflake"},"description":"A nested block containing configuration options for Snowflake connections.  \n*See Configuration Options for more info*\n"}},"type":"object"}},"vault:gcp/authBackend:AuthBackend":{"description":"Provides a resource to configure the [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).\n\n## Example Usage\n\nYou can setup the GCP auth backend with Workload Identity Federation (WIF) for a secret-less configuration:\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gcp = new vault.gcp.AuthBackend(\"gcp\", {\n    identityTokenKey: \"example-key\",\n    identityTokenTtl: 1800,\n    identityTokenAudience: \"\u003cTOKEN_AUDIENCE\u003e\",\n    serviceAccountEmail: \"\u003cSERVICE_ACCOUNT_EMAIL\u003e\",\n    rotationSchedule: \"0 * * * SAT\",\n    rotationWindow: 3600,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ngcp = vault.gcp.AuthBackend(\"gcp\",\n    identity_token_key=\"example-key\",\n    identity_token_ttl=1800,\n    identity_token_audience=\"\u003cTOKEN_AUDIENCE\u003e\",\n    service_account_email=\"\u003cSERVICE_ACCOUNT_EMAIL\u003e\",\n    rotation_schedule=\"0 * * * SAT\",\n    rotation_window=3600)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gcp = new Vault.Gcp.AuthBackend(\"gcp\", new()\n    {\n        IdentityTokenKey = \"example-key\",\n        IdentityTokenTtl = 1800,\n        IdentityTokenAudience = \"\u003cTOKEN_AUDIENCE\u003e\",\n        ServiceAccountEmail = \"\u003cSERVICE_ACCOUNT_EMAIL\u003e\",\n        RotationSchedule = \"0 * * * SAT\",\n        RotationWindow = 3600,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/gcp\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := gcp.NewAuthBackend(ctx, \"gcp\", \u0026gcp.AuthBackendArgs{\n\t\t\tIdentityTokenKey:      pulumi.String(\"example-key\"),\n\t\t\tIdentityTokenTtl:      pulumi.Int(1800),\n\t\t\tIdentityTokenAudience: pulumi.String(\"\u003cTOKEN_AUDIENCE\u003e\"),\n\t\t\tServiceAccountEmail:   pulumi.String(\"\u003cSERVICE_ACCOUNT_EMAIL\u003e\"),\n\t\t\tRotationSchedule:      pulumi.String(\"0 * * * SAT\"),\n\t\t\tRotationWindow:        pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.gcp.AuthBackend;\nimport com.pulumi.vault.gcp.AuthBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gcp = new AuthBackend(\"gcp\", AuthBackendArgs.builder()\n            .identityTokenKey(\"example-key\")\n            .identityTokenTtl(1800)\n            .identityTokenAudience(\"\u003cTOKEN_AUDIENCE\u003e\")\n            .serviceAccountEmail(\"\u003cSERVICE_ACCOUNT_EMAIL\u003e\")\n            .rotationSchedule(\"0 * * * SAT\")\n            .rotationWindow(3600)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gcp:\n    type: vault:gcp:AuthBackend\n    properties:\n      identityTokenKey: example-key\n      identityTokenTtl: 1800\n      identityTokenAudience: \u003cTOKEN_AUDIENCE\u003e\n      serviceAccountEmail: \u003cSERVICE_ACCOUNT_EMAIL\u003e\n      rotationSchedule: 0 * * * SAT\n      rotationWindow: 3600\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gcp = new vault.gcp.AuthBackend(\"gcp\", {\n    credentials: std.file({\n        input: \"vault-gcp-credentials.json\",\n    }).then(invoke =\u003e invoke.result),\n    rotationSchedule: \"0 * * * SAT\",\n    rotationWindow: 3600,\n    customEndpoint: {\n        api: \"www.googleapis.com\",\n        iam: \"iam.googleapis.com\",\n        crm: \"cloudresourcemanager.googleapis.com\",\n        compute: \"compute.googleapis.com\",\n    }[0],\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\ngcp = vault.gcp.AuthBackend(\"gcp\",\n    credentials=std.file(input=\"vault-gcp-credentials.json\").result,\n    rotation_schedule=\"0 * * * SAT\",\n    rotation_window=3600,\n    custom_endpoint={\n        \"api\": \"www.googleapis.com\",\n        \"iam\": \"iam.googleapis.com\",\n        \"crm\": \"cloudresourcemanager.googleapis.com\",\n        \"compute\": \"compute.googleapis.com\",\n    }[0])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gcp = new Vault.Gcp.AuthBackend(\"gcp\", new()\n    {\n        Credentials = Std.File.Invoke(new()\n        {\n            Input = \"vault-gcp-credentials.json\",\n        }).Apply(invoke =\u003e invoke.Result),\n        RotationSchedule = \"0 * * * SAT\",\n        RotationWindow = 3600,\n        CustomEndpoint = \n        {\n            { \"api\", \"www.googleapis.com\" },\n            { \"iam\", \"iam.googleapis.com\" },\n            { \"crm\", \"cloudresourcemanager.googleapis.com\" },\n            { \"compute\", \"compute.googleapis.com\" },\n        }[0],\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/gcp\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"vault-gcp-credentials.json\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = gcp.NewAuthBackend(ctx, \"gcp\", \u0026gcp.AuthBackendArgs{\n\t\t\tCredentials:      pulumi.String(invokeFile.Result),\n\t\t\tRotationSchedule: pulumi.String(\"0 * * * SAT\"),\n\t\t\tRotationWindow:   pulumi.Int(3600),\n\t\t\tCustomEndpoint: map[string]interface{}{\n\t\t\t\t\"api\":     \"www.googleapis.com\",\n\t\t\t\t\"iam\":     \"iam.googleapis.com\",\n\t\t\t\t\"crm\":     \"cloudresourcemanager.googleapis.com\",\n\t\t\t\t\"compute\": \"compute.googleapis.com\",\n\t\t\t}[0],\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.gcp.AuthBackend;\nimport com.pulumi.vault.gcp.AuthBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gcp = new AuthBackend(\"gcp\", AuthBackendArgs.builder()\n            .credentials(StdFunctions.file(FileArgs.builder()\n                .input(\"vault-gcp-credentials.json\")\n                .build()).result())\n            .rotationSchedule(\"0 * * * SAT\")\n            .rotationWindow(3600)\n            .customEndpoint(AuthBackendCustomEndpointArgs.builder()\n                .api(\"www.googleapis.com\")\n                .iam(\"iam.googleapis.com\")\n                .crm(\"cloudresourcemanager.googleapis.com\")\n                .compute(\"compute.googleapis.com\")\n                .build()[0])\n            .build());\n\n    }\n}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Ephemeral Attributes Reference\n\nThe following write-only attributes are supported:\n\n* \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e - (Optional) A JSON string containing the contents of a GCP credentials file. Can be updated. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentials`\" pulumi-lang-dotnet=\"`Credentials`\" pulumi-lang-go=\"`credentials`\" pulumi-lang-python=\"`credentials`\" pulumi-lang-yaml=\"`credentials`\" pulumi-lang-java=\"`credentials`\"\u003e`credentials`\u003c/span\u003e.\n  If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running.\n  **Note**: This property is write-only and will not be read from the API.\n\n## Import\n\nGCP authentication backends can be imported using the backend name, e.g.\n\n```sh\n$ pulumi import vault:gcp/authBackend:AuthBackend gcp gcp\n```\n","properties":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).\n"},"clientEmail":{"type":"string","description":"The clients email associated with the credentials\n"},"clientId":{"type":"string","description":"The Client ID of the credentials\n"},"credentials":{"type":"string","description":"A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e.\n","secret":true},"credentialsWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nJSON-encoded credentials to use to connect to GCP. This field is write-only and the value cannot be read back.","secret":true},"credentialsWoVersion":{"type":"integer","description":"A version counter for write-only credentials. Incrementing this value will cause the provider to send the credentials to Vault. Required with \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e.\nFor more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"},"customEndpoint":{"$ref":"#/types/vault:gcp/AuthBackendCustomEndpoint:AuthBackendCustomEndpoint","description":"Specifies overrides to\n[service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)\nused when making API requests. This allows specific requests made during authentication\nto target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)\nenvironments. Requires Vault 1.11+.\n\nOverrides are set at the subdomain level using the following keys:\n"},"description":{"type":"string","description":"A description of the auth method.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"gceAlias":{"type":"string","description":"Defines what alias needs to be used during login and refelects the same in token metadata and audit logs.\n"},"gceMetadatas":{"type":"array","items":{"type":"string"},"description":"Controls which instance metadata fields from the GCE login are captured into Vault's token metadata or audit logs.\n"},"iamAlias":{"type":"string","description":"Defines what alias needs to be used during login and refelects the same in token metadata and audit logs.\n"},"iamMetadatas":{"type":"array","items":{"type":"string"},"description":"Controls the metadata to include on the token returned by the login endpoint.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value for plugin identity\ntokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentials`\" pulumi-lang-dotnet=\"`Credentials`\" pulumi-lang-go=\"`credentials`\" pulumi-lang-python=\"`credentials`\" pulumi-lang-yaml=\"`credentials`\" pulumi-lang-java=\"`credentials`\"\u003e`credentials`\u003c/span\u003e.  Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin identity\ntokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"identityTokenTtl":{"type":"integer","description":"The TTL of generated tokens."},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"The path to mount the auth method — this defaults to 'gcp'.\n"},"privateKeyId":{"type":"string","description":"The ID of the private key from the credentials\n"},"projectId":{"type":"string","description":"The GCP Project ID\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"serviceAccountEmail":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.\nRequired with \u003cspan pulumi-lang-nodejs=\"`identityTokenAudience`\" pulumi-lang-dotnet=\"`IdentityTokenAudience`\" pulumi-lang-go=\"`identityTokenAudience`\" pulumi-lang-python=\"`identity_token_audience`\" pulumi-lang-yaml=\"`identityTokenAudience`\" pulumi-lang-java=\"`identityTokenAudience`\"\u003e`identity_token_audience`\u003c/span\u003e. Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"tune":{"$ref":"#/types/vault:gcp/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"}},"required":["accessor","clientEmail","clientId","gceAlias","gceMetadatas","iamAlias","iamMetadatas","privateKeyId","projectId","tune"],"inputProperties":{"clientEmail":{"type":"string","description":"The clients email associated with the credentials\n"},"clientId":{"type":"string","description":"The Client ID of the credentials\n"},"credentials":{"type":"string","description":"A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e.\n","secret":true},"credentialsWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nJSON-encoded credentials to use to connect to GCP. This field is write-only and the value cannot be read back.","secret":true},"credentialsWoVersion":{"type":"integer","description":"A version counter for write-only credentials. Incrementing this value will cause the provider to send the credentials to Vault. Required with \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e.\nFor more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"},"customEndpoint":{"$ref":"#/types/vault:gcp/AuthBackendCustomEndpoint:AuthBackendCustomEndpoint","description":"Specifies overrides to\n[service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)\nused when making API requests. This allows specific requests made during authentication\nto target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)\nenvironments. Requires Vault 1.11+.\n\nOverrides are set at the subdomain level using the following keys:\n"},"description":{"type":"string","description":"A description of the auth method.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"gceAlias":{"type":"string","description":"Defines what alias needs to be used during login and refelects the same in token metadata and audit logs.\n"},"gceMetadatas":{"type":"array","items":{"type":"string"},"description":"Controls which instance metadata fields from the GCE login are captured into Vault's token metadata or audit logs.\n"},"iamAlias":{"type":"string","description":"Defines what alias needs to be used during login and refelects the same in token metadata and audit logs.\n"},"iamMetadatas":{"type":"array","items":{"type":"string"},"description":"Controls the metadata to include on the token returned by the login endpoint.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value for plugin identity\ntokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentials`\" pulumi-lang-dotnet=\"`Credentials`\" pulumi-lang-go=\"`credentials`\" pulumi-lang-python=\"`credentials`\" pulumi-lang-yaml=\"`credentials`\" pulumi-lang-java=\"`credentials`\"\u003e`credentials`\u003c/span\u003e.  Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin identity\ntokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"identityTokenTtl":{"type":"integer","description":"The TTL of generated tokens."},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path to mount the auth method — this defaults to 'gcp'.\n"},"privateKeyId":{"type":"string","description":"The ID of the private key from the credentials\n"},"projectId":{"type":"string","description":"The GCP Project ID\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"serviceAccountEmail":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.\nRequired with \u003cspan pulumi-lang-nodejs=\"`identityTokenAudience`\" pulumi-lang-dotnet=\"`IdentityTokenAudience`\" pulumi-lang-go=\"`identityTokenAudience`\" pulumi-lang-python=\"`identity_token_audience`\" pulumi-lang-yaml=\"`identityTokenAudience`\" pulumi-lang-java=\"`identityTokenAudience`\"\u003e`identity_token_audience`\u003c/span\u003e. Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"tune":{"$ref":"#/types/vault:gcp/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackend resources.\n","properties":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).\n"},"clientEmail":{"type":"string","description":"The clients email associated with the credentials\n"},"clientId":{"type":"string","description":"The Client ID of the credentials\n"},"credentials":{"type":"string","description":"A JSON string containing the contents of a GCP credentials file. If this value is empty, Vault will try to use Application Default Credentials from the machine on which the Vault server is running. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e.\n","secret":true},"credentialsWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nJSON-encoded credentials to use to connect to GCP. This field is write-only and the value cannot be read back.","secret":true},"credentialsWoVersion":{"type":"integer","description":"A version counter for write-only credentials. Incrementing this value will cause the provider to send the credentials to Vault. Required with \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e.\nFor more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"},"customEndpoint":{"$ref":"#/types/vault:gcp/AuthBackendCustomEndpoint:AuthBackendCustomEndpoint","description":"Specifies overrides to\n[service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)\nused when making API requests. This allows specific requests made during authentication\nto target alternative service endpoints for use in [Private Google Access](https://cloud.google.com/vpc/docs/configure-private-google-access)\nenvironments. Requires Vault 1.11+.\n\nOverrides are set at the subdomain level using the following keys:\n"},"description":{"type":"string","description":"A description of the auth method.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"gceAlias":{"type":"string","description":"Defines what alias needs to be used during login and refelects the same in token metadata and audit logs.\n"},"gceMetadatas":{"type":"array","items":{"type":"string"},"description":"Controls which instance metadata fields from the GCE login are captured into Vault's token metadata or audit logs.\n"},"iamAlias":{"type":"string","description":"Defines what alias needs to be used during login and refelects the same in token metadata and audit logs.\n"},"iamMetadatas":{"type":"array","items":{"type":"string"},"description":"Controls the metadata to include on the token returned by the login endpoint.\n"},"identityTokenAudience":{"type":"string","description":"The audience claim value for plugin identity\ntokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentials`\" pulumi-lang-dotnet=\"`Credentials`\" pulumi-lang-go=\"`credentials`\" pulumi-lang-python=\"`credentials`\" pulumi-lang-yaml=\"`credentials`\" pulumi-lang-java=\"`credentials`\"\u003e`credentials`\u003c/span\u003e.  Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin identity\ntokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"identityTokenTtl":{"type":"integer","description":"The TTL of generated tokens."},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path to mount the auth method — this defaults to 'gcp'.\n"},"privateKeyId":{"type":"string","description":"The ID of the private key from the credentials\n"},"projectId":{"type":"string","description":"The GCP Project ID\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"serviceAccountEmail":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.\nRequired with \u003cspan pulumi-lang-nodejs=\"`identityTokenAudience`\" pulumi-lang-dotnet=\"`IdentityTokenAudience`\" pulumi-lang-go=\"`identityTokenAudience`\" pulumi-lang-python=\"`identity_token_audience`\" pulumi-lang-yaml=\"`identityTokenAudience`\" pulumi-lang-java=\"`identityTokenAudience`\"\u003e`identity_token_audience`\u003c/span\u003e. Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"tune":{"$ref":"#/types/vault:gcp/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"}},"type":"object"}},"vault:gcp/authBackendRole:AuthBackendRole":{"description":"Provides a resource to create a role in an [GCP auth backend within Vault](https://www.vaultproject.io/docs/auth/gcp.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gcp = new vault.AuthBackend(\"gcp\", {\n    path: \"gcp\",\n    type: \"gcp\",\n});\nconst test = new vault.gcp.AuthBackendRole(\"test\", {\n    backend: gcp.path,\n    role: \"test\",\n    type: \"iam\",\n    boundServiceAccounts: [\"test\"],\n    boundProjects: [\"test\"],\n    tokenTtl: 300,\n    tokenMaxTtl: 600,\n    tokenPolicies: [\n        \"policy_a\",\n        \"policy_b\",\n    ],\n    addGroupAliases: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ngcp = vault.AuthBackend(\"gcp\",\n    path=\"gcp\",\n    type=\"gcp\")\ntest = vault.gcp.AuthBackendRole(\"test\",\n    backend=gcp.path,\n    role=\"test\",\n    type=\"iam\",\n    bound_service_accounts=[\"test\"],\n    bound_projects=[\"test\"],\n    token_ttl=300,\n    token_max_ttl=600,\n    token_policies=[\n        \"policy_a\",\n        \"policy_b\",\n    ],\n    add_group_aliases=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gcp = new Vault.AuthBackend(\"gcp\", new()\n    {\n        Path = \"gcp\",\n        Type = \"gcp\",\n    });\n\n    var test = new Vault.Gcp.AuthBackendRole(\"test\", new()\n    {\n        Backend = gcp.Path,\n        Role = \"test\",\n        Type = \"iam\",\n        BoundServiceAccounts = new[]\n        {\n            \"test\",\n        },\n        BoundProjects = new[]\n        {\n            \"test\",\n        },\n        TokenTtl = 300,\n        TokenMaxTtl = 600,\n        TokenPolicies = new[]\n        {\n            \"policy_a\",\n            \"policy_b\",\n        },\n        AddGroupAliases = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/gcp\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tgcp, err := vault.NewAuthBackend(ctx, \"gcp\", \u0026vault.AuthBackendArgs{\n\t\t\tPath: pulumi.String(\"gcp\"),\n\t\t\tType: pulumi.String(\"gcp\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = gcp.NewAuthBackendRole(ctx, \"test\", \u0026gcp.AuthBackendRoleArgs{\n\t\t\tBackend: gcp.Path,\n\t\t\tRole:    pulumi.String(\"test\"),\n\t\t\tType:    pulumi.String(\"iam\"),\n\t\t\tBoundServiceAccounts: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tBoundProjects: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tTokenTtl:    pulumi.Int(300),\n\t\t\tTokenMaxTtl: pulumi.Int(600),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"policy_a\"),\n\t\t\t\tpulumi.String(\"policy_b\"),\n\t\t\t},\n\t\t\tAddGroupAliases: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.gcp.AuthBackendRole;\nimport com.pulumi.vault.gcp.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gcp = new AuthBackend(\"gcp\", AuthBackendArgs.builder()\n            .path(\"gcp\")\n            .type(\"gcp\")\n            .build());\n\n        var test = new AuthBackendRole(\"test\", AuthBackendRoleArgs.builder()\n            .backend(gcp.path())\n            .role(\"test\")\n            .type(\"iam\")\n            .boundServiceAccounts(\"test\")\n            .boundProjects(\"test\")\n            .tokenTtl(300)\n            .tokenMaxTtl(600)\n            .tokenPolicies(            \n                \"policy_a\",\n                \"policy_b\")\n            .addGroupAliases(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gcp:\n    type: vault:AuthBackend\n    properties:\n      path: gcp\n      type: gcp\n  test:\n    type: vault:gcp:AuthBackendRole\n    properties:\n      backend: ${gcp.path}\n      role: test\n      type: iam\n      boundServiceAccounts:\n        - test\n      boundProjects:\n        - test\n      tokenTtl: 300\n      tokenMaxTtl: 600\n      tokenPolicies:\n        - policy_a\n        - policy_b\n      addGroupAliases: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nGCP authentication roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:gcp/authBackendRole:AuthBackendRole my_role auth/gcp/role/my_role\n```\n","properties":{"addGroupAliases":{"type":"boolean"},"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowGceInference":{"type":"boolean"},"backend":{"type":"string","description":"Path to the mounted GCP auth backend\n"},"boundInstanceGroups":{"type":"array","items":{"type":"string"}},"boundLabels":{"type":"array","items":{"type":"string"}},"boundProjects":{"type":"array","items":{"type":"string"},"description":"An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.\n"},"boundRegions":{"type":"array","items":{"type":"string"}},"boundServiceAccounts":{"type":"array","items":{"type":"string"},"description":"GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e)\n"},"boundZones":{"type":"array","items":{"type":"string"}},"maxJwtExp":{"type":"string"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"role":{"type":"string","description":"Name of the GCP role\n"},"roleId":{"type":"string","description":"The\u003cspan pulumi-lang-nodejs=\" roleId \" pulumi-lang-dotnet=\" RoleId \" pulumi-lang-go=\" roleId \" pulumi-lang-python=\" role_id \" pulumi-lang-yaml=\" roleId \" pulumi-lang-java=\" roleId \"\u003e role_id \u003c/span\u003eis the stable, unique identifier for the role generated by vault.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"},"type":{"type":"string","description":"Type of GCP authentication role (either \u003cspan pulumi-lang-nodejs=\"`gce`\" pulumi-lang-dotnet=\"`Gce`\" pulumi-lang-go=\"`gce`\" pulumi-lang-python=\"`gce`\" pulumi-lang-yaml=\"`gce`\" pulumi-lang-java=\"`gce`\"\u003e`gce`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e)\n"}},"required":["addGroupAliases","allowGceInference","boundInstanceGroups","boundLabels","boundRegions","boundServiceAccounts","boundZones","maxJwtExp","role","roleId","type"],"inputProperties":{"addGroupAliases":{"type":"boolean"},"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowGceInference":{"type":"boolean"},"backend":{"type":"string","description":"Path to the mounted GCP auth backend\n","willReplaceOnChanges":true},"boundInstanceGroups":{"type":"array","items":{"type":"string"}},"boundLabels":{"type":"array","items":{"type":"string"}},"boundProjects":{"type":"array","items":{"type":"string"},"description":"An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.\n","willReplaceOnChanges":true},"boundRegions":{"type":"array","items":{"type":"string"}},"boundServiceAccounts":{"type":"array","items":{"type":"string"},"description":"GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e)\n"},"boundZones":{"type":"array","items":{"type":"string"}},"maxJwtExp":{"type":"string"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"Name of the GCP role\n","willReplaceOnChanges":true},"roleId":{"type":"string","description":"The\u003cspan pulumi-lang-nodejs=\" roleId \" pulumi-lang-dotnet=\" RoleId \" pulumi-lang-go=\" roleId \" pulumi-lang-python=\" role_id \" pulumi-lang-yaml=\" roleId \" pulumi-lang-java=\" roleId \"\u003e role_id \u003c/span\u003eis the stable, unique identifier for the role generated by vault.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"},"type":{"type":"string","description":"Type of GCP authentication role (either \u003cspan pulumi-lang-nodejs=\"`gce`\" pulumi-lang-dotnet=\"`Gce`\" pulumi-lang-go=\"`gce`\" pulumi-lang-python=\"`gce`\" pulumi-lang-yaml=\"`gce`\" pulumi-lang-java=\"`gce`\"\u003e`gce`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e)\n","willReplaceOnChanges":true}},"requiredInputs":["role","type"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRole resources.\n","properties":{"addGroupAliases":{"type":"boolean"},"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowGceInference":{"type":"boolean"},"backend":{"type":"string","description":"Path to the mounted GCP auth backend\n","willReplaceOnChanges":true},"boundInstanceGroups":{"type":"array","items":{"type":"string"}},"boundLabels":{"type":"array","items":{"type":"string"}},"boundProjects":{"type":"array","items":{"type":"string"},"description":"An array of GCP project IDs. Only entities belonging to this project can authenticate under the role.\n","willReplaceOnChanges":true},"boundRegions":{"type":"array","items":{"type":"string"}},"boundServiceAccounts":{"type":"array","items":{"type":"string"},"description":"GCP Service Accounts allowed to issue tokens under this role. (Note: **Required** if role is \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e)\n"},"boundZones":{"type":"array","items":{"type":"string"}},"maxJwtExp":{"type":"string"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"Name of the GCP role\n","willReplaceOnChanges":true},"roleId":{"type":"string","description":"The\u003cspan pulumi-lang-nodejs=\" roleId \" pulumi-lang-dotnet=\" RoleId \" pulumi-lang-go=\" roleId \" pulumi-lang-python=\" role_id \" pulumi-lang-yaml=\" roleId \" pulumi-lang-java=\" roleId \"\u003e role_id \u003c/span\u003eis the stable, unique identifier for the role generated by vault.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"},"type":{"type":"string","description":"Type of GCP authentication role (either \u003cspan pulumi-lang-nodejs=\"`gce`\" pulumi-lang-dotnet=\"`Gce`\" pulumi-lang-go=\"`gce`\" pulumi-lang-python=\"`gce`\" pulumi-lang-yaml=\"`gce`\" pulumi-lang-java=\"`gce`\"\u003e`gce`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e)\n","willReplaceOnChanges":true}},"type":"object"}},"vault:gcp/secretBackend:SecretBackend":{"description":"## Example Usage\n\nYou can setup the GCP secret backend with Workload Identity Federation (WIF) for a secret-less configuration:\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gcp = new vault.gcp.SecretBackend(\"gcp\", {\n    identityTokenKey: \"example-key\",\n    identityTokenTtl: 1800,\n    identityTokenAudience: \"\u003cTOKEN_AUDIENCE\u003e\",\n    serviceAccountEmail: \"\u003cSERVICE_ACCOUNT_EMAIL\u003e\",\n    rotationSchedule: \"0 * * * SAT\",\n    rotationWindow: 3600,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ngcp = vault.gcp.SecretBackend(\"gcp\",\n    identity_token_key=\"example-key\",\n    identity_token_ttl=1800,\n    identity_token_audience=\"\u003cTOKEN_AUDIENCE\u003e\",\n    service_account_email=\"\u003cSERVICE_ACCOUNT_EMAIL\u003e\",\n    rotation_schedule=\"0 * * * SAT\",\n    rotation_window=3600)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gcp = new Vault.Gcp.SecretBackend(\"gcp\", new()\n    {\n        IdentityTokenKey = \"example-key\",\n        IdentityTokenTtl = 1800,\n        IdentityTokenAudience = \"\u003cTOKEN_AUDIENCE\u003e\",\n        ServiceAccountEmail = \"\u003cSERVICE_ACCOUNT_EMAIL\u003e\",\n        RotationSchedule = \"0 * * * SAT\",\n        RotationWindow = 3600,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/gcp\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := gcp.NewSecretBackend(ctx, \"gcp\", \u0026gcp.SecretBackendArgs{\n\t\t\tIdentityTokenKey:      pulumi.String(\"example-key\"),\n\t\t\tIdentityTokenTtl:      pulumi.Int(1800),\n\t\t\tIdentityTokenAudience: pulumi.String(\"\u003cTOKEN_AUDIENCE\u003e\"),\n\t\t\tServiceAccountEmail:   pulumi.String(\"\u003cSERVICE_ACCOUNT_EMAIL\u003e\"),\n\t\t\tRotationSchedule:      pulumi.String(\"0 * * * SAT\"),\n\t\t\tRotationWindow:        pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.gcp.SecretBackend;\nimport com.pulumi.vault.gcp.SecretBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gcp = new SecretBackend(\"gcp\", SecretBackendArgs.builder()\n            .identityTokenKey(\"example-key\")\n            .identityTokenTtl(1800)\n            .identityTokenAudience(\"\u003cTOKEN_AUDIENCE\u003e\")\n            .serviceAccountEmail(\"\u003cSERVICE_ACCOUNT_EMAIL\u003e\")\n            .rotationSchedule(\"0 * * * SAT\")\n            .rotationWindow(3600)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gcp:\n    type: vault:gcp:SecretBackend\n    properties:\n      identityTokenKey: example-key\n      identityTokenTtl: 1800\n      identityTokenAudience: \u003cTOKEN_AUDIENCE\u003e\n      serviceAccountEmail: \u003cSERVICE_ACCOUNT_EMAIL\u003e\n      rotationSchedule: 0 * * * SAT\n      rotationWindow: 3600\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gcp = new vault.gcp.SecretBackend(\"gcp\", {\n    credentials: std.file({\n        input: \"credentials.json\",\n    }).then(invoke =\u003e invoke.result),\n    rotationSchedule: \"0 * * * SAT\",\n    rotationWindow: 3600,\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\ngcp = vault.gcp.SecretBackend(\"gcp\",\n    credentials=std.file(input=\"credentials.json\").result,\n    rotation_schedule=\"0 * * * SAT\",\n    rotation_window=3600)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gcp = new Vault.Gcp.SecretBackend(\"gcp\", new()\n    {\n        Credentials = Std.File.Invoke(new()\n        {\n            Input = \"credentials.json\",\n        }).Apply(invoke =\u003e invoke.Result),\n        RotationSchedule = \"0 * * * SAT\",\n        RotationWindow = 3600,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/gcp\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"credentials.json\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = gcp.NewSecretBackend(ctx, \"gcp\", \u0026gcp.SecretBackendArgs{\n\t\t\tCredentials:      pulumi.String(invokeFile.Result),\n\t\t\tRotationSchedule: pulumi.String(\"0 * * * SAT\"),\n\t\t\tRotationWindow:   pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.gcp.SecretBackend;\nimport com.pulumi.vault.gcp.SecretBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gcp = new SecretBackend(\"gcp\", SecretBackendArgs.builder()\n            .credentials(StdFunctions.file(FileArgs.builder()\n                .input(\"credentials.json\")\n                .build()).result())\n            .rotationSchedule(\"0 * * * SAT\")\n            .rotationWindow(3600)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gcp:\n    type: vault:gcp:SecretBackend\n    properties:\n      credentials:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: credentials.json\n          return: result\n      rotationSchedule: 0 * * * SAT\n      rotationWindow: 3600\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Ephemeral Attributes Reference\n\nThe following write-only attributes are supported:\n\n* \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e - (Optional) The GCP service account credentials in JSON format. Can be updated.\n  **Note**: This property is write-only and will not be read from the API.\n","properties":{"accessor":{"type":"string","description":"The accessor of the created GCP mount.\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP","secret":true},"credentialsWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only JSON-encoded credentials to use to connect to GCP","secret":true},"credentialsWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenAudience":{"type":"string","description":"The audience claim value for plugin identity\ntokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentials`\" pulumi-lang-dotnet=\"`Credentials`\" pulumi-lang-go=\"`credentials`\" pulumi-lang-python=\"`credentials`\" pulumi-lang-yaml=\"`credentials`\" pulumi-lang-java=\"`credentials`\"\u003e`credentials`\u003c/span\u003e.  Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"identityTokenTtl":{"type":"integer","description":"The TTL of generated tokens."},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"maxTtl":{"type":"integer","description":"The maximum TTL for long-lived credentials (i.e. service account keys)."},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`gcp`\" pulumi-lang-dotnet=\"`Gcp`\" pulumi-lang-go=\"`gcp`\" pulumi-lang-python=\"`gcp`\" pulumi-lang-yaml=\"`gcp`\" pulumi-lang-java=\"`gcp`\"\u003e`gcp`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"serviceAccountEmail":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.\nRequired with \u003cspan pulumi-lang-nodejs=\"`identityTokenAudience`\" pulumi-lang-dotnet=\"`IdentityTokenAudience`\" pulumi-lang-go=\"`identityTokenAudience`\" pulumi-lang-python=\"`identity_token_audience`\" pulumi-lang-yaml=\"`identityTokenAudience`\" pulumi-lang-java=\"`identityTokenAudience`\"\u003e`identity_token_audience`\u003c/span\u003e. Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"ttl":{"type":"integer","description":"The default TTL for long-lived credentials (i.e. service account keys)."}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","forceNoCache","sealWrap"],"inputProperties":{"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP","secret":true},"credentialsWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only JSON-encoded credentials to use to connect to GCP","secret":true},"credentialsWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenAudience":{"type":"string","description":"The audience claim value for plugin identity\ntokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentials`\" pulumi-lang-dotnet=\"`Credentials`\" pulumi-lang-go=\"`credentials`\" pulumi-lang-python=\"`credentials`\" pulumi-lang-yaml=\"`credentials`\" pulumi-lang-java=\"`credentials`\"\u003e`credentials`\u003c/span\u003e.  Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"identityTokenTtl":{"type":"integer","description":"The TTL of generated tokens."},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"maxTtl":{"type":"integer","description":"The maximum TTL for long-lived credentials (i.e. service account keys)."},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`gcp`\" pulumi-lang-dotnet=\"`Gcp`\" pulumi-lang-go=\"`gcp`\" pulumi-lang-python=\"`gcp`\" pulumi-lang-yaml=\"`gcp`\" pulumi-lang-java=\"`gcp`\"\u003e`gcp`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"serviceAccountEmail":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.\nRequired with \u003cspan pulumi-lang-nodejs=\"`identityTokenAudience`\" pulumi-lang-dotnet=\"`IdentityTokenAudience`\" pulumi-lang-go=\"`identityTokenAudience`\" pulumi-lang-python=\"`identity_token_audience`\" pulumi-lang-yaml=\"`identityTokenAudience`\" pulumi-lang-java=\"`identityTokenAudience`\"\u003e`identity_token_audience`\u003c/span\u003e. Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"ttl":{"type":"integer","description":"The default TTL for long-lived credentials (i.e. service account keys)."}},"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"accessor":{"type":"string","description":"The accessor of the created GCP mount.\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP","secret":true},"credentialsWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only JSON-encoded credentials to use to connect to GCP","secret":true},"credentialsWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`credentialsWo`\" pulumi-lang-dotnet=\"`CredentialsWo`\" pulumi-lang-go=\"`credentialsWo`\" pulumi-lang-python=\"`credentials_wo`\" pulumi-lang-yaml=\"`credentialsWo`\" pulumi-lang-java=\"`credentialsWo`\"\u003e`credentials_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenAudience":{"type":"string","description":"The audience claim value for plugin identity\ntokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`credentials`\" pulumi-lang-dotnet=\"`Credentials`\" pulumi-lang-go=\"`credentials`\" pulumi-lang-python=\"`credentials`\" pulumi-lang-yaml=\"`credentials`\" pulumi-lang-java=\"`credentials`\"\u003e`credentials`\u003c/span\u003e.  Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"identityTokenTtl":{"type":"integer","description":"The TTL of generated tokens."},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"maxTtl":{"type":"integer","description":"The maximum TTL for long-lived credentials (i.e. service account keys)."},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`gcp`\" pulumi-lang-dotnet=\"`Gcp`\" pulumi-lang-go=\"`gcp`\" pulumi-lang-python=\"`gcp`\" pulumi-lang-yaml=\"`gcp`\" pulumi-lang-java=\"`gcp`\"\u003e`gcp`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n*Available only for Vault Enterprise*.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+. *Available only for Vault Enterprise*.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"serviceAccountEmail":{"type":"string","description":"Service Account to impersonate for plugin workload identity federation.\nRequired with \u003cspan pulumi-lang-nodejs=\"`identityTokenAudience`\" pulumi-lang-dotnet=\"`IdentityTokenAudience`\" pulumi-lang-go=\"`identityTokenAudience`\" pulumi-lang-python=\"`identity_token_audience`\" pulumi-lang-yaml=\"`identityTokenAudience`\" pulumi-lang-java=\"`identityTokenAudience`\"\u003e`identity_token_audience`\u003c/span\u003e. Requires Vault 1.17+. *Available only for Vault Enterprise*.\n"},"ttl":{"type":"integer","description":"The default TTL for long-lived credentials (i.e. service account keys)."}},"type":"object"}},"vault:gcp/secretImpersonatedAccount:SecretImpersonatedAccount":{"description":"Creates a Impersonated Account in the [GCP Secrets Engine](https://www.vaultproject.io/docs/secrets/gcp/index.html) for Vault.\n\nEach [impersonated account](https://www.vaultproject.io/docs/secrets/gcp/index.html#impersonated-accounts) is tied to a separately managed\nService Account.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as google from \"@pulumi/google\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst _this = new google.index.ServiceAccount(\"this\", {accountId: \"my-awesome-account\"});\nconst gcp = new vault.gcp.SecretBackend(\"gcp\", {\n    path: \"gcp\",\n    credentials: std.file({\n        input: \"credentials.json\",\n    }).then(invoke =\u003e invoke.result),\n});\nconst impersonatedAccount = new vault.gcp.SecretImpersonatedAccount(\"impersonated_account\", {\n    backend: gcp.path,\n    impersonatedAccount: \"this\",\n    serviceAccountEmail: _this.email,\n    tokenScopes: [\"https://www.googleapis.com/auth/cloud-platform\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_google as google\nimport pulumi_std as std\nimport pulumi_vault as vault\n\nthis = google.index.ServiceAccount(\"this\", account_id=my-awesome-account)\ngcp = vault.gcp.SecretBackend(\"gcp\",\n    path=\"gcp\",\n    credentials=std.file(input=\"credentials.json\").result)\nimpersonated_account = vault.gcp.SecretImpersonatedAccount(\"impersonated_account\",\n    backend=gcp.path,\n    impersonated_account=\"this\",\n    service_account_email=this[\"email\"],\n    token_scopes=[\"https://www.googleapis.com/auth/cloud-platform\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Google = Pulumi.Google;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @this = new Google.Index.ServiceAccount(\"this\", new()\n    {\n        AccountId = \"my-awesome-account\",\n    });\n\n    var gcp = new Vault.Gcp.SecretBackend(\"gcp\", new()\n    {\n        Path = \"gcp\",\n        Credentials = Std.File.Invoke(new()\n        {\n            Input = \"credentials.json\",\n        }).Apply(invoke =\u003e invoke.Result),\n    });\n\n    var impersonatedAccount = new Vault.Gcp.SecretImpersonatedAccount(\"impersonated_account\", new()\n    {\n        Backend = gcp.Path,\n        ImpersonatedAccount = \"this\",\n        ServiceAccountEmail = @this.Email,\n        TokenScopes = new[]\n        {\n            \"https://www.googleapis.com/auth/cloud-platform\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-google/sdk/go/google\"\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/gcp\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tthis, err := google.NewServiceAccount(ctx, \"this\", \u0026google.ServiceAccountArgs{\n\t\t\tAccountId: \"my-awesome-account\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"credentials.json\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgcp, err := gcp.NewSecretBackend(ctx, \"gcp\", \u0026gcp.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"gcp\"),\n\t\t\tCredentials: pulumi.String(invokeFile.Result),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = gcp.NewSecretImpersonatedAccount(ctx, \"impersonated_account\", \u0026gcp.SecretImpersonatedAccountArgs{\n\t\t\tBackend:             gcp.Path,\n\t\t\tImpersonatedAccount: pulumi.String(\"this\"),\n\t\t\tServiceAccountEmail: this.Email,\n\t\t\tTokenScopes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"https://www.googleapis.com/auth/cloud-platform\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.google.ServiceAccount;\nimport com.pulumi.google.ServiceAccountArgs;\nimport com.pulumi.vault.gcp.SecretBackend;\nimport com.pulumi.vault.gcp.SecretBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport com.pulumi.vault.gcp.SecretImpersonatedAccount;\nimport com.pulumi.vault.gcp.SecretImpersonatedAccountArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var this_ = new ServiceAccount(\"this\", ServiceAccountArgs.builder()\n            .accountId(\"my-awesome-account\")\n            .build());\n\n        var gcp = new SecretBackend(\"gcp\", SecretBackendArgs.builder()\n            .path(\"gcp\")\n            .credentials(StdFunctions.file(FileArgs.builder()\n                .input(\"credentials.json\")\n                .build()).result())\n            .build());\n\n        var impersonatedAccount = new SecretImpersonatedAccount(\"impersonatedAccount\", SecretImpersonatedAccountArgs.builder()\n            .backend(gcp.path())\n            .impersonatedAccount(\"this\")\n            .serviceAccountEmail(this_.email())\n            .tokenScopes(\"https://www.googleapis.com/auth/cloud-platform\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  this:\n    type: google:ServiceAccount\n    properties:\n      accountId: my-awesome-account\n  gcp:\n    type: vault:gcp:SecretBackend\n    properties:\n      path: gcp\n      credentials:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: credentials.json\n          return: result\n  impersonatedAccount:\n    type: vault:gcp:SecretImpersonatedAccount\n    name: impersonated_account\n    properties:\n      backend: ${gcp.path}\n      impersonatedAccount: this\n      serviceAccountEmail: ${this.email}\n      tokenScopes:\n        - https://www.googleapis.com/auth/cloud-platform\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nA impersonated account can be imported using its Vault Path. For example, referencing the example above,\n\n```sh\n$ pulumi import vault:gcp/secretImpersonatedAccount:SecretImpersonatedAccount impersonated_account gcp/impersonated-account/project_viewer\n```\n","properties":{"backend":{"type":"string","description":"Path where the GCP Secrets Engine is mounted\n"},"impersonatedAccount":{"type":"string","description":"Name of the Impersonated Account to create\n"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)"},"serviceAccountEmail":{"type":"string","description":"Email of the GCP service account to impersonate.\n"},"serviceAccountProject":{"type":"string","description":"Project the service account belongs to.\n"},"tokenScopes":{"type":"array","items":{"type":"string"},"description":"List of OAuth scopes to assign to access tokens generated under this impersonated account.\n"},"ttl":{"type":"string","description":"Specifies the default TTL for service principals generated using this role.\nAccepts time suffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine default TTL time.\n"}},"required":["backend","impersonatedAccount","serviceAccountEmail","serviceAccountProject","ttl"],"inputProperties":{"backend":{"type":"string","description":"Path where the GCP Secrets Engine is mounted\n","willReplaceOnChanges":true},"impersonatedAccount":{"type":"string","description":"Name of the Impersonated Account to create\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true},"serviceAccountEmail":{"type":"string","description":"Email of the GCP service account to impersonate.\n","willReplaceOnChanges":true},"tokenScopes":{"type":"array","items":{"type":"string"},"description":"List of OAuth scopes to assign to access tokens generated under this impersonated account.\n"},"ttl":{"type":"string","description":"Specifies the default TTL for service principals generated using this role.\nAccepts time suffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine default TTL time.\n"}},"requiredInputs":["backend","impersonatedAccount","serviceAccountEmail"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretImpersonatedAccount resources.\n","properties":{"backend":{"type":"string","description":"Path where the GCP Secrets Engine is mounted\n","willReplaceOnChanges":true},"impersonatedAccount":{"type":"string","description":"Name of the Impersonated Account to create\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true},"serviceAccountEmail":{"type":"string","description":"Email of the GCP service account to impersonate.\n","willReplaceOnChanges":true},"serviceAccountProject":{"type":"string","description":"Project the service account belongs to.\n"},"tokenScopes":{"type":"array","items":{"type":"string"},"description":"List of OAuth scopes to assign to access tokens generated under this impersonated account.\n"},"ttl":{"type":"string","description":"Specifies the default TTL for service principals generated using this role.\nAccepts time suffixed strings (\"1h\") or an integer number of seconds. Defaults to the system/engine default TTL time.\n"}},"type":"object"}},"vault:gcp/secretRoleset:SecretRoleset":{"description":"Creates a Roleset in the [GCP Secrets Engine](https://www.vaultproject.io/docs/secrets/gcp/index.html) for Vault.\n\nEach Roleset is [tied](https://www.vaultproject.io/docs/secrets/gcp/index.html#service-accounts-are-tied-to-rolesets) to a Service Account, and can have one or more [bindings](https://www.vaultproject.io/docs/secrets/gcp/index.html#roleset-bindings) associated with it.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst project = \"my-awesome-project\";\nconst gcp = new vault.gcp.SecretBackend(\"gcp\", {\n    path: \"gcp\",\n    credentials: std.file({\n        input: \"credentials.json\",\n    }).then(invoke =\u003e invoke.result),\n});\nconst roleset = new vault.gcp.SecretRoleset(\"roleset\", {\n    backend: gcp.path,\n    roleset: \"project_viewer\",\n    secretType: \"access_token\",\n    project: project,\n    tokenScopes: [\"https://www.googleapis.com/auth/cloud-platform\"],\n    bindings: [{\n        resource: `//cloudresourcemanager.googleapis.com/projects/${project}`,\n        roles: [\"roles/viewer\"],\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\nproject = \"my-awesome-project\"\ngcp = vault.gcp.SecretBackend(\"gcp\",\n    path=\"gcp\",\n    credentials=std.file(input=\"credentials.json\").result)\nroleset = vault.gcp.SecretRoleset(\"roleset\",\n    backend=gcp.path,\n    roleset=\"project_viewer\",\n    secret_type=\"access_token\",\n    project=project,\n    token_scopes=[\"https://www.googleapis.com/auth/cloud-platform\"],\n    bindings=[{\n        \"resource\": f\"//cloudresourcemanager.googleapis.com/projects/{project}\",\n        \"roles\": [\"roles/viewer\"],\n    }])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var project = \"my-awesome-project\";\n\n    var gcp = new Vault.Gcp.SecretBackend(\"gcp\", new()\n    {\n        Path = \"gcp\",\n        Credentials = Std.File.Invoke(new()\n        {\n            Input = \"credentials.json\",\n        }).Apply(invoke =\u003e invoke.Result),\n    });\n\n    var roleset = new Vault.Gcp.SecretRoleset(\"roleset\", new()\n    {\n        Backend = gcp.Path,\n        Roleset = \"project_viewer\",\n        SecretType = \"access_token\",\n        Project = project,\n        TokenScopes = new[]\n        {\n            \"https://www.googleapis.com/auth/cloud-platform\",\n        },\n        Bindings = new[]\n        {\n            new Vault.Gcp.Inputs.SecretRolesetBindingArgs\n            {\n                Resource = $\"//cloudresourcemanager.googleapis.com/projects/{project}\",\n                Roles = new[]\n                {\n                    \"roles/viewer\",\n                },\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/gcp\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tproject := \"my-awesome-project\"\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"credentials.json\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgcp, err := gcp.NewSecretBackend(ctx, \"gcp\", \u0026gcp.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"gcp\"),\n\t\t\tCredentials: pulumi.String(invokeFile.Result),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = gcp.NewSecretRoleset(ctx, \"roleset\", \u0026gcp.SecretRolesetArgs{\n\t\t\tBackend:    gcp.Path,\n\t\t\tRoleset:    pulumi.String(\"project_viewer\"),\n\t\t\tSecretType: pulumi.String(\"access_token\"),\n\t\t\tProject:    pulumi.String(project),\n\t\t\tTokenScopes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"https://www.googleapis.com/auth/cloud-platform\"),\n\t\t\t},\n\t\t\tBindings: gcp.SecretRolesetBindingArray{\n\t\t\t\t\u0026gcp.SecretRolesetBindingArgs{\n\t\t\t\t\tResource: pulumi.Sprintf(\"//cloudresourcemanager.googleapis.com/projects/%v\", project),\n\t\t\t\t\tRoles: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"roles/viewer\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.gcp.SecretBackend;\nimport com.pulumi.vault.gcp.SecretBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport com.pulumi.vault.gcp.SecretRoleset;\nimport com.pulumi.vault.gcp.SecretRolesetArgs;\nimport com.pulumi.vault.gcp.inputs.SecretRolesetBindingArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var project = \"my-awesome-project\";\n\n        var gcp = new SecretBackend(\"gcp\", SecretBackendArgs.builder()\n            .path(\"gcp\")\n            .credentials(StdFunctions.file(FileArgs.builder()\n                .input(\"credentials.json\")\n                .build()).result())\n            .build());\n\n        var roleset = new SecretRoleset(\"roleset\", SecretRolesetArgs.builder()\n            .backend(gcp.path())\n            .roleset(\"project_viewer\")\n            .secretType(\"access_token\")\n            .project(project)\n            .tokenScopes(\"https://www.googleapis.com/auth/cloud-platform\")\n            .bindings(SecretRolesetBindingArgs.builder()\n                .resource(String.format(\"//cloudresourcemanager.googleapis.com/projects/%s\", project))\n                .roles(\"roles/viewer\")\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gcp:\n    type: vault:gcp:SecretBackend\n    properties:\n      path: gcp\n      credentials:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: credentials.json\n          return: result\n  roleset:\n    type: vault:gcp:SecretRoleset\n    properties:\n      backend: ${gcp.path}\n      roleset: project_viewer\n      secretType: access_token\n      project: ${project}\n      tokenScopes:\n        - https://www.googleapis.com/auth/cloud-platform\n      bindings:\n        - resource: //cloudresourcemanager.googleapis.com/projects/${project}\n          roles:\n            - roles/viewer\nvariables:\n  project: my-awesome-project\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nA roleset can be imported using its Vault Path. For example, referencing the example above,\n\n```sh\n$ pulumi import vault:gcp/secretRoleset:SecretRoleset roleset gcp/roleset/project_viewer\n```\n","properties":{"backend":{"type":"string","description":"Path where the GCP Secrets Engine is mounted\n"},"bindings":{"type":"array","items":{"$ref":"#/types/vault:gcp/SecretRolesetBinding:SecretRolesetBinding"},"description":"Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"project":{"type":"string","description":"Name of the GCP project that this roleset's service account will belong to.\n"},"roleset":{"type":"string","description":"Name of the Roleset to create\n"},"secretType":{"type":"string","description":"Type of secret generated for this role set. Accepted values: \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceAccountKey`\" pulumi-lang-dotnet=\"`ServiceAccountKey`\" pulumi-lang-go=\"`serviceAccountKey`\" pulumi-lang-python=\"`service_account_key`\" pulumi-lang-yaml=\"`serviceAccountKey`\" pulumi-lang-java=\"`serviceAccountKey`\"\u003e`service_account_key`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e.\n"},"serviceAccountEmail":{"type":"string","description":"Email of the service account created by Vault for this Roleset.\n"},"tokenScopes":{"type":"array","items":{"type":"string"},"description":"List of OAuth scopes to assign to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e secrets generated under this role set (\u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e role sets only).\n"}},"required":["backend","bindings","project","roleset","secretType","serviceAccountEmail"],"inputProperties":{"backend":{"type":"string","description":"Path where the GCP Secrets Engine is mounted\n","willReplaceOnChanges":true},"bindings":{"type":"array","items":{"$ref":"#/types/vault:gcp/SecretRolesetBinding:SecretRolesetBinding"},"description":"Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"project":{"type":"string","description":"Name of the GCP project that this roleset's service account will belong to.\n","willReplaceOnChanges":true},"roleset":{"type":"string","description":"Name of the Roleset to create\n","willReplaceOnChanges":true},"secretType":{"type":"string","description":"Type of secret generated for this role set. Accepted values: \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceAccountKey`\" pulumi-lang-dotnet=\"`ServiceAccountKey`\" pulumi-lang-go=\"`serviceAccountKey`\" pulumi-lang-python=\"`service_account_key`\" pulumi-lang-yaml=\"`serviceAccountKey`\" pulumi-lang-java=\"`serviceAccountKey`\"\u003e`service_account_key`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e.\n","willReplaceOnChanges":true},"tokenScopes":{"type":"array","items":{"type":"string"},"description":"List of OAuth scopes to assign to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e secrets generated under this role set (\u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e role sets only).\n"}},"requiredInputs":["backend","bindings","project","roleset"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretRoleset resources.\n","properties":{"backend":{"type":"string","description":"Path where the GCP Secrets Engine is mounted\n","willReplaceOnChanges":true},"bindings":{"type":"array","items":{"$ref":"#/types/vault:gcp/SecretRolesetBinding:SecretRolesetBinding"},"description":"Bindings to create for this roleset. This can be specified multiple times for multiple bindings. Structure is documented below.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"project":{"type":"string","description":"Name of the GCP project that this roleset's service account will belong to.\n","willReplaceOnChanges":true},"roleset":{"type":"string","description":"Name of the Roleset to create\n","willReplaceOnChanges":true},"secretType":{"type":"string","description":"Type of secret generated for this role set. Accepted values: \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceAccountKey`\" pulumi-lang-dotnet=\"`ServiceAccountKey`\" pulumi-lang-go=\"`serviceAccountKey`\" pulumi-lang-python=\"`service_account_key`\" pulumi-lang-yaml=\"`serviceAccountKey`\" pulumi-lang-java=\"`serviceAccountKey`\"\u003e`service_account_key`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e.\n","willReplaceOnChanges":true},"serviceAccountEmail":{"type":"string","description":"Email of the service account created by Vault for this Roleset.\n"},"tokenScopes":{"type":"array","items":{"type":"string"},"description":"List of OAuth scopes to assign to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e secrets generated under this role set (\u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e role sets only).\n"}},"type":"object"}},"vault:gcp/secretStaticAccount:SecretStaticAccount":{"description":"Creates a Static Account in the [GCP Secrets Engine](https://www.vaultproject.io/docs/secrets/gcp/index.html) for Vault.\n\nEach [static account](https://www.vaultproject.io/docs/secrets/gcp/index.html#static-accounts) is tied to a separately managed\nService Account, and can have one or more [bindings](https://www.vaultproject.io/docs/secrets/gcp/index.html#bindings) associated with it.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as google from \"@pulumi/google\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst _this = new google.index.ServiceAccount(\"this\", {accountId: \"my-awesome-account\"});\nconst gcp = new vault.gcp.SecretBackend(\"gcp\", {\n    path: \"gcp\",\n    credentials: std.file({\n        input: \"credentials.json\",\n    }).then(invoke =\u003e invoke.result),\n});\nconst staticAccount = new vault.gcp.SecretStaticAccount(\"static_account\", {\n    backend: gcp.path,\n    staticAccount: \"project_viewer\",\n    secretType: \"access_token\",\n    tokenScopes: [\"https://www.googleapis.com/auth/cloud-platform\"],\n    serviceAccountEmail: _this.email,\n    bindings: [{\n        resource: `//cloudresourcemanager.googleapis.com/projects/${_this.project}`,\n        roles: [\"roles/viewer\"],\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_google as google\nimport pulumi_std as std\nimport pulumi_vault as vault\n\nthis = google.index.ServiceAccount(\"this\", account_id=my-awesome-account)\ngcp = vault.gcp.SecretBackend(\"gcp\",\n    path=\"gcp\",\n    credentials=std.file(input=\"credentials.json\").result)\nstatic_account = vault.gcp.SecretStaticAccount(\"static_account\",\n    backend=gcp.path,\n    static_account=\"project_viewer\",\n    secret_type=\"access_token\",\n    token_scopes=[\"https://www.googleapis.com/auth/cloud-platform\"],\n    service_account_email=this[\"email\"],\n    bindings=[{\n        \"resource\": f\"//cloudresourcemanager.googleapis.com/projects/{this['project']}\",\n        \"roles\": [\"roles/viewer\"],\n    }])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Google = Pulumi.Google;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @this = new Google.Index.ServiceAccount(\"this\", new()\n    {\n        AccountId = \"my-awesome-account\",\n    });\n\n    var gcp = new Vault.Gcp.SecretBackend(\"gcp\", new()\n    {\n        Path = \"gcp\",\n        Credentials = Std.File.Invoke(new()\n        {\n            Input = \"credentials.json\",\n        }).Apply(invoke =\u003e invoke.Result),\n    });\n\n    var staticAccount = new Vault.Gcp.SecretStaticAccount(\"static_account\", new()\n    {\n        Backend = gcp.Path,\n        StaticAccount = \"project_viewer\",\n        SecretType = \"access_token\",\n        TokenScopes = new[]\n        {\n            \"https://www.googleapis.com/auth/cloud-platform\",\n        },\n        ServiceAccountEmail = @this.Email,\n        Bindings = new[]\n        {\n            new Vault.Gcp.Inputs.SecretStaticAccountBindingArgs\n            {\n                Resource = $\"//cloudresourcemanager.googleapis.com/projects/{@this.Project}\",\n                Roles = new[]\n                {\n                    \"roles/viewer\",\n                },\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-google/sdk/go/google\"\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/gcp\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tthis, err := google.NewServiceAccount(ctx, \"this\", \u0026google.ServiceAccountArgs{\n\t\t\tAccountId: \"my-awesome-account\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"credentials.json\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgcp, err := gcp.NewSecretBackend(ctx, \"gcp\", \u0026gcp.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"gcp\"),\n\t\t\tCredentials: pulumi.String(invokeFile.Result),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = gcp.NewSecretStaticAccount(ctx, \"static_account\", \u0026gcp.SecretStaticAccountArgs{\n\t\t\tBackend:       gcp.Path,\n\t\t\tStaticAccount: pulumi.String(\"project_viewer\"),\n\t\t\tSecretType:    pulumi.String(\"access_token\"),\n\t\t\tTokenScopes: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"https://www.googleapis.com/auth/cloud-platform\"),\n\t\t\t},\n\t\t\tServiceAccountEmail: this.Email,\n\t\t\tBindings: gcp.SecretStaticAccountBindingArray{\n\t\t\t\t\u0026gcp.SecretStaticAccountBindingArgs{\n\t\t\t\t\tResource: pulumi.Sprintf(\"//cloudresourcemanager.googleapis.com/projects/%v\", this.Project),\n\t\t\t\t\tRoles: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"roles/viewer\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.google.ServiceAccount;\nimport com.pulumi.google.ServiceAccountArgs;\nimport com.pulumi.vault.gcp.SecretBackend;\nimport com.pulumi.vault.gcp.SecretBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport com.pulumi.vault.gcp.SecretStaticAccount;\nimport com.pulumi.vault.gcp.SecretStaticAccountArgs;\nimport com.pulumi.vault.gcp.inputs.SecretStaticAccountBindingArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var this_ = new ServiceAccount(\"this\", ServiceAccountArgs.builder()\n            .accountId(\"my-awesome-account\")\n            .build());\n\n        var gcp = new SecretBackend(\"gcp\", SecretBackendArgs.builder()\n            .path(\"gcp\")\n            .credentials(StdFunctions.file(FileArgs.builder()\n                .input(\"credentials.json\")\n                .build()).result())\n            .build());\n\n        var staticAccount = new SecretStaticAccount(\"staticAccount\", SecretStaticAccountArgs.builder()\n            .backend(gcp.path())\n            .staticAccount(\"project_viewer\")\n            .secretType(\"access_token\")\n            .tokenScopes(\"https://www.googleapis.com/auth/cloud-platform\")\n            .serviceAccountEmail(this_.email())\n            .bindings(SecretStaticAccountBindingArgs.builder()\n                .resource(String.format(\"//cloudresourcemanager.googleapis.com/projects/%s\", this_.project()))\n                .roles(\"roles/viewer\")\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  this:\n    type: google:ServiceAccount\n    properties:\n      accountId: my-awesome-account\n  gcp:\n    type: vault:gcp:SecretBackend\n    properties:\n      path: gcp\n      credentials:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: credentials.json\n          return: result\n  staticAccount:\n    type: vault:gcp:SecretStaticAccount\n    name: static_account\n    properties:\n      backend: ${gcp.path}\n      staticAccount: project_viewer\n      secretType: access_token\n      tokenScopes:\n        - https://www.googleapis.com/auth/cloud-platform\n      serviceAccountEmail: ${this.email}\n      bindings:\n        - resource: //cloudresourcemanager.googleapis.com/projects/${this.project}\n          roles:\n            - roles/viewer\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nA static account can be imported using its Vault Path. For example, referencing the example above,\n\n```sh\n$ pulumi import vault:gcp/secretStaticAccount:SecretStaticAccount static_account gcp/static-account/project_viewer\n```\n","properties":{"backend":{"type":"string","description":"Path where the GCP Secrets Engine is mounted\n"},"bindings":{"type":"array","items":{"$ref":"#/types/vault:gcp/SecretStaticAccountBinding:SecretStaticAccountBinding"},"description":"Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"secretType":{"type":"string","description":"Type of secret generated for this static account. Accepted values: \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceAccountKey`\" pulumi-lang-dotnet=\"`ServiceAccountKey`\" pulumi-lang-go=\"`serviceAccountKey`\" pulumi-lang-python=\"`service_account_key`\" pulumi-lang-yaml=\"`serviceAccountKey`\" pulumi-lang-java=\"`serviceAccountKey`\"\u003e`service_account_key`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e.\n"},"serviceAccountEmail":{"type":"string","description":"Email of the GCP service account to manage.\n"},"serviceAccountProject":{"type":"string","description":"Project the service account belongs to.\n"},"staticAccount":{"type":"string","description":"Name of the Static Account to create\n"},"tokenScopes":{"type":"array","items":{"type":"string"},"description":"List of OAuth scopes to assign to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e secrets generated under this static account (\u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e static accounts only).\n"}},"required":["backend","secretType","serviceAccountEmail","serviceAccountProject","staticAccount"],"inputProperties":{"backend":{"type":"string","description":"Path where the GCP Secrets Engine is mounted\n","willReplaceOnChanges":true},"bindings":{"type":"array","items":{"$ref":"#/types/vault:gcp/SecretStaticAccountBinding:SecretStaticAccountBinding"},"description":"Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"secretType":{"type":"string","description":"Type of secret generated for this static account. Accepted values: \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceAccountKey`\" pulumi-lang-dotnet=\"`ServiceAccountKey`\" pulumi-lang-go=\"`serviceAccountKey`\" pulumi-lang-python=\"`service_account_key`\" pulumi-lang-yaml=\"`serviceAccountKey`\" pulumi-lang-java=\"`serviceAccountKey`\"\u003e`service_account_key`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e.\n","willReplaceOnChanges":true},"serviceAccountEmail":{"type":"string","description":"Email of the GCP service account to manage.\n","willReplaceOnChanges":true},"staticAccount":{"type":"string","description":"Name of the Static Account to create\n","willReplaceOnChanges":true},"tokenScopes":{"type":"array","items":{"type":"string"},"description":"List of OAuth scopes to assign to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e secrets generated under this static account (\u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e static accounts only).\n"}},"requiredInputs":["backend","serviceAccountEmail","staticAccount"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretStaticAccount resources.\n","properties":{"backend":{"type":"string","description":"Path where the GCP Secrets Engine is mounted\n","willReplaceOnChanges":true},"bindings":{"type":"array","items":{"$ref":"#/types/vault:gcp/SecretStaticAccountBinding:SecretStaticAccountBinding"},"description":"Bindings to create for this static account. This can be specified multiple times for multiple bindings. Structure is documented below.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"secretType":{"type":"string","description":"Type of secret generated for this static account. Accepted values: \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceAccountKey`\" pulumi-lang-dotnet=\"`ServiceAccountKey`\" pulumi-lang-go=\"`serviceAccountKey`\" pulumi-lang-python=\"`service_account_key`\" pulumi-lang-yaml=\"`serviceAccountKey`\" pulumi-lang-java=\"`serviceAccountKey`\"\u003e`service_account_key`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e.\n","willReplaceOnChanges":true},"serviceAccountEmail":{"type":"string","description":"Email of the GCP service account to manage.\n","willReplaceOnChanges":true},"serviceAccountProject":{"type":"string","description":"Project the service account belongs to.\n"},"staticAccount":{"type":"string","description":"Name of the Static Account to create\n","willReplaceOnChanges":true},"tokenScopes":{"type":"array","items":{"type":"string"},"description":"List of OAuth scopes to assign to \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e secrets generated under this static account (\u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e static accounts only).\n"}},"type":"object"}},"vault:generic/endpoint:Endpoint":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst userpass = new vault.AuthBackend(\"userpass\", {type: \"userpass\"});\nconst u1 = new vault.generic.Endpoint(\"u1\", {\n    path: \"auth/userpass/users/u1\",\n    ignoreAbsentFields: true,\n    dataJson: `{\n  \\\\\"policies\\\\\": [\\\\\"p1\\\\\"],\n  \\\\\"password\\\\\": \\\\\"changeme\\\\\"\n}\n`,\n}, {\n    dependsOn: [userpass],\n});\nconst u1Token = new vault.generic.Endpoint(\"u1_token\", {\n    path: \"auth/userpass/login/u1\",\n    disableRead: true,\n    disableDelete: true,\n    dataJson: `{\n  \\\\\"password\\\\\": \\\\\"changeme\\\\\"\n}\n`,\n}, {\n    dependsOn: [u1],\n});\nconst u1Entity = new vault.generic.Endpoint(\"u1_entity\", {\n    disableRead: true,\n    disableDelete: true,\n    path: \"identity/lookup/entity\",\n    ignoreAbsentFields: true,\n    writeFields: [\"id\"],\n    dataJson: `{\n  \\\\\"alias_name\\\\\": \\\\\"u1\\\\\",\n  \\\\\"alias_mount_accessor\\\\\": vault_auth_backend.userpass.accessor\n}\n`,\n}, {\n    dependsOn: [u1Token],\n});\nexport const u1Id = u1Entity.writeData.id;\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nuserpass = vault.AuthBackend(\"userpass\", type=\"userpass\")\nu1 = vault.generic.Endpoint(\"u1\",\n    path=\"auth/userpass/users/u1\",\n    ignore_absent_fields=True,\n    data_json=\"\"\"{\n  \\\"policies\\\": [\\\"p1\\\"],\n  \\\"password\\\": \\\"changeme\\\"\n}\n\"\"\",\n    opts = pulumi.ResourceOptions(depends_on=[userpass]))\nu1_token = vault.generic.Endpoint(\"u1_token\",\n    path=\"auth/userpass/login/u1\",\n    disable_read=True,\n    disable_delete=True,\n    data_json=\"\"\"{\n  \\\"password\\\": \\\"changeme\\\"\n}\n\"\"\",\n    opts = pulumi.ResourceOptions(depends_on=[u1]))\nu1_entity = vault.generic.Endpoint(\"u1_entity\",\n    disable_read=True,\n    disable_delete=True,\n    path=\"identity/lookup/entity\",\n    ignore_absent_fields=True,\n    write_fields=[\"id\"],\n    data_json=\"\"\"{\n  \\\"alias_name\\\": \\\"u1\\\",\n  \\\"alias_mount_accessor\\\": vault_auth_backend.userpass.accessor\n}\n\"\"\",\n    opts = pulumi.ResourceOptions(depends_on=[u1_token]))\npulumi.export(\"u1Id\", u1_entity.write_data[\"id\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var userpass = new Vault.AuthBackend(\"userpass\", new()\n    {\n        Type = \"userpass\",\n    });\n\n    var u1 = new Vault.Generic.Endpoint(\"u1\", new()\n    {\n        Path = \"auth/userpass/users/u1\",\n        IgnoreAbsentFields = true,\n        DataJson = @\"{\n  \\\"\"policies\\\"\": [\\\"\"p1\\\"\"],\n  \\\"\"password\\\"\": \\\"\"changeme\\\"\"\n}\n\",\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            userpass,\n        },\n    });\n\n    var u1Token = new Vault.Generic.Endpoint(\"u1_token\", new()\n    {\n        Path = \"auth/userpass/login/u1\",\n        DisableRead = true,\n        DisableDelete = true,\n        DataJson = @\"{\n  \\\"\"password\\\"\": \\\"\"changeme\\\"\"\n}\n\",\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            u1,\n        },\n    });\n\n    var u1Entity = new Vault.Generic.Endpoint(\"u1_entity\", new()\n    {\n        DisableRead = true,\n        DisableDelete = true,\n        Path = \"identity/lookup/entity\",\n        IgnoreAbsentFields = true,\n        WriteFields = new[]\n        {\n            \"id\",\n        },\n        DataJson = @\"{\n  \\\"\"alias_name\\\"\": \\\"\"u1\\\"\",\n  \\\"\"alias_mount_accessor\\\"\": vault_auth_backend.userpass.accessor\n}\n\",\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            u1Token,\n        },\n    });\n\n    return new Dictionary\u003cstring, object?\u003e\n    {\n        [\"u1Id\"] = u1Entity.WriteData.Apply(writeData =\u003e writeData.Id),\n    };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/generic\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tuserpass, err := vault.NewAuthBackend(ctx, \"userpass\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"userpass\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tu1, err := generic.NewEndpoint(ctx, \"u1\", \u0026generic.EndpointArgs{\n\t\t\tPath:               pulumi.String(\"auth/userpass/users/u1\"),\n\t\t\tIgnoreAbsentFields: pulumi.Bool(true),\n\t\t\tDataJson:           pulumi.String(\"{\\n  \\\\\\\"policies\\\\\\\": [\\\\\\\"p1\\\\\\\"],\\n  \\\\\\\"password\\\\\\\": \\\\\\\"changeme\\\\\\\"\\n}\\n\"),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tuserpass,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tu1Token, err := generic.NewEndpoint(ctx, \"u1_token\", \u0026generic.EndpointArgs{\n\t\t\tPath:          pulumi.String(\"auth/userpass/login/u1\"),\n\t\t\tDisableRead:   pulumi.Bool(true),\n\t\t\tDisableDelete: pulumi.Bool(true),\n\t\t\tDataJson:      pulumi.String(\"{\\n  \\\\\\\"password\\\\\\\": \\\\\\\"changeme\\\\\\\"\\n}\\n\"),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tu1,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tu1Entity, err := generic.NewEndpoint(ctx, \"u1_entity\", \u0026generic.EndpointArgs{\n\t\t\tDisableRead:        pulumi.Bool(true),\n\t\t\tDisableDelete:      pulumi.Bool(true),\n\t\t\tPath:               pulumi.String(\"identity/lookup/entity\"),\n\t\t\tIgnoreAbsentFields: pulumi.Bool(true),\n\t\t\tWriteFields: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"id\"),\n\t\t\t},\n\t\t\tDataJson: pulumi.String(\"{\\n  \\\\\\\"alias_name\\\\\\\": \\\\\\\"u1\\\\\\\",\\n  \\\\\\\"alias_mount_accessor\\\\\\\": vault_auth_backend.userpass.accessor\\n}\\n\"),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tu1Token,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"u1Id\", u1Entity.WriteData.ApplyT(func(writeData map[string]string) (string, error) {\n\t\t\treturn writeData.Id, nil\n\t\t}).(pulumi.StringOutput))\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.generic.Endpoint;\nimport com.pulumi.vault.generic.EndpointArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var userpass = new AuthBackend(\"userpass\", AuthBackendArgs.builder()\n            .type(\"userpass\")\n            .build());\n\n        var u1 = new Endpoint(\"u1\", EndpointArgs.builder()\n            .path(\"auth/userpass/users/u1\")\n            .ignoreAbsentFields(true)\n            .dataJson(\"\"\"\n{\n  \\\"policies\\\": [\\\"p1\\\"],\n  \\\"password\\\": \\\"changeme\\\"\n}\n            \"\"\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(userpass)\n                .build());\n\n        var u1Token = new Endpoint(\"u1Token\", EndpointArgs.builder()\n            .path(\"auth/userpass/login/u1\")\n            .disableRead(true)\n            .disableDelete(true)\n            .dataJson(\"\"\"\n{\n  \\\"password\\\": \\\"changeme\\\"\n}\n            \"\"\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(u1)\n                .build());\n\n        var u1Entity = new Endpoint(\"u1Entity\", EndpointArgs.builder()\n            .disableRead(true)\n            .disableDelete(true)\n            .path(\"identity/lookup/entity\")\n            .ignoreAbsentFields(true)\n            .writeFields(\"id\")\n            .dataJson(\"\"\"\n{\n  \\\"alias_name\\\": \\\"u1\\\",\n  \\\"alias_mount_accessor\\\": vault_auth_backend.userpass.accessor\n}\n            \"\"\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(u1Token)\n                .build());\n\n        ctx.export(\"u1Id\", u1Entity.writeData().applyValue(_writeData -\u003e _writeData.id()));\n    }\n}\n```\n```yaml\nresources:\n  userpass:\n    type: vault:AuthBackend\n    properties:\n      type: userpass\n  u1:\n    type: vault:generic:Endpoint\n    properties:\n      path: auth/userpass/users/u1\n      ignoreAbsentFields: true\n      dataJson: |\n        {\n          \\\"policies\\\": [\\\"p1\\\"],\n          \\\"password\\\": \\\"changeme\\\"\n        }\n    options:\n      dependsOn:\n        - ${userpass}\n  u1Token:\n    type: vault:generic:Endpoint\n    name: u1_token\n    properties:\n      path: auth/userpass/login/u1\n      disableRead: true\n      disableDelete: true\n      dataJson: |\n        {\n          \\\"password\\\": \\\"changeme\\\"\n        }\n    options:\n      dependsOn:\n        - ${u1}\n  u1Entity:\n    type: vault:generic:Endpoint\n    name: u1_entity\n    properties:\n      disableRead: true\n      disableDelete: true\n      path: identity/lookup/entity\n      ignoreAbsentFields: true\n      writeFields:\n        - id\n      dataJson: |\n        {\n          \\\"alias_name\\\": \\\"u1\\\",\n          \\\"alias_mount_accessor\\\": vault_auth_backend.userpass.accessor\n        }\n    options:\n      dependsOn:\n        - ${u1Token}\noutputs:\n  u1Id: ${u1Entity.writeData.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`create`\" pulumi-lang-dotnet=\"`Create`\" pulumi-lang-go=\"`create`\" pulumi-lang-python=\"`create`\" pulumi-lang-yaml=\"`create`\" pulumi-lang-java=\"`create`\"\u003e`create`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`update`\" pulumi-lang-dotnet=\"`Update`\" pulumi-lang-go=\"`update`\" pulumi-lang-python=\"`update`\" pulumi-lang-yaml=\"`update`\" pulumi-lang-java=\"`update`\"\u003e`update`\u003c/span\u003e capability\n(depending on whether the resource already exists) on the given path. If\n\u003cspan pulumi-lang-nodejs=\"`disableDelete`\" pulumi-lang-dotnet=\"`DisableDelete`\" pulumi-lang-go=\"`disableDelete`\" pulumi-lang-python=\"`disable_delete`\" pulumi-lang-yaml=\"`disableDelete`\" pulumi-lang-java=\"`disableDelete`\"\u003e`disable_delete`\u003c/span\u003e is false, the \u003cspan pulumi-lang-nodejs=\"`delete`\" pulumi-lang-dotnet=\"`Delete`\" pulumi-lang-go=\"`delete`\" pulumi-lang-python=\"`delete`\" pulumi-lang-yaml=\"`delete`\" pulumi-lang-java=\"`delete`\"\u003e`delete`\u003c/span\u003e capability is also required. If\n\u003cspan pulumi-lang-nodejs=\"`disableRead`\" pulumi-lang-dotnet=\"`DisableRead`\" pulumi-lang-go=\"`disableRead`\" pulumi-lang-python=\"`disable_read`\" pulumi-lang-yaml=\"`disableRead`\" pulumi-lang-java=\"`disableRead`\"\u003e`disable_read`\u003c/span\u003e is false, the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability is required.\n\n## Import\n\nImport is not supported for this resource.\n\n","properties":{"dataJson":{"type":"string","description":"String containing a JSON-encoded object that will be\nwritten to the given path as the secret data.\n","secret":true},"disableDelete":{"type":"boolean","description":"- (Optional) True/false. Set this to true if your\nvault authentication is not able to delete the data or if the endpoint\ndoes not support the `DELETE` method. Defaults to false.\n"},"disableRead":{"type":"boolean","description":"True/false. Set this to true if your vault\nauthentication is not able to read the data or if the endpoint does\nnot support the `GET` method. Setting this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e will break drift\ndetection. You should set this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e for endpoints that are\nwrite-only. Defaults to false.\n"},"ignoreAbsentFields":{"type":"boolean","description":"- (Optional) True/false. If set to true,\nignore any fields present when the endpoint is read but that were not\nin \u003cspan pulumi-lang-nodejs=\"`dataJson`\" pulumi-lang-dotnet=\"`DataJson`\" pulumi-lang-go=\"`dataJson`\" pulumi-lang-python=\"`data_json`\" pulumi-lang-yaml=\"`dataJson`\" pulumi-lang-java=\"`dataJson`\"\u003e`data_json`\u003c/span\u003e. Also, if a field that was written is not returned when\nthe endpoint is read, treat that field as being up to date. You should\nset this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e when writing to endpoint that, when read, returns a\ndifferent set of fields from the ones you wrote, as is common with\nmany configuration endpoints. Defaults to false.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"The full logical path at which to write the given\ndata. Consult each backend's documentation to see which endpoints\nsupport the `PUT` methods and to determine whether they also support\n`DELETE` and `GET`.\n"},"writeData":{"type":"object","additionalProperties":{"type":"string"},"description":"- A map whose keys are the top-level data keys\nreturned from Vault by the write operation and whose values are the\ncorresponding values. This map can only represent string data, so\nany non-string values returned from Vault are serialized as JSON.\nOnly fields set in \u003cspan pulumi-lang-nodejs=\"`writeFields`\" pulumi-lang-dotnet=\"`WriteFields`\" pulumi-lang-go=\"`writeFields`\" pulumi-lang-python=\"`write_fields`\" pulumi-lang-yaml=\"`writeFields`\" pulumi-lang-java=\"`writeFields`\"\u003e`write_fields`\u003c/span\u003e are present in the JSON data.\n"},"writeDataJson":{"type":"string","description":"- The JSON data returned by the write operation.\nOnly fields set in \u003cspan pulumi-lang-nodejs=\"`writeFields`\" pulumi-lang-dotnet=\"`WriteFields`\" pulumi-lang-go=\"`writeFields`\" pulumi-lang-python=\"`write_fields`\" pulumi-lang-yaml=\"`writeFields`\" pulumi-lang-java=\"`writeFields`\"\u003e`write_fields`\u003c/span\u003e are present in the JSON data.\n"},"writeFields":{"type":"array","items":{"type":"string"},"description":"- (Optional). A list of fields that should be returned\nin \u003cspan pulumi-lang-nodejs=\"`writeDataJson`\" pulumi-lang-dotnet=\"`WriteDataJson`\" pulumi-lang-go=\"`writeDataJson`\" pulumi-lang-python=\"`write_data_json`\" pulumi-lang-yaml=\"`writeDataJson`\" pulumi-lang-java=\"`writeDataJson`\"\u003e`write_data_json`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`writeData`\" pulumi-lang-dotnet=\"`WriteData`\" pulumi-lang-go=\"`writeData`\" pulumi-lang-python=\"`write_data`\" pulumi-lang-yaml=\"`writeData`\" pulumi-lang-java=\"`writeData`\"\u003e`write_data`\u003c/span\u003e. If omitted, data returned by\nthe write operation is not available to the resource or included in\nstate. This helps to avoid accidental storage of sensitive values in\nstate. Some endpoints, such as many dynamic secrets endpoints, return\ndata from writing to an endpoint rather than reading it. You should\nuse \u003cspan pulumi-lang-nodejs=\"`writeFields`\" pulumi-lang-dotnet=\"`WriteFields`\" pulumi-lang-go=\"`writeFields`\" pulumi-lang-python=\"`write_fields`\" pulumi-lang-yaml=\"`writeFields`\" pulumi-lang-java=\"`writeFields`\"\u003e`write_fields`\u003c/span\u003e if you need information returned in this way.\n"}},"required":["dataJson","path","writeData","writeDataJson"],"inputProperties":{"dataJson":{"type":"string","description":"String containing a JSON-encoded object that will be\nwritten to the given path as the secret data.\n","secret":true},"disableDelete":{"type":"boolean","description":"- (Optional) True/false. Set this to true if your\nvault authentication is not able to delete the data or if the endpoint\ndoes not support the `DELETE` method. Defaults to false.\n"},"disableRead":{"type":"boolean","description":"True/false. Set this to true if your vault\nauthentication is not able to read the data or if the endpoint does\nnot support the `GET` method. Setting this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e will break drift\ndetection. You should set this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e for endpoints that are\nwrite-only. Defaults to false.\n"},"ignoreAbsentFields":{"type":"boolean","description":"- (Optional) True/false. If set to true,\nignore any fields present when the endpoint is read but that were not\nin \u003cspan pulumi-lang-nodejs=\"`dataJson`\" pulumi-lang-dotnet=\"`DataJson`\" pulumi-lang-go=\"`dataJson`\" pulumi-lang-python=\"`data_json`\" pulumi-lang-yaml=\"`dataJson`\" pulumi-lang-java=\"`dataJson`\"\u003e`data_json`\u003c/span\u003e. Also, if a field that was written is not returned when\nthe endpoint is read, treat that field as being up to date. You should\nset this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e when writing to endpoint that, when read, returns a\ndifferent set of fields from the ones you wrote, as is common with\nmany configuration endpoints. Defaults to false.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The full logical path at which to write the given\ndata. Consult each backend's documentation to see which endpoints\nsupport the `PUT` methods and to determine whether they also support\n`DELETE` and `GET`.\n","willReplaceOnChanges":true},"writeFields":{"type":"array","items":{"type":"string"},"description":"- (Optional). A list of fields that should be returned\nin \u003cspan pulumi-lang-nodejs=\"`writeDataJson`\" pulumi-lang-dotnet=\"`WriteDataJson`\" pulumi-lang-go=\"`writeDataJson`\" pulumi-lang-python=\"`write_data_json`\" pulumi-lang-yaml=\"`writeDataJson`\" pulumi-lang-java=\"`writeDataJson`\"\u003e`write_data_json`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`writeData`\" pulumi-lang-dotnet=\"`WriteData`\" pulumi-lang-go=\"`writeData`\" pulumi-lang-python=\"`write_data`\" pulumi-lang-yaml=\"`writeData`\" pulumi-lang-java=\"`writeData`\"\u003e`write_data`\u003c/span\u003e. If omitted, data returned by\nthe write operation is not available to the resource or included in\nstate. This helps to avoid accidental storage of sensitive values in\nstate. Some endpoints, such as many dynamic secrets endpoints, return\ndata from writing to an endpoint rather than reading it. You should\nuse \u003cspan pulumi-lang-nodejs=\"`writeFields`\" pulumi-lang-dotnet=\"`WriteFields`\" pulumi-lang-go=\"`writeFields`\" pulumi-lang-python=\"`write_fields`\" pulumi-lang-yaml=\"`writeFields`\" pulumi-lang-java=\"`writeFields`\"\u003e`write_fields`\u003c/span\u003e if you need information returned in this way.\n"}},"requiredInputs":["dataJson","path"],"stateInputs":{"description":"Input properties used for looking up and filtering Endpoint resources.\n","properties":{"dataJson":{"type":"string","description":"String containing a JSON-encoded object that will be\nwritten to the given path as the secret data.\n","secret":true},"disableDelete":{"type":"boolean","description":"- (Optional) True/false. Set this to true if your\nvault authentication is not able to delete the data or if the endpoint\ndoes not support the `DELETE` method. Defaults to false.\n"},"disableRead":{"type":"boolean","description":"True/false. Set this to true if your vault\nauthentication is not able to read the data or if the endpoint does\nnot support the `GET` method. Setting this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e will break drift\ndetection. You should set this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e for endpoints that are\nwrite-only. Defaults to false.\n"},"ignoreAbsentFields":{"type":"boolean","description":"- (Optional) True/false. If set to true,\nignore any fields present when the endpoint is read but that were not\nin \u003cspan pulumi-lang-nodejs=\"`dataJson`\" pulumi-lang-dotnet=\"`DataJson`\" pulumi-lang-go=\"`dataJson`\" pulumi-lang-python=\"`data_json`\" pulumi-lang-yaml=\"`dataJson`\" pulumi-lang-java=\"`dataJson`\"\u003e`data_json`\u003c/span\u003e. Also, if a field that was written is not returned when\nthe endpoint is read, treat that field as being up to date. You should\nset this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e when writing to endpoint that, when read, returns a\ndifferent set of fields from the ones you wrote, as is common with\nmany configuration endpoints. Defaults to false.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The full logical path at which to write the given\ndata. Consult each backend's documentation to see which endpoints\nsupport the `PUT` methods and to determine whether they also support\n`DELETE` and `GET`.\n","willReplaceOnChanges":true},"writeData":{"type":"object","additionalProperties":{"type":"string"},"description":"- A map whose keys are the top-level data keys\nreturned from Vault by the write operation and whose values are the\ncorresponding values. This map can only represent string data, so\nany non-string values returned from Vault are serialized as JSON.\nOnly fields set in \u003cspan pulumi-lang-nodejs=\"`writeFields`\" pulumi-lang-dotnet=\"`WriteFields`\" pulumi-lang-go=\"`writeFields`\" pulumi-lang-python=\"`write_fields`\" pulumi-lang-yaml=\"`writeFields`\" pulumi-lang-java=\"`writeFields`\"\u003e`write_fields`\u003c/span\u003e are present in the JSON data.\n"},"writeDataJson":{"type":"string","description":"- The JSON data returned by the write operation.\nOnly fields set in \u003cspan pulumi-lang-nodejs=\"`writeFields`\" pulumi-lang-dotnet=\"`WriteFields`\" pulumi-lang-go=\"`writeFields`\" pulumi-lang-python=\"`write_fields`\" pulumi-lang-yaml=\"`writeFields`\" pulumi-lang-java=\"`writeFields`\"\u003e`write_fields`\u003c/span\u003e are present in the JSON data.\n"},"writeFields":{"type":"array","items":{"type":"string"},"description":"- (Optional). A list of fields that should be returned\nin \u003cspan pulumi-lang-nodejs=\"`writeDataJson`\" pulumi-lang-dotnet=\"`WriteDataJson`\" pulumi-lang-go=\"`writeDataJson`\" pulumi-lang-python=\"`write_data_json`\" pulumi-lang-yaml=\"`writeDataJson`\" pulumi-lang-java=\"`writeDataJson`\"\u003e`write_data_json`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`writeData`\" pulumi-lang-dotnet=\"`WriteData`\" pulumi-lang-go=\"`writeData`\" pulumi-lang-python=\"`write_data`\" pulumi-lang-yaml=\"`writeData`\" pulumi-lang-java=\"`writeData`\"\u003e`write_data`\u003c/span\u003e. If omitted, data returned by\nthe write operation is not available to the resource or included in\nstate. This helps to avoid accidental storage of sensitive values in\nstate. Some endpoints, such as many dynamic secrets endpoints, return\ndata from writing to an endpoint rather than reading it. You should\nuse \u003cspan pulumi-lang-nodejs=\"`writeFields`\" pulumi-lang-dotnet=\"`WriteFields`\" pulumi-lang-go=\"`writeFields`\" pulumi-lang-python=\"`write_fields`\" pulumi-lang-yaml=\"`writeFields`\" pulumi-lang-java=\"`writeFields`\"\u003e`write_fields`\u003c/span\u003e if you need information returned in this way.\n"}},"type":"object"}},"vault:generic/secret:Secret":{"description":"\n\n## Import\n\nGeneric secrets can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:generic/secret:Secret example secret/foo\n```\n","properties":{"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only\nrepresent string data, so any non-string values returned from Vault are\nserialized as JSON.\n","secret":true},"dataJson":{"type":"string","description":"String containing a JSON-encoded object that will be\nwritten as the secret data at the given path.\n","secret":true},"deleteAllVersions":{"type":"boolean","description":"true/false.  Only applicable for kv-v2 stores.\nIf set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, permanently deletes all versions for\nthe specified key. The default behavior is to only delete the latest version of the\nsecret.\n"},"disableRead":{"type":"boolean","description":"true/false. Set this to true if your vault\nauthentication is not able to read the data. Setting this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e will\nbreak drift detection. Defaults to false.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"The full logical path at which to write the given data.\nTo write data into the \"generic\" secret backend mounted in Vault by default,\nthis should be prefixed with `secret/`. Writing to other backends with this\nresource is possible; consult each backend's documentation to see which\nendpoints support the `PUT` and `DELETE` methods.\n"}},"required":["data","dataJson","path"],"inputProperties":{"dataJson":{"type":"string","description":"String containing a JSON-encoded object that will be\nwritten as the secret data at the given path.\n","secret":true},"deleteAllVersions":{"type":"boolean","description":"true/false.  Only applicable for kv-v2 stores.\nIf set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, permanently deletes all versions for\nthe specified key. The default behavior is to only delete the latest version of the\nsecret.\n"},"disableRead":{"type":"boolean","description":"true/false. Set this to true if your vault\nauthentication is not able to read the data. Setting this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e will\nbreak drift detection. Defaults to false.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The full logical path at which to write the given data.\nTo write data into the \"generic\" secret backend mounted in Vault by default,\nthis should be prefixed with `secret/`. Writing to other backends with this\nresource is possible; consult each backend's documentation to see which\nendpoints support the `PUT` and `DELETE` methods.\n","willReplaceOnChanges":true}},"requiredInputs":["dataJson","path"],"stateInputs":{"description":"Input properties used for looking up and filtering Secret resources.\n","properties":{"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only\nrepresent string data, so any non-string values returned from Vault are\nserialized as JSON.\n","secret":true},"dataJson":{"type":"string","description":"String containing a JSON-encoded object that will be\nwritten as the secret data at the given path.\n","secret":true},"deleteAllVersions":{"type":"boolean","description":"true/false.  Only applicable for kv-v2 stores.\nIf set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, permanently deletes all versions for\nthe specified key. The default behavior is to only delete the latest version of the\nsecret.\n"},"disableRead":{"type":"boolean","description":"true/false. Set this to true if your vault\nauthentication is not able to read the data. Setting this to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e will\nbreak drift detection. Defaults to false.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The full logical path at which to write the given data.\nTo write data into the \"generic\" secret backend mounted in Vault by default,\nthis should be prefixed with `secret/`. Writing to other backends with this\nresource is possible; consult each backend's documentation to see which\nendpoints support the `PUT` and `DELETE` methods.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:github/authBackend:AuthBackend":{"description":"Manages a GitHub Auth mount in a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/github/) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.github.AuthBackend(\"example\", {organization: \"myorg\"});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.github.AuthBackend(\"example\", organization=\"myorg\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.GitHub.AuthBackend(\"example\", new()\n    {\n        Organization = \"myorg\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/github\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := github.NewAuthBackend(ctx, \"example\", \u0026github.AuthBackendArgs{\n\t\t\tOrganization: pulumi.String(\"myorg\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.github.AuthBackend;\nimport com.pulumi.vault.github.AuthBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackend(\"example\", AuthBackendArgs.builder()\n            .organization(\"myorg\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:github:AuthBackend\n    properties:\n      organization: myorg\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nGitHub authentication mounts can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:github/authBackend:AuthBackend example github\n```\n","properties":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).\n"},"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"(Optional) The metadata to be tied to generated entity alias.\nThis should be a list or map containing the metadata in key value pairs.\n"},"baseUrl":{"type":"string","description":"The API endpoint to use. Useful if you\nare running GitHub Enterprise or an API-compatible authentication server.\n"},"description":{"type":"string","description":"Specifies the description of the mount.\nThis overrides the current stored value, if any.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"organization":{"type":"string","description":"The organization configured users must be part of.\n"},"organizationId":{"type":"integer","description":"The ID of the organization users must be part of.\nVault will attempt to fetch and set this value if it is not provided. (Vault 1.10+)\n"},"path":{"type":"string","description":"Path where the auth backend is mounted. Defaults to `auth/github`\nif not specified.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"(Optional) List of CIDR blocks; if set, specifies blocks of IP\naddresses which can authenticate successfully, and ties the resulting token to these blocks\nas well.\n"},"tokenExplicitMaxTtl":{"type":"integer","description":"(Optional) If set, will encode an\n[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)\nonto the token in number of seconds. This is a hard cap even if \u003cspan pulumi-lang-nodejs=\"`tokenTtl`\" pulumi-lang-dotnet=\"`TokenTtl`\" pulumi-lang-go=\"`tokenTtl`\" pulumi-lang-python=\"`token_ttl`\" pulumi-lang-yaml=\"`tokenTtl`\" pulumi-lang-java=\"`tokenTtl`\"\u003e`token_ttl`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`tokenMaxTtl`\" pulumi-lang-dotnet=\"`TokenMaxTtl`\" pulumi-lang-go=\"`tokenMaxTtl`\" pulumi-lang-python=\"`token_max_ttl`\" pulumi-lang-yaml=\"`tokenMaxTtl`\" pulumi-lang-java=\"`tokenMaxTtl`\"\u003e`token_max_ttl`\u003c/span\u003e would otherwise allow a renewal.\n"},"tokenMaxTtl":{"type":"integer","description":"(Optional) The maximum lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenNoDefaultPolicy":{"type":"boolean","description":"(Optional) If set, the default policy will not be set on\ngenerated tokens; otherwise it will be added to the policies set in token_policies.\n"},"tokenNumUses":{"type":"integer","description":"(Optional) The [maximum number](https://www.vaultproject.io/api-docs/github#token_num_uses)\nof times a generated token may be used (within its lifetime); 0 means unlimited.\n"},"tokenPeriod":{"type":"integer","description":"(Optional) If set, indicates that the\ntoken generated using this role should never expire. The token should be renewed within the\nduration specified by this value. At each renewal, the token's TTL will be set to the\nvalue of this field. Specified in seconds.\n"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"(Optional) List of policies to encode onto generated tokens. Depending\non the auth method, this list may be supplemented by user/group/other values.\n"},"tokenTtl":{"type":"integer","description":"(Optional) The incremental lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"},"tune":{"$ref":"#/types/vault:github/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"}},"required":["accessor","organization","organizationId","tune"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"(Optional) The metadata to be tied to generated entity alias.\nThis should be a list or map containing the metadata in key value pairs.\n"},"baseUrl":{"type":"string","description":"The API endpoint to use. Useful if you\nare running GitHub Enterprise or an API-compatible authentication server.\n"},"description":{"type":"string","description":"Specifies the description of the mount.\nThis overrides the current stored value, if any.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organization":{"type":"string","description":"The organization configured users must be part of.\n"},"organizationId":{"type":"integer","description":"The ID of the organization users must be part of.\nVault will attempt to fetch and set this value if it is not provided. (Vault 1.10+)\n"},"path":{"type":"string","description":"Path where the auth backend is mounted. Defaults to `auth/github`\nif not specified.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"(Optional) List of CIDR blocks; if set, specifies blocks of IP\naddresses which can authenticate successfully, and ties the resulting token to these blocks\nas well.\n"},"tokenExplicitMaxTtl":{"type":"integer","description":"(Optional) If set, will encode an\n[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)\nonto the token in number of seconds. This is a hard cap even if \u003cspan pulumi-lang-nodejs=\"`tokenTtl`\" pulumi-lang-dotnet=\"`TokenTtl`\" pulumi-lang-go=\"`tokenTtl`\" pulumi-lang-python=\"`token_ttl`\" pulumi-lang-yaml=\"`tokenTtl`\" pulumi-lang-java=\"`tokenTtl`\"\u003e`token_ttl`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`tokenMaxTtl`\" pulumi-lang-dotnet=\"`TokenMaxTtl`\" pulumi-lang-go=\"`tokenMaxTtl`\" pulumi-lang-python=\"`token_max_ttl`\" pulumi-lang-yaml=\"`tokenMaxTtl`\" pulumi-lang-java=\"`tokenMaxTtl`\"\u003e`token_max_ttl`\u003c/span\u003e would otherwise allow a renewal.\n"},"tokenMaxTtl":{"type":"integer","description":"(Optional) The maximum lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenNoDefaultPolicy":{"type":"boolean","description":"(Optional) If set, the default policy will not be set on\ngenerated tokens; otherwise it will be added to the policies set in token_policies.\n"},"tokenNumUses":{"type":"integer","description":"(Optional) The [maximum number](https://www.vaultproject.io/api-docs/github#token_num_uses)\nof times a generated token may be used (within its lifetime); 0 means unlimited.\n"},"tokenPeriod":{"type":"integer","description":"(Optional) If set, indicates that the\ntoken generated using this role should never expire. The token should be renewed within the\nduration specified by this value. At each renewal, the token's TTL will be set to the\nvalue of this field. Specified in seconds.\n"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"(Optional) List of policies to encode onto generated tokens. Depending\non the auth method, this list may be supplemented by user/group/other values.\n"},"tokenTtl":{"type":"integer","description":"(Optional) The incremental lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"},"tune":{"$ref":"#/types/vault:github/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"}},"requiredInputs":["organization"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackend resources.\n","properties":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).\n"},"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"(Optional) The metadata to be tied to generated entity alias.\nThis should be a list or map containing the metadata in key value pairs.\n"},"baseUrl":{"type":"string","description":"The API endpoint to use. Useful if you\nare running GitHub Enterprise or an API-compatible authentication server.\n"},"description":{"type":"string","description":"Specifies the description of the mount.\nThis overrides the current stored value, if any.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organization":{"type":"string","description":"The organization configured users must be part of.\n"},"organizationId":{"type":"integer","description":"The ID of the organization users must be part of.\nVault will attempt to fetch and set this value if it is not provided. (Vault 1.10+)\n"},"path":{"type":"string","description":"Path where the auth backend is mounted. Defaults to `auth/github`\nif not specified.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"(Optional) List of CIDR blocks; if set, specifies blocks of IP\naddresses which can authenticate successfully, and ties the resulting token to these blocks\nas well.\n"},"tokenExplicitMaxTtl":{"type":"integer","description":"(Optional) If set, will encode an\n[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)\nonto the token in number of seconds. This is a hard cap even if \u003cspan pulumi-lang-nodejs=\"`tokenTtl`\" pulumi-lang-dotnet=\"`TokenTtl`\" pulumi-lang-go=\"`tokenTtl`\" pulumi-lang-python=\"`token_ttl`\" pulumi-lang-yaml=\"`tokenTtl`\" pulumi-lang-java=\"`tokenTtl`\"\u003e`token_ttl`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`tokenMaxTtl`\" pulumi-lang-dotnet=\"`TokenMaxTtl`\" pulumi-lang-go=\"`tokenMaxTtl`\" pulumi-lang-python=\"`token_max_ttl`\" pulumi-lang-yaml=\"`tokenMaxTtl`\" pulumi-lang-java=\"`tokenMaxTtl`\"\u003e`token_max_ttl`\u003c/span\u003e would otherwise allow a renewal.\n"},"tokenMaxTtl":{"type":"integer","description":"(Optional) The maximum lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenNoDefaultPolicy":{"type":"boolean","description":"(Optional) If set, the default policy will not be set on\ngenerated tokens; otherwise it will be added to the policies set in token_policies.\n"},"tokenNumUses":{"type":"integer","description":"(Optional) The [maximum number](https://www.vaultproject.io/api-docs/github#token_num_uses)\nof times a generated token may be used (within its lifetime); 0 means unlimited.\n"},"tokenPeriod":{"type":"integer","description":"(Optional) If set, indicates that the\ntoken generated using this role should never expire. The token should be renewed within the\nduration specified by this value. At each renewal, the token's TTL will be set to the\nvalue of this field. Specified in seconds.\n"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"(Optional) List of policies to encode onto generated tokens. Depending\non the auth method, this list may be supplemented by user/group/other values.\n"},"tokenTtl":{"type":"integer","description":"(Optional) The incremental lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"},"tune":{"$ref":"#/types/vault:github/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"}},"type":"object"}},"vault:github/team:Team":{"description":"Manages policy mappings for Github Teams authenticated via Github. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/github/) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.github.AuthBackend(\"example\", {organization: \"myorg\"});\nconst tfDevs = new vault.github.Team(\"tf_devs\", {\n    backend: example.id,\n    team: \"terraform-developers\",\n    policies: [\n        \"developer\",\n        \"read-only\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.github.AuthBackend(\"example\", organization=\"myorg\")\ntf_devs = vault.github.Team(\"tf_devs\",\n    backend=example.id,\n    team=\"terraform-developers\",\n    policies=[\n        \"developer\",\n        \"read-only\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.GitHub.AuthBackend(\"example\", new()\n    {\n        Organization = \"myorg\",\n    });\n\n    var tfDevs = new Vault.GitHub.Team(\"tf_devs\", new()\n    {\n        Backend = example.Id,\n        TeamCity = \"terraform-developers\",\n        Policies = new[]\n        {\n            \"developer\",\n            \"read-only\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/github\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := github.NewAuthBackend(ctx, \"example\", \u0026github.AuthBackendArgs{\n\t\t\tOrganization: pulumi.String(\"myorg\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = github.NewTeam(ctx, \"tf_devs\", \u0026github.TeamArgs{\n\t\t\tBackend: example.ID(),\n\t\t\tTeam:    pulumi.String(\"terraform-developers\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"developer\"),\n\t\t\t\tpulumi.String(\"read-only\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.github.AuthBackend;\nimport com.pulumi.vault.github.AuthBackendArgs;\nimport com.pulumi.vault.github.Team;\nimport com.pulumi.vault.github.TeamArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackend(\"example\", AuthBackendArgs.builder()\n            .organization(\"myorg\")\n            .build());\n\n        var tfDevs = new Team(\"tfDevs\", TeamArgs.builder()\n            .backend(example.id())\n            .team(\"terraform-developers\")\n            .policies(            \n                \"developer\",\n                \"read-only\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:github:AuthBackend\n    properties:\n      organization: myorg\n  tfDevs:\n    type: vault:github:Team\n    name: tf_devs\n    properties:\n      backend: ${example.id}\n      team: terraform-developers\n      policies:\n        - developer\n        - read-only\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nGithub team mappings can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:github/team:Team tf_devs auth/github/map/teams/terraform-developers\n```\n","properties":{"backend":{"type":"string","description":"Path where the github auth backend is mounted. Defaults to \u003cspan pulumi-lang-nodejs=\"`github`\" pulumi-lang-dotnet=\"`Github`\" pulumi-lang-go=\"`github`\" pulumi-lang-python=\"`github`\" pulumi-lang-yaml=\"`github`\" pulumi-lang-java=\"`github`\"\u003e`github`\u003c/span\u003e\nif not specified.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"An array of strings specifying the policies to be set on tokens\nissued using this role.\n"},"team":{"type":"string","description":"GitHub team name in \"slugified\" format.","language":{"csharp":{"name":"TeamCity"}}}},"required":["team"],"inputProperties":{"backend":{"type":"string","description":"Path where the github auth backend is mounted. Defaults to \u003cspan pulumi-lang-nodejs=\"`github`\" pulumi-lang-dotnet=\"`Github`\" pulumi-lang-go=\"`github`\" pulumi-lang-python=\"`github`\" pulumi-lang-yaml=\"`github`\" pulumi-lang-java=\"`github`\"\u003e`github`\u003c/span\u003e\nif not specified.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"An array of strings specifying the policies to be set on tokens\nissued using this role.\n"},"team":{"type":"string","description":"GitHub team name in \"slugified\" format.","language":{"csharp":{"name":"TeamCity"}},"willReplaceOnChanges":true}},"requiredInputs":["team"],"stateInputs":{"description":"Input properties used for looking up and filtering Team resources.\n","properties":{"backend":{"type":"string","description":"Path where the github auth backend is mounted. Defaults to \u003cspan pulumi-lang-nodejs=\"`github`\" pulumi-lang-dotnet=\"`Github`\" pulumi-lang-go=\"`github`\" pulumi-lang-python=\"`github`\" pulumi-lang-yaml=\"`github`\" pulumi-lang-java=\"`github`\"\u003e`github`\u003c/span\u003e\nif not specified.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"An array of strings specifying the policies to be set on tokens\nissued using this role.\n"},"team":{"type":"string","description":"GitHub team name in \"slugified\" format.","language":{"csharp":{"name":"TeamCity"}},"willReplaceOnChanges":true}},"type":"object"}},"vault:github/user:User":{"description":"Manages policy mappings for Github Users authenticated via Github. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/github/) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.github.AuthBackend(\"example\", {organization: \"myorg\"});\nconst tfUser = new vault.github.User(\"tf_user\", {\n    backend: example.id,\n    user: \"john.doe\",\n    policies: [\n        \"developer\",\n        \"read-only\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.github.AuthBackend(\"example\", organization=\"myorg\")\ntf_user = vault.github.User(\"tf_user\",\n    backend=example.id,\n    user=\"john.doe\",\n    policies=[\n        \"developer\",\n        \"read-only\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.GitHub.AuthBackend(\"example\", new()\n    {\n        Organization = \"myorg\",\n    });\n\n    var tfUser = new Vault.GitHub.User(\"tf_user\", new()\n    {\n        Backend = example.Id,\n        UserName = \"john.doe\",\n        Policies = new[]\n        {\n            \"developer\",\n            \"read-only\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/github\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := github.NewAuthBackend(ctx, \"example\", \u0026github.AuthBackendArgs{\n\t\t\tOrganization: pulumi.String(\"myorg\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = github.NewUser(ctx, \"tf_user\", \u0026github.UserArgs{\n\t\t\tBackend: example.ID(),\n\t\t\tUser:    pulumi.String(\"john.doe\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"developer\"),\n\t\t\t\tpulumi.String(\"read-only\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.github.AuthBackend;\nimport com.pulumi.vault.github.AuthBackendArgs;\nimport com.pulumi.vault.github.User;\nimport com.pulumi.vault.github.UserArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackend(\"example\", AuthBackendArgs.builder()\n            .organization(\"myorg\")\n            .build());\n\n        var tfUser = new User(\"tfUser\", UserArgs.builder()\n            .backend(example.id())\n            .user(\"john.doe\")\n            .policies(            \n                \"developer\",\n                \"read-only\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:github:AuthBackend\n    properties:\n      organization: myorg\n  tfUser:\n    type: vault:github:User\n    name: tf_user\n    properties:\n      backend: ${example.id}\n      user: john.doe\n      policies:\n        - developer\n        - read-only\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nGithub user mappings can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:github/user:User tf_user auth/github/map/users/john.doe\n```\n","properties":{"backend":{"type":"string","description":"Path where the github auth backend is mounted. Defaults to \u003cspan pulumi-lang-nodejs=\"`github`\" pulumi-lang-dotnet=\"`Github`\" pulumi-lang-go=\"`github`\" pulumi-lang-python=\"`github`\" pulumi-lang-yaml=\"`github`\" pulumi-lang-java=\"`github`\"\u003e`github`\u003c/span\u003e\nif not specified.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"An array of strings specifying the policies to be set on tokens issued\nusing this role.\n"},"user":{"type":"string","description":"GitHub user name.\n","language":{"csharp":{"name":"UserName"}}}},"required":["user"],"inputProperties":{"backend":{"type":"string","description":"Path where the github auth backend is mounted. Defaults to \u003cspan pulumi-lang-nodejs=\"`github`\" pulumi-lang-dotnet=\"`Github`\" pulumi-lang-go=\"`github`\" pulumi-lang-python=\"`github`\" pulumi-lang-yaml=\"`github`\" pulumi-lang-java=\"`github`\"\u003e`github`\u003c/span\u003e\nif not specified.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"An array of strings specifying the policies to be set on tokens issued\nusing this role.\n"},"user":{"type":"string","description":"GitHub user name.\n","language":{"csharp":{"name":"UserName"}},"willReplaceOnChanges":true}},"requiredInputs":["user"],"stateInputs":{"description":"Input properties used for looking up and filtering User resources.\n","properties":{"backend":{"type":"string","description":"Path where the github auth backend is mounted. Defaults to \u003cspan pulumi-lang-nodejs=\"`github`\" pulumi-lang-dotnet=\"`Github`\" pulumi-lang-go=\"`github`\" pulumi-lang-python=\"`github`\" pulumi-lang-yaml=\"`github`\" pulumi-lang-java=\"`github`\"\u003e`github`\u003c/span\u003e\nif not specified.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"An array of strings specifying the policies to be set on tokens issued\nusing this role.\n"},"user":{"type":"string","description":"GitHub user name.\n","language":{"csharp":{"name":"UserName"}},"willReplaceOnChanges":true}},"type":"object"}},"vault:identity/entity:Entity":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.identity.Entity(\"test\", {\n    name: \"tester1\",\n    policies: [\"test\"],\n    metadata: {\n        foo: \"bar\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.identity.Entity(\"test\",\n    name=\"tester1\",\n    policies=[\"test\"],\n    metadata={\n        \"foo\": \"bar\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.Identity.Entity(\"test\", new()\n    {\n        Name = \"tester1\",\n        Policies = new[]\n        {\n            \"test\",\n        },\n        Metadata = \n        {\n            { \"foo\", \"bar\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewEntity(ctx, \"test\", \u0026identity.EntityArgs{\n\t\t\tName: pulumi.String(\"tester1\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"foo\": pulumi.String(\"bar\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Entity;\nimport com.pulumi.vault.identity.EntityArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new Entity(\"test\", EntityArgs.builder()\n            .name(\"tester1\")\n            .policies(\"test\")\n            .metadata(Map.of(\"foo\", \"bar\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:identity:Entity\n    properties:\n      name: tester1\n      policies:\n        - test\n      metadata:\n        foo: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nIdentity entity can be imported using the `id`, e.g.\n\n```sh\n$ pulumi import vault:identity/entity:Entity test \"ae6f8ued-0f1a-9f6b-2915-1a2be20dc053\"\n```\n","properties":{"disabled":{"type":"boolean","description":"True/false Is this entity currently disabled. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"externalPolicies":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any policies return from Vault or specified in the resource. You can use \u003cspan pulumi-lang-nodejs=\"`vault.identity.EntityPolicies`\" pulumi-lang-dotnet=\"`vault.identity.EntityPolicies`\" pulumi-lang-go=\"`identity.EntityPolicies`\" pulumi-lang-python=\"`identity.EntityPolicies`\" pulumi-lang-yaml=\"`vault.identity.EntityPolicies`\" pulumi-lang-java=\"`vault.identity.EntityPolicies`\"\u003e`vault.identity.EntityPolicies`\u003c/span\u003e to manage policies for this entity in a decoupled manner.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"A Map of additional metadata to associate with the user.\n"},"name":{"type":"string","description":"Name of the identity entity to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"A list of policies to apply to the entity.\n"}},"required":["name"],"inputProperties":{"disabled":{"type":"boolean","description":"True/false Is this entity currently disabled. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"externalPolicies":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any policies return from Vault or specified in the resource. You can use \u003cspan pulumi-lang-nodejs=\"`vault.identity.EntityPolicies`\" pulumi-lang-dotnet=\"`vault.identity.EntityPolicies`\" pulumi-lang-go=\"`identity.EntityPolicies`\" pulumi-lang-python=\"`identity.EntityPolicies`\" pulumi-lang-yaml=\"`vault.identity.EntityPolicies`\" pulumi-lang-java=\"`vault.identity.EntityPolicies`\"\u003e`vault.identity.EntityPolicies`\u003c/span\u003e to manage policies for this entity in a decoupled manner.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"A Map of additional metadata to associate with the user.\n"},"name":{"type":"string","description":"Name of the identity entity to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"A list of policies to apply to the entity.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering Entity resources.\n","properties":{"disabled":{"type":"boolean","description":"True/false Is this entity currently disabled. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"externalPolicies":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any policies return from Vault or specified in the resource. You can use \u003cspan pulumi-lang-nodejs=\"`vault.identity.EntityPolicies`\" pulumi-lang-dotnet=\"`vault.identity.EntityPolicies`\" pulumi-lang-go=\"`identity.EntityPolicies`\" pulumi-lang-python=\"`identity.EntityPolicies`\" pulumi-lang-yaml=\"`vault.identity.EntityPolicies`\" pulumi-lang-java=\"`vault.identity.EntityPolicies`\"\u003e`vault.identity.EntityPolicies`\u003c/span\u003e to manage policies for this entity in a decoupled manner.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"A Map of additional metadata to associate with the user.\n"},"name":{"type":"string","description":"Name of the identity entity to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"A list of policies to apply to the entity.\n"}},"type":"object"}},"vault:identity/entityAlias:EntityAlias":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.identity.EntityAlias(\"test\", {\n    name: \"user_1\",\n    mountAccessor: \"token_1f2bd5\",\n    canonicalId: \"49877D63-07AD-4B85-BDA8-B61626C477E8\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.identity.EntityAlias(\"test\",\n    name=\"user_1\",\n    mount_accessor=\"token_1f2bd5\",\n    canonical_id=\"49877D63-07AD-4B85-BDA8-B61626C477E8\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.Identity.EntityAlias(\"test\", new()\n    {\n        Name = \"user_1\",\n        MountAccessor = \"token_1f2bd5\",\n        CanonicalId = \"49877D63-07AD-4B85-BDA8-B61626C477E8\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewEntityAlias(ctx, \"test\", \u0026identity.EntityAliasArgs{\n\t\t\tName:          pulumi.String(\"user_1\"),\n\t\t\tMountAccessor: pulumi.String(\"token_1f2bd5\"),\n\t\t\tCanonicalId:   pulumi.String(\"49877D63-07AD-4B85-BDA8-B61626C477E8\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.EntityAlias;\nimport com.pulumi.vault.identity.EntityAliasArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new EntityAlias(\"test\", EntityAliasArgs.builder()\n            .name(\"user_1\")\n            .mountAccessor(\"token_1f2bd5\")\n            .canonicalId(\"49877D63-07AD-4B85-BDA8-B61626C477E8\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:identity:EntityAlias\n    properties:\n      name: user_1\n      mountAccessor: token_1f2bd5\n      canonicalId: 49877D63-07AD-4B85-BDA8-B61626C477E8\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nIdentity entity alias can be imported using the `id`, e.g.\n\n```sh\n$ pulumi import vault:identity/entityAlias:EntityAlias test \"3856fb4d-3c91-dcaf-2401-68f446796bfb\"\n```\n","properties":{"canonicalId":{"type":"string","description":"Entity ID to which this alias belongs to.\n"},"customMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom metadata to be associated with this alias."},"mountAccessor":{"type":"string","description":"Accessor of the mount to which the alias should belong to.\n"},"name":{"type":"string","description":"Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["canonicalId","mountAccessor","name"],"inputProperties":{"canonicalId":{"type":"string","description":"Entity ID to which this alias belongs to.\n"},"customMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom metadata to be associated with this alias."},"mountAccessor":{"type":"string","description":"Accessor of the mount to which the alias should belong to.\n"},"name":{"type":"string","description":"Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["canonicalId","mountAccessor"],"stateInputs":{"description":"Input properties used for looking up and filtering EntityAlias resources.\n","properties":{"canonicalId":{"type":"string","description":"Entity ID to which this alias belongs to.\n"},"customMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom metadata to be associated with this alias."},"mountAccessor":{"type":"string","description":"Accessor of the mount to which the alias should belong to.\n"},"name":{"type":"string","description":"Name of the alias. Name should be the identifier of the client in the authentication source. For example, if the alias belongs to userpass backend, the name should be a valid username within userpass backend. If alias belongs to GitHub, it should be the GitHub username.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:identity/entityPolicies:EntityPolicies":{"description":"Manages policies for an Identity Entity for Vault. The [Identity secrets engine](https://www.vaultproject.io/docs/secrets/identity/index.html) is the identity management solution for Vault.\n\n## Example Usage\n\n### Exclusive Policies\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst entity = new vault.identity.Entity(\"entity\", {\n    name: \"entity\",\n    externalPolicies: true,\n});\nconst policies = new vault.identity.EntityPolicies(\"policies\", {\n    policies: [\n        \"default\",\n        \"test\",\n    ],\n    exclusive: true,\n    entityId: entity.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nentity = vault.identity.Entity(\"entity\",\n    name=\"entity\",\n    external_policies=True)\npolicies = vault.identity.EntityPolicies(\"policies\",\n    policies=[\n        \"default\",\n        \"test\",\n    ],\n    exclusive=True,\n    entity_id=entity.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var entity = new Vault.Identity.Entity(\"entity\", new()\n    {\n        Name = \"entity\",\n        ExternalPolicies = true,\n    });\n\n    var policies = new Vault.Identity.EntityPolicies(\"policies\", new()\n    {\n        Policies = new[]\n        {\n            \"default\",\n            \"test\",\n        },\n        Exclusive = true,\n        EntityId = entity.Id,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tentity, err := identity.NewEntity(ctx, \"entity\", \u0026identity.EntityArgs{\n\t\t\tName:             pulumi.String(\"entity\"),\n\t\t\tExternalPolicies: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewEntityPolicies(ctx, \"policies\", \u0026identity.EntityPoliciesArgs{\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tExclusive: pulumi.Bool(true),\n\t\t\tEntityId:  entity.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Entity;\nimport com.pulumi.vault.identity.EntityArgs;\nimport com.pulumi.vault.identity.EntityPolicies;\nimport com.pulumi.vault.identity.EntityPoliciesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var entity = new Entity(\"entity\", EntityArgs.builder()\n            .name(\"entity\")\n            .externalPolicies(true)\n            .build());\n\n        var policies = new EntityPolicies(\"policies\", EntityPoliciesArgs.builder()\n            .policies(            \n                \"default\",\n                \"test\")\n            .exclusive(true)\n            .entityId(entity.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  entity:\n    type: vault:identity:Entity\n    properties:\n      name: entity\n      externalPolicies: true\n  policies:\n    type: vault:identity:EntityPolicies\n    properties:\n      policies:\n        - default\n        - test\n      exclusive: true\n      entityId: ${entity.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Non-exclusive Policies\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst entity = new vault.identity.Entity(\"entity\", {\n    name: \"entity\",\n    externalPolicies: true,\n});\nconst _default = new vault.identity.EntityPolicies(\"default\", {\n    policies: [\n        \"default\",\n        \"test\",\n    ],\n    exclusive: false,\n    entityId: entity.id,\n});\nconst others = new vault.identity.EntityPolicies(\"others\", {\n    policies: [\"others\"],\n    exclusive: false,\n    entityId: entity.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nentity = vault.identity.Entity(\"entity\",\n    name=\"entity\",\n    external_policies=True)\ndefault = vault.identity.EntityPolicies(\"default\",\n    policies=[\n        \"default\",\n        \"test\",\n    ],\n    exclusive=False,\n    entity_id=entity.id)\nothers = vault.identity.EntityPolicies(\"others\",\n    policies=[\"others\"],\n    exclusive=False,\n    entity_id=entity.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var entity = new Vault.Identity.Entity(\"entity\", new()\n    {\n        Name = \"entity\",\n        ExternalPolicies = true,\n    });\n\n    var @default = new Vault.Identity.EntityPolicies(\"default\", new()\n    {\n        Policies = new[]\n        {\n            \"default\",\n            \"test\",\n        },\n        Exclusive = false,\n        EntityId = entity.Id,\n    });\n\n    var others = new Vault.Identity.EntityPolicies(\"others\", new()\n    {\n        Policies = new[]\n        {\n            \"others\",\n        },\n        Exclusive = false,\n        EntityId = entity.Id,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tentity, err := identity.NewEntity(ctx, \"entity\", \u0026identity.EntityArgs{\n\t\t\tName:             pulumi.String(\"entity\"),\n\t\t\tExternalPolicies: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewEntityPolicies(ctx, \"default\", \u0026identity.EntityPoliciesArgs{\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tExclusive: pulumi.Bool(false),\n\t\t\tEntityId:  entity.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewEntityPolicies(ctx, \"others\", \u0026identity.EntityPoliciesArgs{\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"others\"),\n\t\t\t},\n\t\t\tExclusive: pulumi.Bool(false),\n\t\t\tEntityId:  entity.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Entity;\nimport com.pulumi.vault.identity.EntityArgs;\nimport com.pulumi.vault.identity.EntityPolicies;\nimport com.pulumi.vault.identity.EntityPoliciesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var entity = new Entity(\"entity\", EntityArgs.builder()\n            .name(\"entity\")\n            .externalPolicies(true)\n            .build());\n\n        var default_ = new EntityPolicies(\"default\", EntityPoliciesArgs.builder()\n            .policies(            \n                \"default\",\n                \"test\")\n            .exclusive(false)\n            .entityId(entity.id())\n            .build());\n\n        var others = new EntityPolicies(\"others\", EntityPoliciesArgs.builder()\n            .policies(\"others\")\n            .exclusive(false)\n            .entityId(entity.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  entity:\n    type: vault:identity:Entity\n    properties:\n      name: entity\n      externalPolicies: true\n  default:\n    type: vault:identity:EntityPolicies\n    properties:\n      policies:\n        - default\n        - test\n      exclusive: false\n      entityId: ${entity.id}\n  others:\n    type: vault:identity:EntityPolicies\n    properties:\n      policies:\n        - others\n      exclusive: false\n      entityId: ${entity.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"entityId":{"type":"string","description":"Entity ID to assign policies to.\n"},"entityName":{"type":"string","description":"The name of the entity that are assigned the policies.\n"},"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the policies assigned to the entity and will set it equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the policies specified in the resource are present in the entity. When destroying the resource, the resource will ensure that the policies specified in the resource are removed.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies to assign to the entity\n"}},"required":["entityId","entityName","policies"],"inputProperties":{"entityId":{"type":"string","description":"Entity ID to assign policies to.\n"},"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the policies assigned to the entity and will set it equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the policies specified in the resource are present in the entity. When destroying the resource, the resource will ensure that the policies specified in the resource are removed.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies to assign to the entity\n"}},"requiredInputs":["entityId","policies"],"stateInputs":{"description":"Input properties used for looking up and filtering EntityPolicies resources.\n","properties":{"entityId":{"type":"string","description":"Entity ID to assign policies to.\n"},"entityName":{"type":"string","description":"The name of the entity that are assigned the policies.\n"},"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the policies assigned to the entity and will set it equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the policies specified in the resource are present in the entity. When destroying the resource, the resource will ensure that the policies specified in the resource are removed.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies to assign to the entity\n"}},"type":"object"}},"vault:identity/group:Group":{"description":"Creates an Identity Group for Vault. The [Identity secrets engine](https://www.vaultproject.io/docs/secrets/identity/index.html) is the identity management solution for Vault.\n\nA group can contain multiple entities as its members. A group can also have subgroups. Policies set on the group is granted to all members of the group. During request time, when the token's entity ID is being evaluated for the policies that it has access to; along with the policies on the entity itself, policies that are inherited due to group memberships are also granted.\n\n## Example Usage\n\n### Internal Group\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst internal = new vault.identity.Group(\"internal\", {\n    name: \"internal\",\n    type: \"internal\",\n    policies: [\n        \"dev\",\n        \"test\",\n    ],\n    metadata: {\n        version: \"2\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ninternal = vault.identity.Group(\"internal\",\n    name=\"internal\",\n    type=\"internal\",\n    policies=[\n        \"dev\",\n        \"test\",\n    ],\n    metadata={\n        \"version\": \"2\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @internal = new Vault.Identity.Group(\"internal\", new()\n    {\n        Name = \"internal\",\n        Type = \"internal\",\n        Policies = new[]\n        {\n            \"dev\",\n            \"test\",\n        },\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewGroup(ctx, \"internal\", \u0026identity.GroupArgs{\n\t\t\tName: pulumi.String(\"internal\"),\n\t\t\tType: pulumi.String(\"internal\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var internal = new Group(\"internal\", GroupArgs.builder()\n            .name(\"internal\")\n            .type(\"internal\")\n            .policies(            \n                \"dev\",\n                \"test\")\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  internal:\n    type: vault:identity:Group\n    properties:\n      name: internal\n      type: internal\n      policies:\n        - dev\n        - test\n      metadata:\n        version: '2'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### External Group\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst group = new vault.identity.Group(\"group\", {\n    name: \"external\",\n    type: \"external\",\n    policies: [\"test\"],\n    metadata: {\n        version: \"1\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ngroup = vault.identity.Group(\"group\",\n    name=\"external\",\n    type=\"external\",\n    policies=[\"test\"],\n    metadata={\n        \"version\": \"1\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @group = new Vault.Identity.Group(\"group\", new()\n    {\n        Name = \"external\",\n        Type = \"external\",\n        Policies = new[]\n        {\n            \"test\",\n        },\n        Metadata = \n        {\n            { \"version\", \"1\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewGroup(ctx, \"group\", \u0026identity.GroupArgs{\n\t\t\tName: pulumi.String(\"external\"),\n\t\t\tType: pulumi.String(\"external\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"1\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var group = new Group(\"group\", GroupArgs.builder()\n            .name(\"external\")\n            .type(\"external\")\n            .policies(\"test\")\n            .metadata(Map.of(\"version\", \"1\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  group:\n    type: vault:identity:Group\n    properties:\n      name: external\n      type: external\n      policies:\n        - test\n      metadata:\n        version: '1'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Caveats\n\nIt's important to note that Vault identity groups names are *case-insensitive*. For example the following resources would be equivalent.\nApplying this configuration would result in the provider failing to create one of the identity groups, since the resources share the same \u003cspan pulumi-lang-nodejs=\"`name`\" pulumi-lang-dotnet=\"`Name`\" pulumi-lang-go=\"`name`\" pulumi-lang-python=\"`name`\" pulumi-lang-yaml=\"`name`\" pulumi-lang-java=\"`name`\"\u003e`name`\u003c/span\u003e.\n\nThis sort of pattern should be avoided:\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst internal = new vault.identity.Group(\"internal\", {\n    name: \"internal\",\n    type: \"internal\",\n    policies: [\n        \"dev\",\n        \"test\",\n    ],\n    metadata: {\n        version: \"2\",\n    },\n});\nconst internalGroup = new vault.identity.Group(\"Internal\", {\n    name: \"Internal\",\n    type: \"internal\",\n    policies: [\n        \"dev\",\n        \"test\",\n    ],\n    metadata: {\n        version: \"2\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ninternal = vault.identity.Group(\"internal\",\n    name=\"internal\",\n    type=\"internal\",\n    policies=[\n        \"dev\",\n        \"test\",\n    ],\n    metadata={\n        \"version\": \"2\",\n    })\ninternal_group = vault.identity.Group(\"Internal\",\n    name=\"Internal\",\n    type=\"internal\",\n    policies=[\n        \"dev\",\n        \"test\",\n    ],\n    metadata={\n        \"version\": \"2\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @internal = new Vault.Identity.Group(\"internal\", new()\n    {\n        Name = \"internal\",\n        Type = \"internal\",\n        Policies = new[]\n        {\n            \"dev\",\n            \"test\",\n        },\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n    var internalGroup = new Vault.Identity.Group(\"Internal\", new()\n    {\n        Name = \"Internal\",\n        Type = \"internal\",\n        Policies = new[]\n        {\n            \"dev\",\n            \"test\",\n        },\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewGroup(ctx, \"internal\", \u0026identity.GroupArgs{\n\t\t\tName: pulumi.String(\"internal\"),\n\t\t\tType: pulumi.String(\"internal\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroup(ctx, \"Internal\", \u0026identity.GroupArgs{\n\t\t\tName: pulumi.String(\"Internal\"),\n\t\t\tType: pulumi.String(\"internal\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var internal = new Group(\"internal\", GroupArgs.builder()\n            .name(\"internal\")\n            .type(\"internal\")\n            .policies(            \n                \"dev\",\n                \"test\")\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n        var internalGroup = new Group(\"internalGroup\", GroupArgs.builder()\n            .name(\"Internal\")\n            .type(\"internal\")\n            .policies(            \n                \"dev\",\n                \"test\")\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  internal:\n    type: vault:identity:Group\n    properties:\n      name: internal\n      type: internal\n      policies:\n        - dev\n        - test\n      metadata:\n        version: '2'\n  internalGroup:\n    type: vault:identity:Group\n    name: Internal\n    properties:\n      name: Internal\n      type: internal\n      policies:\n        - dev\n        - test\n      metadata:\n        version: '2'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nIdentity group can be imported using the `id`, e.g.\n\n```sh\n$ pulumi import vault:identity/group:Group test 'fcbf1efb-2b69-4209-bed8-811e3475dad3'\n```\n","properties":{"externalMemberEntityIds":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any Entity IDs\nreturned from Vault or specified in the resource. You can use\n\u003cspan pulumi-lang-nodejs=\"`vault.identity.GroupMemberEntityIds`\" pulumi-lang-dotnet=\"`vault.identity.GroupMemberEntityIds`\" pulumi-lang-go=\"`identity.GroupMemberEntityIds`\" pulumi-lang-python=\"`identity.GroupMemberEntityIds`\" pulumi-lang-yaml=\"`vault.identity.GroupMemberEntityIds`\" pulumi-lang-java=\"`vault.identity.GroupMemberEntityIds`\"\u003e`vault.identity.GroupMemberEntityIds`\u003c/span\u003e to manage Entity IDs for this group in a\ndecoupled manner.\n"},"externalMemberGroupIds":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any Group IDs\nreturned from Vault or specified in the resource. You can use\n\u003cspan pulumi-lang-nodejs=\"`vault.identity.GroupMemberGroupIds`\" pulumi-lang-dotnet=\"`vault.identity.GroupMemberGroupIds`\" pulumi-lang-go=\"`identity.GroupMemberGroupIds`\" pulumi-lang-python=\"`identity.GroupMemberGroupIds`\" pulumi-lang-yaml=\"`vault.identity.GroupMemberGroupIds`\" pulumi-lang-java=\"`vault.identity.GroupMemberGroupIds`\"\u003e`vault.identity.GroupMemberGroupIds`\u003c/span\u003e to manage Group IDs for this group in a\ndecoupled manner.\n"},"externalPolicies":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any policies returned from\nVault or specified in the resource. You can use \u003cspan pulumi-lang-nodejs=\"`vault.identity.GroupPolicies`\" pulumi-lang-dotnet=\"`vault.identity.GroupPolicies`\" pulumi-lang-go=\"`identity.GroupPolicies`\" pulumi-lang-python=\"`identity.GroupPolicies`\" pulumi-lang-yaml=\"`vault.identity.GroupPolicies`\" pulumi-lang-java=\"`vault.identity.GroupPolicies`\"\u003e`vault.identity.GroupPolicies`\u003c/span\u003e to manage\npolicies for this group in a decoupled manner.\n"},"memberEntityIds":{"type":"array","items":{"type":"string"},"description":"A list of Entity IDs to be assigned as group members. Not allowed on \u003cspan pulumi-lang-nodejs=\"`external`\" pulumi-lang-dotnet=\"`External`\" pulumi-lang-go=\"`external`\" pulumi-lang-python=\"`external`\" pulumi-lang-yaml=\"`external`\" pulumi-lang-java=\"`external`\"\u003e`external`\u003c/span\u003e groups.\n"},"memberGroupIds":{"type":"array","items":{"type":"string"},"description":"A list of Group IDs to be assigned as group members. Not allowed on \u003cspan pulumi-lang-nodejs=\"`external`\" pulumi-lang-dotnet=\"`External`\" pulumi-lang-go=\"`external`\" pulumi-lang-python=\"`external`\" pulumi-lang-yaml=\"`external`\" pulumi-lang-java=\"`external`\"\u003e`external`\u003c/span\u003e groups.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"A Map of additional metadata to associate with the group.\n"},"name":{"type":"string","description":"Name of the identity group to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"A list of policies to apply to the group.\n"},"type":{"type":"string","description":"Type of the group, internal or external. Defaults to \u003cspan pulumi-lang-nodejs=\"`internal`\" pulumi-lang-dotnet=\"`Internal`\" pulumi-lang-go=\"`internal`\" pulumi-lang-python=\"`internal`\" pulumi-lang-yaml=\"`internal`\" pulumi-lang-java=\"`internal`\"\u003e`internal`\u003c/span\u003e.\n"}},"required":["name"],"inputProperties":{"externalMemberEntityIds":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any Entity IDs\nreturned from Vault or specified in the resource. You can use\n\u003cspan pulumi-lang-nodejs=\"`vault.identity.GroupMemberEntityIds`\" pulumi-lang-dotnet=\"`vault.identity.GroupMemberEntityIds`\" pulumi-lang-go=\"`identity.GroupMemberEntityIds`\" pulumi-lang-python=\"`identity.GroupMemberEntityIds`\" pulumi-lang-yaml=\"`vault.identity.GroupMemberEntityIds`\" pulumi-lang-java=\"`vault.identity.GroupMemberEntityIds`\"\u003e`vault.identity.GroupMemberEntityIds`\u003c/span\u003e to manage Entity IDs for this group in a\ndecoupled manner.\n"},"externalMemberGroupIds":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any Group IDs\nreturned from Vault or specified in the resource. You can use\n\u003cspan pulumi-lang-nodejs=\"`vault.identity.GroupMemberGroupIds`\" pulumi-lang-dotnet=\"`vault.identity.GroupMemberGroupIds`\" pulumi-lang-go=\"`identity.GroupMemberGroupIds`\" pulumi-lang-python=\"`identity.GroupMemberGroupIds`\" pulumi-lang-yaml=\"`vault.identity.GroupMemberGroupIds`\" pulumi-lang-java=\"`vault.identity.GroupMemberGroupIds`\"\u003e`vault.identity.GroupMemberGroupIds`\u003c/span\u003e to manage Group IDs for this group in a\ndecoupled manner.\n"},"externalPolicies":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any policies returned from\nVault or specified in the resource. You can use \u003cspan pulumi-lang-nodejs=\"`vault.identity.GroupPolicies`\" pulumi-lang-dotnet=\"`vault.identity.GroupPolicies`\" pulumi-lang-go=\"`identity.GroupPolicies`\" pulumi-lang-python=\"`identity.GroupPolicies`\" pulumi-lang-yaml=\"`vault.identity.GroupPolicies`\" pulumi-lang-java=\"`vault.identity.GroupPolicies`\"\u003e`vault.identity.GroupPolicies`\u003c/span\u003e to manage\npolicies for this group in a decoupled manner.\n"},"memberEntityIds":{"type":"array","items":{"type":"string"},"description":"A list of Entity IDs to be assigned as group members. Not allowed on \u003cspan pulumi-lang-nodejs=\"`external`\" pulumi-lang-dotnet=\"`External`\" pulumi-lang-go=\"`external`\" pulumi-lang-python=\"`external`\" pulumi-lang-yaml=\"`external`\" pulumi-lang-java=\"`external`\"\u003e`external`\u003c/span\u003e groups.\n"},"memberGroupIds":{"type":"array","items":{"type":"string"},"description":"A list of Group IDs to be assigned as group members. Not allowed on \u003cspan pulumi-lang-nodejs=\"`external`\" pulumi-lang-dotnet=\"`External`\" pulumi-lang-go=\"`external`\" pulumi-lang-python=\"`external`\" pulumi-lang-yaml=\"`external`\" pulumi-lang-java=\"`external`\"\u003e`external`\u003c/span\u003e groups.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"A Map of additional metadata to associate with the group.\n"},"name":{"type":"string","description":"Name of the identity group to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"A list of policies to apply to the group.\n"},"type":{"type":"string","description":"Type of the group, internal or external. Defaults to \u003cspan pulumi-lang-nodejs=\"`internal`\" pulumi-lang-dotnet=\"`Internal`\" pulumi-lang-go=\"`internal`\" pulumi-lang-python=\"`internal`\" pulumi-lang-yaml=\"`internal`\" pulumi-lang-java=\"`internal`\"\u003e`internal`\u003c/span\u003e.\n","willReplaceOnChanges":true}},"stateInputs":{"description":"Input properties used for looking up and filtering Group resources.\n","properties":{"externalMemberEntityIds":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any Entity IDs\nreturned from Vault or specified in the resource. You can use\n\u003cspan pulumi-lang-nodejs=\"`vault.identity.GroupMemberEntityIds`\" pulumi-lang-dotnet=\"`vault.identity.GroupMemberEntityIds`\" pulumi-lang-go=\"`identity.GroupMemberEntityIds`\" pulumi-lang-python=\"`identity.GroupMemberEntityIds`\" pulumi-lang-yaml=\"`vault.identity.GroupMemberEntityIds`\" pulumi-lang-java=\"`vault.identity.GroupMemberEntityIds`\"\u003e`vault.identity.GroupMemberEntityIds`\u003c/span\u003e to manage Entity IDs for this group in a\ndecoupled manner.\n"},"externalMemberGroupIds":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any Group IDs\nreturned from Vault or specified in the resource. You can use\n\u003cspan pulumi-lang-nodejs=\"`vault.identity.GroupMemberGroupIds`\" pulumi-lang-dotnet=\"`vault.identity.GroupMemberGroupIds`\" pulumi-lang-go=\"`identity.GroupMemberGroupIds`\" pulumi-lang-python=\"`identity.GroupMemberGroupIds`\" pulumi-lang-yaml=\"`vault.identity.GroupMemberGroupIds`\" pulumi-lang-java=\"`vault.identity.GroupMemberGroupIds`\"\u003e`vault.identity.GroupMemberGroupIds`\u003c/span\u003e to manage Group IDs for this group in a\ndecoupled manner.\n"},"externalPolicies":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e by default. If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will ignore any policies returned from\nVault or specified in the resource. You can use \u003cspan pulumi-lang-nodejs=\"`vault.identity.GroupPolicies`\" pulumi-lang-dotnet=\"`vault.identity.GroupPolicies`\" pulumi-lang-go=\"`identity.GroupPolicies`\" pulumi-lang-python=\"`identity.GroupPolicies`\" pulumi-lang-yaml=\"`vault.identity.GroupPolicies`\" pulumi-lang-java=\"`vault.identity.GroupPolicies`\"\u003e`vault.identity.GroupPolicies`\u003c/span\u003e to manage\npolicies for this group in a decoupled manner.\n"},"memberEntityIds":{"type":"array","items":{"type":"string"},"description":"A list of Entity IDs to be assigned as group members. Not allowed on \u003cspan pulumi-lang-nodejs=\"`external`\" pulumi-lang-dotnet=\"`External`\" pulumi-lang-go=\"`external`\" pulumi-lang-python=\"`external`\" pulumi-lang-yaml=\"`external`\" pulumi-lang-java=\"`external`\"\u003e`external`\u003c/span\u003e groups.\n"},"memberGroupIds":{"type":"array","items":{"type":"string"},"description":"A list of Group IDs to be assigned as group members. Not allowed on \u003cspan pulumi-lang-nodejs=\"`external`\" pulumi-lang-dotnet=\"`External`\" pulumi-lang-go=\"`external`\" pulumi-lang-python=\"`external`\" pulumi-lang-yaml=\"`external`\" pulumi-lang-java=\"`external`\"\u003e`external`\u003c/span\u003e groups.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"A Map of additional metadata to associate with the group.\n"},"name":{"type":"string","description":"Name of the identity group to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"A list of policies to apply to the group.\n"},"type":{"type":"string","description":"Type of the group, internal or external. Defaults to \u003cspan pulumi-lang-nodejs=\"`internal`\" pulumi-lang-dotnet=\"`Internal`\" pulumi-lang-go=\"`internal`\" pulumi-lang-python=\"`internal`\" pulumi-lang-yaml=\"`internal`\" pulumi-lang-java=\"`internal`\"\u003e`internal`\u003c/span\u003e.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:identity/groupAlias:GroupAlias":{"description":"Creates an Identity Group Alias for Vault. The [Identity secrets engine](https://www.vaultproject.io/docs/secrets/identity/index.html) is the identity management solution for Vault.\n\nGroup aliases allows entity membership in external groups to be managed semi-automatically. External group serves as a mapping to a group that is outside of the identity store. External groups can have one (and only one) alias. This alias should map to a notion of group that is outside of the identity store. For example, groups in LDAP, and teams in GitHub. A username in LDAP, belonging to a group in LDAP, can get its entity ID added as a member of a group in Vault automatically during logins and token renewals. This works only if the group in Vault is an external group and has an alias that maps to the group in LDAP. If the user is removed from the group in LDAP, that change gets reflected in Vault only upon the subsequent login or renewal operation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst group = new vault.identity.Group(\"group\", {\n    name: \"test\",\n    type: \"external\",\n    policies: [\"test\"],\n});\nconst github = new vault.AuthBackend(\"github\", {\n    type: \"github\",\n    path: \"github\",\n});\nconst group_alias = new vault.identity.GroupAlias(\"group-alias\", {\n    name: \"Github_Team_Slug\",\n    mountAccessor: github.accessor,\n    canonicalId: group.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ngroup = vault.identity.Group(\"group\",\n    name=\"test\",\n    type=\"external\",\n    policies=[\"test\"])\ngithub = vault.AuthBackend(\"github\",\n    type=\"github\",\n    path=\"github\")\ngroup_alias = vault.identity.GroupAlias(\"group-alias\",\n    name=\"Github_Team_Slug\",\n    mount_accessor=github.accessor,\n    canonical_id=group.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @group = new Vault.Identity.Group(\"group\", new()\n    {\n        Name = \"test\",\n        Type = \"external\",\n        Policies = new[]\n        {\n            \"test\",\n        },\n    });\n\n    var github = new Vault.AuthBackend(\"github\", new()\n    {\n        Type = \"github\",\n        Path = \"github\",\n    });\n\n    var group_alias = new Vault.Identity.GroupAlias(\"group-alias\", new()\n    {\n        Name = \"Github_Team_Slug\",\n        MountAccessor = github.Accessor,\n        CanonicalId = @group.Id,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tgroup, err := identity.NewGroup(ctx, \"group\", \u0026identity.GroupArgs{\n\t\t\tName: pulumi.String(\"test\"),\n\t\t\tType: pulumi.String(\"external\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgithub, err := vault.NewAuthBackend(ctx, \"github\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"github\"),\n\t\t\tPath: pulumi.String(\"github\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroupAlias(ctx, \"group-alias\", \u0026identity.GroupAliasArgs{\n\t\t\tName:          pulumi.String(\"Github_Team_Slug\"),\n\t\t\tMountAccessor: github.Accessor,\n\t\t\tCanonicalId:   group.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.identity.GroupAlias;\nimport com.pulumi.vault.identity.GroupAliasArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var group = new Group(\"group\", GroupArgs.builder()\n            .name(\"test\")\n            .type(\"external\")\n            .policies(\"test\")\n            .build());\n\n        var github = new AuthBackend(\"github\", AuthBackendArgs.builder()\n            .type(\"github\")\n            .path(\"github\")\n            .build());\n\n        var group_alias = new GroupAlias(\"group-alias\", GroupAliasArgs.builder()\n            .name(\"Github_Team_Slug\")\n            .mountAccessor(github.accessor())\n            .canonicalId(group.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  group:\n    type: vault:identity:Group\n    properties:\n      name: test\n      type: external\n      policies:\n        - test\n  github:\n    type: vault:AuthBackend\n    properties:\n      type: github\n      path: github\n  group-alias:\n    type: vault:identity:GroupAlias\n    properties:\n      name: Github_Team_Slug\n      mountAccessor: ${github.accessor}\n      canonicalId: ${group.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe group alias can be imported with the group alias `id`, for example:\n\n```sh\n$ pulumi import vault:identity/groupAlias:GroupAlias group-alias id\n```\n\nGroup aliases can also be imported using the UUID of the alias record, e.g.\n\n```sh\n$ pulumi import vault:identity/groupAlias:GroupAlias alias_name 63104e20-88e4-11eb-8d04-cf7ac9d60157\n```\n\n","properties":{"canonicalId":{"type":"string","description":"ID of the group to which this is an alias.\n"},"mountAccessor":{"type":"string","description":"Mount accessor of the authentication backend to which this alias belongs to.\n"},"name":{"type":"string","description":"Name of the group alias to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["canonicalId","mountAccessor","name"],"inputProperties":{"canonicalId":{"type":"string","description":"ID of the group to which this is an alias.\n"},"mountAccessor":{"type":"string","description":"Mount accessor of the authentication backend to which this alias belongs to.\n"},"name":{"type":"string","description":"Name of the group alias to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["canonicalId","mountAccessor","name"],"stateInputs":{"description":"Input properties used for looking up and filtering GroupAlias resources.\n","properties":{"canonicalId":{"type":"string","description":"ID of the group to which this is an alias.\n"},"mountAccessor":{"type":"string","description":"Mount accessor of the authentication backend to which this alias belongs to.\n"},"name":{"type":"string","description":"Name of the group alias to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:identity/groupMemberEntityIds:GroupMemberEntityIds":{"description":"Manages member entities for an Identity Group for Vault. The [Identity secrets engine](https://www.vaultproject.io/docs/secrets/identity/index.html) is the identity management solution for Vault.\n\n## Example Usage\n\n### Exclusive Member Entities\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst internal = new vault.identity.Group(\"internal\", {\n    name: \"internal\",\n    type: \"internal\",\n    externalMemberEntityIds: true,\n    metadata: {\n        version: \"2\",\n    },\n});\nconst user = new vault.identity.Entity(\"user\", {name: \"user\"});\nconst members = new vault.identity.GroupMemberEntityIds(\"members\", {\n    exclusive: true,\n    memberEntityIds: [user.id],\n    groupId: internal.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ninternal = vault.identity.Group(\"internal\",\n    name=\"internal\",\n    type=\"internal\",\n    external_member_entity_ids=True,\n    metadata={\n        \"version\": \"2\",\n    })\nuser = vault.identity.Entity(\"user\", name=\"user\")\nmembers = vault.identity.GroupMemberEntityIds(\"members\",\n    exclusive=True,\n    member_entity_ids=[user.id],\n    group_id=internal.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @internal = new Vault.Identity.Group(\"internal\", new()\n    {\n        Name = \"internal\",\n        Type = \"internal\",\n        ExternalMemberEntityIds = true,\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n    var user = new Vault.Identity.Entity(\"user\", new()\n    {\n        Name = \"user\",\n    });\n\n    var members = new Vault.Identity.GroupMemberEntityIds(\"members\", new()\n    {\n        Exclusive = true,\n        MemberEntityIds = new[]\n        {\n            user.Id,\n        },\n        GroupId = @internal.Id,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinternal, err := identity.NewGroup(ctx, \"internal\", \u0026identity.GroupArgs{\n\t\t\tName:                    pulumi.String(\"internal\"),\n\t\t\tType:                    pulumi.String(\"internal\"),\n\t\t\tExternalMemberEntityIds: pulumi.Bool(true),\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tuser, err := identity.NewEntity(ctx, \"user\", \u0026identity.EntityArgs{\n\t\t\tName: pulumi.String(\"user\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroupMemberEntityIds(ctx, \"members\", \u0026identity.GroupMemberEntityIdsArgs{\n\t\t\tExclusive: pulumi.Bool(true),\n\t\t\tMemberEntityIds: pulumi.StringArray{\n\t\t\t\tuser.ID(),\n\t\t\t},\n\t\t\tGroupId: internal.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport com.pulumi.vault.identity.Entity;\nimport com.pulumi.vault.identity.EntityArgs;\nimport com.pulumi.vault.identity.GroupMemberEntityIds;\nimport com.pulumi.vault.identity.GroupMemberEntityIdsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var internal = new Group(\"internal\", GroupArgs.builder()\n            .name(\"internal\")\n            .type(\"internal\")\n            .externalMemberEntityIds(true)\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n        var user = new Entity(\"user\", EntityArgs.builder()\n            .name(\"user\")\n            .build());\n\n        var members = new GroupMemberEntityIds(\"members\", GroupMemberEntityIdsArgs.builder()\n            .exclusive(true)\n            .memberEntityIds(user.id())\n            .groupId(internal.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  internal:\n    type: vault:identity:Group\n    properties:\n      name: internal\n      type: internal\n      externalMemberEntityIds: true\n      metadata:\n        version: '2'\n  user:\n    type: vault:identity:Entity\n    properties:\n      name: user\n  members:\n    type: vault:identity:GroupMemberEntityIds\n    properties:\n      exclusive: true\n      memberEntityIds:\n        - ${user.id}\n      groupId: ${internal.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Non-exclusive Member Entities\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst internal = new vault.identity.Group(\"internal\", {\n    name: \"internal\",\n    type: \"internal\",\n    externalMemberEntityIds: true,\n    metadata: {\n        version: \"2\",\n    },\n});\nconst testUser = new vault.identity.Entity(\"test_user\", {name: \"test\"});\nconst secondTestUser = new vault.identity.Entity(\"second_test_user\", {name: \"second_test\"});\nconst devUser = new vault.identity.Entity(\"dev_user\", {name: \"dev\"});\nconst test = new vault.identity.GroupMemberEntityIds(\"test\", {\n    memberEntityIds: [\n        testUser.id,\n        secondTestUser.id,\n    ],\n    exclusive: false,\n    groupId: internal.id,\n});\nconst others = new vault.identity.GroupMemberEntityIds(\"others\", {\n    memberEntityIds: [devUser.id],\n    exclusive: false,\n    groupId: internal.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ninternal = vault.identity.Group(\"internal\",\n    name=\"internal\",\n    type=\"internal\",\n    external_member_entity_ids=True,\n    metadata={\n        \"version\": \"2\",\n    })\ntest_user = vault.identity.Entity(\"test_user\", name=\"test\")\nsecond_test_user = vault.identity.Entity(\"second_test_user\", name=\"second_test\")\ndev_user = vault.identity.Entity(\"dev_user\", name=\"dev\")\ntest = vault.identity.GroupMemberEntityIds(\"test\",\n    member_entity_ids=[\n        test_user.id,\n        second_test_user.id,\n    ],\n    exclusive=False,\n    group_id=internal.id)\nothers = vault.identity.GroupMemberEntityIds(\"others\",\n    member_entity_ids=[dev_user.id],\n    exclusive=False,\n    group_id=internal.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @internal = new Vault.Identity.Group(\"internal\", new()\n    {\n        Name = \"internal\",\n        Type = \"internal\",\n        ExternalMemberEntityIds = true,\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n    var testUser = new Vault.Identity.Entity(\"test_user\", new()\n    {\n        Name = \"test\",\n    });\n\n    var secondTestUser = new Vault.Identity.Entity(\"second_test_user\", new()\n    {\n        Name = \"second_test\",\n    });\n\n    var devUser = new Vault.Identity.Entity(\"dev_user\", new()\n    {\n        Name = \"dev\",\n    });\n\n    var test = new Vault.Identity.GroupMemberEntityIds(\"test\", new()\n    {\n        MemberEntityIds = new[]\n        {\n            testUser.Id,\n            secondTestUser.Id,\n        },\n        Exclusive = false,\n        GroupId = @internal.Id,\n    });\n\n    var others = new Vault.Identity.GroupMemberEntityIds(\"others\", new()\n    {\n        MemberEntityIds = new[]\n        {\n            devUser.Id,\n        },\n        Exclusive = false,\n        GroupId = @internal.Id,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinternal, err := identity.NewGroup(ctx, \"internal\", \u0026identity.GroupArgs{\n\t\t\tName:                    pulumi.String(\"internal\"),\n\t\t\tType:                    pulumi.String(\"internal\"),\n\t\t\tExternalMemberEntityIds: pulumi.Bool(true),\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttestUser, err := identity.NewEntity(ctx, \"test_user\", \u0026identity.EntityArgs{\n\t\t\tName: pulumi.String(\"test\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsecondTestUser, err := identity.NewEntity(ctx, \"second_test_user\", \u0026identity.EntityArgs{\n\t\t\tName: pulumi.String(\"second_test\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdevUser, err := identity.NewEntity(ctx, \"dev_user\", \u0026identity.EntityArgs{\n\t\t\tName: pulumi.String(\"dev\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroupMemberEntityIds(ctx, \"test\", \u0026identity.GroupMemberEntityIdsArgs{\n\t\t\tMemberEntityIds: pulumi.StringArray{\n\t\t\t\ttestUser.ID(),\n\t\t\t\tsecondTestUser.ID(),\n\t\t\t},\n\t\t\tExclusive: pulumi.Bool(false),\n\t\t\tGroupId:   internal.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroupMemberEntityIds(ctx, \"others\", \u0026identity.GroupMemberEntityIdsArgs{\n\t\t\tMemberEntityIds: pulumi.StringArray{\n\t\t\t\tdevUser.ID(),\n\t\t\t},\n\t\t\tExclusive: pulumi.Bool(false),\n\t\t\tGroupId:   internal.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport com.pulumi.vault.identity.Entity;\nimport com.pulumi.vault.identity.EntityArgs;\nimport com.pulumi.vault.identity.GroupMemberEntityIds;\nimport com.pulumi.vault.identity.GroupMemberEntityIdsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var internal = new Group(\"internal\", GroupArgs.builder()\n            .name(\"internal\")\n            .type(\"internal\")\n            .externalMemberEntityIds(true)\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n        var testUser = new Entity(\"testUser\", EntityArgs.builder()\n            .name(\"test\")\n            .build());\n\n        var secondTestUser = new Entity(\"secondTestUser\", EntityArgs.builder()\n            .name(\"second_test\")\n            .build());\n\n        var devUser = new Entity(\"devUser\", EntityArgs.builder()\n            .name(\"dev\")\n            .build());\n\n        var test = new GroupMemberEntityIds(\"test\", GroupMemberEntityIdsArgs.builder()\n            .memberEntityIds(            \n                testUser.id(),\n                secondTestUser.id())\n            .exclusive(false)\n            .groupId(internal.id())\n            .build());\n\n        var others = new GroupMemberEntityIds(\"others\", GroupMemberEntityIdsArgs.builder()\n            .memberEntityIds(devUser.id())\n            .exclusive(false)\n            .groupId(internal.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  internal:\n    type: vault:identity:Group\n    properties:\n      name: internal\n      type: internal\n      externalMemberEntityIds: true\n      metadata:\n        version: '2'\n  testUser:\n    type: vault:identity:Entity\n    name: test_user\n    properties:\n      name: test\n  secondTestUser:\n    type: vault:identity:Entity\n    name: second_test_user\n    properties:\n      name: second_test\n  devUser:\n    type: vault:identity:Entity\n    name: dev_user\n    properties:\n      name: dev\n  test:\n    type: vault:identity:GroupMemberEntityIds\n    properties:\n      memberEntityIds:\n        - ${testUser.id}\n        - ${secondTestUser.id}\n      exclusive: false\n      groupId: ${internal.id}\n  others:\n    type: vault:identity:GroupMemberEntityIds\n    properties:\n      memberEntityIds:\n        - ${devUser.id}\n      exclusive: false\n      groupId: ${internal.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the member entities that belong to the group and will set it equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the member entities specified in the resource are present in the group. When destroying the resource, the resource will ensure that the member entities specified in the resource are removed.\n"},"groupId":{"type":"string","description":"Group ID to assign member entities to.\n"},"memberEntityIds":{"type":"array","items":{"type":"string"},"description":"List of member entities that belong to the group\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["groupId"],"inputProperties":{"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the member entities that belong to the group and will set it equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the member entities specified in the resource are present in the group. When destroying the resource, the resource will ensure that the member entities specified in the resource are removed.\n"},"groupId":{"type":"string","description":"Group ID to assign member entities to.\n","willReplaceOnChanges":true},"memberEntityIds":{"type":"array","items":{"type":"string"},"description":"List of member entities that belong to the group\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["groupId"],"stateInputs":{"description":"Input properties used for looking up and filtering GroupMemberEntityIds resources.\n","properties":{"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the member entities that belong to the group and will set it equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the member entities specified in the resource are present in the group. When destroying the resource, the resource will ensure that the member entities specified in the resource are removed.\n"},"groupId":{"type":"string","description":"Group ID to assign member entities to.\n","willReplaceOnChanges":true},"memberEntityIds":{"type":"array","items":{"type":"string"},"description":"List of member entities that belong to the group\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:identity/groupMemberGroupIds:GroupMemberGroupIds":{"description":"Manages member groups for an Identity Group for Vault. The\n[Identity secrets engine](https://www.vaultproject.io/docs/secrets/identity/index.html)\nis the identity management solution for Vault.\n\n## Example Usage\n\n### Exclusive Member Groups\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst internal = new vault.identity.Group(\"internal\", {\n    name: \"internal\",\n    type: \"internal\",\n    externalMemberGroupIds: true,\n    metadata: {\n        version: \"2\",\n    },\n});\nconst users = new vault.identity.Group(\"users\", {\n    name: \"users\",\n    metadata: {\n        version: \"2\",\n    },\n});\nconst members = new vault.identity.GroupMemberGroupIds(\"members\", {\n    exclusive: true,\n    memberGroupIds: [users.id],\n    groupId: internal.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ninternal = vault.identity.Group(\"internal\",\n    name=\"internal\",\n    type=\"internal\",\n    external_member_group_ids=True,\n    metadata={\n        \"version\": \"2\",\n    })\nusers = vault.identity.Group(\"users\",\n    name=\"users\",\n    metadata={\n        \"version\": \"2\",\n    })\nmembers = vault.identity.GroupMemberGroupIds(\"members\",\n    exclusive=True,\n    member_group_ids=[users.id],\n    group_id=internal.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @internal = new Vault.Identity.Group(\"internal\", new()\n    {\n        Name = \"internal\",\n        Type = \"internal\",\n        ExternalMemberGroupIds = true,\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n    var users = new Vault.Identity.Group(\"users\", new()\n    {\n        Name = \"users\",\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n    var members = new Vault.Identity.GroupMemberGroupIds(\"members\", new()\n    {\n        Exclusive = true,\n        MemberGroupIds = new[]\n        {\n            users.Id,\n        },\n        GroupId = @internal.Id,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinternal, err := identity.NewGroup(ctx, \"internal\", \u0026identity.GroupArgs{\n\t\t\tName:                   pulumi.String(\"internal\"),\n\t\t\tType:                   pulumi.String(\"internal\"),\n\t\t\tExternalMemberGroupIds: pulumi.Bool(true),\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tusers, err := identity.NewGroup(ctx, \"users\", \u0026identity.GroupArgs{\n\t\t\tName: pulumi.String(\"users\"),\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroupMemberGroupIds(ctx, \"members\", \u0026identity.GroupMemberGroupIdsArgs{\n\t\t\tExclusive: pulumi.Bool(true),\n\t\t\tMemberGroupIds: pulumi.StringArray{\n\t\t\t\tusers.ID(),\n\t\t\t},\n\t\t\tGroupId: internal.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport com.pulumi.vault.identity.GroupMemberGroupIds;\nimport com.pulumi.vault.identity.GroupMemberGroupIdsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var internal = new Group(\"internal\", GroupArgs.builder()\n            .name(\"internal\")\n            .type(\"internal\")\n            .externalMemberGroupIds(true)\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n        var users = new Group(\"users\", GroupArgs.builder()\n            .name(\"users\")\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n        var members = new GroupMemberGroupIds(\"members\", GroupMemberGroupIdsArgs.builder()\n            .exclusive(true)\n            .memberGroupIds(users.id())\n            .groupId(internal.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  internal:\n    type: vault:identity:Group\n    properties:\n      name: internal\n      type: internal\n      externalMemberGroupIds: true\n      metadata:\n        version: '2'\n  users:\n    type: vault:identity:Group\n    properties:\n      name: users\n      metadata:\n        version: '2'\n  members:\n    type: vault:identity:GroupMemberGroupIds\n    properties:\n      exclusive: true\n      memberGroupIds:\n        - ${users.id}\n      groupId: ${internal.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Non-Exclusive Member Groups\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst internal = new vault.identity.Group(\"internal\", {\n    name: \"internal\",\n    type: \"internal\",\n    externalMemberGroupIds: true,\n    metadata: {\n        version: \"2\",\n    },\n});\nconst users = new vault.identity.Group(\"users\", {\n    name: \"users\",\n    metadata: {\n        version: \"2\",\n    },\n});\nconst members = new vault.identity.GroupMemberGroupIds(\"members\", {\n    exclusive: false,\n    memberGroupIds: [users.id],\n    groupId: internal.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ninternal = vault.identity.Group(\"internal\",\n    name=\"internal\",\n    type=\"internal\",\n    external_member_group_ids=True,\n    metadata={\n        \"version\": \"2\",\n    })\nusers = vault.identity.Group(\"users\",\n    name=\"users\",\n    metadata={\n        \"version\": \"2\",\n    })\nmembers = vault.identity.GroupMemberGroupIds(\"members\",\n    exclusive=False,\n    member_group_ids=[users.id],\n    group_id=internal.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @internal = new Vault.Identity.Group(\"internal\", new()\n    {\n        Name = \"internal\",\n        Type = \"internal\",\n        ExternalMemberGroupIds = true,\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n    var users = new Vault.Identity.Group(\"users\", new()\n    {\n        Name = \"users\",\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n    var members = new Vault.Identity.GroupMemberGroupIds(\"members\", new()\n    {\n        Exclusive = false,\n        MemberGroupIds = new[]\n        {\n            users.Id,\n        },\n        GroupId = @internal.Id,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinternal, err := identity.NewGroup(ctx, \"internal\", \u0026identity.GroupArgs{\n\t\t\tName:                   pulumi.String(\"internal\"),\n\t\t\tType:                   pulumi.String(\"internal\"),\n\t\t\tExternalMemberGroupIds: pulumi.Bool(true),\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tusers, err := identity.NewGroup(ctx, \"users\", \u0026identity.GroupArgs{\n\t\t\tName: pulumi.String(\"users\"),\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroupMemberGroupIds(ctx, \"members\", \u0026identity.GroupMemberGroupIdsArgs{\n\t\t\tExclusive: pulumi.Bool(false),\n\t\t\tMemberGroupIds: pulumi.StringArray{\n\t\t\t\tusers.ID(),\n\t\t\t},\n\t\t\tGroupId: internal.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport com.pulumi.vault.identity.GroupMemberGroupIds;\nimport com.pulumi.vault.identity.GroupMemberGroupIdsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var internal = new Group(\"internal\", GroupArgs.builder()\n            .name(\"internal\")\n            .type(\"internal\")\n            .externalMemberGroupIds(true)\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n        var users = new Group(\"users\", GroupArgs.builder()\n            .name(\"users\")\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n        var members = new GroupMemberGroupIds(\"members\", GroupMemberGroupIdsArgs.builder()\n            .exclusive(false)\n            .memberGroupIds(users.id())\n            .groupId(internal.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  internal:\n    type: vault:identity:Group\n    properties:\n      name: internal\n      type: internal\n      externalMemberGroupIds: true\n      metadata:\n        version: '2'\n  users:\n    type: vault:identity:Group\n    properties:\n      name: users\n      metadata:\n        version: '2'\n  members:\n    type: vault:identity:GroupMemberGroupIds\n    properties:\n      exclusive: false\n      memberGroupIds:\n        - ${users.id}\n      groupId: ${internal.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the member groups that belong to the group and will set\nit equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the member groups specified in the resource are present\nin the group. When destroying the resource, the resource will ensure that the member groups specified in the resource\nare removed.\n"},"groupId":{"type":"string","description":"Group ID to assign member entities to.\n"},"memberGroupIds":{"type":"array","items":{"type":"string"},"description":"List of member groups that belong to the group\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["groupId"],"inputProperties":{"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the member groups that belong to the group and will set\nit equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the member groups specified in the resource are present\nin the group. When destroying the resource, the resource will ensure that the member groups specified in the resource\nare removed.\n"},"groupId":{"type":"string","description":"Group ID to assign member entities to.\n","willReplaceOnChanges":true},"memberGroupIds":{"type":"array","items":{"type":"string"},"description":"List of member groups that belong to the group\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["groupId"],"stateInputs":{"description":"Input properties used for looking up and filtering GroupMemberGroupIds resources.\n","properties":{"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the member groups that belong to the group and will set\nit equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the member groups specified in the resource are present\nin the group. When destroying the resource, the resource will ensure that the member groups specified in the resource\nare removed.\n"},"groupId":{"type":"string","description":"Group ID to assign member entities to.\n","willReplaceOnChanges":true},"memberGroupIds":{"type":"array","items":{"type":"string"},"description":"List of member groups that belong to the group\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:identity/groupPolicies:GroupPolicies":{"description":"Manages policies for an Identity Group for Vault. The [Identity secrets engine](https://www.vaultproject.io/docs/secrets/identity/index.html) is the identity management solution for Vault.\n\n## Example Usage\n\n### Exclusive Policies\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst internal = new vault.identity.Group(\"internal\", {\n    name: \"internal\",\n    type: \"internal\",\n    externalPolicies: true,\n    metadata: {\n        version: \"2\",\n    },\n});\nconst policies = new vault.identity.GroupPolicies(\"policies\", {\n    policies: [\n        \"default\",\n        \"test\",\n    ],\n    exclusive: true,\n    groupId: internal.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ninternal = vault.identity.Group(\"internal\",\n    name=\"internal\",\n    type=\"internal\",\n    external_policies=True,\n    metadata={\n        \"version\": \"2\",\n    })\npolicies = vault.identity.GroupPolicies(\"policies\",\n    policies=[\n        \"default\",\n        \"test\",\n    ],\n    exclusive=True,\n    group_id=internal.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @internal = new Vault.Identity.Group(\"internal\", new()\n    {\n        Name = \"internal\",\n        Type = \"internal\",\n        ExternalPolicies = true,\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n    var policies = new Vault.Identity.GroupPolicies(\"policies\", new()\n    {\n        Policies = new[]\n        {\n            \"default\",\n            \"test\",\n        },\n        Exclusive = true,\n        GroupId = @internal.Id,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinternal, err := identity.NewGroup(ctx, \"internal\", \u0026identity.GroupArgs{\n\t\t\tName:             pulumi.String(\"internal\"),\n\t\t\tType:             pulumi.String(\"internal\"),\n\t\t\tExternalPolicies: pulumi.Bool(true),\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroupPolicies(ctx, \"policies\", \u0026identity.GroupPoliciesArgs{\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tExclusive: pulumi.Bool(true),\n\t\t\tGroupId:   internal.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport com.pulumi.vault.identity.GroupPolicies;\nimport com.pulumi.vault.identity.GroupPoliciesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var internal = new Group(\"internal\", GroupArgs.builder()\n            .name(\"internal\")\n            .type(\"internal\")\n            .externalPolicies(true)\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n        var policies = new GroupPolicies(\"policies\", GroupPoliciesArgs.builder()\n            .policies(            \n                \"default\",\n                \"test\")\n            .exclusive(true)\n            .groupId(internal.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  internal:\n    type: vault:identity:Group\n    properties:\n      name: internal\n      type: internal\n      externalPolicies: true\n      metadata:\n        version: '2'\n  policies:\n    type: vault:identity:GroupPolicies\n    properties:\n      policies:\n        - default\n        - test\n      exclusive: true\n      groupId: ${internal.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Non-exclusive Policies\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst internal = new vault.identity.Group(\"internal\", {\n    name: \"internal\",\n    type: \"internal\",\n    externalPolicies: true,\n    metadata: {\n        version: \"2\",\n    },\n});\nconst _default = new vault.identity.GroupPolicies(\"default\", {\n    policies: [\n        \"default\",\n        \"test\",\n    ],\n    exclusive: false,\n    groupId: internal.id,\n});\nconst others = new vault.identity.GroupPolicies(\"others\", {\n    policies: [\"others\"],\n    exclusive: false,\n    groupId: internal.id,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ninternal = vault.identity.Group(\"internal\",\n    name=\"internal\",\n    type=\"internal\",\n    external_policies=True,\n    metadata={\n        \"version\": \"2\",\n    })\ndefault = vault.identity.GroupPolicies(\"default\",\n    policies=[\n        \"default\",\n        \"test\",\n    ],\n    exclusive=False,\n    group_id=internal.id)\nothers = vault.identity.GroupPolicies(\"others\",\n    policies=[\"others\"],\n    exclusive=False,\n    group_id=internal.id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @internal = new Vault.Identity.Group(\"internal\", new()\n    {\n        Name = \"internal\",\n        Type = \"internal\",\n        ExternalPolicies = true,\n        Metadata = \n        {\n            { \"version\", \"2\" },\n        },\n    });\n\n    var @default = new Vault.Identity.GroupPolicies(\"default\", new()\n    {\n        Policies = new[]\n        {\n            \"default\",\n            \"test\",\n        },\n        Exclusive = false,\n        GroupId = @internal.Id,\n    });\n\n    var others = new Vault.Identity.GroupPolicies(\"others\", new()\n    {\n        Policies = new[]\n        {\n            \"others\",\n        },\n        Exclusive = false,\n        GroupId = @internal.Id,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinternal, err := identity.NewGroup(ctx, \"internal\", \u0026identity.GroupArgs{\n\t\t\tName:             pulumi.String(\"internal\"),\n\t\t\tType:             pulumi.String(\"internal\"),\n\t\t\tExternalPolicies: pulumi.Bool(true),\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroupPolicies(ctx, \"default\", \u0026identity.GroupPoliciesArgs{\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tExclusive: pulumi.Bool(false),\n\t\t\tGroupId:   internal.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewGroupPolicies(ctx, \"others\", \u0026identity.GroupPoliciesArgs{\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"others\"),\n\t\t\t},\n\t\t\tExclusive: pulumi.Bool(false),\n\t\t\tGroupId:   internal.ID(),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport com.pulumi.vault.identity.GroupPolicies;\nimport com.pulumi.vault.identity.GroupPoliciesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var internal = new Group(\"internal\", GroupArgs.builder()\n            .name(\"internal\")\n            .type(\"internal\")\n            .externalPolicies(true)\n            .metadata(Map.of(\"version\", \"2\"))\n            .build());\n\n        var default_ = new GroupPolicies(\"default\", GroupPoliciesArgs.builder()\n            .policies(            \n                \"default\",\n                \"test\")\n            .exclusive(false)\n            .groupId(internal.id())\n            .build());\n\n        var others = new GroupPolicies(\"others\", GroupPoliciesArgs.builder()\n            .policies(\"others\")\n            .exclusive(false)\n            .groupId(internal.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  internal:\n    type: vault:identity:Group\n    properties:\n      name: internal\n      type: internal\n      externalPolicies: true\n      metadata:\n        version: '2'\n  default:\n    type: vault:identity:GroupPolicies\n    properties:\n      policies:\n        - default\n        - test\n      exclusive: false\n      groupId: ${internal.id}\n  others:\n    type: vault:identity:GroupPolicies\n    properties:\n      policies:\n        - others\n      exclusive: false\n      groupId: ${internal.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the policies assigned to the group and will set it equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the policies specified in the resource are present in the group. When destroying the resource, the resource will ensure that the policies specified in the resource are removed.\n"},"groupId":{"type":"string","description":"Group ID to assign policies to.\n"},"groupName":{"type":"string","description":"The name of the group that are assigned the policies.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies to assign to the group\n"}},"required":["groupId","groupName","policies"],"inputProperties":{"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the policies assigned to the group and will set it equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the policies specified in the resource are present in the group. When destroying the resource, the resource will ensure that the policies specified in the resource are removed.\n"},"groupId":{"type":"string","description":"Group ID to assign policies to.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies to assign to the group\n"}},"requiredInputs":["groupId","policies"],"stateInputs":{"description":"Input properties used for looking up and filtering GroupPolicies resources.\n","properties":{"exclusive":{"type":"boolean","description":"Defaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n\nIf \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, this resource will take exclusive control of the policies assigned to the group and will set it equal to what is specified in the resource.\n\nIf set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, this resource will simply ensure that the policies specified in the resource are present in the group. When destroying the resource, the resource will ensure that the policies specified in the resource are removed.\n"},"groupId":{"type":"string","description":"Group ID to assign policies to.\n"},"groupName":{"type":"string","description":"The name of the group that are assigned the policies.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies to assign to the group\n"}},"type":"object"}},"vault:identity/mfaDuo:MfaDuo":{"description":"Resource for configuring the duo MFA method.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.identity.MfaDuo(\"example\", {\n    apiHostname: \"api-xxxxxxxx.duosecurity.com\",\n    secretKey: \"secret-key\",\n    integrationKey: \"secret-int-key\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.identity.MfaDuo(\"example\",\n    api_hostname=\"api-xxxxxxxx.duosecurity.com\",\n    secret_key=\"secret-key\",\n    integration_key=\"secret-int-key\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Identity.MfaDuo(\"example\", new()\n    {\n        ApiHostname = \"api-xxxxxxxx.duosecurity.com\",\n        SecretKey = \"secret-key\",\n        IntegrationKey = \"secret-int-key\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewMfaDuo(ctx, \"example\", \u0026identity.MfaDuoArgs{\n\t\t\tApiHostname:    pulumi.String(\"api-xxxxxxxx.duosecurity.com\"),\n\t\t\tSecretKey:      pulumi.String(\"secret-key\"),\n\t\t\tIntegrationKey: pulumi.String(\"secret-int-key\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.MfaDuo;\nimport com.pulumi.vault.identity.MfaDuoArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new MfaDuo(\"example\", MfaDuoArgs.builder()\n            .apiHostname(\"api-xxxxxxxx.duosecurity.com\")\n            .secretKey(\"secret-key\")\n            .integrationKey(\"secret-int-key\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:identity:MfaDuo\n    properties:\n      apiHostname: api-xxxxxxxx.duosecurity.com\n      secretKey: secret-key\n      integrationKey: secret-int-key\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nResource can be imported using its `uuid` field, e.g.\n\n```sh\n$ pulumi import vault:identity/mfaDuo:MfaDuo example 0d89c36a-4ff5-4d70-8749-bb6a5598aeec\n```\n","properties":{"apiHostname":{"type":"string","description":"API hostname for Duo\n"},"integrationKey":{"type":"string","description":"Integration key for Duo\n","secret":true},"methodId":{"type":"string","description":"Method ID.\n"},"mountAccessor":{"type":"string","description":"Mount accessor.\n"},"name":{"type":"string","description":"Method name."},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n"},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"pushInfo":{"type":"string","description":"Push information for Duo.\n"},"secretKey":{"type":"string","description":"Secret key for Duo\n","secret":true},"type":{"type":"string","description":"MFA type.\n"},"usePasscode":{"type":"boolean","description":"Require passcode upon MFA validation.\n"},"usernameFormat":{"type":"string","description":"A template string for mapping Identity names to MFA methods.\n"},"uuid":{"type":"string","description":"Resource UUID.\n"}},"required":["apiHostname","integrationKey","methodId","mountAccessor","name","namespaceId","namespacePath","secretKey","type","uuid"],"inputProperties":{"apiHostname":{"type":"string","description":"API hostname for Duo\n"},"integrationKey":{"type":"string","description":"Integration key for Duo\n","secret":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true},"pushInfo":{"type":"string","description":"Push information for Duo.\n"},"secretKey":{"type":"string","description":"Secret key for Duo\n","secret":true},"usePasscode":{"type":"boolean","description":"Require passcode upon MFA validation.\n"},"usernameFormat":{"type":"string","description":"A template string for mapping Identity names to MFA methods.\n"}},"requiredInputs":["apiHostname","integrationKey","secretKey"],"stateInputs":{"description":"Input properties used for looking up and filtering MfaDuo resources.\n","properties":{"apiHostname":{"type":"string","description":"API hostname for Duo\n"},"integrationKey":{"type":"string","description":"Integration key for Duo\n","secret":true},"methodId":{"type":"string","description":"Method ID.\n"},"mountAccessor":{"type":"string","description":"Mount accessor.\n"},"name":{"type":"string","description":"Method name."},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"pushInfo":{"type":"string","description":"Push information for Duo.\n"},"secretKey":{"type":"string","description":"Secret key for Duo\n","secret":true},"type":{"type":"string","description":"MFA type.\n"},"usePasscode":{"type":"boolean","description":"Require passcode upon MFA validation.\n"},"usernameFormat":{"type":"string","description":"A template string for mapping Identity names to MFA methods.\n"},"uuid":{"type":"string","description":"Resource UUID.\n"}},"type":"object"}},"vault:identity/mfaLoginEnforcement:MfaLoginEnforcement":{"description":"Resource for configuring MFA login-enforcement\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.identity.MfaDuo(\"example\", {\n    secretKey: \"secret-key\",\n    integrationKey: \"int-key\",\n    apiHostname: \"foo.baz\",\n    pushInfo: \"push-info\",\n});\nconst exampleMfaLoginEnforcement = new vault.identity.MfaLoginEnforcement(\"example\", {\n    name: \"default\",\n    mfaMethodIds: [example.methodId],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.identity.MfaDuo(\"example\",\n    secret_key=\"secret-key\",\n    integration_key=\"int-key\",\n    api_hostname=\"foo.baz\",\n    push_info=\"push-info\")\nexample_mfa_login_enforcement = vault.identity.MfaLoginEnforcement(\"example\",\n    name=\"default\",\n    mfa_method_ids=[example.method_id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Identity.MfaDuo(\"example\", new()\n    {\n        SecretKey = \"secret-key\",\n        IntegrationKey = \"int-key\",\n        ApiHostname = \"foo.baz\",\n        PushInfo = \"push-info\",\n    });\n\n    var exampleMfaLoginEnforcement = new Vault.Identity.MfaLoginEnforcement(\"example\", new()\n    {\n        Name = \"default\",\n        MfaMethodIds = new[]\n        {\n            example.MethodId,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := identity.NewMfaDuo(ctx, \"example\", \u0026identity.MfaDuoArgs{\n\t\t\tSecretKey:      pulumi.String(\"secret-key\"),\n\t\t\tIntegrationKey: pulumi.String(\"int-key\"),\n\t\t\tApiHostname:    pulumi.String(\"foo.baz\"),\n\t\t\tPushInfo:       pulumi.String(\"push-info\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewMfaLoginEnforcement(ctx, \"example\", \u0026identity.MfaLoginEnforcementArgs{\n\t\t\tName: pulumi.String(\"default\"),\n\t\t\tMfaMethodIds: pulumi.StringArray{\n\t\t\t\texample.MethodId,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.MfaDuo;\nimport com.pulumi.vault.identity.MfaDuoArgs;\nimport com.pulumi.vault.identity.MfaLoginEnforcement;\nimport com.pulumi.vault.identity.MfaLoginEnforcementArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new MfaDuo(\"example\", MfaDuoArgs.builder()\n            .secretKey(\"secret-key\")\n            .integrationKey(\"int-key\")\n            .apiHostname(\"foo.baz\")\n            .pushInfo(\"push-info\")\n            .build());\n\n        var exampleMfaLoginEnforcement = new MfaLoginEnforcement(\"exampleMfaLoginEnforcement\", MfaLoginEnforcementArgs.builder()\n            .name(\"default\")\n            .mfaMethodIds(example.methodId())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:identity:MfaDuo\n    properties:\n      secretKey: secret-key\n      integrationKey: int-key\n      apiHostname: foo.baz\n      pushInfo: push-info\n  exampleMfaLoginEnforcement:\n    type: vault:identity:MfaLoginEnforcement\n    name: example\n    properties:\n      name: default\n      mfaMethodIds:\n        - ${example.methodId}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nResource can be imported using its `name` field, e.g.\n\n```sh\n$ pulumi import vault:identity/mfaLoginEnforcement:MfaLoginEnforcement example default\n```\n","properties":{"authMethodAccessors":{"type":"array","items":{"type":"string"},"description":"Set of auth method accessor IDs.\n"},"authMethodTypes":{"type":"array","items":{"type":"string"},"description":"Set of auth method types.\n"},"identityEntityIds":{"type":"array","items":{"type":"string"},"description":"Set of identity entity IDs.\n"},"identityGroupIds":{"type":"array","items":{"type":"string"},"description":"Set of identity group IDs.\n"},"mfaMethodIds":{"type":"array","items":{"type":"string"},"description":"Set of MFA method UUIDs.\n"},"name":{"type":"string","description":"Login enforcement name.\n"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n"},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"uuid":{"type":"string","description":"Resource UUID.\n"}},"required":["mfaMethodIds","name","namespaceId","namespacePath","uuid"],"inputProperties":{"authMethodAccessors":{"type":"array","items":{"type":"string"},"description":"Set of auth method accessor IDs.\n"},"authMethodTypes":{"type":"array","items":{"type":"string"},"description":"Set of auth method types.\n"},"identityEntityIds":{"type":"array","items":{"type":"string"},"description":"Set of identity entity IDs.\n"},"identityGroupIds":{"type":"array","items":{"type":"string"},"description":"Set of identity group IDs.\n"},"mfaMethodIds":{"type":"array","items":{"type":"string"},"description":"Set of MFA method UUIDs.\n"},"name":{"type":"string","description":"Login enforcement name.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true}},"requiredInputs":["mfaMethodIds"],"stateInputs":{"description":"Input properties used for looking up and filtering MfaLoginEnforcement resources.\n","properties":{"authMethodAccessors":{"type":"array","items":{"type":"string"},"description":"Set of auth method accessor IDs.\n"},"authMethodTypes":{"type":"array","items":{"type":"string"},"description":"Set of auth method types.\n"},"identityEntityIds":{"type":"array","items":{"type":"string"},"description":"Set of identity entity IDs.\n"},"identityGroupIds":{"type":"array","items":{"type":"string"},"description":"Set of identity group IDs.\n"},"mfaMethodIds":{"type":"array","items":{"type":"string"},"description":"Set of MFA method UUIDs.\n"},"name":{"type":"string","description":"Login enforcement name.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"uuid":{"type":"string","description":"Resource UUID.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:identity/mfaOkta:MfaOkta":{"description":"Resource for configuring the okta MFA method.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.identity.MfaOkta(\"example\", {\n    orgName: \"org1\",\n    apiToken: \"token1\",\n    baseUrl: \"qux.baz.com\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.identity.MfaOkta(\"example\",\n    org_name=\"org1\",\n    api_token=\"token1\",\n    base_url=\"qux.baz.com\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Identity.MfaOkta(\"example\", new()\n    {\n        OrgName = \"org1\",\n        ApiToken = \"token1\",\n        BaseUrl = \"qux.baz.com\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewMfaOkta(ctx, \"example\", \u0026identity.MfaOktaArgs{\n\t\t\tOrgName:  pulumi.String(\"org1\"),\n\t\t\tApiToken: pulumi.String(\"token1\"),\n\t\t\tBaseUrl:  pulumi.String(\"qux.baz.com\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.MfaOkta;\nimport com.pulumi.vault.identity.MfaOktaArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new MfaOkta(\"example\", MfaOktaArgs.builder()\n            .orgName(\"org1\")\n            .apiToken(\"token1\")\n            .baseUrl(\"qux.baz.com\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:identity:MfaOkta\n    properties:\n      orgName: org1\n      apiToken: token1\n      baseUrl: qux.baz.com\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nResource can be imported using its `uuid` field, e.g.\n\n```sh\n$ pulumi import vault:identity/mfaOkta:MfaOkta example 0d89c36a-4ff5-4d70-8749-bb6a5598aeec\n```\n","properties":{"apiToken":{"type":"string","description":"Okta API token.\n","secret":true},"baseUrl":{"type":"string","description":"The base domain to use for API requests.\n"},"methodId":{"type":"string","description":"Method ID.\n"},"mountAccessor":{"type":"string","description":"Mount accessor.\n"},"name":{"type":"string","description":"Method name."},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n"},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"orgName":{"type":"string","description":"Name of the organization to be used in the Okta API.\n"},"primaryEmail":{"type":"boolean","description":"Only match the primary email for the account.\n"},"type":{"type":"string","description":"MFA type.\n"},"usernameFormat":{"type":"string","description":"A template string for mapping Identity names to MFA methods.\n"},"uuid":{"type":"string","description":"Resource UUID.\n"}},"required":["apiToken","methodId","mountAccessor","name","namespaceId","namespacePath","orgName","type","uuid"],"inputProperties":{"apiToken":{"type":"string","description":"Okta API token.\n","secret":true},"baseUrl":{"type":"string","description":"The base domain to use for API requests.\n"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true},"orgName":{"type":"string","description":"Name of the organization to be used in the Okta API.\n"},"primaryEmail":{"type":"boolean","description":"Only match the primary email for the account.\n"},"usernameFormat":{"type":"string","description":"A template string for mapping Identity names to MFA methods.\n"}},"requiredInputs":["apiToken","orgName"],"stateInputs":{"description":"Input properties used for looking up and filtering MfaOkta resources.\n","properties":{"apiToken":{"type":"string","description":"Okta API token.\n","secret":true},"baseUrl":{"type":"string","description":"The base domain to use for API requests.\n"},"methodId":{"type":"string","description":"Method ID.\n"},"mountAccessor":{"type":"string","description":"Mount accessor.\n"},"name":{"type":"string","description":"Method name."},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"orgName":{"type":"string","description":"Name of the organization to be used in the Okta API.\n"},"primaryEmail":{"type":"boolean","description":"Only match the primary email for the account.\n"},"type":{"type":"string","description":"MFA type.\n"},"usernameFormat":{"type":"string","description":"A template string for mapping Identity names to MFA methods.\n"},"uuid":{"type":"string","description":"Resource UUID.\n"}},"type":"object"}},"vault:identity/mfaPingid:MfaPingid":{"description":"Resource for configuring the pingid MFA method.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.identity.MfaPingid(\"example\", {settingsFileBase64: \"CnVzZV9iYXNlNjR[...]HBtCg==\"});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.identity.MfaPingid(\"example\", settings_file_base64=\"CnVzZV9iYXNlNjR[...]HBtCg==\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Identity.MfaPingid(\"example\", new()\n    {\n        SettingsFileBase64 = \"CnVzZV9iYXNlNjR[...]HBtCg==\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewMfaPingid(ctx, \"example\", \u0026identity.MfaPingidArgs{\n\t\t\tSettingsFileBase64: pulumi.String(\"CnVzZV9iYXNlNjR[...]HBtCg==\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.MfaPingid;\nimport com.pulumi.vault.identity.MfaPingidArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new MfaPingid(\"example\", MfaPingidArgs.builder()\n            .settingsFileBase64(\"CnVzZV9iYXNlNjR[...]HBtCg==\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:identity:MfaPingid\n    properties:\n      settingsFileBase64: CnVzZV9iYXNlNjR[...]HBtCg==\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nResource can be imported using its `uuid` field, e.g.\n\n```sh\n$ pulumi import vault:identity/mfaPingid:MfaPingid example 0d89c36a-4ff5-4d70-8749-bb6a5598aeec\n```\n","properties":{"adminUrl":{"type":"string","description":"The admin URL, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n"},"authenticatorUrl":{"type":"string","description":"A unique identifier of the organization, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n"},"idpUrl":{"type":"string","description":"The IDP URL, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n"},"methodId":{"type":"string","description":"Method ID.\n"},"mountAccessor":{"type":"string","description":"Mount accessor.\n"},"name":{"type":"string","description":"Method name."},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n"},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"orgAlias":{"type":"string","description":"The name of the PingID client organization, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n"},"settingsFileBase64":{"type":"string","description":"A base64-encoded third-party settings contents as retrieved from PingID's configuration page.\n"},"type":{"type":"string","description":"MFA type.\n"},"useSignature":{"type":"boolean","description":"Use signature value, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n"},"usernameFormat":{"type":"string","description":"A template string for mapping Identity names to MFA methods.\n"},"uuid":{"type":"string","description":"Resource UUID.\n"}},"required":["adminUrl","authenticatorUrl","idpUrl","methodId","mountAccessor","name","namespaceId","namespacePath","orgAlias","settingsFileBase64","type","useSignature","uuid"],"inputProperties":{"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true},"settingsFileBase64":{"type":"string","description":"A base64-encoded third-party settings contents as retrieved from PingID's configuration page.\n"},"usernameFormat":{"type":"string","description":"A template string for mapping Identity names to MFA methods.\n"}},"requiredInputs":["settingsFileBase64"],"stateInputs":{"description":"Input properties used for looking up and filtering MfaPingid resources.\n","properties":{"adminUrl":{"type":"string","description":"The admin URL, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n","willReplaceOnChanges":true},"authenticatorUrl":{"type":"string","description":"A unique identifier of the organization, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n","willReplaceOnChanges":true},"idpUrl":{"type":"string","description":"The IDP URL, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n","willReplaceOnChanges":true},"methodId":{"type":"string","description":"Method ID.\n"},"mountAccessor":{"type":"string","description":"Mount accessor.\n"},"name":{"type":"string","description":"Method name."},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"orgAlias":{"type":"string","description":"The name of the PingID client organization, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n","willReplaceOnChanges":true},"settingsFileBase64":{"type":"string","description":"A base64-encoded third-party settings contents as retrieved from PingID's configuration page.\n"},"type":{"type":"string","description":"MFA type.\n"},"useSignature":{"type":"boolean","description":"Use signature value, derived from \u003cspan pulumi-lang-nodejs=\"\"settingsFileBase64\"\" pulumi-lang-dotnet=\"\"SettingsFileBase64\"\" pulumi-lang-go=\"\"settingsFileBase64\"\" pulumi-lang-python=\"\"settings_file_base64\"\" pulumi-lang-yaml=\"\"settingsFileBase64\"\" pulumi-lang-java=\"\"settingsFileBase64\"\"\u003e\"settings_file_base64\"\u003c/span\u003e\n","willReplaceOnChanges":true},"usernameFormat":{"type":"string","description":"A template string for mapping Identity names to MFA methods.\n"},"uuid":{"type":"string","description":"Resource UUID.\n"}},"type":"object"}},"vault:identity/mfaTotp:MfaTotp":{"description":"Resource for configuring the totp MFA method.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.identity.MfaTotp(\"example\", {issuer: \"issuer1\"});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.identity.MfaTotp(\"example\", issuer=\"issuer1\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Identity.MfaTotp(\"example\", new()\n    {\n        Issuer = \"issuer1\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewMfaTotp(ctx, \"example\", \u0026identity.MfaTotpArgs{\n\t\t\tIssuer: pulumi.String(\"issuer1\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.MfaTotp;\nimport com.pulumi.vault.identity.MfaTotpArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new MfaTotp(\"example\", MfaTotpArgs.builder()\n            .issuer(\"issuer1\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:identity:MfaTotp\n    properties:\n      issuer: issuer1\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nResource can be imported using its `uuid` field, e.g.\n\n```sh\n$ pulumi import vault:identity/mfaTotp:MfaTotp example 0d89c36a-4ff5-4d70-8749-bb6a5598aeec\n```\n","properties":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.\n"},"digits":{"type":"integer","description":"The number of digits in the generated TOTP token. This value can either be 6 or 8\n"},"issuer":{"type":"string","description":"The name of the key's issuing organization.\n"},"keySize":{"type":"integer","description":"Specifies the size in bytes of the generated key.\n"},"maxValidationAttempts":{"type":"integer","description":"The maximum number of consecutive failed validation attempts allowed.\n"},"methodId":{"type":"string","description":"Method ID.\n"},"mountAccessor":{"type":"string","description":"Mount accessor.\n"},"name":{"type":"string","description":"Method name."},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n"},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"period":{"type":"integer","description":"The length of time in seconds used to generate a counter for the TOTP token calculation.\n"},"qrSize":{"type":"integer","description":"The pixel size of the generated square QR code.\n"},"skew":{"type":"integer","description":"The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.\n"},"type":{"type":"string","description":"MFA type.\n"},"uuid":{"type":"string","description":"Resource UUID.\n"}},"required":["issuer","methodId","mountAccessor","name","namespaceId","namespacePath","qrSize","type","uuid"],"inputProperties":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.\n"},"digits":{"type":"integer","description":"The number of digits in the generated TOTP token. This value can either be 6 or 8\n"},"issuer":{"type":"string","description":"The name of the key's issuing organization.\n"},"keySize":{"type":"integer","description":"Specifies the size in bytes of the generated key.\n"},"maxValidationAttempts":{"type":"integer","description":"The maximum number of consecutive failed validation attempts allowed.\n"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true},"period":{"type":"integer","description":"The length of time in seconds used to generate a counter for the TOTP token calculation.\n"},"qrSize":{"type":"integer","description":"The pixel size of the generated square QR code.\n"},"skew":{"type":"integer","description":"The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.\n"}},"requiredInputs":["issuer"],"stateInputs":{"description":"Input properties used for looking up and filtering MfaTotp resources.\n","properties":{"algorithm":{"type":"string","description":"Specifies the hashing algorithm used to generate the TOTP code. Options include SHA1, SHA256, SHA512.\n"},"digits":{"type":"integer","description":"The number of digits in the generated TOTP token. This value can either be 6 or 8\n"},"issuer":{"type":"string","description":"The name of the key's issuing organization.\n"},"keySize":{"type":"integer","description":"Specifies the size in bytes of the generated key.\n"},"maxValidationAttempts":{"type":"integer","description":"The maximum number of consecutive failed validation attempts allowed.\n"},"methodId":{"type":"string","description":"Method ID.\n"},"mountAccessor":{"type":"string","description":"Mount accessor.\n"},"name":{"type":"string","description":"Method name."},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)\n","willReplaceOnChanges":true},"namespaceId":{"type":"string","description":"Method's namespace ID.\n"},"namespacePath":{"type":"string","description":"Method's namespace path.\n"},"period":{"type":"integer","description":"The length of time in seconds used to generate a counter for the TOTP token calculation.\n"},"qrSize":{"type":"integer","description":"The pixel size of the generated square QR code.\n"},"skew":{"type":"integer","description":"The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.\n"},"type":{"type":"string","description":"MFA type.\n"},"uuid":{"type":"string","description":"Resource UUID.\n"}},"type":"object"}},"vault:identity/oidc:Oidc":{"description":"Configure the [Identity Tokens Backend](https://www.vaultproject.io/docs/secrets/identity/index.html#identity-tokens).\n\nThe Identity secrets engine is the identity management solution for Vault. It internally maintains\nthe clients who are recognized by Vault.\n\n\u003e **NOTE:** Each Vault server may only have one Identity Tokens Backend configuration. Multiple configurations of the resource against the same Vault server will cause a perpetual difference.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst server = new vault.identity.Oidc(\"server\", {issuer: \"https://www.acme.com\"});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nserver = vault.identity.Oidc(\"server\", issuer=\"https://www.acme.com\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var server = new Vault.Identity.Oidc(\"server\", new()\n    {\n        Issuer = \"https://www.acme.com\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewOidc(ctx, \"server\", \u0026identity.OidcArgs{\n\t\t\tIssuer: pulumi.String(\"https://www.acme.com\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Oidc;\nimport com.pulumi.vault.identity.OidcArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var server = new Oidc(\"server\", OidcArgs.builder()\n            .issuer(\"https://www.acme.com\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  server:\n    type: vault:identity:Oidc\n    properties:\n      issuer: https://www.acme.com\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"issuer":{"type":"string","description":"Issuer URL to be used in the iss claim of the token. If not set, Vault's\n\u003cspan pulumi-lang-nodejs=\"`apiAddr`\" pulumi-lang-dotnet=\"`ApiAddr`\" pulumi-lang-go=\"`apiAddr`\" pulumi-lang-python=\"`api_addr`\" pulumi-lang-yaml=\"`apiAddr`\" pulumi-lang-java=\"`apiAddr`\"\u003e`api_addr`\u003c/span\u003e will be used. The issuer is a case sensitive URL using the https scheme that contains\nscheme, host, and optionally, port number and path components, but no query or fragment\ncomponents.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["issuer"],"inputProperties":{"issuer":{"type":"string","description":"Issuer URL to be used in the iss claim of the token. If not set, Vault's\n\u003cspan pulumi-lang-nodejs=\"`apiAddr`\" pulumi-lang-dotnet=\"`ApiAddr`\" pulumi-lang-go=\"`apiAddr`\" pulumi-lang-python=\"`api_addr`\" pulumi-lang-yaml=\"`apiAddr`\" pulumi-lang-java=\"`apiAddr`\"\u003e`api_addr`\u003c/span\u003e will be used. The issuer is a case sensitive URL using the https scheme that contains\nscheme, host, and optionally, port number and path components, but no query or fragment\ncomponents.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"stateInputs":{"description":"Input properties used for looking up and filtering Oidc resources.\n","properties":{"issuer":{"type":"string","description":"Issuer URL to be used in the iss claim of the token. If not set, Vault's\n\u003cspan pulumi-lang-nodejs=\"`apiAddr`\" pulumi-lang-dotnet=\"`ApiAddr`\" pulumi-lang-go=\"`apiAddr`\" pulumi-lang-python=\"`api_addr`\" pulumi-lang-yaml=\"`apiAddr`\" pulumi-lang-java=\"`apiAddr`\"\u003e`api_addr`\u003c/span\u003e will be used. The issuer is a case sensitive URL using the https scheme that contains\nscheme, host, and optionally, port number and path components, but no query or fragment\ncomponents.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:identity/oidcAssignment:OidcAssignment":{"description":"Manages OIDC Assignments in a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/secret/identity/oidc-provider#create-or-update-an-assignment)\nfor more information.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst internal = new vault.identity.Group(\"internal\", {\n    name: \"internal\",\n    type: \"internal\",\n    policies: [\n        \"dev\",\n        \"test\",\n    ],\n});\nconst test = new vault.identity.Entity(\"test\", {\n    name: \"test\",\n    policies: [\"test\"],\n});\nconst _default = new vault.identity.OidcAssignment(\"default\", {\n    name: \"assignment\",\n    entityIds: [test.id],\n    groupIds: [internal.id],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ninternal = vault.identity.Group(\"internal\",\n    name=\"internal\",\n    type=\"internal\",\n    policies=[\n        \"dev\",\n        \"test\",\n    ])\ntest = vault.identity.Entity(\"test\",\n    name=\"test\",\n    policies=[\"test\"])\ndefault = vault.identity.OidcAssignment(\"default\",\n    name=\"assignment\",\n    entity_ids=[test.id],\n    group_ids=[internal.id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @internal = new Vault.Identity.Group(\"internal\", new()\n    {\n        Name = \"internal\",\n        Type = \"internal\",\n        Policies = new[]\n        {\n            \"dev\",\n            \"test\",\n        },\n    });\n\n    var test = new Vault.Identity.Entity(\"test\", new()\n    {\n        Name = \"test\",\n        Policies = new[]\n        {\n            \"test\",\n        },\n    });\n\n    var @default = new Vault.Identity.OidcAssignment(\"default\", new()\n    {\n        Name = \"assignment\",\n        EntityIds = new[]\n        {\n            test.Id,\n        },\n        GroupIds = new[]\n        {\n            @internal.Id,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinternal, err := identity.NewGroup(ctx, \"internal\", \u0026identity.GroupArgs{\n\t\t\tName: pulumi.String(\"internal\"),\n\t\t\tType: pulumi.String(\"internal\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttest, err := identity.NewEntity(ctx, \"test\", \u0026identity.EntityArgs{\n\t\t\tName: pulumi.String(\"test\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewOidcAssignment(ctx, \"default\", \u0026identity.OidcAssignmentArgs{\n\t\t\tName: pulumi.String(\"assignment\"),\n\t\t\tEntityIds: pulumi.StringArray{\n\t\t\t\ttest.ID(),\n\t\t\t},\n\t\t\tGroupIds: pulumi.StringArray{\n\t\t\t\tinternal.ID(),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.Group;\nimport com.pulumi.vault.identity.GroupArgs;\nimport com.pulumi.vault.identity.Entity;\nimport com.pulumi.vault.identity.EntityArgs;\nimport com.pulumi.vault.identity.OidcAssignment;\nimport com.pulumi.vault.identity.OidcAssignmentArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var internal = new Group(\"internal\", GroupArgs.builder()\n            .name(\"internal\")\n            .type(\"internal\")\n            .policies(            \n                \"dev\",\n                \"test\")\n            .build());\n\n        var test = new Entity(\"test\", EntityArgs.builder()\n            .name(\"test\")\n            .policies(\"test\")\n            .build());\n\n        var default_ = new OidcAssignment(\"default\", OidcAssignmentArgs.builder()\n            .name(\"assignment\")\n            .entityIds(test.id())\n            .groupIds(internal.id())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  internal:\n    type: vault:identity:Group\n    properties:\n      name: internal\n      type: internal\n      policies:\n        - dev\n        - test\n  test:\n    type: vault:identity:Entity\n    properties:\n      name: test\n      policies:\n        - test\n  default:\n    type: vault:identity:OidcAssignment\n    properties:\n      name: assignment\n      entityIds:\n        - ${test.id}\n      groupIds:\n        - ${internal.id}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nOIDC Assignments can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:identity/oidcAssignment:OidcAssignment default assignment\n```\n","properties":{"entityIds":{"type":"array","items":{"type":"string"},"description":"A set of Vault entity IDs.\n"},"groupIds":{"type":"array","items":{"type":"string"},"description":"A set of Vault group IDs.\n"},"name":{"type":"string","description":"The name of the assignment.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["name"],"inputProperties":{"entityIds":{"type":"array","items":{"type":"string"},"description":"A set of Vault entity IDs.\n"},"groupIds":{"type":"array","items":{"type":"string"},"description":"A set of Vault group IDs.\n"},"name":{"type":"string","description":"The name of the assignment.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"stateInputs":{"description":"Input properties used for looking up and filtering OidcAssignment resources.\n","properties":{"entityIds":{"type":"array","items":{"type":"string"},"description":"A set of Vault entity IDs.\n"},"groupIds":{"type":"array","items":{"type":"string"},"description":"A set of Vault group IDs.\n"},"name":{"type":"string","description":"The name of the assignment.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:identity/oidcClient:OidcClient":{"description":"Manages OIDC Clients in a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/secret/identity/oidc-provider#create-or-update-an-assignment)\nfor more information.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.identity.OidcAssignment(\"test\", {\n    name: \"my-assignment\",\n    entityIds: [\"ascbascas-2231a-sdfaa\"],\n    groupIds: [\"sajkdsad-32414-sfsada\"],\n});\nconst testOidcClient = new vault.identity.OidcClient(\"test\", {\n    name: \"my-app\",\n    redirectUris: [\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    assignments: [test.name],\n    idTokenTtl: 2400,\n    accessTokenTtl: 7200,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.identity.OidcAssignment(\"test\",\n    name=\"my-assignment\",\n    entity_ids=[\"ascbascas-2231a-sdfaa\"],\n    group_ids=[\"sajkdsad-32414-sfsada\"])\ntest_oidc_client = vault.identity.OidcClient(\"test\",\n    name=\"my-app\",\n    redirect_uris=[\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    assignments=[test.name],\n    id_token_ttl=2400,\n    access_token_ttl=7200)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.Identity.OidcAssignment(\"test\", new()\n    {\n        Name = \"my-assignment\",\n        EntityIds = new[]\n        {\n            \"ascbascas-2231a-sdfaa\",\n        },\n        GroupIds = new[]\n        {\n            \"sajkdsad-32414-sfsada\",\n        },\n    });\n\n    var testOidcClient = new Vault.Identity.OidcClient(\"test\", new()\n    {\n        Name = \"my-app\",\n        RedirectUris = new[]\n        {\n            \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n            \"http://127.0.0.1:8251/callback\",\n            \"http://127.0.0.1:8080/callback\",\n        },\n        Assignments = new[]\n        {\n            test.Name,\n        },\n        IdTokenTtl = 2400,\n        AccessTokenTtl = 7200,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttest, err := identity.NewOidcAssignment(ctx, \"test\", \u0026identity.OidcAssignmentArgs{\n\t\t\tName: pulumi.String(\"my-assignment\"),\n\t\t\tEntityIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ascbascas-2231a-sdfaa\"),\n\t\t\t},\n\t\t\tGroupIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"sajkdsad-32414-sfsada\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewOidcClient(ctx, \"test\", \u0026identity.OidcClientArgs{\n\t\t\tName: pulumi.String(\"my-app\"),\n\t\t\tRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8251/callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8080/callback\"),\n\t\t\t},\n\t\t\tAssignments: pulumi.StringArray{\n\t\t\t\ttest.Name,\n\t\t\t},\n\t\t\tIdTokenTtl:     pulumi.Int(2400),\n\t\t\tAccessTokenTtl: pulumi.Int(7200),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcAssignment;\nimport com.pulumi.vault.identity.OidcAssignmentArgs;\nimport com.pulumi.vault.identity.OidcClient;\nimport com.pulumi.vault.identity.OidcClientArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new OidcAssignment(\"test\", OidcAssignmentArgs.builder()\n            .name(\"my-assignment\")\n            .entityIds(\"ascbascas-2231a-sdfaa\")\n            .groupIds(\"sajkdsad-32414-sfsada\")\n            .build());\n\n        var testOidcClient = new OidcClient(\"testOidcClient\", OidcClientArgs.builder()\n            .name(\"my-app\")\n            .redirectUris(            \n                \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n                \"http://127.0.0.1:8251/callback\",\n                \"http://127.0.0.1:8080/callback\")\n            .assignments(test.name())\n            .idTokenTtl(2400)\n            .accessTokenTtl(7200)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:identity:OidcAssignment\n    properties:\n      name: my-assignment\n      entityIds:\n        - ascbascas-2231a-sdfaa\n      groupIds:\n        - sajkdsad-32414-sfsada\n  testOidcClient:\n    type: vault:identity:OidcClient\n    name: test\n    properties:\n      name: my-app\n      redirectUris:\n        - http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\n        - http://127.0.0.1:8251/callback\n        - http://127.0.0.1:8080/callback\n      assignments:\n        - ${test.name}\n      idTokenTtl: 2400\n      accessTokenTtl: 7200\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nOIDC Clients can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:identity/oidcClient:OidcClient test my-app\n```\n","properties":{"accessTokenTtl":{"type":"integer","description":"The time-to-live for access tokens obtained by the client.\n"},"assignments":{"type":"array","items":{"type":"string"},"description":"A list of assignment resources associated with the client.\n"},"clientId":{"type":"string","description":"The Client ID returned by Vault.\n"},"clientSecret":{"type":"string","description":"The Client Secret Key returned by Vault.\nFor public OpenID Clients \u003cspan pulumi-lang-nodejs=\"`clientSecret`\" pulumi-lang-dotnet=\"`ClientSecret`\" pulumi-lang-go=\"`clientSecret`\" pulumi-lang-python=\"`client_secret`\" pulumi-lang-yaml=\"`clientSecret`\" pulumi-lang-java=\"`clientSecret`\"\u003e`client_secret`\u003c/span\u003e is set to an empty string `\"\"`\n","secret":true},"clientType":{"type":"string","description":"The client type based on its ability to maintain confidentiality of credentials.\nThe following client types are supported: \u003cspan pulumi-lang-nodejs=\"`confidential`\" pulumi-lang-dotnet=\"`Confidential`\" pulumi-lang-go=\"`confidential`\" pulumi-lang-python=\"`confidential`\" pulumi-lang-yaml=\"`confidential`\" pulumi-lang-java=\"`confidential`\"\u003e`confidential`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`public`\" pulumi-lang-dotnet=\"`Public`\" pulumi-lang-go=\"`public`\" pulumi-lang-python=\"`public`\" pulumi-lang-yaml=\"`public`\" pulumi-lang-java=\"`public`\"\u003e`public`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`confidential`\" pulumi-lang-dotnet=\"`Confidential`\" pulumi-lang-go=\"`confidential`\" pulumi-lang-python=\"`confidential`\" pulumi-lang-yaml=\"`confidential`\" pulumi-lang-java=\"`confidential`\"\u003e`confidential`\u003c/span\u003e.\n"},"idTokenTtl":{"type":"integer","description":"The time-to-live for ID tokens obtained by the client. \nThe value should be less than the \u003cspan pulumi-lang-nodejs=\"`verificationTtl`\" pulumi-lang-dotnet=\"`VerificationTtl`\" pulumi-lang-go=\"`verificationTtl`\" pulumi-lang-python=\"`verification_ttl`\" pulumi-lang-yaml=\"`verificationTtl`\" pulumi-lang-java=\"`verificationTtl`\"\u003e`verification_ttl`\u003c/span\u003e on the key.\n"},"key":{"type":"string","description":"A reference to a named key resource in Vault.\nThis cannot be modified after creation. If not provided, the \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e\nkey is used.\n"},"name":{"type":"string","description":"The name of the client.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"redirectUris":{"type":"array","items":{"type":"string"},"description":"Redirection URI values used by the client. \nOne of these values must exactly match the \u003cspan pulumi-lang-nodejs=\"`redirectUri`\" pulumi-lang-dotnet=\"`RedirectUri`\" pulumi-lang-go=\"`redirectUri`\" pulumi-lang-python=\"`redirect_uri`\" pulumi-lang-yaml=\"`redirectUri`\" pulumi-lang-java=\"`redirectUri`\"\u003e`redirect_uri`\u003c/span\u003e parameter value\nused in each authentication request.\n"}},"required":["accessTokenTtl","clientId","clientSecret","clientType","idTokenTtl","key","name"],"inputProperties":{"accessTokenTtl":{"type":"integer","description":"The time-to-live for access tokens obtained by the client.\n"},"assignments":{"type":"array","items":{"type":"string"},"description":"A list of assignment resources associated with the client.\n"},"clientType":{"type":"string","description":"The client type based on its ability to maintain confidentiality of credentials.\nThe following client types are supported: \u003cspan pulumi-lang-nodejs=\"`confidential`\" pulumi-lang-dotnet=\"`Confidential`\" pulumi-lang-go=\"`confidential`\" pulumi-lang-python=\"`confidential`\" pulumi-lang-yaml=\"`confidential`\" pulumi-lang-java=\"`confidential`\"\u003e`confidential`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`public`\" pulumi-lang-dotnet=\"`Public`\" pulumi-lang-go=\"`public`\" pulumi-lang-python=\"`public`\" pulumi-lang-yaml=\"`public`\" pulumi-lang-java=\"`public`\"\u003e`public`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`confidential`\" pulumi-lang-dotnet=\"`Confidential`\" pulumi-lang-go=\"`confidential`\" pulumi-lang-python=\"`confidential`\" pulumi-lang-yaml=\"`confidential`\" pulumi-lang-java=\"`confidential`\"\u003e`confidential`\u003c/span\u003e.\n"},"idTokenTtl":{"type":"integer","description":"The time-to-live for ID tokens obtained by the client. \nThe value should be less than the \u003cspan pulumi-lang-nodejs=\"`verificationTtl`\" pulumi-lang-dotnet=\"`VerificationTtl`\" pulumi-lang-go=\"`verificationTtl`\" pulumi-lang-python=\"`verification_ttl`\" pulumi-lang-yaml=\"`verificationTtl`\" pulumi-lang-java=\"`verificationTtl`\"\u003e`verification_ttl`\u003c/span\u003e on the key.\n"},"key":{"type":"string","description":"A reference to a named key resource in Vault.\nThis cannot be modified after creation. If not provided, the \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e\nkey is used.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"The name of the client.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"redirectUris":{"type":"array","items":{"type":"string"},"description":"Redirection URI values used by the client. \nOne of these values must exactly match the \u003cspan pulumi-lang-nodejs=\"`redirectUri`\" pulumi-lang-dotnet=\"`RedirectUri`\" pulumi-lang-go=\"`redirectUri`\" pulumi-lang-python=\"`redirect_uri`\" pulumi-lang-yaml=\"`redirectUri`\" pulumi-lang-java=\"`redirectUri`\"\u003e`redirect_uri`\u003c/span\u003e parameter value\nused in each authentication request.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering OidcClient resources.\n","properties":{"accessTokenTtl":{"type":"integer","description":"The time-to-live for access tokens obtained by the client.\n"},"assignments":{"type":"array","items":{"type":"string"},"description":"A list of assignment resources associated with the client.\n"},"clientId":{"type":"string","description":"The Client ID returned by Vault.\n"},"clientSecret":{"type":"string","description":"The Client Secret Key returned by Vault.\nFor public OpenID Clients \u003cspan pulumi-lang-nodejs=\"`clientSecret`\" pulumi-lang-dotnet=\"`ClientSecret`\" pulumi-lang-go=\"`clientSecret`\" pulumi-lang-python=\"`client_secret`\" pulumi-lang-yaml=\"`clientSecret`\" pulumi-lang-java=\"`clientSecret`\"\u003e`client_secret`\u003c/span\u003e is set to an empty string `\"\"`\n","secret":true},"clientType":{"type":"string","description":"The client type based on its ability to maintain confidentiality of credentials.\nThe following client types are supported: \u003cspan pulumi-lang-nodejs=\"`confidential`\" pulumi-lang-dotnet=\"`Confidential`\" pulumi-lang-go=\"`confidential`\" pulumi-lang-python=\"`confidential`\" pulumi-lang-yaml=\"`confidential`\" pulumi-lang-java=\"`confidential`\"\u003e`confidential`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`public`\" pulumi-lang-dotnet=\"`Public`\" pulumi-lang-go=\"`public`\" pulumi-lang-python=\"`public`\" pulumi-lang-yaml=\"`public`\" pulumi-lang-java=\"`public`\"\u003e`public`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`confidential`\" pulumi-lang-dotnet=\"`Confidential`\" pulumi-lang-go=\"`confidential`\" pulumi-lang-python=\"`confidential`\" pulumi-lang-yaml=\"`confidential`\" pulumi-lang-java=\"`confidential`\"\u003e`confidential`\u003c/span\u003e.\n"},"idTokenTtl":{"type":"integer","description":"The time-to-live for ID tokens obtained by the client. \nThe value should be less than the \u003cspan pulumi-lang-nodejs=\"`verificationTtl`\" pulumi-lang-dotnet=\"`VerificationTtl`\" pulumi-lang-go=\"`verificationTtl`\" pulumi-lang-python=\"`verification_ttl`\" pulumi-lang-yaml=\"`verificationTtl`\" pulumi-lang-java=\"`verificationTtl`\"\u003e`verification_ttl`\u003c/span\u003e on the key.\n"},"key":{"type":"string","description":"A reference to a named key resource in Vault.\nThis cannot be modified after creation. If not provided, the \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e\nkey is used.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"The name of the client.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"redirectUris":{"type":"array","items":{"type":"string"},"description":"Redirection URI values used by the client. \nOne of these values must exactly match the \u003cspan pulumi-lang-nodejs=\"`redirectUri`\" pulumi-lang-dotnet=\"`RedirectUri`\" pulumi-lang-go=\"`redirectUri`\" pulumi-lang-python=\"`redirect_uri`\" pulumi-lang-yaml=\"`redirectUri`\" pulumi-lang-java=\"`redirectUri`\"\u003e`redirect_uri`\u003c/span\u003e parameter value\nused in each authentication request.\n"}},"type":"object"}},"vault:identity/oidcKey:OidcKey":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst key = new vault.identity.OidcKey(\"key\", {\n    name: \"key\",\n    algorithm: \"RS256\",\n});\nconst role = new vault.identity.OidcRole(\"role\", {\n    name: \"role\",\n    key: key.name,\n});\nconst roleOidcKeyAllowedClientID = new vault.identity.OidcKeyAllowedClientID(\"role\", {\n    keyName: key.name,\n    allowedClientId: role.clientId,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkey = vault.identity.OidcKey(\"key\",\n    name=\"key\",\n    algorithm=\"RS256\")\nrole = vault.identity.OidcRole(\"role\",\n    name=\"role\",\n    key=key.name)\nrole_oidc_key_allowed_client_id = vault.identity.OidcKeyAllowedClientID(\"role\",\n    key_name=key.name,\n    allowed_client_id=role.client_id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var key = new Vault.Identity.OidcKey(\"key\", new()\n    {\n        Name = \"key\",\n        Algorithm = \"RS256\",\n    });\n\n    var role = new Vault.Identity.OidcRole(\"role\", new()\n    {\n        Name = \"role\",\n        Key = key.Name,\n    });\n\n    var roleOidcKeyAllowedClientID = new Vault.Identity.OidcKeyAllowedClientID(\"role\", new()\n    {\n        KeyName = key.Name,\n        AllowedClientId = role.ClientId,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkey, err := identity.NewOidcKey(ctx, \"key\", \u0026identity.OidcKeyArgs{\n\t\t\tName:      pulumi.String(\"key\"),\n\t\t\tAlgorithm: pulumi.String(\"RS256\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := identity.NewOidcRole(ctx, \"role\", \u0026identity.OidcRoleArgs{\n\t\t\tName: pulumi.String(\"role\"),\n\t\t\tKey:  key.Name,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewOidcKeyAllowedClientID(ctx, \"role\", \u0026identity.OidcKeyAllowedClientIDArgs{\n\t\t\tKeyName:         key.Name,\n\t\t\tAllowedClientId: role.ClientId,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcKey;\nimport com.pulumi.vault.identity.OidcKeyArgs;\nimport com.pulumi.vault.identity.OidcRole;\nimport com.pulumi.vault.identity.OidcRoleArgs;\nimport com.pulumi.vault.identity.OidcKeyAllowedClientID;\nimport com.pulumi.vault.identity.OidcKeyAllowedClientIDArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var key = new OidcKey(\"key\", OidcKeyArgs.builder()\n            .name(\"key\")\n            .algorithm(\"RS256\")\n            .build());\n\n        var role = new OidcRole(\"role\", OidcRoleArgs.builder()\n            .name(\"role\")\n            .key(key.name())\n            .build());\n\n        var roleOidcKeyAllowedClientID = new OidcKeyAllowedClientID(\"roleOidcKeyAllowedClientID\", OidcKeyAllowedClientIDArgs.builder()\n            .keyName(key.name())\n            .allowedClientId(role.clientId())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  key:\n    type: vault:identity:OidcKey\n    properties:\n      name: key\n      algorithm: RS256\n  role:\n    type: vault:identity:OidcRole\n    properties:\n      name: role\n      key: ${key.name}\n  roleOidcKeyAllowedClientID:\n    type: vault:identity:OidcKeyAllowedClientID\n    name: role\n    properties:\n      keyName: ${key.name}\n      allowedClientId: ${role.clientId}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe key can be imported with the key name, for example:\n\n```sh\n$ pulumi import vault:identity/oidcKey:OidcKey key key\n```\n","properties":{"algorithm":{"type":"string","description":"Signing algorithm to use. Signing algorithm to use.\nAllowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.\n"},"allowedClientIds":{"type":"array","items":{"type":"string"},"description":"Array of role client ID allowed to use this key for signing. If\nempty, no roles are allowed. If `[\"*\"]`, all roles are allowed.\n"},"name":{"type":"string","description":"Name of the OIDC Key to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"rotationPeriod":{"type":"integer","description":"How often to generate a new signing key in number of seconds\n"},"verificationTtl":{"type":"integer","description":"\"Controls how long the public portion of a signing key will be\navailable for verification after being rotated in seconds.\n"}},"required":["allowedClientIds","name"],"inputProperties":{"algorithm":{"type":"string","description":"Signing algorithm to use. Signing algorithm to use.\nAllowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.\n"},"allowedClientIds":{"type":"array","items":{"type":"string"},"description":"Array of role client ID allowed to use this key for signing. If\nempty, no roles are allowed. If `[\"*\"]`, all roles are allowed.\n"},"name":{"type":"string","description":"Name of the OIDC Key to create.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"rotationPeriod":{"type":"integer","description":"How often to generate a new signing key in number of seconds\n"},"verificationTtl":{"type":"integer","description":"\"Controls how long the public portion of a signing key will be\navailable for verification after being rotated in seconds.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering OidcKey resources.\n","properties":{"algorithm":{"type":"string","description":"Signing algorithm to use. Signing algorithm to use.\nAllowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.\n"},"allowedClientIds":{"type":"array","items":{"type":"string"},"description":"Array of role client ID allowed to use this key for signing. If\nempty, no roles are allowed. If `[\"*\"]`, all roles are allowed.\n"},"name":{"type":"string","description":"Name of the OIDC Key to create.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"rotationPeriod":{"type":"integer","description":"How often to generate a new signing key in number of seconds\n"},"verificationTtl":{"type":"integer","description":"\"Controls how long the public portion of a signing key will be\navailable for verification after being rotated in seconds.\n"}},"type":"object"}},"vault:identity/oidcKeyAllowedClientID:OidcKeyAllowedClientID":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst key = new vault.identity.OidcKey(\"key\", {\n    name: \"key\",\n    algorithm: \"RS256\",\n});\nconst role = new vault.identity.OidcRole(\"role\", {\n    name: \"role\",\n    key: key.name,\n});\nconst roleOidcKeyAllowedClientID = new vault.identity.OidcKeyAllowedClientID(\"role\", {\n    keyName: key.name,\n    allowedClientId: role.clientId,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkey = vault.identity.OidcKey(\"key\",\n    name=\"key\",\n    algorithm=\"RS256\")\nrole = vault.identity.OidcRole(\"role\",\n    name=\"role\",\n    key=key.name)\nrole_oidc_key_allowed_client_id = vault.identity.OidcKeyAllowedClientID(\"role\",\n    key_name=key.name,\n    allowed_client_id=role.client_id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var key = new Vault.Identity.OidcKey(\"key\", new()\n    {\n        Name = \"key\",\n        Algorithm = \"RS256\",\n    });\n\n    var role = new Vault.Identity.OidcRole(\"role\", new()\n    {\n        Name = \"role\",\n        Key = key.Name,\n    });\n\n    var roleOidcKeyAllowedClientID = new Vault.Identity.OidcKeyAllowedClientID(\"role\", new()\n    {\n        KeyName = key.Name,\n        AllowedClientId = role.ClientId,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkey, err := identity.NewOidcKey(ctx, \"key\", \u0026identity.OidcKeyArgs{\n\t\t\tName:      pulumi.String(\"key\"),\n\t\t\tAlgorithm: pulumi.String(\"RS256\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := identity.NewOidcRole(ctx, \"role\", \u0026identity.OidcRoleArgs{\n\t\t\tName: pulumi.String(\"role\"),\n\t\t\tKey:  key.Name,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewOidcKeyAllowedClientID(ctx, \"role\", \u0026identity.OidcKeyAllowedClientIDArgs{\n\t\t\tKeyName:         key.Name,\n\t\t\tAllowedClientId: role.ClientId,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcKey;\nimport com.pulumi.vault.identity.OidcKeyArgs;\nimport com.pulumi.vault.identity.OidcRole;\nimport com.pulumi.vault.identity.OidcRoleArgs;\nimport com.pulumi.vault.identity.OidcKeyAllowedClientID;\nimport com.pulumi.vault.identity.OidcKeyAllowedClientIDArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var key = new OidcKey(\"key\", OidcKeyArgs.builder()\n            .name(\"key\")\n            .algorithm(\"RS256\")\n            .build());\n\n        var role = new OidcRole(\"role\", OidcRoleArgs.builder()\n            .name(\"role\")\n            .key(key.name())\n            .build());\n\n        var roleOidcKeyAllowedClientID = new OidcKeyAllowedClientID(\"roleOidcKeyAllowedClientID\", OidcKeyAllowedClientIDArgs.builder()\n            .keyName(key.name())\n            .allowedClientId(role.clientId())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  key:\n    type: vault:identity:OidcKey\n    properties:\n      name: key\n      algorithm: RS256\n  role:\n    type: vault:identity:OidcRole\n    properties:\n      name: role\n      key: ${key.name}\n  roleOidcKeyAllowedClientID:\n    type: vault:identity:OidcKeyAllowedClientID\n    name: role\n    properties:\n      keyName: ${key.name}\n      allowedClientId: ${role.clientId}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"allowedClientId":{"type":"string","description":"Client ID to allow usage with the OIDC named key\n"},"keyName":{"type":"string","description":"Name of the OIDC Key allow the Client ID.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["allowedClientId","keyName"],"inputProperties":{"allowedClientId":{"type":"string","description":"Client ID to allow usage with the OIDC named key\n","willReplaceOnChanges":true},"keyName":{"type":"string","description":"Name of the OIDC Key allow the Client ID.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["allowedClientId","keyName"],"stateInputs":{"description":"Input properties used for looking up and filtering OidcKeyAllowedClientID resources.\n","properties":{"allowedClientId":{"type":"string","description":"Client ID to allow usage with the OIDC named key\n","willReplaceOnChanges":true},"keyName":{"type":"string","description":"Name of the OIDC Key allow the Client ID.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:identity/oidcProvider:OidcProvider":{"description":"Manages OIDC Providers in a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/secret/identity/oidc-provider#create-or-update-an-assignment)\nfor more information.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.identity.OidcKey(\"test\", {\n    name: \"my-key\",\n    allowedClientIds: [\"*\"],\n    rotationPeriod: 3600,\n    verificationTtl: 3600,\n});\nconst testOidcAssignment = new vault.identity.OidcAssignment(\"test\", {\n    name: \"my-assignment\",\n    entityIds: [\"fake-ascbascas-2231a-sdfaa\"],\n    groupIds: [\"fake-sajkdsad-32414-sfsada\"],\n});\nconst testOidcClient = new vault.identity.OidcClient(\"test\", {\n    name: \"application\",\n    key: test.name,\n    redirectUris: [\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    assignments: [testOidcAssignment.name],\n    idTokenTtl: 2400,\n    accessTokenTtl: 7200,\n});\nconst testOidcScope = new vault.identity.OidcScope(\"test\", {\n    name: \"groups\",\n    template: JSON.stringify({\n        groups: \"{{identity.entity.groups.names}}\",\n    }),\n    description: \"Groups scope.\",\n});\nconst testOidcProvider = new vault.identity.OidcProvider(\"test\", {\n    name: \"my-provider\",\n    httpsEnabled: false,\n    issuerHost: \"127.0.0.1:8200\",\n    allowedClientIds: [testOidcClient.clientId],\n    scopesSupporteds: [testOidcScope.name],\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\ntest = vault.identity.OidcKey(\"test\",\n    name=\"my-key\",\n    allowed_client_ids=[\"*\"],\n    rotation_period=3600,\n    verification_ttl=3600)\ntest_oidc_assignment = vault.identity.OidcAssignment(\"test\",\n    name=\"my-assignment\",\n    entity_ids=[\"fake-ascbascas-2231a-sdfaa\"],\n    group_ids=[\"fake-sajkdsad-32414-sfsada\"])\ntest_oidc_client = vault.identity.OidcClient(\"test\",\n    name=\"application\",\n    key=test.name,\n    redirect_uris=[\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    assignments=[test_oidc_assignment.name],\n    id_token_ttl=2400,\n    access_token_ttl=7200)\ntest_oidc_scope = vault.identity.OidcScope(\"test\",\n    name=\"groups\",\n    template=json.dumps({\n        \"groups\": \"{{identity.entity.groups.names}}\",\n    }),\n    description=\"Groups scope.\")\ntest_oidc_provider = vault.identity.OidcProvider(\"test\",\n    name=\"my-provider\",\n    https_enabled=False,\n    issuer_host=\"127.0.0.1:8200\",\n    allowed_client_ids=[test_oidc_client.client_id],\n    scopes_supporteds=[test_oidc_scope.name])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.Identity.OidcKey(\"test\", new()\n    {\n        Name = \"my-key\",\n        AllowedClientIds = new[]\n        {\n            \"*\",\n        },\n        RotationPeriod = 3600,\n        VerificationTtl = 3600,\n    });\n\n    var testOidcAssignment = new Vault.Identity.OidcAssignment(\"test\", new()\n    {\n        Name = \"my-assignment\",\n        EntityIds = new[]\n        {\n            \"fake-ascbascas-2231a-sdfaa\",\n        },\n        GroupIds = new[]\n        {\n            \"fake-sajkdsad-32414-sfsada\",\n        },\n    });\n\n    var testOidcClient = new Vault.Identity.OidcClient(\"test\", new()\n    {\n        Name = \"application\",\n        Key = test.Name,\n        RedirectUris = new[]\n        {\n            \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n            \"http://127.0.0.1:8251/callback\",\n            \"http://127.0.0.1:8080/callback\",\n        },\n        Assignments = new[]\n        {\n            testOidcAssignment.Name,\n        },\n        IdTokenTtl = 2400,\n        AccessTokenTtl = 7200,\n    });\n\n    var testOidcScope = new Vault.Identity.OidcScope(\"test\", new()\n    {\n        Name = \"groups\",\n        Template = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"groups\"] = \"{{identity.entity.groups.names}}\",\n        }),\n        Description = \"Groups scope.\",\n    });\n\n    var testOidcProvider = new Vault.Identity.OidcProvider(\"test\", new()\n    {\n        Name = \"my-provider\",\n        HttpsEnabled = false,\n        IssuerHost = \"127.0.0.1:8200\",\n        AllowedClientIds = new[]\n        {\n            testOidcClient.ClientId,\n        },\n        ScopesSupporteds = new[]\n        {\n            testOidcScope.Name,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttest, err := identity.NewOidcKey(ctx, \"test\", \u0026identity.OidcKeyArgs{\n\t\t\tName: pulumi.String(\"my-key\"),\n\t\t\tAllowedClientIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tRotationPeriod:  pulumi.Int(3600),\n\t\t\tVerificationTtl: pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttestOidcAssignment, err := identity.NewOidcAssignment(ctx, \"test\", \u0026identity.OidcAssignmentArgs{\n\t\t\tName: pulumi.String(\"my-assignment\"),\n\t\t\tEntityIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"fake-ascbascas-2231a-sdfaa\"),\n\t\t\t},\n\t\t\tGroupIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"fake-sajkdsad-32414-sfsada\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttestOidcClient, err := identity.NewOidcClient(ctx, \"test\", \u0026identity.OidcClientArgs{\n\t\t\tName: pulumi.String(\"application\"),\n\t\t\tKey:  test.Name,\n\t\t\tRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8251/callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8080/callback\"),\n\t\t\t},\n\t\t\tAssignments: pulumi.StringArray{\n\t\t\t\ttestOidcAssignment.Name,\n\t\t\t},\n\t\t\tIdTokenTtl:     pulumi.Int(2400),\n\t\t\tAccessTokenTtl: pulumi.Int(7200),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"groups\": \"{{identity.entity.groups.names}}\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\ttestOidcScope, err := identity.NewOidcScope(ctx, \"test\", \u0026identity.OidcScopeArgs{\n\t\t\tName:        pulumi.String(\"groups\"),\n\t\t\tTemplate:    pulumi.String(json0),\n\t\t\tDescription: pulumi.String(\"Groups scope.\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewOidcProvider(ctx, \"test\", \u0026identity.OidcProviderArgs{\n\t\t\tName:         pulumi.String(\"my-provider\"),\n\t\t\tHttpsEnabled: pulumi.Bool(false),\n\t\t\tIssuerHost:   pulumi.String(\"127.0.0.1:8200\"),\n\t\t\tAllowedClientIds: pulumi.StringArray{\n\t\t\t\ttestOidcClient.ClientId,\n\t\t\t},\n\t\t\tScopesSupporteds: pulumi.StringArray{\n\t\t\t\ttestOidcScope.Name,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcKey;\nimport com.pulumi.vault.identity.OidcKeyArgs;\nimport com.pulumi.vault.identity.OidcAssignment;\nimport com.pulumi.vault.identity.OidcAssignmentArgs;\nimport com.pulumi.vault.identity.OidcClient;\nimport com.pulumi.vault.identity.OidcClientArgs;\nimport com.pulumi.vault.identity.OidcScope;\nimport com.pulumi.vault.identity.OidcScopeArgs;\nimport com.pulumi.vault.identity.OidcProvider;\nimport com.pulumi.vault.identity.OidcProviderArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new OidcKey(\"test\", OidcKeyArgs.builder()\n            .name(\"my-key\")\n            .allowedClientIds(\"*\")\n            .rotationPeriod(3600)\n            .verificationTtl(3600)\n            .build());\n\n        var testOidcAssignment = new OidcAssignment(\"testOidcAssignment\", OidcAssignmentArgs.builder()\n            .name(\"my-assignment\")\n            .entityIds(\"fake-ascbascas-2231a-sdfaa\")\n            .groupIds(\"fake-sajkdsad-32414-sfsada\")\n            .build());\n\n        var testOidcClient = new OidcClient(\"testOidcClient\", OidcClientArgs.builder()\n            .name(\"application\")\n            .key(test.name())\n            .redirectUris(            \n                \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n                \"http://127.0.0.1:8251/callback\",\n                \"http://127.0.0.1:8080/callback\")\n            .assignments(testOidcAssignment.name())\n            .idTokenTtl(2400)\n            .accessTokenTtl(7200)\n            .build());\n\n        var testOidcScope = new OidcScope(\"testOidcScope\", OidcScopeArgs.builder()\n            .name(\"groups\")\n            .template(serializeJson(\n                jsonObject(\n                    jsonProperty(\"groups\", \"{{identity.entity.groups.names}}\")\n                )))\n            .description(\"Groups scope.\")\n            .build());\n\n        var testOidcProvider = new OidcProvider(\"testOidcProvider\", OidcProviderArgs.builder()\n            .name(\"my-provider\")\n            .httpsEnabled(false)\n            .issuerHost(\"127.0.0.1:8200\")\n            .allowedClientIds(testOidcClient.clientId())\n            .scopesSupporteds(testOidcScope.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:identity:OidcKey\n    properties:\n      name: my-key\n      allowedClientIds:\n        - '*'\n      rotationPeriod: 3600\n      verificationTtl: 3600\n  testOidcAssignment:\n    type: vault:identity:OidcAssignment\n    name: test\n    properties:\n      name: my-assignment\n      entityIds:\n        - fake-ascbascas-2231a-sdfaa\n      groupIds:\n        - fake-sajkdsad-32414-sfsada\n  testOidcClient:\n    type: vault:identity:OidcClient\n    name: test\n    properties:\n      name: application\n      key: ${test.name}\n      redirectUris:\n        - http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\n        - http://127.0.0.1:8251/callback\n        - http://127.0.0.1:8080/callback\n      assignments:\n        - ${testOidcAssignment.name}\n      idTokenTtl: 2400\n      accessTokenTtl: 7200\n  testOidcScope:\n    type: vault:identity:OidcScope\n    name: test\n    properties:\n      name: groups\n      template:\n        fn::toJSON:\n          groups: '{{identity.entity.groups.names}}'\n      description: Groups scope.\n  testOidcProvider:\n    type: vault:identity:OidcProvider\n    name: test\n    properties:\n      name: my-provider\n      httpsEnabled: false\n      issuerHost: 127.0.0.1:8200\n      allowedClientIds:\n        - ${testOidcClient.clientId}\n      scopesSupporteds:\n        - ${testOidcScope.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nOIDC Providers can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:identity/oidcProvider:OidcProvider test my-provider\n```\n","properties":{"allowedClientIds":{"type":"array","items":{"type":"string"},"description":"The client IDs that are permitted to use the provider. \nIf empty, no clients are allowed. If `*`, all clients are allowed.\n"},"httpsEnabled":{"type":"boolean","description":"Set to true if the issuer endpoint uses HTTPS.\n"},"issuer":{"type":"string","description":"Specifies what will be used as the `scheme://host:port`\ncomponent for the \u003cspan pulumi-lang-nodejs=\"`iss`\" pulumi-lang-dotnet=\"`Iss`\" pulumi-lang-go=\"`iss`\" pulumi-lang-python=\"`iss`\" pulumi-lang-yaml=\"`iss`\" pulumi-lang-java=\"`iss`\"\u003e`iss`\u003c/span\u003e claim of ID tokens. This value is computed using the\n\u003cspan pulumi-lang-nodejs=\"`issuerHost`\" pulumi-lang-dotnet=\"`IssuerHost`\" pulumi-lang-go=\"`issuerHost`\" pulumi-lang-python=\"`issuer_host`\" pulumi-lang-yaml=\"`issuerHost`\" pulumi-lang-java=\"`issuerHost`\"\u003e`issuer_host`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`httpsEnabled`\" pulumi-lang-dotnet=\"`HttpsEnabled`\" pulumi-lang-go=\"`httpsEnabled`\" pulumi-lang-python=\"`https_enabled`\" pulumi-lang-yaml=\"`httpsEnabled`\" pulumi-lang-java=\"`httpsEnabled`\"\u003e`https_enabled`\u003c/span\u003e fields.\n"},"issuerHost":{"type":"string","description":"The host for the issuer. Can be either host or host:port.\n"},"name":{"type":"string","description":"The name of the provider.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"scopesSupporteds":{"type":"array","items":{"type":"string"},"description":"The scopes available for requesting on the provider.\n"}},"required":["issuer","name"],"inputProperties":{"allowedClientIds":{"type":"array","items":{"type":"string"},"description":"The client IDs that are permitted to use the provider. \nIf empty, no clients are allowed. If `*`, all clients are allowed.\n"},"httpsEnabled":{"type":"boolean","description":"Set to true if the issuer endpoint uses HTTPS.\n"},"issuerHost":{"type":"string","description":"The host for the issuer. Can be either host or host:port.\n"},"name":{"type":"string","description":"The name of the provider.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"scopesSupporteds":{"type":"array","items":{"type":"string"},"description":"The scopes available for requesting on the provider.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering OidcProvider resources.\n","properties":{"allowedClientIds":{"type":"array","items":{"type":"string"},"description":"The client IDs that are permitted to use the provider. \nIf empty, no clients are allowed. If `*`, all clients are allowed.\n"},"httpsEnabled":{"type":"boolean","description":"Set to true if the issuer endpoint uses HTTPS.\n"},"issuer":{"type":"string","description":"Specifies what will be used as the `scheme://host:port`\ncomponent for the \u003cspan pulumi-lang-nodejs=\"`iss`\" pulumi-lang-dotnet=\"`Iss`\" pulumi-lang-go=\"`iss`\" pulumi-lang-python=\"`iss`\" pulumi-lang-yaml=\"`iss`\" pulumi-lang-java=\"`iss`\"\u003e`iss`\u003c/span\u003e claim of ID tokens. This value is computed using the\n\u003cspan pulumi-lang-nodejs=\"`issuerHost`\" pulumi-lang-dotnet=\"`IssuerHost`\" pulumi-lang-go=\"`issuerHost`\" pulumi-lang-python=\"`issuer_host`\" pulumi-lang-yaml=\"`issuerHost`\" pulumi-lang-java=\"`issuerHost`\"\u003e`issuer_host`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`httpsEnabled`\" pulumi-lang-dotnet=\"`HttpsEnabled`\" pulumi-lang-go=\"`httpsEnabled`\" pulumi-lang-python=\"`https_enabled`\" pulumi-lang-yaml=\"`httpsEnabled`\" pulumi-lang-java=\"`httpsEnabled`\"\u003e`https_enabled`\u003c/span\u003e fields.\n"},"issuerHost":{"type":"string","description":"The host for the issuer. Can be either host or host:port.\n"},"name":{"type":"string","description":"The name of the provider.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"scopesSupporteds":{"type":"array","items":{"type":"string"},"description":"The scopes available for requesting on the provider.\n"}},"type":"object"}},"vault:identity/oidcRole:OidcRole":{"description":"## Example Usage\n\nYou need to create a role with a named key.\nAt creation time, the key can be created independently of the role. However, the key must\nexist before the role can be used to issue tokens. You must also configure the key with the\nrole's Client ID to allow the role to use the key.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new pulumi.Config();\n// Name of the OIDC Key\nconst key = config.get(\"key\") || \"key\";\nconst role = new vault.identity.OidcRole(\"role\", {\n    name: \"role\",\n    key: key,\n});\nconst keyOidcKey = new vault.identity.OidcKey(\"key\", {\n    name: key,\n    algorithm: \"RS256\",\n    allowedClientIds: [role.clientId],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = pulumi.Config()\n# Name of the OIDC Key\nkey = config.get(\"key\")\nif key is None:\n    key = \"key\"\nrole = vault.identity.OidcRole(\"role\",\n    name=\"role\",\n    key=key)\nkey_oidc_key = vault.identity.OidcKey(\"key\",\n    name=key,\n    algorithm=\"RS256\",\n    allowed_client_ids=[role.client_id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Config();\n    // Name of the OIDC Key\n    var key = config.Get(\"key\") ?? \"key\";\n    var role = new Vault.Identity.OidcRole(\"role\", new()\n    {\n        Name = \"role\",\n        Key = key,\n    });\n\n    var keyOidcKey = new Vault.Identity.OidcKey(\"key\", new()\n    {\n        Name = key,\n        Algorithm = \"RS256\",\n        AllowedClientIds = new[]\n        {\n            role.ClientId,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcfg := config.New(ctx, \"\")\n\t\t// Name of the OIDC Key\n\t\tkey := \"key\"\n\t\tif param := cfg.Get(\"key\"); param != \"\" {\n\t\t\tkey = param\n\t\t}\n\t\trole, err := identity.NewOidcRole(ctx, \"role\", \u0026identity.OidcRoleArgs{\n\t\t\tName: pulumi.String(\"role\"),\n\t\t\tKey:  pulumi.String(key),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewOidcKey(ctx, \"key\", \u0026identity.OidcKeyArgs{\n\t\t\tName:      pulumi.String(key),\n\t\t\tAlgorithm: pulumi.String(\"RS256\"),\n\t\t\tAllowedClientIds: pulumi.StringArray{\n\t\t\t\trole.ClientId,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcRole;\nimport com.pulumi.vault.identity.OidcRoleArgs;\nimport com.pulumi.vault.identity.OidcKey;\nimport com.pulumi.vault.identity.OidcKeyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var config = ctx.config();\n        final var key = config.get(\"key\").orElse(\"key\");\n        var role = new OidcRole(\"role\", OidcRoleArgs.builder()\n            .name(\"role\")\n            .key(key)\n            .build());\n\n        var keyOidcKey = new OidcKey(\"keyOidcKey\", OidcKeyArgs.builder()\n            .name(key)\n            .algorithm(\"RS256\")\n            .allowedClientIds(role.clientId())\n            .build());\n\n    }\n}\n```\n```yaml\nconfiguration:\n  key:\n    type: string\n    default: key\nresources:\n  keyOidcKey:\n    type: vault:identity:OidcKey\n    name: key\n    properties:\n      name: ${key}\n      algorithm: RS256\n      allowedClientIds:\n        - ${role.clientId}\n  role:\n    type: vault:identity:OidcRole\n    properties:\n      name: role\n      key: ${key}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\nIf you want to create the key first before creating the role, you can use a separate\nresource to configure the allowed Client ID on\nthe key.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst key = new vault.identity.OidcKey(\"key\", {\n    name: \"key\",\n    algorithm: \"RS256\",\n});\nconst role = new vault.identity.OidcRole(\"role\", {\n    name: \"role\",\n    key: key.name,\n});\nconst roleOidcKeyAllowedClientID = new vault.identity.OidcKeyAllowedClientID(\"role\", {\n    keyName: key.name,\n    allowedClientId: role.clientId,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkey = vault.identity.OidcKey(\"key\",\n    name=\"key\",\n    algorithm=\"RS256\")\nrole = vault.identity.OidcRole(\"role\",\n    name=\"role\",\n    key=key.name)\nrole_oidc_key_allowed_client_id = vault.identity.OidcKeyAllowedClientID(\"role\",\n    key_name=key.name,\n    allowed_client_id=role.client_id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var key = new Vault.Identity.OidcKey(\"key\", new()\n    {\n        Name = \"key\",\n        Algorithm = \"RS256\",\n    });\n\n    var role = new Vault.Identity.OidcRole(\"role\", new()\n    {\n        Name = \"role\",\n        Key = key.Name,\n    });\n\n    var roleOidcKeyAllowedClientID = new Vault.Identity.OidcKeyAllowedClientID(\"role\", new()\n    {\n        KeyName = key.Name,\n        AllowedClientId = role.ClientId,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkey, err := identity.NewOidcKey(ctx, \"key\", \u0026identity.OidcKeyArgs{\n\t\t\tName:      pulumi.String(\"key\"),\n\t\t\tAlgorithm: pulumi.String(\"RS256\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := identity.NewOidcRole(ctx, \"role\", \u0026identity.OidcRoleArgs{\n\t\t\tName: pulumi.String(\"role\"),\n\t\t\tKey:  key.Name,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewOidcKeyAllowedClientID(ctx, \"role\", \u0026identity.OidcKeyAllowedClientIDArgs{\n\t\t\tKeyName:         key.Name,\n\t\t\tAllowedClientId: role.ClientId,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcKey;\nimport com.pulumi.vault.identity.OidcKeyArgs;\nimport com.pulumi.vault.identity.OidcRole;\nimport com.pulumi.vault.identity.OidcRoleArgs;\nimport com.pulumi.vault.identity.OidcKeyAllowedClientID;\nimport com.pulumi.vault.identity.OidcKeyAllowedClientIDArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var key = new OidcKey(\"key\", OidcKeyArgs.builder()\n            .name(\"key\")\n            .algorithm(\"RS256\")\n            .build());\n\n        var role = new OidcRole(\"role\", OidcRoleArgs.builder()\n            .name(\"role\")\n            .key(key.name())\n            .build());\n\n        var roleOidcKeyAllowedClientID = new OidcKeyAllowedClientID(\"roleOidcKeyAllowedClientID\", OidcKeyAllowedClientIDArgs.builder()\n            .keyName(key.name())\n            .allowedClientId(role.clientId())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  key:\n    type: vault:identity:OidcKey\n    properties:\n      name: key\n      algorithm: RS256\n  role:\n    type: vault:identity:OidcRole\n    properties:\n      name: role\n      key: ${key.name}\n  roleOidcKeyAllowedClientID:\n    type: vault:identity:OidcKeyAllowedClientID\n    name: role\n    properties:\n      keyName: ${key.name}\n      allowedClientId: ${role.clientId}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe key can be imported with the role name, for example:\n\n```sh\n$ pulumi import vault:identity/oidcRole:OidcRole role role\n```\n","properties":{"clientId":{"type":"string","description":"The value that will be included in the \u003cspan pulumi-lang-nodejs=\"`aud`\" pulumi-lang-dotnet=\"`Aud`\" pulumi-lang-go=\"`aud`\" pulumi-lang-python=\"`aud`\" pulumi-lang-yaml=\"`aud`\" pulumi-lang-java=\"`aud`\"\u003e`aud`\u003c/span\u003e field of all the OIDC identity\ntokens issued by this role\n"},"key":{"type":"string","description":"A configured named key, the key must already exist\nbefore tokens can be issued.\n"},"name":{"type":"string","description":"Name of the OIDC Role to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"template":{"type":"string","description":"The template string to use for generating tokens. This may be in\nstring-ified JSON or base64 format. See the\n[documentation](https://www.vaultproject.io/docs/secrets/identity/index.html#token-contents-and-templates)\nfor the template format.\n"},"ttl":{"type":"integer","description":"TTL of the tokens generated against the role in number of seconds.\n"}},"required":["clientId","key","name"],"inputProperties":{"clientId":{"type":"string","description":"The value that will be included in the \u003cspan pulumi-lang-nodejs=\"`aud`\" pulumi-lang-dotnet=\"`Aud`\" pulumi-lang-go=\"`aud`\" pulumi-lang-python=\"`aud`\" pulumi-lang-yaml=\"`aud`\" pulumi-lang-java=\"`aud`\"\u003e`aud`\u003c/span\u003e field of all the OIDC identity\ntokens issued by this role\n"},"key":{"type":"string","description":"A configured named key, the key must already exist\nbefore tokens can be issued.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"Name of the OIDC Role to create.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"template":{"type":"string","description":"The template string to use for generating tokens. This may be in\nstring-ified JSON or base64 format. See the\n[documentation](https://www.vaultproject.io/docs/secrets/identity/index.html#token-contents-and-templates)\nfor the template format.\n"},"ttl":{"type":"integer","description":"TTL of the tokens generated against the role in number of seconds.\n"}},"requiredInputs":["key"],"stateInputs":{"description":"Input properties used for looking up and filtering OidcRole resources.\n","properties":{"clientId":{"type":"string","description":"The value that will be included in the \u003cspan pulumi-lang-nodejs=\"`aud`\" pulumi-lang-dotnet=\"`Aud`\" pulumi-lang-go=\"`aud`\" pulumi-lang-python=\"`aud`\" pulumi-lang-yaml=\"`aud`\" pulumi-lang-java=\"`aud`\"\u003e`aud`\u003c/span\u003e field of all the OIDC identity\ntokens issued by this role\n"},"key":{"type":"string","description":"A configured named key, the key must already exist\nbefore tokens can be issued.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"Name of the OIDC Role to create.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"template":{"type":"string","description":"The template string to use for generating tokens. This may be in\nstring-ified JSON or base64 format. See the\n[documentation](https://www.vaultproject.io/docs/secrets/identity/index.html#token-contents-and-templates)\nfor the template format.\n"},"ttl":{"type":"integer","description":"TTL of the tokens generated against the role in number of seconds.\n"}},"type":"object"}},"vault:identity/oidcScope:OidcScope":{"description":"Manages OIDC Scopes in a Vault server. See the [Vault documentation](https://www.vaultproject.io/api-docs/secret/identity/oidc-provider#create-or-update-a-scope)\nfor more information.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst groups = new vault.identity.OidcScope(\"groups\", {\n    name: \"groups\",\n    template: \"{\\\"groups\\\":{{identity.entity.groups.names}}}\",\n    description: \"Vault OIDC Groups Scope\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ngroups = vault.identity.OidcScope(\"groups\",\n    name=\"groups\",\n    template=\"{\\\"groups\\\":{{identity.entity.groups.names}}}\",\n    description=\"Vault OIDC Groups Scope\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var groups = new Vault.Identity.OidcScope(\"groups\", new()\n    {\n        Name = \"groups\",\n        Template = \"{\\\"groups\\\":{{identity.entity.groups.names}}}\",\n        Description = \"Vault OIDC Groups Scope\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.NewOidcScope(ctx, \"groups\", \u0026identity.OidcScopeArgs{\n\t\t\tName:        pulumi.String(\"groups\"),\n\t\t\tTemplate:    pulumi.String(\"{\\\"groups\\\":{{identity.entity.groups.names}}}\"),\n\t\t\tDescription: pulumi.String(\"Vault OIDC Groups Scope\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcScope;\nimport com.pulumi.vault.identity.OidcScopeArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var groups = new OidcScope(\"groups\", OidcScopeArgs.builder()\n            .name(\"groups\")\n            .template(\"{\\\"groups\\\":{{identity.entity.groups.names}}}\")\n            .description(\"Vault OIDC Groups Scope\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  groups:\n    type: vault:identity:OidcScope\n    properties:\n      name: groups\n      template: '{\"groups\":{{identity.entity.groups.names}}}'\n      description: Vault OIDC Groups Scope\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nOIDC Scopes can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:identity/oidcScope:OidcScope groups groups\n```\n","properties":{"description":{"type":"string","description":"A description of the scope.\n"},"name":{"type":"string","description":"The name of the scope. The \u003cspan pulumi-lang-nodejs=\"`openid`\" pulumi-lang-dotnet=\"`Openid`\" pulumi-lang-go=\"`openid`\" pulumi-lang-python=\"`openid`\" pulumi-lang-yaml=\"`openid`\" pulumi-lang-java=\"`openid`\"\u003e`openid`\u003c/span\u003e scope name is reserved.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"template":{"type":"string","description":"The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON.\n"}},"required":["name"],"inputProperties":{"description":{"type":"string","description":"A description of the scope.\n"},"name":{"type":"string","description":"The name of the scope. The \u003cspan pulumi-lang-nodejs=\"`openid`\" pulumi-lang-dotnet=\"`Openid`\" pulumi-lang-go=\"`openid`\" pulumi-lang-python=\"`openid`\" pulumi-lang-yaml=\"`openid`\" pulumi-lang-java=\"`openid`\"\u003e`openid`\u003c/span\u003e scope name is reserved.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"template":{"type":"string","description":"The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering OidcScope resources.\n","properties":{"description":{"type":"string","description":"A description of the scope.\n"},"name":{"type":"string","description":"The name of the scope. The \u003cspan pulumi-lang-nodejs=\"`openid`\" pulumi-lang-dotnet=\"`Openid`\" pulumi-lang-go=\"`openid`\" pulumi-lang-python=\"`openid`\" pulumi-lang-yaml=\"`openid`\" pulumi-lang-java=\"`openid`\"\u003e`openid`\u003c/span\u003e scope name is reserved.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"template":{"type":"string","description":"The template string for the scope. This may be provided as escaped JSON or base64 encoded JSON.\n"}},"type":"object"}},"vault:index/audit:Audit":{"description":"## Example Usage\n\n### File Audit Device)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.Audit(\"test\", {\n    type: \"file\",\n    options: {\n        file_path: \"C:/temp/audit.txt\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.Audit(\"test\",\n    type=\"file\",\n    options={\n        \"file_path\": \"C:/temp/audit.txt\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.Audit(\"test\", new()\n    {\n        Type = \"file\",\n        Options = \n        {\n            { \"file_path\", \"C:/temp/audit.txt\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewAudit(ctx, \"test\", \u0026vault.AuditArgs{\n\t\t\tType: pulumi.String(\"file\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"file_path\": pulumi.String(\"C:/temp/audit.txt\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Audit;\nimport com.pulumi.vault.AuditArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new Audit(\"test\", AuditArgs.builder()\n            .type(\"file\")\n            .options(Map.of(\"file_path\", \"C:/temp/audit.txt\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:Audit\n    properties:\n      type: file\n      options:\n        file_path: C:/temp/audit.txt\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n### Socket Audit Device)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.Audit(\"test\", {\n    type: \"socket\",\n    path: \"app_socket\",\n    local: false,\n    options: {\n        address: \"127.0.0.1:8000\",\n        socket_type: \"tcp\",\n        description: \"application x socket\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.Audit(\"test\",\n    type=\"socket\",\n    path=\"app_socket\",\n    local=False,\n    options={\n        \"address\": \"127.0.0.1:8000\",\n        \"socket_type\": \"tcp\",\n        \"description\": \"application x socket\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.Audit(\"test\", new()\n    {\n        Type = \"socket\",\n        Path = \"app_socket\",\n        Local = false,\n        Options = \n        {\n            { \"address\", \"127.0.0.1:8000\" },\n            { \"socket_type\", \"tcp\" },\n            { \"description\", \"application x socket\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewAudit(ctx, \"test\", \u0026vault.AuditArgs{\n\t\t\tType:  pulumi.String(\"socket\"),\n\t\t\tPath:  pulumi.String(\"app_socket\"),\n\t\t\tLocal: pulumi.Bool(false),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"address\":     pulumi.String(\"127.0.0.1:8000\"),\n\t\t\t\t\"socket_type\": pulumi.String(\"tcp\"),\n\t\t\t\t\"description\": pulumi.String(\"application x socket\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Audit;\nimport com.pulumi.vault.AuditArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new Audit(\"test\", AuditArgs.builder()\n            .type(\"socket\")\n            .path(\"app_socket\")\n            .local(false)\n            .options(Map.ofEntries(\n                Map.entry(\"address\", \"127.0.0.1:8000\"),\n                Map.entry(\"socket_type\", \"tcp\"),\n                Map.entry(\"description\", \"application x socket\")\n            ))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:Audit\n    properties:\n      type: socket\n      path: app_socket\n      local: false\n      options:\n        address: 127.0.0.1:8000\n        socket_type: tcp\n        description: application x socket\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAudit devices can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:index/audit:Audit test syslog\n```\n","properties":{"description":{"type":"string","description":"Human-friendly description of the audit device.\n"},"local":{"type":"boolean","description":"Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Configuration options to pass to the audit device itself.\n\nFor a reference of the device types and their options, consult the [Vault documentation.](https://www.vaultproject.io/docs/audit/index.html)\n"},"path":{"type":"string","description":"The path to mount the audit device. This defaults to the type.\n"},"type":{"type":"string","description":"Type of the audit device, such as 'file'.\n"}},"required":["options","path","type"],"inputProperties":{"description":{"type":"string","description":"Human-friendly description of the audit device.\n","willReplaceOnChanges":true},"local":{"type":"boolean","description":"Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Configuration options to pass to the audit device itself.\n\nFor a reference of the device types and their options, consult the [Vault documentation.](https://www.vaultproject.io/docs/audit/index.html)\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path to mount the audit device. This defaults to the type.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Type of the audit device, such as 'file'.\n","willReplaceOnChanges":true}},"requiredInputs":["options","type"],"stateInputs":{"description":"Input properties used for looking up and filtering Audit resources.\n","properties":{"description":{"type":"string","description":"Human-friendly description of the audit device.\n","willReplaceOnChanges":true},"local":{"type":"boolean","description":"Specifies if the audit device is a local only. Local audit devices are not replicated nor (if a secondary) removed by replication.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Configuration options to pass to the audit device itself.\n\nFor a reference of the device types and their options, consult the [Vault documentation.](https://www.vaultproject.io/docs/audit/index.html)\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path to mount the audit device. This defaults to the type.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Type of the audit device, such as 'file'.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:index/auditRequestHeader:AuditRequestHeader":{"description":"Manages additional request headers that appear in audited requests.\n\n\u003e **Note**\nBecause of the way the [sys/config/auditing/request-headers API](https://www.vaultproject.io/api-docs/system/config-auditing)\nis implemented in Vault, this resource will manage existing audited headers with\nmatching names without requiring import.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst xForwardedFor = new vault.AuditRequestHeader(\"x_forwarded_for\", {\n    name: \"X-Forwarded-For\",\n    hmac: false,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nx_forwarded_for = vault.AuditRequestHeader(\"x_forwarded_for\",\n    name=\"X-Forwarded-For\",\n    hmac=False)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var xForwardedFor = new Vault.AuditRequestHeader(\"x_forwarded_for\", new()\n    {\n        Name = \"X-Forwarded-For\",\n        Hmac = false,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewAuditRequestHeader(ctx, \"x_forwarded_for\", \u0026vault.AuditRequestHeaderArgs{\n\t\t\tName: pulumi.String(\"X-Forwarded-For\"),\n\t\t\tHmac: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuditRequestHeader;\nimport com.pulumi.vault.AuditRequestHeaderArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var xForwardedFor = new AuditRequestHeader(\"xForwardedFor\", AuditRequestHeaderArgs.builder()\n            .name(\"X-Forwarded-For\")\n            .hmac(false)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  xForwardedFor:\n    type: vault:AuditRequestHeader\n    name: x_forwarded_for\n    properties:\n      name: X-Forwarded-For\n      hmac: false\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"hmac":{"type":"boolean","description":"Whether this header's value should be HMAC'd in the audit logs.\n"},"name":{"type":"string","description":"The name of the request header to audit.\n"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)"}},"required":["name"],"inputProperties":{"hmac":{"type":"boolean","description":"Whether this header's value should be HMAC'd in the audit logs.\n"},"name":{"type":"string","description":"The name of the request header to audit.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true}},"stateInputs":{"description":"Input properties used for looking up and filtering AuditRequestHeader resources.\n","properties":{"hmac":{"type":"boolean","description":"Whether this header's value should be HMAC'd in the audit logs.\n"},"name":{"type":"string","description":"The name of the request header to audit.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true}},"type":"object"}},"vault:index/authBackend:AuthBackend":{"description":"\n\n## Import\n\nAuth methods can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:index/authBackend:AuthBackend example github\n```\n","properties":{"accessor":{"type":"string","description":"The accessor for this auth method\n"},"description":{"type":"string","description":"A description of the auth method.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"The path to mount the auth method — this defaults to the name of the type.\n"},"tune":{"$ref":"#/types/vault:index/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"type":{"type":"string","description":"The name of the auth method type.\n"}},"required":["accessor","path","tune","type"],"inputProperties":{"description":{"type":"string","description":"A description of the auth method.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path to mount the auth method — this defaults to the name of the type.\n"},"tune":{"$ref":"#/types/vault:index/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"type":{"type":"string","description":"The name of the auth method type.\n","willReplaceOnChanges":true}},"requiredInputs":["type"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackend resources.\n","properties":{"accessor":{"type":"string","description":"The accessor for this auth method\n"},"description":{"type":"string","description":"A description of the auth method.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"identityTokenKey":{"type":"string","description":"The key to use for signing identity tokens."},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path to mount the auth method — this defaults to the name of the type.\n"},"tune":{"$ref":"#/types/vault:index/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"type":{"type":"string","description":"The name of the auth method type.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:index/certAuthBackendRole:CertAuthBackendRole":{"description":"Provides a resource to create a role in an [Cert auth backend within Vault](https://www.vaultproject.io/docs/auth/cert.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst cert = new vault.AuthBackend(\"cert\", {\n    path: \"cert\",\n    type: \"cert\",\n});\nconst certCertAuthBackendRole = new vault.CertAuthBackendRole(\"cert\", {\n    name: \"foo\",\n    certificate: std.file({\n        input: \"/path/to/certs/ca-cert.pem\",\n    }).then(invoke =\u003e invoke.result),\n    backend: cert.path,\n    allowedNames: [\n        \"foo.example.org\",\n        \"baz.example.org\",\n    ],\n    tokenTtl: 300,\n    tokenMaxTtl: 600,\n    tokenPolicies: [\"foo\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\ncert = vault.AuthBackend(\"cert\",\n    path=\"cert\",\n    type=\"cert\")\ncert_cert_auth_backend_role = vault.CertAuthBackendRole(\"cert\",\n    name=\"foo\",\n    certificate=std.file(input=\"/path/to/certs/ca-cert.pem\").result,\n    backend=cert.path,\n    allowed_names=[\n        \"foo.example.org\",\n        \"baz.example.org\",\n    ],\n    token_ttl=300,\n    token_max_ttl=600,\n    token_policies=[\"foo\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var cert = new Vault.AuthBackend(\"cert\", new()\n    {\n        Path = \"cert\",\n        Type = \"cert\",\n    });\n\n    var certCertAuthBackendRole = new Vault.CertAuthBackendRole(\"cert\", new()\n    {\n        Name = \"foo\",\n        Certificate = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/certs/ca-cert.pem\",\n        }).Apply(invoke =\u003e invoke.Result),\n        Backend = cert.Path,\n        AllowedNames = new[]\n        {\n            \"foo.example.org\",\n            \"baz.example.org\",\n        },\n        TokenTtl = 300,\n        TokenMaxTtl = 600,\n        TokenPolicies = new[]\n        {\n            \"foo\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcert, err := vault.NewAuthBackend(ctx, \"cert\", \u0026vault.AuthBackendArgs{\n\t\t\tPath: pulumi.String(\"cert\"),\n\t\t\tType: pulumi.String(\"cert\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/certs/ca-cert.pem\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewCertAuthBackendRole(ctx, \"cert\", \u0026vault.CertAuthBackendRoleArgs{\n\t\t\tName:        pulumi.String(\"foo\"),\n\t\t\tCertificate: pulumi.String(invokeFile.Result),\n\t\t\tBackend:     cert.Path,\n\t\t\tAllowedNames: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"foo.example.org\"),\n\t\t\t\tpulumi.String(\"baz.example.org\"),\n\t\t\t},\n\t\t\tTokenTtl:    pulumi.Int(300),\n\t\t\tTokenMaxTtl: pulumi.Int(600),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"foo\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.CertAuthBackendRole;\nimport com.pulumi.vault.CertAuthBackendRoleArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var cert = new AuthBackend(\"cert\", AuthBackendArgs.builder()\n            .path(\"cert\")\n            .type(\"cert\")\n            .build());\n\n        var certCertAuthBackendRole = new CertAuthBackendRole(\"certCertAuthBackendRole\", CertAuthBackendRoleArgs.builder()\n            .name(\"foo\")\n            .certificate(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/certs/ca-cert.pem\")\n                .build()).result())\n            .backend(cert.path())\n            .allowedNames(            \n                \"foo.example.org\",\n                \"baz.example.org\")\n            .tokenTtl(300)\n            .tokenMaxTtl(600)\n            .tokenPolicies(\"foo\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  cert:\n    type: vault:AuthBackend\n    properties:\n      path: cert\n      type: cert\n  certCertAuthBackendRole:\n    type: vault:CertAuthBackendRole\n    name: cert\n    properties:\n      name: foo\n      certificate:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/certs/ca-cert.pem\n          return: result\n      backend: ${cert.path}\n      allowedNames:\n        - foo.example.org\n        - baz.example.org\n      tokenTtl: 300\n      tokenMaxTtl: 600\n      tokenPolicies:\n        - foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowedCommonNames":{"type":"array","items":{"type":"string"},"description":"Allowed the common names for authenticated client certificates\n"},"allowedDnsSans":{"type":"array","items":{"type":"string"},"description":"Allowed alternative dns names for authenticated client certificates\n"},"allowedEmailSans":{"type":"array","items":{"type":"string"},"description":"Allowed emails for authenticated client certificates\n"},"allowedNames":{"type":"array","items":{"type":"string"},"description":"DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates\n"},"allowedOrganizationalUnits":{"type":"array","items":{"type":"string"},"description":"Allowed organization units for authenticated client certificates.\n"},"allowedUriSans":{"type":"array","items":{"type":"string"},"description":"Allowed URIs for authenticated client certificates\n"},"backend":{"type":"string","description":"Path to the mounted Cert auth backend\n"},"certificate":{"type":"string","description":"CA certificate used to validate client certificates\n"},"displayName":{"type":"string","description":"The name to display on tokens issued under this role.\n"},"name":{"type":"string","description":"Name of the role\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"ocspCaCertificates":{"type":"string","description":"Any additional CA certificates\nneeded to verify OCSP responses. Provided as base64 encoded PEM data.\nRequires Vault version 1.13+.\n"},"ocspEnabled":{"type":"boolean","description":"If enabled, validate certificates'\nrevocation status using OCSP. Requires Vault version 1.13+.\n"},"ocspFailOpen":{"type":"boolean","description":"If true and an OCSP response cannot\nbe fetched or is of an unknown status, the login will proceed as if the\ncertificate has not been revoked.\nRequires Vault version 1.13+.\n"},"ocspMaxRetries":{"type":"integer","description":"The number of retries to attempt when\nconnecting to an OCSP server. Defaults to 4 retries.\nMust be a non-negative value. Requires Vault version 1.16+.\n"},"ocspQueryAllServers":{"type":"boolean","description":"If set to true, rather than\naccepting the first successful OCSP response, query all servers and consider\nthe certificate valid only if all servers agree.\nRequires Vault version 1.13+.\n"},"ocspServersOverrides":{"type":"array","items":{"type":"string"},"description":": A comma-separated list of OCSP\nserver addresses. If unset, the OCSP server is determined from the\nAuthorityInformationAccess extension on the certificate being inspected.\nRequires Vault version 1.13+.\n"},"ocspThisUpdateMaxAge":{"type":"integer","description":"The maximum age in seconds of the\n'thisUpdate' field in an OCSP response before it is considered too old.\nDefaults to 0 (disabled). Must be a non-negative value.\nRequires Vault version 1.16+.\n"},"requiredExtensions":{"type":"array","items":{"type":"string"},"description":"TLS extensions required on\nclient certificates\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["allowedCommonNames","allowedDnsSans","allowedEmailSans","allowedNames","allowedUriSans","certificate","displayName","name","ocspEnabled","ocspFailOpen","ocspQueryAllServers","requiredExtensions"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowedCommonNames":{"type":"array","items":{"type":"string"},"description":"Allowed the common names for authenticated client certificates\n"},"allowedDnsSans":{"type":"array","items":{"type":"string"},"description":"Allowed alternative dns names for authenticated client certificates\n"},"allowedEmailSans":{"type":"array","items":{"type":"string"},"description":"Allowed emails for authenticated client certificates\n"},"allowedNames":{"type":"array","items":{"type":"string"},"description":"DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates\n"},"allowedOrganizationalUnits":{"type":"array","items":{"type":"string"},"description":"Allowed organization units for authenticated client certificates.\n"},"allowedUriSans":{"type":"array","items":{"type":"string"},"description":"Allowed URIs for authenticated client certificates\n"},"backend":{"type":"string","description":"Path to the mounted Cert auth backend\n","willReplaceOnChanges":true},"certificate":{"type":"string","description":"CA certificate used to validate client certificates\n","willReplaceOnChanges":true},"displayName":{"type":"string","description":"The name to display on tokens issued under this role.\n"},"name":{"type":"string","description":"Name of the role\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocspCaCertificates":{"type":"string","description":"Any additional CA certificates\nneeded to verify OCSP responses. Provided as base64 encoded PEM data.\nRequires Vault version 1.13+.\n"},"ocspEnabled":{"type":"boolean","description":"If enabled, validate certificates'\nrevocation status using OCSP. Requires Vault version 1.13+.\n"},"ocspFailOpen":{"type":"boolean","description":"If true and an OCSP response cannot\nbe fetched or is of an unknown status, the login will proceed as if the\ncertificate has not been revoked.\nRequires Vault version 1.13+.\n"},"ocspMaxRetries":{"type":"integer","description":"The number of retries to attempt when\nconnecting to an OCSP server. Defaults to 4 retries.\nMust be a non-negative value. Requires Vault version 1.16+.\n"},"ocspQueryAllServers":{"type":"boolean","description":"If set to true, rather than\naccepting the first successful OCSP response, query all servers and consider\nthe certificate valid only if all servers agree.\nRequires Vault version 1.13+.\n"},"ocspServersOverrides":{"type":"array","items":{"type":"string"},"description":": A comma-separated list of OCSP\nserver addresses. If unset, the OCSP server is determined from the\nAuthorityInformationAccess extension on the certificate being inspected.\nRequires Vault version 1.13+.\n"},"ocspThisUpdateMaxAge":{"type":"integer","description":"The maximum age in seconds of the\n'thisUpdate' field in an OCSP response before it is considered too old.\nDefaults to 0 (disabled). Must be a non-negative value.\nRequires Vault version 1.16+.\n"},"requiredExtensions":{"type":"array","items":{"type":"string"},"description":"TLS extensions required on\nclient certificates\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"requiredInputs":["certificate"],"stateInputs":{"description":"Input properties used for looking up and filtering CertAuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowedCommonNames":{"type":"array","items":{"type":"string"},"description":"Allowed the common names for authenticated client certificates\n"},"allowedDnsSans":{"type":"array","items":{"type":"string"},"description":"Allowed alternative dns names for authenticated client certificates\n"},"allowedEmailSans":{"type":"array","items":{"type":"string"},"description":"Allowed emails for authenticated client certificates\n"},"allowedNames":{"type":"array","items":{"type":"string"},"description":"DEPRECATED: Please use the individual `allowed_X_sans` parameters instead. Allowed subject names for authenticated client certificates\n"},"allowedOrganizationalUnits":{"type":"array","items":{"type":"string"},"description":"Allowed organization units for authenticated client certificates.\n"},"allowedUriSans":{"type":"array","items":{"type":"string"},"description":"Allowed URIs for authenticated client certificates\n"},"backend":{"type":"string","description":"Path to the mounted Cert auth backend\n","willReplaceOnChanges":true},"certificate":{"type":"string","description":"CA certificate used to validate client certificates\n","willReplaceOnChanges":true},"displayName":{"type":"string","description":"The name to display on tokens issued under this role.\n"},"name":{"type":"string","description":"Name of the role\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocspCaCertificates":{"type":"string","description":"Any additional CA certificates\nneeded to verify OCSP responses. Provided as base64 encoded PEM data.\nRequires Vault version 1.13+.\n"},"ocspEnabled":{"type":"boolean","description":"If enabled, validate certificates'\nrevocation status using OCSP. Requires Vault version 1.13+.\n"},"ocspFailOpen":{"type":"boolean","description":"If true and an OCSP response cannot\nbe fetched or is of an unknown status, the login will proceed as if the\ncertificate has not been revoked.\nRequires Vault version 1.13+.\n"},"ocspMaxRetries":{"type":"integer","description":"The number of retries to attempt when\nconnecting to an OCSP server. Defaults to 4 retries.\nMust be a non-negative value. Requires Vault version 1.16+.\n"},"ocspQueryAllServers":{"type":"boolean","description":"If set to true, rather than\naccepting the first successful OCSP response, query all servers and consider\nthe certificate valid only if all servers agree.\nRequires Vault version 1.13+.\n"},"ocspServersOverrides":{"type":"array","items":{"type":"string"},"description":": A comma-separated list of OCSP\nserver addresses. If unset, the OCSP server is determined from the\nAuthorityInformationAccess extension on the certificate being inspected.\nRequires Vault version 1.13+.\n"},"ocspThisUpdateMaxAge":{"type":"integer","description":"The maximum age in seconds of the\n'thisUpdate' field in an OCSP response before it is considered too old.\nDefaults to 0 (disabled). Must be a non-negative value.\nRequires Vault version 1.16+.\n"},"requiredExtensions":{"type":"array","items":{"type":"string"},"description":"TLS extensions required on\nclient certificates\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:index/egpPolicy:EgpPolicy":{"description":"Provides a resource to manage Endpoint Governing Policy (EGP) via [Sentinel](https://www.vaultproject.io/docs/enterprise/sentinel/index.html).\n\n**Note** this feature is available only with Vault Enterprise.\n\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst allow_all = new vault.EgpPolicy(\"allow-all\", {\n    name: \"allow-all\",\n    paths: [\"*\"],\n    enforcementLevel: \"soft-mandatory\",\n    policy: `main = rule {\n  true\n}\n`,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nallow_all = vault.EgpPolicy(\"allow-all\",\n    name=\"allow-all\",\n    paths=[\"*\"],\n    enforcement_level=\"soft-mandatory\",\n    policy=\"\"\"main = rule {\n  true\n}\n\"\"\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var allow_all = new Vault.EgpPolicy(\"allow-all\", new()\n    {\n        Name = \"allow-all\",\n        Paths = new[]\n        {\n            \"*\",\n        },\n        EnforcementLevel = \"soft-mandatory\",\n        Policy = @\"main = rule {\n  true\n}\n\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewEgpPolicy(ctx, \"allow-all\", \u0026vault.EgpPolicyArgs{\n\t\t\tName: pulumi.String(\"allow-all\"),\n\t\t\tPaths: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tEnforcementLevel: pulumi.String(\"soft-mandatory\"),\n\t\t\tPolicy:           pulumi.String(\"main = rule {\\n  true\\n}\\n\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.EgpPolicy;\nimport com.pulumi.vault.EgpPolicyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var allow_all = new EgpPolicy(\"allow-all\", EgpPolicyArgs.builder()\n            .name(\"allow-all\")\n            .paths(\"*\")\n            .enforcementLevel(\"soft-mandatory\")\n            .policy(\"\"\"\nmain = rule {\n  true\n}\n            \"\"\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  allow-all:\n    type: vault:EgpPolicy\n    properties:\n      name: allow-all\n      paths:\n        - '*'\n      enforcementLevel: soft-mandatory\n      policy: |\n        main = rule {\n          true\n        }\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"enforcementLevel":{"type":"string","description":"Enforcement level of Sentinel policy. Can be either \u003cspan pulumi-lang-nodejs=\"`advisory`\" pulumi-lang-dotnet=\"`Advisory`\" pulumi-lang-go=\"`advisory`\" pulumi-lang-python=\"`advisory`\" pulumi-lang-yaml=\"`advisory`\" pulumi-lang-java=\"`advisory`\"\u003e`advisory`\u003c/span\u003e or `soft-mandatory` or `hard-mandatory`\n"},"name":{"type":"string","description":"The name of the policy\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"paths":{"type":"array","items":{"type":"string"},"description":"List of paths to which the policy will be applied to\n"},"policy":{"type":"string","description":"String containing a Sentinel policy\n"}},"required":["enforcementLevel","name","paths","policy"],"inputProperties":{"enforcementLevel":{"type":"string","description":"Enforcement level of Sentinel policy. Can be either \u003cspan pulumi-lang-nodejs=\"`advisory`\" pulumi-lang-dotnet=\"`Advisory`\" pulumi-lang-go=\"`advisory`\" pulumi-lang-python=\"`advisory`\" pulumi-lang-yaml=\"`advisory`\" pulumi-lang-java=\"`advisory`\"\u003e`advisory`\u003c/span\u003e or `soft-mandatory` or `hard-mandatory`\n"},"name":{"type":"string","description":"The name of the policy\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"paths":{"type":"array","items":{"type":"string"},"description":"List of paths to which the policy will be applied to\n"},"policy":{"type":"string","description":"String containing a Sentinel policy\n"}},"requiredInputs":["enforcementLevel","paths","policy"],"stateInputs":{"description":"Input properties used for looking up and filtering EgpPolicy resources.\n","properties":{"enforcementLevel":{"type":"string","description":"Enforcement level of Sentinel policy. Can be either \u003cspan pulumi-lang-nodejs=\"`advisory`\" pulumi-lang-dotnet=\"`Advisory`\" pulumi-lang-go=\"`advisory`\" pulumi-lang-python=\"`advisory`\" pulumi-lang-yaml=\"`advisory`\" pulumi-lang-java=\"`advisory`\"\u003e`advisory`\u003c/span\u003e or `soft-mandatory` or `hard-mandatory`\n"},"name":{"type":"string","description":"The name of the policy\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"paths":{"type":"array","items":{"type":"string"},"description":"List of paths to which the policy will be applied to\n"},"policy":{"type":"string","description":"String containing a Sentinel policy\n"}},"type":"object"}},"vault:index/mfaDuo:MfaDuo":{"description":"Provides a resource to manage [Duo MFA](https://www.vaultproject.io/docs/enterprise/mfa/mfa-duo.html).\n\n**Note** this feature is available only with Vault Enterprise.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst userpass = new vault.AuthBackend(\"userpass\", {\n    type: \"userpass\",\n    path: \"userpass\",\n});\nconst myDuo = new vault.MfaDuo(\"my_duo\", {\n    name: \"my_duo\",\n    mountAccessor: userpass.accessor,\n    secretKey: \"8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz\",\n    integrationKey: \"BIACEUEAXI20BNWTEYXT\",\n    apiHostname: \"api-2b5c39f5.duosecurity.com\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nuserpass = vault.AuthBackend(\"userpass\",\n    type=\"userpass\",\n    path=\"userpass\")\nmy_duo = vault.MfaDuo(\"my_duo\",\n    name=\"my_duo\",\n    mount_accessor=userpass.accessor,\n    secret_key=\"8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz\",\n    integration_key=\"BIACEUEAXI20BNWTEYXT\",\n    api_hostname=\"api-2b5c39f5.duosecurity.com\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var userpass = new Vault.AuthBackend(\"userpass\", new()\n    {\n        Type = \"userpass\",\n        Path = \"userpass\",\n    });\n\n    var myDuo = new Vault.MfaDuo(\"my_duo\", new()\n    {\n        Name = \"my_duo\",\n        MountAccessor = userpass.Accessor,\n        SecretKey = \"8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz\",\n        IntegrationKey = \"BIACEUEAXI20BNWTEYXT\",\n        ApiHostname = \"api-2b5c39f5.duosecurity.com\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tuserpass, err := vault.NewAuthBackend(ctx, \"userpass\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"userpass\"),\n\t\t\tPath: pulumi.String(\"userpass\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewMfaDuo(ctx, \"my_duo\", \u0026vault.MfaDuoArgs{\n\t\t\tName:           pulumi.String(\"my_duo\"),\n\t\t\tMountAccessor:  userpass.Accessor,\n\t\t\tSecretKey:      pulumi.String(\"8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz\"),\n\t\t\tIntegrationKey: pulumi.String(\"BIACEUEAXI20BNWTEYXT\"),\n\t\t\tApiHostname:    pulumi.String(\"api-2b5c39f5.duosecurity.com\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.MfaDuo;\nimport com.pulumi.vault.MfaDuoArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var userpass = new AuthBackend(\"userpass\", AuthBackendArgs.builder()\n            .type(\"userpass\")\n            .path(\"userpass\")\n            .build());\n\n        var myDuo = new MfaDuo(\"myDuo\", MfaDuoArgs.builder()\n            .name(\"my_duo\")\n            .mountAccessor(userpass.accessor())\n            .secretKey(\"8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz\")\n            .integrationKey(\"BIACEUEAXI20BNWTEYXT\")\n            .apiHostname(\"api-2b5c39f5.duosecurity.com\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  userpass:\n    type: vault:AuthBackend\n    properties:\n      type: userpass\n      path: userpass\n  myDuo:\n    type: vault:MfaDuo\n    name: my_duo\n    properties:\n      name: my_duo\n      mountAccessor: ${userpass.accessor}\n      secretKey: 8C7THtrIigh2rPZQMbguugt8IUftWhMRCOBzbuyz\n      integrationKey: BIACEUEAXI20BNWTEYXT\n      apiHostname: api-2b5c39f5.duosecurity.com\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nMounts can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:index/mfaDuo:MfaDuo my_duo my_duo\n```\n","properties":{"apiHostname":{"type":"string","description":"`(string: \u003crequired\u003e)` - API hostname for Duo.\n"},"integrationKey":{"type":"string","description":"`(string: \u003crequired\u003e)` - Integration key for Duo.\n","secret":true},"mountAccessor":{"type":"string","description":"`(string: \u003crequired\u003e)` - The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.\n"},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"pushInfo":{"type":"string","description":"`(string)` - Push information for Duo.\n"},"secretKey":{"type":"string","description":"`(string: \u003crequired\u003e)` - Secret key for Duo.\n","secret":true},"usernameFormat":{"type":"string","description":"`(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `\"{{alias.name}}@example.com\"`. If blank, the Alias's Name field will be used as-is. Currently-supported mappings:\n- alias.name: The name returned by the mount configured via the \u003cspan pulumi-lang-nodejs=\"`mountAccessor`\" pulumi-lang-dotnet=\"`MountAccessor`\" pulumi-lang-go=\"`mountAccessor`\" pulumi-lang-python=\"`mount_accessor`\" pulumi-lang-yaml=\"`mountAccessor`\" pulumi-lang-java=\"`mountAccessor`\"\u003e`mount_accessor`\u003c/span\u003e parameter\n- entity.name: The name configured for the Entity\n- alias.metadata.`\u003ckey\u003e`: The value of the Alias's metadata parameter\n- entity.metadata.`\u003ckey\u003e`: The value of the Entity's metadata parameter\n"}},"required":["apiHostname","integrationKey","mountAccessor","name","secretKey"],"inputProperties":{"apiHostname":{"type":"string","description":"`(string: \u003crequired\u003e)` - API hostname for Duo.\n"},"integrationKey":{"type":"string","description":"`(string: \u003crequired\u003e)` - Integration key for Duo.\n","secret":true},"mountAccessor":{"type":"string","description":"`(string: \u003crequired\u003e)` - The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.\n"},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pushInfo":{"type":"string","description":"`(string)` - Push information for Duo.\n"},"secretKey":{"type":"string","description":"`(string: \u003crequired\u003e)` - Secret key for Duo.\n","secret":true},"usernameFormat":{"type":"string","description":"`(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `\"{{alias.name}}@example.com\"`. If blank, the Alias's Name field will be used as-is. Currently-supported mappings:\n- alias.name: The name returned by the mount configured via the \u003cspan pulumi-lang-nodejs=\"`mountAccessor`\" pulumi-lang-dotnet=\"`MountAccessor`\" pulumi-lang-go=\"`mountAccessor`\" pulumi-lang-python=\"`mount_accessor`\" pulumi-lang-yaml=\"`mountAccessor`\" pulumi-lang-java=\"`mountAccessor`\"\u003e`mount_accessor`\u003c/span\u003e parameter\n- entity.name: The name configured for the Entity\n- alias.metadata.`\u003ckey\u003e`: The value of the Alias's metadata parameter\n- entity.metadata.`\u003ckey\u003e`: The value of the Entity's metadata parameter\n"}},"requiredInputs":["apiHostname","integrationKey","mountAccessor","secretKey"],"stateInputs":{"description":"Input properties used for looking up and filtering MfaDuo resources.\n","properties":{"apiHostname":{"type":"string","description":"`(string: \u003crequired\u003e)` - API hostname for Duo.\n"},"integrationKey":{"type":"string","description":"`(string: \u003crequired\u003e)` - Integration key for Duo.\n","secret":true},"mountAccessor":{"type":"string","description":"`(string: \u003crequired\u003e)` - The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping.\n"},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pushInfo":{"type":"string","description":"`(string)` - Push information for Duo.\n"},"secretKey":{"type":"string","description":"`(string: \u003crequired\u003e)` - Secret key for Duo.\n","secret":true},"usernameFormat":{"type":"string","description":"`(string)` - A format string for mapping Identity names to MFA method names. Values to substitute should be placed in `{{}}`. For example, `\"{{alias.name}}@example.com\"`. If blank, the Alias's Name field will be used as-is. Currently-supported mappings:\n- alias.name: The name returned by the mount configured via the \u003cspan pulumi-lang-nodejs=\"`mountAccessor`\" pulumi-lang-dotnet=\"`MountAccessor`\" pulumi-lang-go=\"`mountAccessor`\" pulumi-lang-python=\"`mount_accessor`\" pulumi-lang-yaml=\"`mountAccessor`\" pulumi-lang-java=\"`mountAccessor`\"\u003e`mount_accessor`\u003c/span\u003e parameter\n- entity.name: The name configured for the Entity\n- alias.metadata.`\u003ckey\u003e`: The value of the Alias's metadata parameter\n- entity.metadata.`\u003ckey\u003e`: The value of the Entity's metadata parameter\n"}},"type":"object"}},"vault:index/mfaOkta:MfaOkta":{"description":"Provides a resource to manage [Okta MFA](https://www.vaultproject.io/docs/enterprise/mfa/mfa-okta).\n\n**Note** this feature is available only with Vault Enterprise.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst userpass = new vault.AuthBackend(\"userpass\", {\n    type: \"userpass\",\n    path: \"userpass\",\n});\nconst myOkta = new vault.MfaOkta(\"my_okta\", {\n    name: \"my_okta\",\n    mountAccessor: userpass.accessor,\n    usernameFormat: \"user@example.com\",\n    orgName: \"hashicorp\",\n    apiToken: \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nuserpass = vault.AuthBackend(\"userpass\",\n    type=\"userpass\",\n    path=\"userpass\")\nmy_okta = vault.MfaOkta(\"my_okta\",\n    name=\"my_okta\",\n    mount_accessor=userpass.accessor,\n    username_format=\"user@example.com\",\n    org_name=\"hashicorp\",\n    api_token=\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var userpass = new Vault.AuthBackend(\"userpass\", new()\n    {\n        Type = \"userpass\",\n        Path = \"userpass\",\n    });\n\n    var myOkta = new Vault.MfaOkta(\"my_okta\", new()\n    {\n        Name = \"my_okta\",\n        MountAccessor = userpass.Accessor,\n        UsernameFormat = \"user@example.com\",\n        OrgName = \"hashicorp\",\n        ApiToken = \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tuserpass, err := vault.NewAuthBackend(ctx, \"userpass\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"userpass\"),\n\t\t\tPath: pulumi.String(\"userpass\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewMfaOkta(ctx, \"my_okta\", \u0026vault.MfaOktaArgs{\n\t\t\tName:           pulumi.String(\"my_okta\"),\n\t\t\tMountAccessor:  userpass.Accessor,\n\t\t\tUsernameFormat: pulumi.String(\"user@example.com\"),\n\t\t\tOrgName:        pulumi.String(\"hashicorp\"),\n\t\t\tApiToken:       pulumi.String(\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.MfaOkta;\nimport com.pulumi.vault.MfaOktaArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var userpass = new AuthBackend(\"userpass\", AuthBackendArgs.builder()\n            .type(\"userpass\")\n            .path(\"userpass\")\n            .build());\n\n        var myOkta = new MfaOkta(\"myOkta\", MfaOktaArgs.builder()\n            .name(\"my_okta\")\n            .mountAccessor(userpass.accessor())\n            .usernameFormat(\"user@example.com\")\n            .orgName(\"hashicorp\")\n            .apiToken(\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  userpass:\n    type: vault:AuthBackend\n    properties:\n      type: userpass\n      path: userpass\n  myOkta:\n    type: vault:MfaOkta\n    name: my_okta\n    properties:\n      name: my_okta\n      mountAccessor: ${userpass.accessor}\n      usernameFormat: user@example.com\n      orgName: hashicorp\n      apiToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nMounts can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:index/mfaOkta:MfaOkta my_okta my_okta\n```\n","properties":{"apiToken":{"type":"string","description":"`(string: \u003crequired\u003e)` - Okta API key.\n","secret":true},"baseUrl":{"type":"string","description":"`(string)` - If set, will be used as the base domain for API requests. Examples are `okta.com`, \n`oktapreview.com`, and `okta-emea.com`.\n"},"mountAccessor":{"type":"string","description":"`(string: \u003crequired\u003e)` - The mount to tie this method to for use in automatic mappings. \nThe mapping will use the Name field of Aliases associated with this mount as the username in the mapping.\n"},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"orgName":{"type":"string","description":"`(string: \u003crequired\u003e)` - Name of the organization to be used in the Okta API.\n"},"primaryEmail":{"type":"boolean","description":"`(string: \u003crequired\u003e)` - If set to true, the username will only match the \nprimary email for the account.\n"},"usernameFormat":{"type":"string","description":"`(string)` - A format string for mapping Identity names to MFA method names. \nValues to substitute should be placed in `{{}}`. For example, `\"{{alias.name}}@example.com\"`.\nIf blank, the Alias's Name field will be used as-is. Currently-supported mappings:\n- alias.name: The name returned by the mount configured via the \u003cspan pulumi-lang-nodejs=\"`mountAccessor`\" pulumi-lang-dotnet=\"`MountAccessor`\" pulumi-lang-go=\"`mountAccessor`\" pulumi-lang-python=\"`mount_accessor`\" pulumi-lang-yaml=\"`mountAccessor`\" pulumi-lang-java=\"`mountAccessor`\"\u003e`mount_accessor`\u003c/span\u003e parameter\n- entity.name: The name configured for the Entity\n- alias.metadata.`\u003ckey\u003e`: The value of the Alias's metadata parameter\n- entity.metadata.`\u003ckey\u003e`: The value of the Entity's metadata parameter\n"}},"required":["apiToken","mountAccessor","name","orgName"],"inputProperties":{"apiToken":{"type":"string","description":"`(string: \u003crequired\u003e)` - Okta API key.\n","secret":true,"willReplaceOnChanges":true},"baseUrl":{"type":"string","description":"`(string)` - If set, will be used as the base domain for API requests. Examples are `okta.com`, \n`oktapreview.com`, and `okta-emea.com`.\n","willReplaceOnChanges":true},"mountAccessor":{"type":"string","description":"`(string: \u003crequired\u003e)` - The mount to tie this method to for use in automatic mappings. \nThe mapping will use the Name field of Aliases associated with this mount as the username in the mapping.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"orgName":{"type":"string","description":"`(string: \u003crequired\u003e)` - Name of the organization to be used in the Okta API.\n","willReplaceOnChanges":true},"primaryEmail":{"type":"boolean","description":"`(string: \u003crequired\u003e)` - If set to true, the username will only match the \nprimary email for the account.\n","willReplaceOnChanges":true},"usernameFormat":{"type":"string","description":"`(string)` - A format string for mapping Identity names to MFA method names. \nValues to substitute should be placed in `{{}}`. For example, `\"{{alias.name}}@example.com\"`.\nIf blank, the Alias's Name field will be used as-is. Currently-supported mappings:\n- alias.name: The name returned by the mount configured via the \u003cspan pulumi-lang-nodejs=\"`mountAccessor`\" pulumi-lang-dotnet=\"`MountAccessor`\" pulumi-lang-go=\"`mountAccessor`\" pulumi-lang-python=\"`mount_accessor`\" pulumi-lang-yaml=\"`mountAccessor`\" pulumi-lang-java=\"`mountAccessor`\"\u003e`mount_accessor`\u003c/span\u003e parameter\n- entity.name: The name configured for the Entity\n- alias.metadata.`\u003ckey\u003e`: The value of the Alias's metadata parameter\n- entity.metadata.`\u003ckey\u003e`: The value of the Entity's metadata parameter\n","willReplaceOnChanges":true}},"requiredInputs":["apiToken","mountAccessor","orgName"],"stateInputs":{"description":"Input properties used for looking up and filtering MfaOkta resources.\n","properties":{"apiToken":{"type":"string","description":"`(string: \u003crequired\u003e)` - Okta API key.\n","secret":true,"willReplaceOnChanges":true},"baseUrl":{"type":"string","description":"`(string)` - If set, will be used as the base domain for API requests. Examples are `okta.com`, \n`oktapreview.com`, and `okta-emea.com`.\n","willReplaceOnChanges":true},"mountAccessor":{"type":"string","description":"`(string: \u003crequired\u003e)` - The mount to tie this method to for use in automatic mappings. \nThe mapping will use the Name field of Aliases associated with this mount as the username in the mapping.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"orgName":{"type":"string","description":"`(string: \u003crequired\u003e)` - Name of the organization to be used in the Okta API.\n","willReplaceOnChanges":true},"primaryEmail":{"type":"boolean","description":"`(string: \u003crequired\u003e)` - If set to true, the username will only match the \nprimary email for the account.\n","willReplaceOnChanges":true},"usernameFormat":{"type":"string","description":"`(string)` - A format string for mapping Identity names to MFA method names. \nValues to substitute should be placed in `{{}}`. For example, `\"{{alias.name}}@example.com\"`.\nIf blank, the Alias's Name field will be used as-is. Currently-supported mappings:\n- alias.name: The name returned by the mount configured via the \u003cspan pulumi-lang-nodejs=\"`mountAccessor`\" pulumi-lang-dotnet=\"`MountAccessor`\" pulumi-lang-go=\"`mountAccessor`\" pulumi-lang-python=\"`mount_accessor`\" pulumi-lang-yaml=\"`mountAccessor`\" pulumi-lang-java=\"`mountAccessor`\"\u003e`mount_accessor`\u003c/span\u003e parameter\n- entity.name: The name configured for the Entity\n- alias.metadata.`\u003ckey\u003e`: The value of the Alias's metadata parameter\n- entity.metadata.`\u003ckey\u003e`: The value of the Entity's metadata parameter\n","willReplaceOnChanges":true}},"type":"object"}},"vault:index/mfaPingid:MfaPingid":{"description":"Provides a resource to manage [PingID MFA](https://www.vaultproject.io/docs/enterprise/mfa/mfa-pingid).\n\n**Note** this feature is available only with Vault Enterprise.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new pulumi.Config();\nconst settingsFile = config.requireObject\u003cany\u003e(\"settingsFile\");\nconst userpass = new vault.AuthBackend(\"userpass\", {\n    type: \"userpass\",\n    path: \"userpass\",\n});\nconst myPingid = new vault.MfaPingid(\"my_pingid\", {\n    name: \"my_pingid\",\n    mountAccessor: userpass.accessor,\n    usernameFormat: \"user@example.com\",\n    settingsFileBase64: settingsFile,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = pulumi.Config()\nsettings_file = config.require_object(\"settingsFile\")\nuserpass = vault.AuthBackend(\"userpass\",\n    type=\"userpass\",\n    path=\"userpass\")\nmy_pingid = vault.MfaPingid(\"my_pingid\",\n    name=\"my_pingid\",\n    mount_accessor=userpass.accessor,\n    username_format=\"user@example.com\",\n    settings_file_base64=settings_file)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Config();\n    var settingsFile = config.RequireObject\u003cdynamic\u003e(\"settingsFile\");\n    var userpass = new Vault.AuthBackend(\"userpass\", new()\n    {\n        Type = \"userpass\",\n        Path = \"userpass\",\n    });\n\n    var myPingid = new Vault.MfaPingid(\"my_pingid\", new()\n    {\n        Name = \"my_pingid\",\n        MountAccessor = userpass.Accessor,\n        UsernameFormat = \"user@example.com\",\n        SettingsFileBase64 = settingsFile,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcfg := config.New(ctx, \"\")\n\t\tsettingsFile := cfg.RequireObject(\"settingsFile\")\n\t\tuserpass, err := vault.NewAuthBackend(ctx, \"userpass\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"userpass\"),\n\t\t\tPath: pulumi.String(\"userpass\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewMfaPingid(ctx, \"my_pingid\", \u0026vault.MfaPingidArgs{\n\t\t\tName:               pulumi.String(\"my_pingid\"),\n\t\t\tMountAccessor:      userpass.Accessor,\n\t\t\tUsernameFormat:     pulumi.String(\"user@example.com\"),\n\t\t\tSettingsFileBase64: pulumi.Any(settingsFile),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.MfaPingid;\nimport com.pulumi.vault.MfaPingidArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var config = ctx.config();\n        final var settingsFile = config.get(\"settingsFile\");\n        var userpass = new AuthBackend(\"userpass\", AuthBackendArgs.builder()\n            .type(\"userpass\")\n            .path(\"userpass\")\n            .build());\n\n        var myPingid = new MfaPingid(\"myPingid\", MfaPingidArgs.builder()\n            .name(\"my_pingid\")\n            .mountAccessor(userpass.accessor())\n            .usernameFormat(\"user@example.com\")\n            .settingsFileBase64(settingsFile)\n            .build());\n\n    }\n}\n```\n```yaml\nconfiguration:\n  settingsFile:\n    type: dynamic\nresources:\n  userpass:\n    type: vault:AuthBackend\n    properties:\n      type: userpass\n      path: userpass\n  myPingid:\n    type: vault:MfaPingid\n    name: my_pingid\n    properties:\n      name: my_pingid\n      mountAccessor: ${userpass.accessor}\n      usernameFormat: user@example.com\n      settingsFileBase64: ${settingsFile}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nMounts can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:index/mfaPingid:MfaPingid my_pingid my_pingid\n```\n","properties":{"adminUrl":{"type":"string","description":"`(string)` – Admin URL computed by Vault\n"},"authenticatorUrl":{"type":"string","description":"`(string)` – Authenticator URL computed by Vault\n"},"idpUrl":{"type":"string","description":"`(string)` – IDP URL computed by Vault\n"},"mountAccessor":{"type":"string","description":"`(string: \u003crequired\u003e)` - The mount to tie this method to for use in automatic mappings. \nThe mapping will use the Name field of Aliases associated with this mount as the username in the mapping.\n"},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"namespaceId":{"type":"string","description":"`(string)` – Namespace ID computed by Vault\n"},"orgAlias":{"type":"string","description":"`(string)` – Org Alias computed by Vault\n"},"settingsFileBase64":{"type":"string","description":"`(string: \u003crequired\u003e)` - A base64-encoded third-party settings file retrieved\nfrom PingID's configuration page.\n"},"type":{"type":"string","description":"`(string)` – Type of configuration computed by Vault\n"},"useSignature":{"type":"boolean","description":"`(string)` – If set to true, enables use of PingID signature. Computed by Vault\n"},"usernameFormat":{"type":"string","description":"`(string)` - A format string for mapping Identity names to MFA method names. \nValues to substitute should be placed in `{{}}`. For example, `\"{{alias.name}}@example.com\"`.\nIf blank, the Alias's Name field will be used as-is. Currently-supported mappings:\n- alias.name: The name returned by the mount configured via the \u003cspan pulumi-lang-nodejs=\"`mountAccessor`\" pulumi-lang-dotnet=\"`MountAccessor`\" pulumi-lang-go=\"`mountAccessor`\" pulumi-lang-python=\"`mount_accessor`\" pulumi-lang-yaml=\"`mountAccessor`\" pulumi-lang-java=\"`mountAccessor`\"\u003e`mount_accessor`\u003c/span\u003e parameter\n- entity.name: The name configured for the Entity\n- alias.metadata.`\u003ckey\u003e`: The value of the Alias's metadata parameter\n- entity.metadata.`\u003ckey\u003e`: The value of the Entity's metadata parameter\n"}},"required":["adminUrl","authenticatorUrl","idpUrl","mountAccessor","name","namespaceId","orgAlias","settingsFileBase64","type","useSignature"],"inputProperties":{"mountAccessor":{"type":"string","description":"`(string: \u003crequired\u003e)` - The mount to tie this method to for use in automatic mappings. \nThe mapping will use the Name field of Aliases associated with this mount as the username in the mapping.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"settingsFileBase64":{"type":"string","description":"`(string: \u003crequired\u003e)` - A base64-encoded third-party settings file retrieved\nfrom PingID's configuration page.\n","willReplaceOnChanges":true},"usernameFormat":{"type":"string","description":"`(string)` - A format string for mapping Identity names to MFA method names. \nValues to substitute should be placed in `{{}}`. For example, `\"{{alias.name}}@example.com\"`.\nIf blank, the Alias's Name field will be used as-is. Currently-supported mappings:\n- alias.name: The name returned by the mount configured via the \u003cspan pulumi-lang-nodejs=\"`mountAccessor`\" pulumi-lang-dotnet=\"`MountAccessor`\" pulumi-lang-go=\"`mountAccessor`\" pulumi-lang-python=\"`mount_accessor`\" pulumi-lang-yaml=\"`mountAccessor`\" pulumi-lang-java=\"`mountAccessor`\"\u003e`mount_accessor`\u003c/span\u003e parameter\n- entity.name: The name configured for the Entity\n- alias.metadata.`\u003ckey\u003e`: The value of the Alias's metadata parameter\n- entity.metadata.`\u003ckey\u003e`: The value of the Entity's metadata parameter\n","willReplaceOnChanges":true}},"requiredInputs":["mountAccessor","settingsFileBase64"],"stateInputs":{"description":"Input properties used for looking up and filtering MfaPingid resources.\n","properties":{"adminUrl":{"type":"string","description":"`(string)` – Admin URL computed by Vault\n"},"authenticatorUrl":{"type":"string","description":"`(string)` – Authenticator URL computed by Vault\n"},"idpUrl":{"type":"string","description":"`(string)` – IDP URL computed by Vault\n"},"mountAccessor":{"type":"string","description":"`(string: \u003crequired\u003e)` - The mount to tie this method to for use in automatic mappings. \nThe mapping will use the Name field of Aliases associated with this mount as the username in the mapping.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"namespaceId":{"type":"string","description":"`(string)` – Namespace ID computed by Vault\n"},"orgAlias":{"type":"string","description":"`(string)` – Org Alias computed by Vault\n"},"settingsFileBase64":{"type":"string","description":"`(string: \u003crequired\u003e)` - A base64-encoded third-party settings file retrieved\nfrom PingID's configuration page.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"`(string)` – Type of configuration computed by Vault\n"},"useSignature":{"type":"boolean","description":"`(string)` – If set to true, enables use of PingID signature. Computed by Vault\n"},"usernameFormat":{"type":"string","description":"`(string)` - A format string for mapping Identity names to MFA method names. \nValues to substitute should be placed in `{{}}`. For example, `\"{{alias.name}}@example.com\"`.\nIf blank, the Alias's Name field will be used as-is. Currently-supported mappings:\n- alias.name: The name returned by the mount configured via the \u003cspan pulumi-lang-nodejs=\"`mountAccessor`\" pulumi-lang-dotnet=\"`MountAccessor`\" pulumi-lang-go=\"`mountAccessor`\" pulumi-lang-python=\"`mount_accessor`\" pulumi-lang-yaml=\"`mountAccessor`\" pulumi-lang-java=\"`mountAccessor`\"\u003e`mount_accessor`\u003c/span\u003e parameter\n- entity.name: The name configured for the Entity\n- alias.metadata.`\u003ckey\u003e`: The value of the Alias's metadata parameter\n- entity.metadata.`\u003ckey\u003e`: The value of the Entity's metadata parameter\n","willReplaceOnChanges":true}},"type":"object"}},"vault:index/mfaTotp:MfaTotp":{"description":"Provides a resource to manage [TOTP MFA](https://www.vaultproject.io/docs/enterprise/mfa/mfa-totp).\n\n**Note** this feature is available only with Vault Enterprise.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst myTotp = new vault.MfaTotp(\"my_totp\", {\n    name: \"my_totp\",\n    issuer: \"hashicorp\",\n    period: 60,\n    algorithm: \"SHA256\",\n    digits: 8,\n    keySize: 20,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nmy_totp = vault.MfaTotp(\"my_totp\",\n    name=\"my_totp\",\n    issuer=\"hashicorp\",\n    period=60,\n    algorithm=\"SHA256\",\n    digits=8,\n    key_size=20)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var myTotp = new Vault.MfaTotp(\"my_totp\", new()\n    {\n        Name = \"my_totp\",\n        Issuer = \"hashicorp\",\n        Period = 60,\n        Algorithm = \"SHA256\",\n        Digits = 8,\n        KeySize = 20,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewMfaTotp(ctx, \"my_totp\", \u0026vault.MfaTotpArgs{\n\t\t\tName:      pulumi.String(\"my_totp\"),\n\t\t\tIssuer:    pulumi.String(\"hashicorp\"),\n\t\t\tPeriod:    pulumi.Int(60),\n\t\t\tAlgorithm: pulumi.String(\"SHA256\"),\n\t\t\tDigits:    pulumi.Int(8),\n\t\t\tKeySize:   pulumi.Int(20),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.MfaTotp;\nimport com.pulumi.vault.MfaTotpArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var myTotp = new MfaTotp(\"myTotp\", MfaTotpArgs.builder()\n            .name(\"my_totp\")\n            .issuer(\"hashicorp\")\n            .period(60)\n            .algorithm(\"SHA256\")\n            .digits(8)\n            .keySize(20)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  myTotp:\n    type: vault:MfaTotp\n    name: my_totp\n    properties:\n      name: my_totp\n      issuer: hashicorp\n      period: 60\n      algorithm: SHA256\n      digits: 8\n      keySize: 20\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nMounts can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:index/mfaTotp:MfaTotp my_totp my_totp\n```\n","properties":{"algorithm":{"type":"string","description":"`(string)` - Specifies the hashing algorithm used to generate the TOTP code.\nOptions include `SHA1`, `SHA256` and `SHA512`\n"},"digits":{"type":"integer","description":"`(int)` - The number of digits in the generated TOTP token.\nThis value can either be 6 or 8.\n"},"issuer":{"type":"string","description":"`(string: \u003crequired\u003e)` - The name of the key's issuing organization.\n"},"keySize":{"type":"integer","description":"`(int)` - Specifies the size in bytes of the generated key.\n"},"maxValidationAttempts":{"type":"integer","description":"`(int)` - The maximum number of consecutive failed validation attempts allowed. Must be a positive integer. Vault defaults this value to \u003cspan pulumi-lang-nodejs=\"`5`\" pulumi-lang-dotnet=\"`5`\" pulumi-lang-go=\"`5`\" pulumi-lang-python=\"`5`\" pulumi-lang-yaml=\"`5`\" pulumi-lang-java=\"`5`\"\u003e`5`\u003c/span\u003e if not provided or if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e.\n"},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"period":{"type":"integer","description":"`(int)` - The length of time used to generate a counter for the TOTP token calculation.\n"},"qrSize":{"type":"integer","description":"`(int)` - The pixel size of the generated square QR code.\n"},"skew":{"type":"integer","description":"`(int)` - The number of delay periods that are allowed when validating a TOTP token.\nThis value can either be 0 or 1.\n"}},"required":["issuer","name"],"inputProperties":{"algorithm":{"type":"string","description":"`(string)` - Specifies the hashing algorithm used to generate the TOTP code.\nOptions include `SHA1`, `SHA256` and `SHA512`\n","willReplaceOnChanges":true},"digits":{"type":"integer","description":"`(int)` - The number of digits in the generated TOTP token.\nThis value can either be 6 or 8.\n","willReplaceOnChanges":true},"issuer":{"type":"string","description":"`(string: \u003crequired\u003e)` - The name of the key's issuing organization.\n","willReplaceOnChanges":true},"keySize":{"type":"integer","description":"`(int)` - Specifies the size in bytes of the generated key.\n","willReplaceOnChanges":true},"maxValidationAttempts":{"type":"integer","description":"`(int)` - The maximum number of consecutive failed validation attempts allowed. Must be a positive integer. Vault defaults this value to \u003cspan pulumi-lang-nodejs=\"`5`\" pulumi-lang-dotnet=\"`5`\" pulumi-lang-go=\"`5`\" pulumi-lang-python=\"`5`\" pulumi-lang-yaml=\"`5`\" pulumi-lang-java=\"`5`\"\u003e`5`\u003c/span\u003e if not provided or if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"period":{"type":"integer","description":"`(int)` - The length of time used to generate a counter for the TOTP token calculation.\n","willReplaceOnChanges":true},"qrSize":{"type":"integer","description":"`(int)` - The pixel size of the generated square QR code.\n","willReplaceOnChanges":true},"skew":{"type":"integer","description":"`(int)` - The number of delay periods that are allowed when validating a TOTP token.\nThis value can either be 0 or 1.\n","willReplaceOnChanges":true}},"requiredInputs":["issuer"],"stateInputs":{"description":"Input properties used for looking up and filtering MfaTotp resources.\n","properties":{"algorithm":{"type":"string","description":"`(string)` - Specifies the hashing algorithm used to generate the TOTP code.\nOptions include `SHA1`, `SHA256` and `SHA512`\n","willReplaceOnChanges":true},"digits":{"type":"integer","description":"`(int)` - The number of digits in the generated TOTP token.\nThis value can either be 6 or 8.\n","willReplaceOnChanges":true},"issuer":{"type":"string","description":"`(string: \u003crequired\u003e)` - The name of the key's issuing organization.\n","willReplaceOnChanges":true},"keySize":{"type":"integer","description":"`(int)` - Specifies the size in bytes of the generated key.\n","willReplaceOnChanges":true},"maxValidationAttempts":{"type":"integer","description":"`(int)` - The maximum number of consecutive failed validation attempts allowed. Must be a positive integer. Vault defaults this value to \u003cspan pulumi-lang-nodejs=\"`5`\" pulumi-lang-dotnet=\"`5`\" pulumi-lang-go=\"`5`\" pulumi-lang-python=\"`5`\" pulumi-lang-yaml=\"`5`\" pulumi-lang-java=\"`5`\"\u003e`5`\u003c/span\u003e if not provided or if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"`(string: \u003crequired\u003e)` – Name of the MFA method.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"period":{"type":"integer","description":"`(int)` - The length of time used to generate a counter for the TOTP token calculation.\n","willReplaceOnChanges":true},"qrSize":{"type":"integer","description":"`(int)` - The pixel size of the generated square QR code.\n","willReplaceOnChanges":true},"skew":{"type":"integer","description":"`(int)` - The number of delay periods that are allowed when validating a TOTP token.\nThis value can either be 0 or 1.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:index/mount:Mount":{"description":"This resource enables a new secrets engine at the given path.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.Mount(\"example\", {\n    path: \"dummy\",\n    type: \"generic\",\n    description: \"This is an example mount\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.Mount(\"example\",\n    path=\"dummy\",\n    type=\"generic\",\n    description=\"This is an example mount\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Mount(\"example\", new()\n    {\n        Path = \"dummy\",\n        Type = \"generic\",\n        Description = \"This is an example mount\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewMount(ctx, \"example\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"dummy\"),\n\t\t\tType:        pulumi.String(\"generic\"),\n\t\t\tDescription: pulumi.String(\"This is an example mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new Mount(\"example\", MountArgs.builder()\n            .path(\"dummy\")\n            .type(\"generic\")\n            .description(\"This is an example mount\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:Mount\n    properties:\n      path: dummy\n      type: generic\n      description: This is an example mount\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv2_example = new vault.Mount(\"kvv2-example\", {\n    path: \"version2-example\",\n    type: \"kv-v2\",\n    options: {\n        version: \"2\",\n        type: \"kv-v2\",\n    },\n    description: \"This is an example KV Version 2 secret engine mount\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkvv2_example = vault.Mount(\"kvv2-example\",\n    path=\"version2-example\",\n    type=\"kv-v2\",\n    options={\n        \"version\": \"2\",\n        \"type\": \"kv-v2\",\n    },\n    description=\"This is an example KV Version 2 secret engine mount\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv2_example = new Vault.Mount(\"kvv2-example\", new()\n    {\n        Path = \"version2-example\",\n        Type = \"kv-v2\",\n        Options = \n        {\n            { \"version\", \"2\" },\n            { \"type\", \"kv-v2\" },\n        },\n        Description = \"This is an example KV Version 2 secret engine mount\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewMount(ctx, \"kvv2-example\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"version2-example\"),\n\t\t\tType: pulumi.String(\"kv-v2\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t\t\"type\":    pulumi.String(\"kv-v2\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"This is an example KV Version 2 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv2_example = new Mount(\"kvv2-example\", MountArgs.builder()\n            .path(\"version2-example\")\n            .type(\"kv-v2\")\n            .options(Map.ofEntries(\n                Map.entry(\"version\", \"2\"),\n                Map.entry(\"type\", \"kv-v2\")\n            ))\n            .description(\"This is an example KV Version 2 secret engine mount\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kvv2-example:\n    type: vault:Mount\n    properties:\n      path: version2-example\n      type: kv-v2\n      options:\n        version: '2'\n        type: kv-v2\n      description: This is an example KV Version 2 secret engine mount\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst transit_example = new vault.Mount(\"transit-example\", {\n    path: \"transit-example\",\n    type: \"transit\",\n    description: \"This is an example transit secret engine mount\",\n    options: {\n        convergent_encryption: \"false\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntransit_example = vault.Mount(\"transit-example\",\n    path=\"transit-example\",\n    type=\"transit\",\n    description=\"This is an example transit secret engine mount\",\n    options={\n        \"convergent_encryption\": \"false\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var transit_example = new Vault.Mount(\"transit-example\", new()\n    {\n        Path = \"transit-example\",\n        Type = \"transit\",\n        Description = \"This is an example transit secret engine mount\",\n        Options = \n        {\n            { \"convergent_encryption\", \"false\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewMount(ctx, \"transit-example\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"transit-example\"),\n\t\t\tType:        pulumi.String(\"transit\"),\n\t\t\tDescription: pulumi.String(\"This is an example transit secret engine mount\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"convergent_encryption\": pulumi.String(\"false\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var transit_example = new Mount(\"transit-example\", MountArgs.builder()\n            .path(\"transit-example\")\n            .type(\"transit\")\n            .description(\"This is an example transit secret engine mount\")\n            .options(Map.of(\"convergent_encryption\", \"false\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  transit-example:\n    type: vault:Mount\n    properties:\n      path: transit-example\n      type: transit\n      description: This is an example transit secret engine mount\n      options:\n        convergent_encryption: false\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki_example = new vault.Mount(\"pki-example\", {\n    path: \"pki-example\",\n    type: \"pki\",\n    description: \"This is an example PKI mount\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki_example = vault.Mount(\"pki-example\",\n    path=\"pki-example\",\n    type=\"pki\",\n    description=\"This is an example PKI mount\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki_example = new Vault.Mount(\"pki-example\", new()\n    {\n        Path = \"pki-example\",\n        Type = \"pki\",\n        Description = \"This is an example PKI mount\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewMount(ctx, \"pki-example\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki-example\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDescription:            pulumi.String(\"This is an example PKI mount\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki_example = new Mount(\"pki-example\", MountArgs.builder()\n            .path(\"pki-example\")\n            .type(\"pki\")\n            .description(\"This is an example PKI mount\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki-example:\n    type: vault:Mount\n    properties:\n      path: pki-example\n      type: pki\n      description: This is an example PKI mount\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nMounts can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:index/mount:Mount example dummy\n```\n","properties":{"accessor":{"type":"string","description":"The accessor for this mount.\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"Set of managed key registry entry names that the mount in question is allowed to access\n"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow, allowing a plugin to include\nthem in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds\n"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of allowed authentication mount accessors the\nbackend can request delegated authentication for.\n"},"description":{"type":"string","description":"Human-friendly description of the mount\n"},"externalEntropyAccess":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source\n"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens. If\nnot provided, this will default to Vault's OIDC default key.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific\nlisting endpoint. Valid values are \u003cspan pulumi-lang-nodejs=\"`unauth`\" pulumi-lang-dotnet=\"`Unauth`\" pulumi-lang-go=\"`unauth`\" pulumi-lang-python=\"`unauth`\" pulumi-lang-yaml=\"`unauth`\" pulumi-lang-java=\"`unauth`\"\u003e`unauth`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`hidden`\" pulumi-lang-dotnet=\"`Hidden`\" pulumi-lang-go=\"`hidden`\" pulumi-lang-python=\"`hidden`\" pulumi-lang-yaml=\"`hidden`\" pulumi-lang-java=\"`hidden`\"\u003e`hidden`\u003c/span\u003e. If not set, behaves like \u003cspan pulumi-lang-nodejs=\"`hidden`\" pulumi-lang-dotnet=\"`Hidden`\" pulumi-lang-go=\"`hidden`\" pulumi-lang-python=\"`hidden`\" pulumi-lang-yaml=\"`hidden`\" pulumi-lang-java=\"`hidden`\"\u003e`hidden`\u003c/span\u003e.\n"},"local":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enforce local mount in HA environment\n"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to\nthe plugin.\n"},"path":{"type":"string","description":"Where the secret backend will be mounted\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. \"v1.0.0\".\nIf unspecified, the server will select any matching unversioned plugin that may have been\nregistered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.\n"},"sealWrap":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability\n"},"type":{"type":"string","description":"Type of the backend, such as \"aws\"\n"}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","defaultLeaseTtlSeconds","forceNoCache","maxLeaseTtlSeconds","path","sealWrap","type"],"inputProperties":{"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"Set of managed key registry entry names that the mount in question is allowed to access\n"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow, allowing a plugin to include\nthem in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds\n"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of allowed authentication mount accessors the\nbackend can request delegated authentication for.\n"},"description":{"type":"string","description":"Human-friendly description of the mount\n"},"externalEntropyAccess":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source\n","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens. If\nnot provided, this will default to Vault's OIDC default key.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific\nlisting endpoint. Valid values are \u003cspan pulumi-lang-nodejs=\"`unauth`\" pulumi-lang-dotnet=\"`Unauth`\" pulumi-lang-go=\"`unauth`\" pulumi-lang-python=\"`unauth`\" pulumi-lang-yaml=\"`unauth`\" pulumi-lang-java=\"`unauth`\"\u003e`unauth`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`hidden`\" pulumi-lang-dotnet=\"`Hidden`\" pulumi-lang-go=\"`hidden`\" pulumi-lang-python=\"`hidden`\" pulumi-lang-yaml=\"`hidden`\" pulumi-lang-java=\"`hidden`\"\u003e`hidden`\u003c/span\u003e. If not set, behaves like \u003cspan pulumi-lang-nodejs=\"`hidden`\" pulumi-lang-dotnet=\"`Hidden`\" pulumi-lang-go=\"`hidden`\" pulumi-lang-python=\"`hidden`\" pulumi-lang-yaml=\"`hidden`\" pulumi-lang-java=\"`hidden`\"\u003e`hidden`\u003c/span\u003e.\n"},"local":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enforce local mount in HA environment\n","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to\nthe plugin.\n"},"path":{"type":"string","description":"Where the secret backend will be mounted\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. \"v1.0.0\".\nIf unspecified, the server will select any matching unversioned plugin that may have been\nregistered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.\n"},"sealWrap":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Type of the backend, such as \"aws\"\n","willReplaceOnChanges":true}},"requiredInputs":["path","type"],"stateInputs":{"description":"Input properties used for looking up and filtering Mount resources.\n","properties":{"accessor":{"type":"string","description":"The accessor for this mount.\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"Set of managed key registry entry names that the mount in question is allowed to access\n"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow, allowing a plugin to include\nthem in the response.\n"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.\n"},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds\n"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of allowed authentication mount accessors the\nbackend can request delegated authentication for.\n"},"description":{"type":"string","description":"Human-friendly description of the mount\n"},"externalEntropyAccess":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source\n","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens. If\nnot provided, this will default to Vault's OIDC default key.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific\nlisting endpoint. Valid values are \u003cspan pulumi-lang-nodejs=\"`unauth`\" pulumi-lang-dotnet=\"`Unauth`\" pulumi-lang-go=\"`unauth`\" pulumi-lang-python=\"`unauth`\" pulumi-lang-yaml=\"`unauth`\" pulumi-lang-java=\"`unauth`\"\u003e`unauth`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`hidden`\" pulumi-lang-dotnet=\"`Hidden`\" pulumi-lang-go=\"`hidden`\" pulumi-lang-python=\"`hidden`\" pulumi-lang-yaml=\"`hidden`\" pulumi-lang-java=\"`hidden`\"\u003e`hidden`\u003c/span\u003e. If not set, behaves like \u003cspan pulumi-lang-nodejs=\"`hidden`\" pulumi-lang-dotnet=\"`Hidden`\" pulumi-lang-go=\"`hidden`\" pulumi-lang-python=\"`hidden`\" pulumi-lang-yaml=\"`hidden`\" pulumi-lang-java=\"`hidden`\"\u003e`hidden`\u003c/span\u003e.\n"},"local":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enforce local mount in HA environment\n","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend\n"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to\nthe plugin.\n"},"path":{"type":"string","description":"Where the secret backend will be mounted\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. \"v1.0.0\".\nIf unspecified, the server will select any matching unversioned plugin that may have been\nregistered, the latest versioned plugin registered, or a built-in plugin in that order of precedence.\n"},"sealWrap":{"type":"boolean","description":"Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Type of the backend, such as \"aws\"\n","willReplaceOnChanges":true}},"type":"object"}},"vault:index/namespace:Namespace":{"description":"\n\n## Import\n\nNamespaces can be imported using its `name` as accessor id\n\n```sh\n$ pulumi import vault:index/namespace:Namespace example \u003cname\u003e\n```\n\nIf the declared resource is imported and intends to support namespaces using a provider alias, then the name is relative to the namespace path.\n\nhcl\n\nprovider \"vault\" {\n\n  # Configuration options\n\n  namespace = \"example\"\n\n  alias     = \"example\"\n\n}\n\nresource \"vault_namespace\" \"example2\" {\n\n  provider = vault.example\n\n  path     = \"example2\"\n\n}\n\n```sh\n$ pulumi import vault:index/namespace:Namespace example2 example2\n```\n\n$ terraform state show vault_namespace.example2\n\nvault_namespace.example2:\n\nresource \"vault_namespace\" \"example2\" {\n\n    id           = \"example/example2/\"\n\n    namespace_id = \u003cknown after import\u003e\n\n    path         = \"example2\"\n\n    path_fq      = \"example2\"\n\n}\n\n","properties":{"customMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom metadata describing this namespace. Value type\nis `map[string]string`. Requires Vault version 1.12+.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","language":{"csharp":{"name":"TargetNamespace"}}},"namespaceId":{"type":"string","description":"Vault server's internal ID of the namespace.\n"},"path":{"type":"string","description":"The path of the namespace. Must not have a trailing `/`.\n"},"pathFq":{"type":"string","description":"The fully qualified path to the namespace. Useful when provisioning resources in a child \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e.\nThe path is relative to the provider's \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e argument.\n"}},"required":["customMetadata","namespaceId","path","pathFq"],"inputProperties":{"customMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom metadata describing this namespace. Value type\nis `map[string]string`. Requires Vault version 1.12+.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","language":{"csharp":{"name":"TargetNamespace"}},"willReplaceOnChanges":true},"path":{"type":"string","description":"The path of the namespace. Must not have a trailing `/`.\n","willReplaceOnChanges":true},"pathFq":{"type":"string","description":"The fully qualified path to the namespace. Useful when provisioning resources in a child \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e.\nThe path is relative to the provider's \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e argument.\n"}},"requiredInputs":["path"],"stateInputs":{"description":"Input properties used for looking up and filtering Namespace resources.\n","properties":{"customMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom metadata describing this namespace. Value type\nis `map[string]string`. Requires Vault version 1.12+.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","language":{"csharp":{"name":"TargetNamespace"}},"willReplaceOnChanges":true},"namespaceId":{"type":"string","description":"Vault server's internal ID of the namespace.\n"},"path":{"type":"string","description":"The path of the namespace. Must not have a trailing `/`.\n","willReplaceOnChanges":true},"pathFq":{"type":"string","description":"The fully qualified path to the namespace. Useful when provisioning resources in a child \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e.\nThe path is relative to the provider's \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e argument.\n"}},"type":"object"}},"vault:index/nomadSecretBackend:NomadSecretBackend":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.NomadSecretBackend(\"config\", {\n    backend: \"nomad\",\n    description: \"test description\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 7200,\n    maxTtl: 240,\n    address: \"https://127.0.0.1:4646\",\n    token: \"ae20ceaa-...\",\n    ttl: 120,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.NomadSecretBackend(\"config\",\n    backend=\"nomad\",\n    description=\"test description\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=7200,\n    max_ttl=240,\n    address=\"https://127.0.0.1:4646\",\n    token=\"ae20ceaa-...\",\n    ttl=120)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.NomadSecretBackend(\"config\", new()\n    {\n        Backend = \"nomad\",\n        Description = \"test description\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 7200,\n        MaxTtl = 240,\n        Address = \"https://127.0.0.1:4646\",\n        Token = \"ae20ceaa-...\",\n        Ttl = 120,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewNomadSecretBackend(ctx, \"config\", \u0026vault.NomadSecretBackendArgs{\n\t\t\tBackend:                pulumi.String(\"nomad\"),\n\t\t\tDescription:            pulumi.String(\"test description\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(7200),\n\t\t\tMaxTtl:                 pulumi.Int(240),\n\t\t\tAddress:                pulumi.String(\"https://127.0.0.1:4646\"),\n\t\t\tToken:                  pulumi.String(\"ae20ceaa-...\"),\n\t\t\tTtl:                    pulumi.Int(120),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.NomadSecretBackend;\nimport com.pulumi.vault.NomadSecretBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new NomadSecretBackend(\"config\", NomadSecretBackendArgs.builder()\n            .backend(\"nomad\")\n            .description(\"test description\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(7200)\n            .maxTtl(240)\n            .address(\"https://127.0.0.1:4646\")\n            .token(\"ae20ceaa-...\")\n            .ttl(120)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:NomadSecretBackend\n    properties:\n      backend: nomad\n      description: test description\n      defaultLeaseTtlSeconds: '3600'\n      maxLeaseTtlSeconds: '7200'\n      maxTtl: '240'\n      address: https://127.0.0.1:4646\n      token: ae20ceaa-...\n      ttl: '120'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Ephemeral Attributes Reference\n\nThe following write-only attributes are supported:\n\n* \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e - (Optional) Write-only client certificate key to provide to the Nomad server, must be x509 PEM encoded.\n  Use this for enhanced security when you don't want the client key to appear in state files. Requires \u003cspan pulumi-lang-nodejs=\"`clientKeyWoVersion`\" pulumi-lang-dotnet=\"`ClientKeyWoVersion`\" pulumi-lang-go=\"`clientKeyWoVersion`\" pulumi-lang-python=\"`client_key_wo_version`\" pulumi-lang-yaml=\"`clientKeyWoVersion`\" pulumi-lang-java=\"`clientKeyWoVersion`\"\u003e`client_key_wo_version`\u003c/span\u003e. Conflicts with \u003cspan pulumi-lang-nodejs=\"`clientKey`\" pulumi-lang-dotnet=\"`ClientKey`\" pulumi-lang-go=\"`clientKey`\" pulumi-lang-python=\"`client_key`\" pulumi-lang-yaml=\"`clientKey`\" pulumi-lang-java=\"`clientKey`\"\u003e`client_key`\u003c/span\u003e.\n  **Note**: This property is write-only and will not be read from the API.\n\n* \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e - (Optional) Write-only Nomad Management token to use.\n  Use this for enhanced security when you don't want the token to appear in state files. Requires \u003cspan pulumi-lang-nodejs=\"`tokenWoVersion`\" pulumi-lang-dotnet=\"`TokenWoVersion`\" pulumi-lang-go=\"`tokenWoVersion`\" pulumi-lang-python=\"`token_wo_version`\" pulumi-lang-yaml=\"`tokenWoVersion`\" pulumi-lang-java=\"`tokenWoVersion`\"\u003e`token_wo_version`\u003c/span\u003e. Conflicts with \u003cspan pulumi-lang-nodejs=\"`token`\" pulumi-lang-dotnet=\"`Token`\" pulumi-lang-go=\"`token`\" pulumi-lang-python=\"`token`\" pulumi-lang-yaml=\"`token`\" pulumi-lang-java=\"`token`\"\u003e`token`\u003c/span\u003e.\n  **Note**: This property is write-only and will not be read from the API.\n\n## Import\n\nNomad secret backend can be imported using the `backend`, e.g.\n\n```sh\n$ pulumi import vault:index/nomadSecretBackend:NomadSecretBackend nomad nomad\n```\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"address":{"type":"string","description":"Specifies the address of the Nomad instance, provided\nas \"protocol://host:port\" like \"http://127.0.0.1:4646\".\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"backend":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`nomad`\" pulumi-lang-dotnet=\"`Nomad`\" pulumi-lang-go=\"`nomad`\" pulumi-lang-python=\"`nomad`\" pulumi-lang-yaml=\"`nomad`\" pulumi-lang-java=\"`nomad`\"\u003e`nomad`\u003c/span\u003e.\n"},"caCert":{"type":"string","description":"CA certificate to use when verifying the Nomad server certificate, must be\nx509 PEM encoded.\n"},"clientCert":{"type":"string","description":"Client certificate to provide to the Nomad server, must be x509 PEM encoded.\n","secret":true},"clientKey":{"type":"string","description":"Client certificate key to provide to the Nomad server, must be x509 PEM encoded.\nConflicts with \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e.\n","secret":true},"clientKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","secret":true},"clientKeyWoVersion":{"type":"integer","description":"Version counter for the write-only client key. This must be incremented\neach time the \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e value is changed to trigger an update. Required when using \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds."},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time."},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds."},"maxTokenNameLength":{"type":"integer","description":"Specifies the maximum length to use for the name of the Nomad token\ngenerated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed\nby the Nomad version.\n"},"maxTtl":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"token":{"type":"string","description":"Specifies the Nomad Management token to use. Conflicts with \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e.\n","secret":true},"tokenWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only Nomad Management token to use.","secret":true},"tokenWoVersion":{"type":"integer","description":"Version counter for the write-only token. This must be incremented each time\nthe \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e value is changed to trigger an update. Required when using \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e.\n"},"ttl":{"type":"integer","description":"Specifies the ttl of the lease for the generated token.\n"}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","defaultLeaseTtlSeconds","forceNoCache","maxLeaseTtlSeconds","maxTokenNameLength","maxTtl","sealWrap","ttl"],"inputProperties":{"address":{"type":"string","description":"Specifies the address of the Nomad instance, provided\nas \"protocol://host:port\" like \"http://127.0.0.1:4646\".\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"backend":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`nomad`\" pulumi-lang-dotnet=\"`Nomad`\" pulumi-lang-go=\"`nomad`\" pulumi-lang-python=\"`nomad`\" pulumi-lang-yaml=\"`nomad`\" pulumi-lang-java=\"`nomad`\"\u003e`nomad`\u003c/span\u003e.\n"},"caCert":{"type":"string","description":"CA certificate to use when verifying the Nomad server certificate, must be\nx509 PEM encoded.\n"},"clientCert":{"type":"string","description":"Client certificate to provide to the Nomad server, must be x509 PEM encoded.\n","secret":true},"clientKey":{"type":"string","description":"Client certificate key to provide to the Nomad server, must be x509 PEM encoded.\nConflicts with \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e.\n","secret":true},"clientKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","secret":true},"clientKeyWoVersion":{"type":"integer","description":"Version counter for the write-only client key. This must be incremented\neach time the \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e value is changed to trigger an update. Required when using \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds."},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time."},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds."},"maxTokenNameLength":{"type":"integer","description":"Specifies the maximum length to use for the name of the Nomad token\ngenerated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed\nby the Nomad version.\n"},"maxTtl":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"token":{"type":"string","description":"Specifies the Nomad Management token to use. Conflicts with \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e.\n","secret":true},"tokenWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only Nomad Management token to use.","secret":true},"tokenWoVersion":{"type":"integer","description":"Version counter for the write-only token. This must be incremented each time\nthe \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e value is changed to trigger an update. Required when using \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e.\n"},"ttl":{"type":"integer","description":"Specifies the ttl of the lease for the generated token.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering NomadSecretBackend resources.\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"address":{"type":"string","description":"Specifies the address of the Nomad instance, provided\nas \"protocol://host:port\" like \"http://127.0.0.1:4646\".\n"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"backend":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`nomad`\" pulumi-lang-dotnet=\"`Nomad`\" pulumi-lang-go=\"`nomad`\" pulumi-lang-python=\"`nomad`\" pulumi-lang-yaml=\"`nomad`\" pulumi-lang-java=\"`nomad`\"\u003e`nomad`\u003c/span\u003e.\n"},"caCert":{"type":"string","description":"CA certificate to use when verifying the Nomad server certificate, must be\nx509 PEM encoded.\n"},"clientCert":{"type":"string","description":"Client certificate to provide to the Nomad server, must be x509 PEM encoded.\n","secret":true},"clientKey":{"type":"string","description":"Client certificate key to provide to the Nomad server, must be x509 PEM encoded.\nConflicts with \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e.\n","secret":true},"clientKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.","secret":true},"clientKeyWoVersion":{"type":"integer","description":"Version counter for the write-only client key. This must be incremented\neach time the \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e value is changed to trigger an update. Required when using \u003cspan pulumi-lang-nodejs=\"`clientKeyWo`\" pulumi-lang-dotnet=\"`ClientKeyWo`\" pulumi-lang-go=\"`clientKeyWo`\" pulumi-lang-python=\"`client_key_wo`\" pulumi-lang-yaml=\"`clientKeyWo`\" pulumi-lang-java=\"`clientKeyWo`\"\u003e`client_key_wo`\u003c/span\u003e.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds."},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Mark the secrets engine as local-only. Local engines are not replicated or removed by replication. Tolerance duration to use when checking the last rotation time."},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds."},"maxTokenNameLength":{"type":"integer","description":"Specifies the maximum length to use for the name of the Nomad token\ngenerated with Generate Credential. If omitted, 0 is used and ignored, defaulting to the max value allowed\nby the Nomad version.\n"},"maxTtl":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"token":{"type":"string","description":"Specifies the Nomad Management token to use. Conflicts with \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e.\n","secret":true},"tokenWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only Nomad Management token to use.","secret":true},"tokenWoVersion":{"type":"integer","description":"Version counter for the write-only token. This must be incremented each time\nthe \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e value is changed to trigger an update. Required when using \u003cspan pulumi-lang-nodejs=\"`tokenWo`\" pulumi-lang-dotnet=\"`TokenWo`\" pulumi-lang-go=\"`tokenWo`\" pulumi-lang-python=\"`token_wo`\" pulumi-lang-yaml=\"`tokenWo`\" pulumi-lang-java=\"`tokenWo`\"\u003e`token_wo`\u003c/span\u003e.\n"},"ttl":{"type":"integer","description":"Specifies the ttl of the lease for the generated token.\n"}},"type":"object"}},"vault:index/nomadSecretRole:NomadSecretRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.NomadSecretBackend(\"config\", {\n    backend: \"nomad\",\n    description: \"test description\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 7200,\n    address: \"https://127.0.0.1:4646\",\n    token: \"ae20ceaa-...\",\n});\nconst test = new vault.NomadSecretRole(\"test\", {\n    backend: config.backend,\n    role: \"test\",\n    type: \"client\",\n    policies: [\"readonly\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.NomadSecretBackend(\"config\",\n    backend=\"nomad\",\n    description=\"test description\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=7200,\n    address=\"https://127.0.0.1:4646\",\n    token=\"ae20ceaa-...\")\ntest = vault.NomadSecretRole(\"test\",\n    backend=config.backend,\n    role=\"test\",\n    type=\"client\",\n    policies=[\"readonly\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.NomadSecretBackend(\"config\", new()\n    {\n        Backend = \"nomad\",\n        Description = \"test description\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 7200,\n        Address = \"https://127.0.0.1:4646\",\n        Token = \"ae20ceaa-...\",\n    });\n\n    var test = new Vault.NomadSecretRole(\"test\", new()\n    {\n        Backend = config.Backend,\n        Role = \"test\",\n        Type = \"client\",\n        Policies = new[]\n        {\n            \"readonly\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tconfig, err := vault.NewNomadSecretBackend(ctx, \"config\", \u0026vault.NomadSecretBackendArgs{\n\t\t\tBackend:                pulumi.String(\"nomad\"),\n\t\t\tDescription:            pulumi.String(\"test description\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(7200),\n\t\t\tAddress:                pulumi.String(\"https://127.0.0.1:4646\"),\n\t\t\tToken:                  pulumi.String(\"ae20ceaa-...\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewNomadSecretRole(ctx, \"test\", \u0026vault.NomadSecretRoleArgs{\n\t\t\tBackend: config.Backend,\n\t\t\tRole:    pulumi.String(\"test\"),\n\t\t\tType:    pulumi.String(\"client\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"readonly\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.NomadSecretBackend;\nimport com.pulumi.vault.NomadSecretBackendArgs;\nimport com.pulumi.vault.NomadSecretRole;\nimport com.pulumi.vault.NomadSecretRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new NomadSecretBackend(\"config\", NomadSecretBackendArgs.builder()\n            .backend(\"nomad\")\n            .description(\"test description\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(7200)\n            .address(\"https://127.0.0.1:4646\")\n            .token(\"ae20ceaa-...\")\n            .build());\n\n        var test = new NomadSecretRole(\"test\", NomadSecretRoleArgs.builder()\n            .backend(config.backend())\n            .role(\"test\")\n            .type(\"client\")\n            .policies(\"readonly\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:NomadSecretBackend\n    properties:\n      backend: nomad\n      description: test description\n      defaultLeaseTtlSeconds: '3600'\n      maxLeaseTtlSeconds: '7200'\n      address: https://127.0.0.1:4646\n      token: ae20ceaa-...\n  test:\n    type: vault:NomadSecretRole\n    properties:\n      backend: ${config.backend}\n      role: test\n      type: client\n      policies:\n        - readonly\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nNomad secret role can be imported using the `backend`, e.g.\n\n```sh\n$ pulumi import vault:index/nomadSecretRole:NomadSecretRole bob nomad/role/bob\n```\n","properties":{"backend":{"type":"string","description":"The unique path this backend should be mounted at.\n"},"global":{"type":"boolean","description":"Specifies if the generated token should be global. Defaults to \nfalse.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies attached to the generated token. This setting is only used \nwhen \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is 'client'.\n"},"role":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n"},"type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid \nsettings are 'client' and 'management'. Defaults to 'client'.\n"}},"required":["backend","global","policies","role","type"],"inputProperties":{"backend":{"type":"string","description":"The unique path this backend should be mounted at.\n","willReplaceOnChanges":true},"global":{"type":"boolean","description":"Specifies if the generated token should be global. Defaults to \nfalse.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies attached to the generated token. This setting is only used \nwhen \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is 'client'.\n"},"role":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid \nsettings are 'client' and 'management'. Defaults to 'client'.\n"}},"requiredInputs":["backend","role"],"stateInputs":{"description":"Input properties used for looking up and filtering NomadSecretRole resources.\n","properties":{"backend":{"type":"string","description":"The unique path this backend should be mounted at.\n","willReplaceOnChanges":true},"global":{"type":"boolean","description":"Specifies if the generated token should be global. Defaults to \nfalse.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies attached to the generated token. This setting is only used \nwhen \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is 'client'.\n"},"role":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Specifies the type of token to create when using this role. Valid \nsettings are 'client' and 'management'. Defaults to 'client'.\n"}},"type":"object"}},"vault:index/ociAuthBackend:OciAuthBackend":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.OciAuthBackend(\"example\", {\n    path: exampleVaultAuthBackend.path,\n    homeTenancyId: \"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.OciAuthBackend(\"example\",\n    path=example_vault_auth_backend[\"path\"],\n    home_tenancy_id=\"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.OciAuthBackend(\"example\", new()\n    {\n        Path = exampleVaultAuthBackend.Path,\n        HomeTenancyId = \"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewOciAuthBackend(ctx, \"example\", \u0026vault.OciAuthBackendArgs{\n\t\t\tPath:          pulumi.Any(exampleVaultAuthBackend.Path),\n\t\t\tHomeTenancyId: pulumi.String(\"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.OciAuthBackend;\nimport com.pulumi.vault.OciAuthBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new OciAuthBackend(\"example\", OciAuthBackendArgs.builder()\n            .path(exampleVaultAuthBackend.path())\n            .homeTenancyId(\"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:OciAuthBackend\n    properties:\n      path: ${exampleVaultAuthBackend.path}\n      homeTenancyId: ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nOCI auth backends can be imported using the backend's `path`, e.g.\n\n```sh\n$ pulumi import vault:index/ociAuthBackend:OciAuthBackend example oci\n```\n","properties":{"accessor":{"type":"string","description":"The accessor of the auth backend"},"description":{"type":"string","description":"A description of the auth backend.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Stops rotation of the root credential until set to false."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates."},"homeTenancyId":{"type":"string","description":"The Tenancy OCID of your OCI account.\n","secret":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Unique name of the auth backend to configure."},"rotationPeriod":{"type":"integer","description":"The period of time in seconds between each rotation of the root credential. Cannot be used with rotation_schedule."},"rotationSchedule":{"type":"string","description":"The cron-style schedule for the root credential to be rotated on. Cannot be used with rotation_period."},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds Vault is allowed to complete a rotation once a scheduled rotation is triggered. Can only be used with rotation_schedule."},"tune":{"$ref":"#/types/vault:index/OciAuthBackendTune:OciAuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"}},"required":["accessor","homeTenancyId","tune"],"inputProperties":{"description":{"type":"string","description":"A description of the auth backend.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Stops rotation of the root credential until set to false."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates."},"homeTenancyId":{"type":"string","description":"The Tenancy OCID of your OCI account.\n","secret":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Unique name of the auth backend to configure."},"rotationPeriod":{"type":"integer","description":"The period of time in seconds between each rotation of the root credential. Cannot be used with rotation_schedule."},"rotationSchedule":{"type":"string","description":"The cron-style schedule for the root credential to be rotated on. Cannot be used with rotation_period."},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds Vault is allowed to complete a rotation once a scheduled rotation is triggered. Can only be used with rotation_schedule."},"tune":{"$ref":"#/types/vault:index/OciAuthBackendTune:OciAuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"}},"requiredInputs":["homeTenancyId"],"stateInputs":{"description":"Input properties used for looking up and filtering OciAuthBackend resources.\n","properties":{"accessor":{"type":"string","description":"The accessor of the auth backend"},"description":{"type":"string","description":"A description of the auth backend.\n"},"disableAutomatedRotation":{"type":"boolean","description":"Stops rotation of the root credential until set to false."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates."},"homeTenancyId":{"type":"string","description":"The Tenancy OCID of your OCI account.\n","secret":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Unique name of the auth backend to configure."},"rotationPeriod":{"type":"integer","description":"The period of time in seconds between each rotation of the root credential. Cannot be used with rotation_schedule."},"rotationSchedule":{"type":"string","description":"The cron-style schedule for the root credential to be rotated on. Cannot be used with rotation_period."},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds Vault is allowed to complete a rotation once a scheduled rotation is triggered. Can only be used with rotation_schedule."},"tune":{"$ref":"#/types/vault:index/OciAuthBackendTune:OciAuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"}},"type":"object"}},"vault:index/ociAuthBackendRole:OciAuthBackendRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst oci = new vault.OciAuthBackend(\"oci\", {\n    path: \"oci\",\n    homeTenancyId: \"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\",\n});\nconst example = new vault.OciAuthBackendRole(\"example\", {\n    backend: oci.path,\n    name: \"test-role\",\n    ocidLists: [\n        \"ocid1.group.oc1..aaaaaaaabmyiinfq32y5aha3r2yo4exampleo4yg3fjk2sbne4567tropaa\",\n        \"ocid1.dynamicgroup.oc1..aaaaaaaabvfwct33xri5examplegov4zyjp3rd5d7sk9jjdggxijhco56hrq\",\n    ],\n    tokenTtl: 60,\n    tokenMaxTtl: 120,\n    tokenPolicies: [\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\noci = vault.OciAuthBackend(\"oci\",\n    path=\"oci\",\n    home_tenancy_id=\"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\")\nexample = vault.OciAuthBackendRole(\"example\",\n    backend=oci.path,\n    name=\"test-role\",\n    ocid_lists=[\n        \"ocid1.group.oc1..aaaaaaaabmyiinfq32y5aha3r2yo4exampleo4yg3fjk2sbne4567tropaa\",\n        \"ocid1.dynamicgroup.oc1..aaaaaaaabvfwct33xri5examplegov4zyjp3rd5d7sk9jjdggxijhco56hrq\",\n    ],\n    token_ttl=60,\n    token_max_ttl=120,\n    token_policies=[\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var oci = new Vault.OciAuthBackend(\"oci\", new()\n    {\n        Path = \"oci\",\n        HomeTenancyId = \"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\",\n    });\n\n    var example = new Vault.OciAuthBackendRole(\"example\", new()\n    {\n        Backend = oci.Path,\n        Name = \"test-role\",\n        OcidLists = new[]\n        {\n            \"ocid1.group.oc1..aaaaaaaabmyiinfq32y5aha3r2yo4exampleo4yg3fjk2sbne4567tropaa\",\n            \"ocid1.dynamicgroup.oc1..aaaaaaaabvfwct33xri5examplegov4zyjp3rd5d7sk9jjdggxijhco56hrq\",\n        },\n        TokenTtl = 60,\n        TokenMaxTtl = 120,\n        TokenPolicies = new[]\n        {\n            \"default\",\n            \"dev\",\n            \"prod\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\toci, err := vault.NewOciAuthBackend(ctx, \"oci\", \u0026vault.OciAuthBackendArgs{\n\t\t\tPath:          pulumi.String(\"oci\"),\n\t\t\tHomeTenancyId: pulumi.String(\"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewOciAuthBackendRole(ctx, \"example\", \u0026vault.OciAuthBackendRoleArgs{\n\t\t\tBackend: oci.Path,\n\t\t\tName:    pulumi.String(\"test-role\"),\n\t\t\tOcidLists: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ocid1.group.oc1..aaaaaaaabmyiinfq32y5aha3r2yo4exampleo4yg3fjk2sbne4567tropaa\"),\n\t\t\t\tpulumi.String(\"ocid1.dynamicgroup.oc1..aaaaaaaabvfwct33xri5examplegov4zyjp3rd5d7sk9jjdggxijhco56hrq\"),\n\t\t\t},\n\t\t\tTokenTtl:    pulumi.Int(60),\n\t\t\tTokenMaxTtl: pulumi.Int(120),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.OciAuthBackend;\nimport com.pulumi.vault.OciAuthBackendArgs;\nimport com.pulumi.vault.OciAuthBackendRole;\nimport com.pulumi.vault.OciAuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var oci = new OciAuthBackend(\"oci\", OciAuthBackendArgs.builder()\n            .path(\"oci\")\n            .homeTenancyId(\"ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\")\n            .build());\n\n        var example = new OciAuthBackendRole(\"example\", OciAuthBackendRoleArgs.builder()\n            .backend(oci.path())\n            .name(\"test-role\")\n            .ocidLists(            \n                \"ocid1.group.oc1..aaaaaaaabmyiinfq32y5aha3r2yo4exampleo4yg3fjk2sbne4567tropaa\",\n                \"ocid1.dynamicgroup.oc1..aaaaaaaabvfwct33xri5examplegov4zyjp3rd5d7sk9jjdggxijhco56hrq\")\n            .tokenTtl(60)\n            .tokenMaxTtl(120)\n            .tokenPolicies(            \n                \"default\",\n                \"dev\",\n                \"prod\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  oci:\n    type: vault:OciAuthBackend\n    properties:\n      path: oci\n      homeTenancyId: ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq\n  example:\n    type: vault:OciAuthBackendRole\n    properties:\n      backend: ${oci.path}\n      name: test-role\n      ocidLists:\n        - ocid1.group.oc1..aaaaaaaabmyiinfq32y5aha3r2yo4exampleo4yg3fjk2sbne4567tropaa\n        - ocid1.dynamicgroup.oc1..aaaaaaaabvfwct33xri5examplegov4zyjp3rd5d7sk9jjdggxijhco56hrq\n      tokenTtl: 60\n      tokenMaxTtl: 120\n      tokenPolicies:\n        - default\n        - dev\n        - prod\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nOCI auth backend roles can be imported using `auth/`, the `backend` path, `/role/`, and the `role` name e.g.\n\n```sh\n$ pulumi import vault:index/ociAuthBackendRole:OciAuthBackendRole example auth/oci/role/test-role\n```\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"backend":{"type":"string","description":"Unique name of the auth backend to configure."},"name":{"type":"string","description":"The name of the role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n"},"ocidLists":{"type":"array","items":{"type":"string"},"description":"The list of Group or Dynamic Group OCIDs that can take this role.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["name"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","willReplaceOnChanges":true},"name":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocidLists":{"type":"array","items":{"type":"string"},"description":"The list of Group or Dynamic Group OCIDs that can take this role.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"stateInputs":{"description":"Input properties used for looking up and filtering OciAuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"backend":{"type":"string","description":"Unique name of the auth backend to configure.","willReplaceOnChanges":true},"name":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocidLists":{"type":"array","items":{"type":"string"},"description":"The list of Group or Dynamic Group OCIDs that can take this role.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:index/plugin:Plugin":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst jwt = new vault.Plugin(\"jwt\", {\n    type: \"auth\",\n    name: \"jwt\",\n    command: \"vault-plugin-auth-jwt\",\n    version: \"v0.17.0\",\n    sha256: \"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\",\n    envs: [\"HTTP_PROXY=http://proxy.example.com:8080\"],\n});\nconst jwtAuth = new vault.AuthBackend(\"jwt_auth\", {type: jwt.name});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\njwt = vault.Plugin(\"jwt\",\n    type=\"auth\",\n    name=\"jwt\",\n    command=\"vault-plugin-auth-jwt\",\n    version=\"v0.17.0\",\n    sha256=\"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\",\n    envs=[\"HTTP_PROXY=http://proxy.example.com:8080\"])\njwt_auth = vault.AuthBackend(\"jwt_auth\", type=jwt.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var jwt = new Vault.Plugin(\"jwt\", new()\n    {\n        Type = \"auth\",\n        Name = \"jwt\",\n        Command = \"vault-plugin-auth-jwt\",\n        Version = \"v0.17.0\",\n        Sha256 = \"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\",\n        Envs = new[]\n        {\n            \"HTTP_PROXY=http://proxy.example.com:8080\",\n        },\n    });\n\n    var jwtAuth = new Vault.AuthBackend(\"jwt_auth\", new()\n    {\n        Type = jwt.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tjwt, err := vault.NewPlugin(ctx, \"jwt\", \u0026vault.PluginArgs{\n\t\t\tType:    pulumi.String(\"auth\"),\n\t\t\tName:    pulumi.String(\"jwt\"),\n\t\t\tCommand: pulumi.String(\"vault-plugin-auth-jwt\"),\n\t\t\tVersion: pulumi.String(\"v0.17.0\"),\n\t\t\tSha256:  pulumi.String(\"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\"),\n\t\t\tEnvs: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"HTTP_PROXY=http://proxy.example.com:8080\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewAuthBackend(ctx, \"jwt_auth\", \u0026vault.AuthBackendArgs{\n\t\t\tType: jwt.Name,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Plugin;\nimport com.pulumi.vault.PluginArgs;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var jwt = new Plugin(\"jwt\", PluginArgs.builder()\n            .type(\"auth\")\n            .name(\"jwt\")\n            .command(\"vault-plugin-auth-jwt\")\n            .version(\"v0.17.0\")\n            .sha256(\"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\")\n            .envs(\"HTTP_PROXY=http://proxy.example.com:8080\")\n            .build());\n\n        var jwtAuth = new AuthBackend(\"jwtAuth\", AuthBackendArgs.builder()\n            .type(jwt.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  jwt:\n    type: vault:Plugin\n    properties:\n      type: auth\n      name: jwt\n      command: vault-plugin-auth-jwt\n      version: v0.17.0\n      sha256: 6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\n      envs:\n        - HTTP_PROXY=http://proxy.example.com:8080\n  jwtAuth:\n    type: vault:AuthBackend\n    name: jwt_auth\n    properties:\n      type: ${jwt.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nPlugins can be imported using `:type/name/:name` or `:type/version/:version/name/:name` as the ID if the version is non-empty, e.g.\n\n```sh\n$ pulumi import vault:index/plugin:Plugin jwt auth/name/jwt\n```\n```sh\n$ pulumi import vault:index/plugin:Plugin jwt auth/version/v0.17.0/name/jwt\n```\n","properties":{"args":{"type":"array","items":{"type":"string"},"description":"List of additional args to pass to the plugin.\n"},"command":{"type":"string","description":"Command to execute the plugin, relative to the server's configured \u003cspan pulumi-lang-nodejs=\"`pluginDirectory`\" pulumi-lang-dotnet=\"`PluginDirectory`\" pulumi-lang-go=\"`pluginDirectory`\" pulumi-lang-python=\"`plugin_directory`\" pulumi-lang-yaml=\"`pluginDirectory`\" pulumi-lang-java=\"`pluginDirectory`\"\u003e`plugin_directory`\u003c/span\u003e.\n"},"envs":{"type":"array","items":{"type":"string"},"description":"List of additional environment variables to run the plugin with in KEY=VALUE form.\n","secret":true},"name":{"type":"string","description":"Name of the plugin.\n"},"ociImage":{"type":"string","description":"Specifies OCI image to run. If specified, setting\n\u003cspan pulumi-lang-nodejs=\"`command`\" pulumi-lang-dotnet=\"`Command`\" pulumi-lang-go=\"`command`\" pulumi-lang-python=\"`command`\" pulumi-lang-yaml=\"`command`\" pulumi-lang-java=\"`command`\"\u003e`command`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`args`\" pulumi-lang-dotnet=\"`Args`\" pulumi-lang-go=\"`args`\" pulumi-lang-python=\"`args`\" pulumi-lang-yaml=\"`args`\" pulumi-lang-java=\"`args`\"\u003e`args`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`env`\" pulumi-lang-dotnet=\"`Env`\" pulumi-lang-go=\"`env`\" pulumi-lang-python=\"`env`\" pulumi-lang-yaml=\"`env`\" pulumi-lang-java=\"`env`\"\u003e`env`\u003c/span\u003e will update the container's entrypoint, args, and\nenvironment variables (append-only) respectively.\n"},"runtime":{"type":"string","description":"Vault plugin runtime to use if \u003cspan pulumi-lang-nodejs=\"`ociImage`\" pulumi-lang-dotnet=\"`OciImage`\" pulumi-lang-go=\"`ociImage`\" pulumi-lang-python=\"`oci_image`\" pulumi-lang-yaml=\"`ociImage`\" pulumi-lang-java=\"`ociImage`\"\u003e`oci_image`\u003c/span\u003e is specified.\n"},"sha256":{"type":"string","description":"SHA256 sum of the plugin binary.\n"},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".\n"},"version":{"type":"string","description":"Semantic version of the plugin.\n"}},"required":["command","name","sha256","type"],"inputProperties":{"args":{"type":"array","items":{"type":"string"},"description":"List of additional args to pass to the plugin.\n"},"command":{"type":"string","description":"Command to execute the plugin, relative to the server's configured \u003cspan pulumi-lang-nodejs=\"`pluginDirectory`\" pulumi-lang-dotnet=\"`PluginDirectory`\" pulumi-lang-go=\"`pluginDirectory`\" pulumi-lang-python=\"`plugin_directory`\" pulumi-lang-yaml=\"`pluginDirectory`\" pulumi-lang-java=\"`pluginDirectory`\"\u003e`plugin_directory`\u003c/span\u003e.\n"},"envs":{"type":"array","items":{"type":"string"},"description":"List of additional environment variables to run the plugin with in KEY=VALUE form.\n","secret":true},"name":{"type":"string","description":"Name of the plugin.\n","willReplaceOnChanges":true},"ociImage":{"type":"string","description":"Specifies OCI image to run. If specified, setting\n\u003cspan pulumi-lang-nodejs=\"`command`\" pulumi-lang-dotnet=\"`Command`\" pulumi-lang-go=\"`command`\" pulumi-lang-python=\"`command`\" pulumi-lang-yaml=\"`command`\" pulumi-lang-java=\"`command`\"\u003e`command`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`args`\" pulumi-lang-dotnet=\"`Args`\" pulumi-lang-go=\"`args`\" pulumi-lang-python=\"`args`\" pulumi-lang-yaml=\"`args`\" pulumi-lang-java=\"`args`\"\u003e`args`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`env`\" pulumi-lang-dotnet=\"`Env`\" pulumi-lang-go=\"`env`\" pulumi-lang-python=\"`env`\" pulumi-lang-yaml=\"`env`\" pulumi-lang-java=\"`env`\"\u003e`env`\u003c/span\u003e will update the container's entrypoint, args, and\nenvironment variables (append-only) respectively.\n"},"runtime":{"type":"string","description":"Vault plugin runtime to use if \u003cspan pulumi-lang-nodejs=\"`ociImage`\" pulumi-lang-dotnet=\"`OciImage`\" pulumi-lang-go=\"`ociImage`\" pulumi-lang-python=\"`oci_image`\" pulumi-lang-yaml=\"`ociImage`\" pulumi-lang-java=\"`ociImage`\"\u003e`oci_image`\u003c/span\u003e is specified.\n"},"sha256":{"type":"string","description":"SHA256 sum of the plugin binary.\n"},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".\n","willReplaceOnChanges":true},"version":{"type":"string","description":"Semantic version of the plugin.\n","willReplaceOnChanges":true}},"requiredInputs":["command","sha256","type"],"stateInputs":{"description":"Input properties used for looking up and filtering Plugin resources.\n","properties":{"args":{"type":"array","items":{"type":"string"},"description":"List of additional args to pass to the plugin.\n"},"command":{"type":"string","description":"Command to execute the plugin, relative to the server's configured \u003cspan pulumi-lang-nodejs=\"`pluginDirectory`\" pulumi-lang-dotnet=\"`PluginDirectory`\" pulumi-lang-go=\"`pluginDirectory`\" pulumi-lang-python=\"`plugin_directory`\" pulumi-lang-yaml=\"`pluginDirectory`\" pulumi-lang-java=\"`pluginDirectory`\"\u003e`plugin_directory`\u003c/span\u003e.\n"},"envs":{"type":"array","items":{"type":"string"},"description":"List of additional environment variables to run the plugin with in KEY=VALUE form.\n","secret":true},"name":{"type":"string","description":"Name of the plugin.\n","willReplaceOnChanges":true},"ociImage":{"type":"string","description":"Specifies OCI image to run. If specified, setting\n\u003cspan pulumi-lang-nodejs=\"`command`\" pulumi-lang-dotnet=\"`Command`\" pulumi-lang-go=\"`command`\" pulumi-lang-python=\"`command`\" pulumi-lang-yaml=\"`command`\" pulumi-lang-java=\"`command`\"\u003e`command`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`args`\" pulumi-lang-dotnet=\"`Args`\" pulumi-lang-go=\"`args`\" pulumi-lang-python=\"`args`\" pulumi-lang-yaml=\"`args`\" pulumi-lang-java=\"`args`\"\u003e`args`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`env`\" pulumi-lang-dotnet=\"`Env`\" pulumi-lang-go=\"`env`\" pulumi-lang-python=\"`env`\" pulumi-lang-yaml=\"`env`\" pulumi-lang-java=\"`env`\"\u003e`env`\u003c/span\u003e will update the container's entrypoint, args, and\nenvironment variables (append-only) respectively.\n"},"runtime":{"type":"string","description":"Vault plugin runtime to use if \u003cspan pulumi-lang-nodejs=\"`ociImage`\" pulumi-lang-dotnet=\"`OciImage`\" pulumi-lang-go=\"`ociImage`\" pulumi-lang-python=\"`oci_image`\" pulumi-lang-yaml=\"`ociImage`\" pulumi-lang-java=\"`ociImage`\"\u003e`oci_image`\u003c/span\u003e is specified.\n"},"sha256":{"type":"string","description":"SHA256 sum of the plugin binary.\n"},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".\n","willReplaceOnChanges":true},"version":{"type":"string","description":"Semantic version of the plugin.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:index/pluginPinnedVersion:PluginPinnedVersion":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst jwt = new vault.Plugin(\"jwt\", {\n    type: \"auth\",\n    name: \"jwt\",\n    command: \"vault-plugin-auth-jwt\",\n    version: \"v0.17.0\",\n    sha256: \"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\",\n    envs: [\"HTTP_PROXY=http://proxy.example.com:8080\"],\n});\nconst jwtPin = new vault.PluginPinnedVersion(\"jwt_pin\", {\n    type: jwt.type,\n    name: jwt.name,\n    version: jwt.version,\n});\nconst jwtAuth = new vault.AuthBackend(\"jwt_auth\", {type: jwtPin.name});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\njwt = vault.Plugin(\"jwt\",\n    type=\"auth\",\n    name=\"jwt\",\n    command=\"vault-plugin-auth-jwt\",\n    version=\"v0.17.0\",\n    sha256=\"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\",\n    envs=[\"HTTP_PROXY=http://proxy.example.com:8080\"])\njwt_pin = vault.PluginPinnedVersion(\"jwt_pin\",\n    type=jwt.type,\n    name=jwt.name,\n    version=jwt.version)\njwt_auth = vault.AuthBackend(\"jwt_auth\", type=jwt_pin.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var jwt = new Vault.Plugin(\"jwt\", new()\n    {\n        Type = \"auth\",\n        Name = \"jwt\",\n        Command = \"vault-plugin-auth-jwt\",\n        Version = \"v0.17.0\",\n        Sha256 = \"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\",\n        Envs = new[]\n        {\n            \"HTTP_PROXY=http://proxy.example.com:8080\",\n        },\n    });\n\n    var jwtPin = new Vault.PluginPinnedVersion(\"jwt_pin\", new()\n    {\n        Type = jwt.Type,\n        Name = jwt.Name,\n        Version = jwt.Version,\n    });\n\n    var jwtAuth = new Vault.AuthBackend(\"jwt_auth\", new()\n    {\n        Type = jwtPin.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tjwt, err := vault.NewPlugin(ctx, \"jwt\", \u0026vault.PluginArgs{\n\t\t\tType:    pulumi.String(\"auth\"),\n\t\t\tName:    pulumi.String(\"jwt\"),\n\t\t\tCommand: pulumi.String(\"vault-plugin-auth-jwt\"),\n\t\t\tVersion: pulumi.String(\"v0.17.0\"),\n\t\t\tSha256:  pulumi.String(\"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\"),\n\t\t\tEnvs: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"HTTP_PROXY=http://proxy.example.com:8080\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjwtPin, err := vault.NewPluginPinnedVersion(ctx, \"jwt_pin\", \u0026vault.PluginPinnedVersionArgs{\n\t\t\tType:    jwt.Type,\n\t\t\tName:    jwt.Name,\n\t\t\tVersion: jwt.Version,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewAuthBackend(ctx, \"jwt_auth\", \u0026vault.AuthBackendArgs{\n\t\t\tType: jwtPin.Name,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Plugin;\nimport com.pulumi.vault.PluginArgs;\nimport com.pulumi.vault.PluginPinnedVersion;\nimport com.pulumi.vault.PluginPinnedVersionArgs;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var jwt = new Plugin(\"jwt\", PluginArgs.builder()\n            .type(\"auth\")\n            .name(\"jwt\")\n            .command(\"vault-plugin-auth-jwt\")\n            .version(\"v0.17.0\")\n            .sha256(\"6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\")\n            .envs(\"HTTP_PROXY=http://proxy.example.com:8080\")\n            .build());\n\n        var jwtPin = new PluginPinnedVersion(\"jwtPin\", PluginPinnedVersionArgs.builder()\n            .type(jwt.type())\n            .name(jwt.name())\n            .version(jwt.version())\n            .build());\n\n        var jwtAuth = new AuthBackend(\"jwtAuth\", AuthBackendArgs.builder()\n            .type(jwtPin.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  jwt:\n    type: vault:Plugin\n    properties:\n      type: auth\n      name: jwt\n      command: vault-plugin-auth-jwt\n      version: v0.17.0\n      sha256: 6bd0a803ed742aa3ce35e4fa23d2c8d550e6c1567bf63410cec489c28b68b0fc\n      envs:\n        - HTTP_PROXY=http://proxy.example.com:8080\n  jwtPin:\n    type: vault:PluginPinnedVersion\n    name: jwt_pin\n    properties:\n      type: ${jwt.type}\n      name: ${jwt.name}\n      version: ${jwt.version}\n  jwtAuth:\n    type: vault:AuthBackend\n    name: jwt_auth\n    properties:\n      type: ${jwtPin.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nPinned plugin versions can be imported using `type/name` as the ID, e.g.\n\n```sh\n$ pulumi import vault:index/pluginPinnedVersion:PluginPinnedVersion jwt_pin auth/jwt\n```\n","properties":{"name":{"type":"string","description":"Name of the plugin.\n"},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".\n"},"version":{"type":"string","description":"Semantic version of the plugin to pin.\n"}},"required":["name","type","version"],"inputProperties":{"name":{"type":"string","description":"Name of the plugin.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".\n","willReplaceOnChanges":true},"version":{"type":"string","description":"Semantic version of the plugin to pin.\n"}},"requiredInputs":["type","version"],"stateInputs":{"description":"Input properties used for looking up and filtering PluginPinnedVersion resources.\n","properties":{"name":{"type":"string","description":"Name of the plugin.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Type of plugin; one of \"auth\", \"secret\", or \"database\".\n","willReplaceOnChanges":true},"version":{"type":"string","description":"Semantic version of the plugin to pin.\n"}},"type":"object"}},"vault:index/policy:Policy":{"description":"\n\n## Import\n\nPolicies can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:index/policy:Policy example dev-team\n```\n","properties":{"name":{"type":"string","description":"The name of the policy\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policy":{"type":"string","description":"String containing a Vault policy\n","language":{"csharp":{"name":"PolicyContents"}}}},"required":["name","policy"],"inputProperties":{"name":{"type":"string","description":"The name of the policy\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policy":{"type":"string","description":"String containing a Vault policy\n","language":{"csharp":{"name":"PolicyContents"}}}},"requiredInputs":["policy"],"stateInputs":{"description":"Input properties used for looking up and filtering Policy resources.\n","properties":{"name":{"type":"string","description":"The name of the policy\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policy":{"type":"string","description":"String containing a Vault policy\n","language":{"csharp":{"name":"PolicyContents"}}}},"type":"object"}},"vault:index/quotaLeaseCount:QuotaLeaseCount":{"description":"Manage lease count quotas which enforce the number of leases that can be created.\nA lease count quota can be created at the root level or defined on a namespace or mount by\nspecifying a path when creating the quota.\n\nSee [Vault's Documentation](https://www.vaultproject.io/docs/enterprise/lease-count-quotas) for more\ninformation.   \n\n**Note** this feature is available only with Vault Enterprise.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst global = new vault.QuotaLeaseCount(\"global\", {\n    name: \"global\",\n    path: \"\",\n    maxLeases: 100,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nglobal_ = vault.QuotaLeaseCount(\"global\",\n    name=\"global\",\n    path=\"\",\n    max_leases=100)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @global = new Vault.QuotaLeaseCount(\"global\", new()\n    {\n        Name = \"global\",\n        Path = \"\",\n        MaxLeases = 100,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewQuotaLeaseCount(ctx, \"global\", \u0026vault.QuotaLeaseCountArgs{\n\t\t\tName:      pulumi.String(\"global\"),\n\t\t\tPath:      pulumi.String(\"\"),\n\t\t\tMaxLeases: pulumi.Int(100),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.QuotaLeaseCount;\nimport com.pulumi.vault.QuotaLeaseCountArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var global = new QuotaLeaseCount(\"global\", QuotaLeaseCountArgs.builder()\n            .name(\"global\")\n            .path(\"\")\n            .maxLeases(100)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  global:\n    type: vault:QuotaLeaseCount\n    properties:\n      name: global\n      path: \"\"\n      maxLeases: 100\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLease count quotas can be imported using their names\n\n```sh\n$ pulumi import vault:index/quotaLeaseCount:QuotaLeaseCount global global\n```\n","properties":{"inheritable":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.\n"},"maxLeases":{"type":"integer","description":"The maximum number of leases to be allowed by the quota\nrule. The \u003cspan pulumi-lang-nodejs=\"`maxLeases`\" pulumi-lang-dotnet=\"`MaxLeases`\" pulumi-lang-go=\"`maxLeases`\" pulumi-lang-python=\"`max_leases`\" pulumi-lang-yaml=\"`maxLeases`\" pulumi-lang-java=\"`maxLeases`\"\u003e`max_leases`\u003c/span\u003e must be positive.\n"},"name":{"type":"string","description":"Name of the rate limit quota\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a\nglobal rate limit quota. For example `namespace1/` adds a quota to a full namespace,\n`namespace1/auth/userpass` adds a \u003cspan pulumi-lang-nodejs=\"`quota`\" pulumi-lang-dotnet=\"`Quota`\" pulumi-lang-go=\"`quota`\" pulumi-lang-python=\"`quota`\" pulumi-lang-yaml=\"`quota`\" pulumi-lang-java=\"`quota`\"\u003e`quota`\u003c/span\u003e to \u003cspan pulumi-lang-nodejs=\"`userpass`\" pulumi-lang-dotnet=\"`Userpass`\" pulumi-lang-go=\"`userpass`\" pulumi-lang-python=\"`userpass`\" pulumi-lang-yaml=\"`userpass`\" pulumi-lang-java=\"`userpass`\"\u003e`userpass`\u003c/span\u003e in \u003cspan pulumi-lang-nodejs=\"`namespace1`\" pulumi-lang-dotnet=\"`Namespace1`\" pulumi-lang-go=\"`namespace1`\" pulumi-lang-python=\"`namespace1`\" pulumi-lang-yaml=\"`namespace1`\" pulumi-lang-java=\"`namespace1`\"\u003e`namespace1`\u003c/span\u003e.\nUpdating this field on an existing quota can have \"moving\" effects. For example, updating\n`auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to\na namespace specific mount quota. **Note, namespaces are supported in Enterprise only.**\n"},"role":{"type":"string","description":"If set on a quota where \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.\n"}},"required":["maxLeases","name"],"inputProperties":{"inheritable":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.\n"},"maxLeases":{"type":"integer","description":"The maximum number of leases to be allowed by the quota\nrule. The \u003cspan pulumi-lang-nodejs=\"`maxLeases`\" pulumi-lang-dotnet=\"`MaxLeases`\" pulumi-lang-go=\"`maxLeases`\" pulumi-lang-python=\"`max_leases`\" pulumi-lang-yaml=\"`maxLeases`\" pulumi-lang-java=\"`maxLeases`\"\u003e`max_leases`\u003c/span\u003e must be positive.\n"},"name":{"type":"string","description":"Name of the rate limit quota\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a\nglobal rate limit quota. For example `namespace1/` adds a quota to a full namespace,\n`namespace1/auth/userpass` adds a \u003cspan pulumi-lang-nodejs=\"`quota`\" pulumi-lang-dotnet=\"`Quota`\" pulumi-lang-go=\"`quota`\" pulumi-lang-python=\"`quota`\" pulumi-lang-yaml=\"`quota`\" pulumi-lang-java=\"`quota`\"\u003e`quota`\u003c/span\u003e to \u003cspan pulumi-lang-nodejs=\"`userpass`\" pulumi-lang-dotnet=\"`Userpass`\" pulumi-lang-go=\"`userpass`\" pulumi-lang-python=\"`userpass`\" pulumi-lang-yaml=\"`userpass`\" pulumi-lang-java=\"`userpass`\"\u003e`userpass`\u003c/span\u003e in \u003cspan pulumi-lang-nodejs=\"`namespace1`\" pulumi-lang-dotnet=\"`Namespace1`\" pulumi-lang-go=\"`namespace1`\" pulumi-lang-python=\"`namespace1`\" pulumi-lang-yaml=\"`namespace1`\" pulumi-lang-java=\"`namespace1`\"\u003e`namespace1`\u003c/span\u003e.\nUpdating this field on an existing quota can have \"moving\" effects. For example, updating\n`auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to\na namespace specific mount quota. **Note, namespaces are supported in Enterprise only.**\n"},"role":{"type":"string","description":"If set on a quota where \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.\n"}},"requiredInputs":["maxLeases"],"stateInputs":{"description":"Input properties used for looking up and filtering QuotaLeaseCount resources.\n","properties":{"inheritable":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.\n"},"maxLeases":{"type":"integer","description":"The maximum number of leases to be allowed by the quota\nrule. The \u003cspan pulumi-lang-nodejs=\"`maxLeases`\" pulumi-lang-dotnet=\"`MaxLeases`\" pulumi-lang-go=\"`maxLeases`\" pulumi-lang-python=\"`max_leases`\" pulumi-lang-yaml=\"`maxLeases`\" pulumi-lang-java=\"`maxLeases`\"\u003e`max_leases`\u003c/span\u003e must be positive.\n"},"name":{"type":"string","description":"Name of the rate limit quota\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a\nglobal rate limit quota. For example `namespace1/` adds a quota to a full namespace,\n`namespace1/auth/userpass` adds a \u003cspan pulumi-lang-nodejs=\"`quota`\" pulumi-lang-dotnet=\"`Quota`\" pulumi-lang-go=\"`quota`\" pulumi-lang-python=\"`quota`\" pulumi-lang-yaml=\"`quota`\" pulumi-lang-java=\"`quota`\"\u003e`quota`\u003c/span\u003e to \u003cspan pulumi-lang-nodejs=\"`userpass`\" pulumi-lang-dotnet=\"`Userpass`\" pulumi-lang-go=\"`userpass`\" pulumi-lang-python=\"`userpass`\" pulumi-lang-yaml=\"`userpass`\" pulumi-lang-java=\"`userpass`\"\u003e`userpass`\u003c/span\u003e in \u003cspan pulumi-lang-nodejs=\"`namespace1`\" pulumi-lang-dotnet=\"`Namespace1`\" pulumi-lang-go=\"`namespace1`\" pulumi-lang-python=\"`namespace1`\" pulumi-lang-yaml=\"`namespace1`\" pulumi-lang-java=\"`namespace1`\"\u003e`namespace1`\u003c/span\u003e.\nUpdating this field on an existing quota can have \"moving\" effects. For example, updating\n`auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to\na namespace specific mount quota. **Note, namespaces are supported in Enterprise only.**\n"},"role":{"type":"string","description":"If set on a quota where \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.\n"}},"type":"object"}},"vault:index/quotaRateLimit:QuotaRateLimit":{"description":"Manage rate limit quotas which enforce API rate limiting using a token bucket algorithm.\nA rate limit quota can be created at the root level or defined on a namespace or mount by\nspecifying a path when creating the quota.\n\nSee [Vault's Documentation](https://www.vaultproject.io/docs/concepts/resource-quotas) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst global = new vault.QuotaRateLimit(\"global\", {\n    name: \"global\",\n    path: \"\",\n    rate: 100,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nglobal_ = vault.QuotaRateLimit(\"global\",\n    name=\"global\",\n    path=\"\",\n    rate=100)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @global = new Vault.QuotaRateLimit(\"global\", new()\n    {\n        Name = \"global\",\n        Path = \"\",\n        Rate = 100,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewQuotaRateLimit(ctx, \"global\", \u0026vault.QuotaRateLimitArgs{\n\t\t\tName: pulumi.String(\"global\"),\n\t\t\tPath: pulumi.String(\"\"),\n\t\t\tRate: pulumi.Float64(100),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.QuotaRateLimit;\nimport com.pulumi.vault.QuotaRateLimitArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var global = new QuotaRateLimit(\"global\", QuotaRateLimitArgs.builder()\n            .name(\"global\")\n            .path(\"\")\n            .rate(100.0)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  global:\n    type: vault:QuotaRateLimit\n    properties:\n      name: global\n      path: \"\"\n      rate: 100\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nRate limit quotas can be imported using their names\n\n```sh\n$ pulumi import vault:index/quotaRateLimit:QuotaRateLimit global global\n```\n","properties":{"blockInterval":{"type":"integer","description":"If set, when a client reaches a rate limit threshold, the client will\nbe prohibited from any further requests until after the 'block_interval' in seconds has elapsed.\n"},"groupBy":{"type":"string","description":"Attribute used to group requests for rate limiting. Limits are enforced independently for each\ngroup. Valid \u003cspan pulumi-lang-nodejs=\"`groupBy`\" pulumi-lang-dotnet=\"`GroupBy`\" pulumi-lang-go=\"`groupBy`\" pulumi-lang-python=\"`group_by`\" pulumi-lang-yaml=\"`groupBy`\" pulumi-lang-java=\"`groupBy`\"\u003e`group_by`\u003c/span\u003e modes are: 1) \u003cspan pulumi-lang-nodejs=\"`ip`\" pulumi-lang-dotnet=\"`Ip`\" pulumi-lang-go=\"`ip`\" pulumi-lang-python=\"`ip`\" pulumi-lang-yaml=\"`ip`\" pulumi-lang-java=\"`ip`\"\u003e`ip`\u003c/span\u003e that groups requests by their source IP address (**\u003cspan pulumi-lang-nodejs=\"`groupBy`\" pulumi-lang-dotnet=\"`GroupBy`\" pulumi-lang-go=\"`groupBy`\" pulumi-lang-python=\"`group_by`\" pulumi-lang-yaml=\"`groupBy`\" pulumi-lang-java=\"`groupBy`\"\u003e`group_by`\u003c/span\u003e defaults to\n\u003cspan pulumi-lang-nodejs=\"`ip`\" pulumi-lang-dotnet=\"`Ip`\" pulumi-lang-go=\"`ip`\" pulumi-lang-python=\"`ip`\" pulumi-lang-yaml=\"`ip`\" pulumi-lang-java=\"`ip`\"\u003e`ip`\u003c/span\u003e if unset, which is the only supported mode in community edition**); 2) \u003cspan pulumi-lang-nodejs=\"`none`\" pulumi-lang-dotnet=\"`None`\" pulumi-lang-go=\"`none`\" pulumi-lang-python=\"`none`\" pulumi-lang-yaml=\"`none`\" pulumi-lang-java=\"`none`\"\u003e`none`\u003c/span\u003e that groups together all requests\nthat match the rate limit quota rule; 3) \u003cspan pulumi-lang-nodejs=\"`entityThenIp`\" pulumi-lang-dotnet=\"`EntityThenIp`\" pulumi-lang-go=\"`entityThenIp`\" pulumi-lang-python=\"`entity_then_ip`\" pulumi-lang-yaml=\"`entityThenIp`\" pulumi-lang-java=\"`entityThenIp`\"\u003e`entity_then_ip`\u003c/span\u003e that groups requests by their entity ID for authenticated\nrequests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not\nconnected to an entity); and 4) \u003cspan pulumi-lang-nodejs=\"`entityThenNone`\" pulumi-lang-dotnet=\"`EntityThenNone`\" pulumi-lang-go=\"`entityThenNone`\" pulumi-lang-python=\"`entity_then_none`\" pulumi-lang-yaml=\"`entityThenNone`\" pulumi-lang-java=\"`entityThenNone`\"\u003e`entity_then_none`\u003c/span\u003e which also groups requests by their entity ID when available, but\nthe rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).\n"},"inheritable":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.\n"},"interval":{"type":"integer","description":"The duration in seconds to enforce rate limiting for.\n"},"name":{"type":"string","description":"Name of the rate limit quota\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a\nglobal rate limit quota. For example `namespace1/` adds a quota to a full namespace,\n`namespace1/auth/userpass` adds a \u003cspan pulumi-lang-nodejs=\"`quota`\" pulumi-lang-dotnet=\"`Quota`\" pulumi-lang-go=\"`quota`\" pulumi-lang-python=\"`quota`\" pulumi-lang-yaml=\"`quota`\" pulumi-lang-java=\"`quota`\"\u003e`quota`\u003c/span\u003e to \u003cspan pulumi-lang-nodejs=\"`userpass`\" pulumi-lang-dotnet=\"`Userpass`\" pulumi-lang-go=\"`userpass`\" pulumi-lang-python=\"`userpass`\" pulumi-lang-yaml=\"`userpass`\" pulumi-lang-java=\"`userpass`\"\u003e`userpass`\u003c/span\u003e in \u003cspan pulumi-lang-nodejs=\"`namespace1`\" pulumi-lang-dotnet=\"`Namespace1`\" pulumi-lang-go=\"`namespace1`\" pulumi-lang-python=\"`namespace1`\" pulumi-lang-yaml=\"`namespace1`\" pulumi-lang-java=\"`namespace1`\"\u003e`namespace1`\u003c/span\u003e.\nUpdating this field on an existing quota can have \"moving\" effects. For example, updating\n`auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to\na namespace specific mount quota. **Note, namespaces are supported in Enterprise only.**\n"},"rate":{"type":"number","description":"The maximum number of requests at any given second to be allowed by the quota\nrule. The \u003cspan pulumi-lang-nodejs=\"`rate`\" pulumi-lang-dotnet=\"`Rate`\" pulumi-lang-go=\"`rate`\" pulumi-lang-python=\"`rate`\" pulumi-lang-yaml=\"`rate`\" pulumi-lang-java=\"`rate`\"\u003e`rate`\u003c/span\u003e must be positive.\n"},"role":{"type":"string","description":"If set on a quota where \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.\n"},"secondaryRate":{"type":"number","description":"Can only be set for the \u003cspan pulumi-lang-nodejs=\"`groupBy`\" pulumi-lang-dotnet=\"`GroupBy`\" pulumi-lang-go=\"`groupBy`\" pulumi-lang-python=\"`group_by`\" pulumi-lang-yaml=\"`groupBy`\" pulumi-lang-java=\"`groupBy`\"\u003e`group_by`\u003c/span\u003e modes \u003cspan pulumi-lang-nodejs=\"`entityThenIp`\" pulumi-lang-dotnet=\"`EntityThenIp`\" pulumi-lang-go=\"`entityThenIp`\" pulumi-lang-python=\"`entity_then_ip`\" pulumi-lang-yaml=\"`entityThenIp`\" pulumi-lang-java=\"`entityThenIp`\"\u003e`entity_then_ip`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`entityThenNone`\" pulumi-lang-dotnet=\"`EntityThenNone`\" pulumi-lang-go=\"`entityThenNone`\" pulumi-lang-python=\"`entity_then_none`\" pulumi-lang-yaml=\"`entityThenNone`\" pulumi-lang-java=\"`entityThenNone`\"\u003e`entity_then_none`\u003c/span\u003e. This is\nthe rate limit applied to the requests that fall under the \"ip\" or \"none\" groupings, while the authenticated requests\nthat contain an entity ID are subject to the \u003cspan pulumi-lang-nodejs=\"`rate`\" pulumi-lang-dotnet=\"`Rate`\" pulumi-lang-go=\"`rate`\" pulumi-lang-python=\"`rate`\" pulumi-lang-yaml=\"`rate`\" pulumi-lang-java=\"`rate`\"\u003e`rate`\u003c/span\u003e field instead. Defaults to the same value as \u003cspan pulumi-lang-nodejs=\"`rate`\" pulumi-lang-dotnet=\"`Rate`\" pulumi-lang-go=\"`rate`\" pulumi-lang-python=\"`rate`\" pulumi-lang-yaml=\"`rate`\" pulumi-lang-java=\"`rate`\"\u003e`rate`\u003c/span\u003e.\n"}},"required":["groupBy","interval","name","rate","secondaryRate"],"inputProperties":{"blockInterval":{"type":"integer","description":"If set, when a client reaches a rate limit threshold, the client will\nbe prohibited from any further requests until after the 'block_interval' in seconds has elapsed.\n"},"groupBy":{"type":"string","description":"Attribute used to group requests for rate limiting. Limits are enforced independently for each\ngroup. Valid \u003cspan pulumi-lang-nodejs=\"`groupBy`\" pulumi-lang-dotnet=\"`GroupBy`\" pulumi-lang-go=\"`groupBy`\" pulumi-lang-python=\"`group_by`\" pulumi-lang-yaml=\"`groupBy`\" pulumi-lang-java=\"`groupBy`\"\u003e`group_by`\u003c/span\u003e modes are: 1) \u003cspan pulumi-lang-nodejs=\"`ip`\" pulumi-lang-dotnet=\"`Ip`\" pulumi-lang-go=\"`ip`\" pulumi-lang-python=\"`ip`\" pulumi-lang-yaml=\"`ip`\" pulumi-lang-java=\"`ip`\"\u003e`ip`\u003c/span\u003e that groups requests by their source IP address (**\u003cspan pulumi-lang-nodejs=\"`groupBy`\" pulumi-lang-dotnet=\"`GroupBy`\" pulumi-lang-go=\"`groupBy`\" pulumi-lang-python=\"`group_by`\" pulumi-lang-yaml=\"`groupBy`\" pulumi-lang-java=\"`groupBy`\"\u003e`group_by`\u003c/span\u003e defaults to\n\u003cspan pulumi-lang-nodejs=\"`ip`\" pulumi-lang-dotnet=\"`Ip`\" pulumi-lang-go=\"`ip`\" pulumi-lang-python=\"`ip`\" pulumi-lang-yaml=\"`ip`\" pulumi-lang-java=\"`ip`\"\u003e`ip`\u003c/span\u003e if unset, which is the only supported mode in community edition**); 2) \u003cspan pulumi-lang-nodejs=\"`none`\" pulumi-lang-dotnet=\"`None`\" pulumi-lang-go=\"`none`\" pulumi-lang-python=\"`none`\" pulumi-lang-yaml=\"`none`\" pulumi-lang-java=\"`none`\"\u003e`none`\u003c/span\u003e that groups together all requests\nthat match the rate limit quota rule; 3) \u003cspan pulumi-lang-nodejs=\"`entityThenIp`\" pulumi-lang-dotnet=\"`EntityThenIp`\" pulumi-lang-go=\"`entityThenIp`\" pulumi-lang-python=\"`entity_then_ip`\" pulumi-lang-yaml=\"`entityThenIp`\" pulumi-lang-java=\"`entityThenIp`\"\u003e`entity_then_ip`\u003c/span\u003e that groups requests by their entity ID for authenticated\nrequests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not\nconnected to an entity); and 4) \u003cspan pulumi-lang-nodejs=\"`entityThenNone`\" pulumi-lang-dotnet=\"`EntityThenNone`\" pulumi-lang-go=\"`entityThenNone`\" pulumi-lang-python=\"`entity_then_none`\" pulumi-lang-yaml=\"`entityThenNone`\" pulumi-lang-java=\"`entityThenNone`\"\u003e`entity_then_none`\u003c/span\u003e which also groups requests by their entity ID when available, but\nthe rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).\n"},"inheritable":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.\n"},"interval":{"type":"integer","description":"The duration in seconds to enforce rate limiting for.\n"},"name":{"type":"string","description":"Name of the rate limit quota\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a\nglobal rate limit quota. For example `namespace1/` adds a quota to a full namespace,\n`namespace1/auth/userpass` adds a \u003cspan pulumi-lang-nodejs=\"`quota`\" pulumi-lang-dotnet=\"`Quota`\" pulumi-lang-go=\"`quota`\" pulumi-lang-python=\"`quota`\" pulumi-lang-yaml=\"`quota`\" pulumi-lang-java=\"`quota`\"\u003e`quota`\u003c/span\u003e to \u003cspan pulumi-lang-nodejs=\"`userpass`\" pulumi-lang-dotnet=\"`Userpass`\" pulumi-lang-go=\"`userpass`\" pulumi-lang-python=\"`userpass`\" pulumi-lang-yaml=\"`userpass`\" pulumi-lang-java=\"`userpass`\"\u003e`userpass`\u003c/span\u003e in \u003cspan pulumi-lang-nodejs=\"`namespace1`\" pulumi-lang-dotnet=\"`Namespace1`\" pulumi-lang-go=\"`namespace1`\" pulumi-lang-python=\"`namespace1`\" pulumi-lang-yaml=\"`namespace1`\" pulumi-lang-java=\"`namespace1`\"\u003e`namespace1`\u003c/span\u003e.\nUpdating this field on an existing quota can have \"moving\" effects. For example, updating\n`auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to\na namespace specific mount quota. **Note, namespaces are supported in Enterprise only.**\n","willReplaceOnChanges":true},"rate":{"type":"number","description":"The maximum number of requests at any given second to be allowed by the quota\nrule. The \u003cspan pulumi-lang-nodejs=\"`rate`\" pulumi-lang-dotnet=\"`Rate`\" pulumi-lang-go=\"`rate`\" pulumi-lang-python=\"`rate`\" pulumi-lang-yaml=\"`rate`\" pulumi-lang-java=\"`rate`\"\u003e`rate`\u003c/span\u003e must be positive.\n"},"role":{"type":"string","description":"If set on a quota where \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.\n"},"secondaryRate":{"type":"number","description":"Can only be set for the \u003cspan pulumi-lang-nodejs=\"`groupBy`\" pulumi-lang-dotnet=\"`GroupBy`\" pulumi-lang-go=\"`groupBy`\" pulumi-lang-python=\"`group_by`\" pulumi-lang-yaml=\"`groupBy`\" pulumi-lang-java=\"`groupBy`\"\u003e`group_by`\u003c/span\u003e modes \u003cspan pulumi-lang-nodejs=\"`entityThenIp`\" pulumi-lang-dotnet=\"`EntityThenIp`\" pulumi-lang-go=\"`entityThenIp`\" pulumi-lang-python=\"`entity_then_ip`\" pulumi-lang-yaml=\"`entityThenIp`\" pulumi-lang-java=\"`entityThenIp`\"\u003e`entity_then_ip`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`entityThenNone`\" pulumi-lang-dotnet=\"`EntityThenNone`\" pulumi-lang-go=\"`entityThenNone`\" pulumi-lang-python=\"`entity_then_none`\" pulumi-lang-yaml=\"`entityThenNone`\" pulumi-lang-java=\"`entityThenNone`\"\u003e`entity_then_none`\u003c/span\u003e. This is\nthe rate limit applied to the requests that fall under the \"ip\" or \"none\" groupings, while the authenticated requests\nthat contain an entity ID are subject to the \u003cspan pulumi-lang-nodejs=\"`rate`\" pulumi-lang-dotnet=\"`Rate`\" pulumi-lang-go=\"`rate`\" pulumi-lang-python=\"`rate`\" pulumi-lang-yaml=\"`rate`\" pulumi-lang-java=\"`rate`\"\u003e`rate`\u003c/span\u003e field instead. Defaults to the same value as \u003cspan pulumi-lang-nodejs=\"`rate`\" pulumi-lang-dotnet=\"`Rate`\" pulumi-lang-go=\"`rate`\" pulumi-lang-python=\"`rate`\" pulumi-lang-yaml=\"`rate`\" pulumi-lang-java=\"`rate`\"\u003e`rate`\u003c/span\u003e.\n"}},"requiredInputs":["rate"],"stateInputs":{"description":"Input properties used for looking up and filtering QuotaRateLimit resources.\n","properties":{"blockInterval":{"type":"integer","description":"If set, when a client reaches a rate limit threshold, the client will\nbe prohibited from any further requests until after the 'block_interval' in seconds has elapsed.\n"},"groupBy":{"type":"string","description":"Attribute used to group requests for rate limiting. Limits are enforced independently for each\ngroup. Valid \u003cspan pulumi-lang-nodejs=\"`groupBy`\" pulumi-lang-dotnet=\"`GroupBy`\" pulumi-lang-go=\"`groupBy`\" pulumi-lang-python=\"`group_by`\" pulumi-lang-yaml=\"`groupBy`\" pulumi-lang-java=\"`groupBy`\"\u003e`group_by`\u003c/span\u003e modes are: 1) \u003cspan pulumi-lang-nodejs=\"`ip`\" pulumi-lang-dotnet=\"`Ip`\" pulumi-lang-go=\"`ip`\" pulumi-lang-python=\"`ip`\" pulumi-lang-yaml=\"`ip`\" pulumi-lang-java=\"`ip`\"\u003e`ip`\u003c/span\u003e that groups requests by their source IP address (**\u003cspan pulumi-lang-nodejs=\"`groupBy`\" pulumi-lang-dotnet=\"`GroupBy`\" pulumi-lang-go=\"`groupBy`\" pulumi-lang-python=\"`group_by`\" pulumi-lang-yaml=\"`groupBy`\" pulumi-lang-java=\"`groupBy`\"\u003e`group_by`\u003c/span\u003e defaults to\n\u003cspan pulumi-lang-nodejs=\"`ip`\" pulumi-lang-dotnet=\"`Ip`\" pulumi-lang-go=\"`ip`\" pulumi-lang-python=\"`ip`\" pulumi-lang-yaml=\"`ip`\" pulumi-lang-java=\"`ip`\"\u003e`ip`\u003c/span\u003e if unset, which is the only supported mode in community edition**); 2) \u003cspan pulumi-lang-nodejs=\"`none`\" pulumi-lang-dotnet=\"`None`\" pulumi-lang-go=\"`none`\" pulumi-lang-python=\"`none`\" pulumi-lang-yaml=\"`none`\" pulumi-lang-java=\"`none`\"\u003e`none`\u003c/span\u003e that groups together all requests\nthat match the rate limit quota rule; 3) \u003cspan pulumi-lang-nodejs=\"`entityThenIp`\" pulumi-lang-dotnet=\"`EntityThenIp`\" pulumi-lang-go=\"`entityThenIp`\" pulumi-lang-python=\"`entity_then_ip`\" pulumi-lang-yaml=\"`entityThenIp`\" pulumi-lang-java=\"`entityThenIp`\"\u003e`entity_then_ip`\u003c/span\u003e that groups requests by their entity ID for authenticated\nrequests that carry one, or by their IP for unauthenticated requests (or requests whose authentication is not\nconnected to an entity); and 4) \u003cspan pulumi-lang-nodejs=\"`entityThenNone`\" pulumi-lang-dotnet=\"`EntityThenNone`\" pulumi-lang-go=\"`entityThenNone`\" pulumi-lang-python=\"`entity_then_none`\" pulumi-lang-yaml=\"`entityThenNone`\" pulumi-lang-java=\"`entityThenNone`\"\u003e`entity_then_none`\u003c/span\u003e which also groups requests by their entity ID when available, but\nthe rest is all grouped together (i.e. unauthenticated or with authentication not connected to an entity).\n"},"inheritable":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e on a quota where path is set to a namespace, the same quota will be cumulatively applied to all child namespace. The inheritable parameter cannot be set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the path does not specify a namespace. Only the quotas associated with the root namespace are inheritable by default. Requires Vault 1.15+.\n"},"interval":{"type":"integer","description":"The duration in seconds to enforce rate limiting for.\n"},"name":{"type":"string","description":"Name of the rate limit quota\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path of the mount or namespace to apply the quota. A blank path configures a\nglobal rate limit quota. For example `namespace1/` adds a quota to a full namespace,\n`namespace1/auth/userpass` adds a \u003cspan pulumi-lang-nodejs=\"`quota`\" pulumi-lang-dotnet=\"`Quota`\" pulumi-lang-go=\"`quota`\" pulumi-lang-python=\"`quota`\" pulumi-lang-yaml=\"`quota`\" pulumi-lang-java=\"`quota`\"\u003e`quota`\u003c/span\u003e to \u003cspan pulumi-lang-nodejs=\"`userpass`\" pulumi-lang-dotnet=\"`Userpass`\" pulumi-lang-go=\"`userpass`\" pulumi-lang-python=\"`userpass`\" pulumi-lang-yaml=\"`userpass`\" pulumi-lang-java=\"`userpass`\"\u003e`userpass`\u003c/span\u003e in \u003cspan pulumi-lang-nodejs=\"`namespace1`\" pulumi-lang-dotnet=\"`Namespace1`\" pulumi-lang-go=\"`namespace1`\" pulumi-lang-python=\"`namespace1`\" pulumi-lang-yaml=\"`namespace1`\" pulumi-lang-java=\"`namespace1`\"\u003e`namespace1`\u003c/span\u003e.\nUpdating this field on an existing quota can have \"moving\" effects. For example, updating\n`auth/userpass` to `namespace1/auth/userpass` moves this quota from being a global mount quota to\na namespace specific mount quota. **Note, namespaces are supported in Enterprise only.**\n","willReplaceOnChanges":true},"rate":{"type":"number","description":"The maximum number of requests at any given second to be allowed by the quota\nrule. The \u003cspan pulumi-lang-nodejs=\"`rate`\" pulumi-lang-dotnet=\"`Rate`\" pulumi-lang-go=\"`rate`\" pulumi-lang-python=\"`rate`\" pulumi-lang-yaml=\"`rate`\" pulumi-lang-java=\"`rate`\"\u003e`rate`\u003c/span\u003e must be positive.\n"},"role":{"type":"string","description":"If set on a quota where \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e is set to an auth mount with a concept of roles (such as /auth/approle/), this will make the quota restrict login requests to that mount that are made with the specified role.\n"},"secondaryRate":{"type":"number","description":"Can only be set for the \u003cspan pulumi-lang-nodejs=\"`groupBy`\" pulumi-lang-dotnet=\"`GroupBy`\" pulumi-lang-go=\"`groupBy`\" pulumi-lang-python=\"`group_by`\" pulumi-lang-yaml=\"`groupBy`\" pulumi-lang-java=\"`groupBy`\"\u003e`group_by`\u003c/span\u003e modes \u003cspan pulumi-lang-nodejs=\"`entityThenIp`\" pulumi-lang-dotnet=\"`EntityThenIp`\" pulumi-lang-go=\"`entityThenIp`\" pulumi-lang-python=\"`entity_then_ip`\" pulumi-lang-yaml=\"`entityThenIp`\" pulumi-lang-java=\"`entityThenIp`\"\u003e`entity_then_ip`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`entityThenNone`\" pulumi-lang-dotnet=\"`EntityThenNone`\" pulumi-lang-go=\"`entityThenNone`\" pulumi-lang-python=\"`entity_then_none`\" pulumi-lang-yaml=\"`entityThenNone`\" pulumi-lang-java=\"`entityThenNone`\"\u003e`entity_then_none`\u003c/span\u003e. This is\nthe rate limit applied to the requests that fall under the \"ip\" or \"none\" groupings, while the authenticated requests\nthat contain an entity ID are subject to the \u003cspan pulumi-lang-nodejs=\"`rate`\" pulumi-lang-dotnet=\"`Rate`\" pulumi-lang-go=\"`rate`\" pulumi-lang-python=\"`rate`\" pulumi-lang-yaml=\"`rate`\" pulumi-lang-java=\"`rate`\"\u003e`rate`\u003c/span\u003e field instead. Defaults to the same value as \u003cspan pulumi-lang-nodejs=\"`rate`\" pulumi-lang-dotnet=\"`Rate`\" pulumi-lang-go=\"`rate`\" pulumi-lang-python=\"`rate`\" pulumi-lang-yaml=\"`rate`\" pulumi-lang-java=\"`rate`\"\u003e`rate`\u003c/span\u003e.\n"}},"type":"object"}},"vault:index/raftAutopilot:RaftAutopilot":{"description":"Autopilot enables automated workflows for managing Raft clusters. The \ncurrent feature set includes 3 main features: Server Stabilization, Dead \nServer Cleanup and State API. **These three features are introduced in \nVault 1.7.**\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst autopilot = new vault.RaftAutopilot(\"autopilot\", {\n    cleanupDeadServers: true,\n    deadServerLastContactThreshold: \"24h0m0s\",\n    lastContactThreshold: \"10s\",\n    maxTrailingLogs: 1000,\n    minQuorum: 3,\n    serverStabilizationTime: \"10s\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nautopilot = vault.RaftAutopilot(\"autopilot\",\n    cleanup_dead_servers=True,\n    dead_server_last_contact_threshold=\"24h0m0s\",\n    last_contact_threshold=\"10s\",\n    max_trailing_logs=1000,\n    min_quorum=3,\n    server_stabilization_time=\"10s\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var autopilot = new Vault.RaftAutopilot(\"autopilot\", new()\n    {\n        CleanupDeadServers = true,\n        DeadServerLastContactThreshold = \"24h0m0s\",\n        LastContactThreshold = \"10s\",\n        MaxTrailingLogs = 1000,\n        MinQuorum = 3,\n        ServerStabilizationTime = \"10s\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewRaftAutopilot(ctx, \"autopilot\", \u0026vault.RaftAutopilotArgs{\n\t\t\tCleanupDeadServers:             pulumi.Bool(true),\n\t\t\tDeadServerLastContactThreshold: pulumi.String(\"24h0m0s\"),\n\t\t\tLastContactThreshold:           pulumi.String(\"10s\"),\n\t\t\tMaxTrailingLogs:                pulumi.Int(1000),\n\t\t\tMinQuorum:                      pulumi.Int(3),\n\t\t\tServerStabilizationTime:        pulumi.String(\"10s\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.RaftAutopilot;\nimport com.pulumi.vault.RaftAutopilotArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var autopilot = new RaftAutopilot(\"autopilot\", RaftAutopilotArgs.builder()\n            .cleanupDeadServers(true)\n            .deadServerLastContactThreshold(\"24h0m0s\")\n            .lastContactThreshold(\"10s\")\n            .maxTrailingLogs(1000)\n            .minQuorum(3)\n            .serverStabilizationTime(\"10s\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  autopilot:\n    type: vault:RaftAutopilot\n    properties:\n      cleanupDeadServers: true\n      deadServerLastContactThreshold: 24h0m0s\n      lastContactThreshold: 10s\n      maxTrailingLogs: 1000\n      minQuorum: 3\n      serverStabilizationTime: 10s\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nRaft Autopilot config can be imported using the ID, e.g.\n\n```sh\n$ pulumi import vault:index/raftAutopilot:RaftAutopilot autopilot sys/storage/raft/autopilot/configuration\n```\n","properties":{"cleanupDeadServers":{"type":"boolean","description":"Specifies whether to remove dead server nodes\nperiodically or when a new server joins. This requires that `min-quorum` is also set.\n"},"deadServerLastContactThreshold":{"type":"string","description":"Limit the amount of time a \nserver can go without leader contact before being considered failed. This only takes\neffect when \u003cspan pulumi-lang-nodejs=\"`cleanupDeadServers`\" pulumi-lang-dotnet=\"`CleanupDeadServers`\" pulumi-lang-go=\"`cleanupDeadServers`\" pulumi-lang-python=\"`cleanup_dead_servers`\" pulumi-lang-yaml=\"`cleanupDeadServers`\" pulumi-lang-java=\"`cleanupDeadServers`\"\u003e`cleanup_dead_servers`\u003c/span\u003e is set.\n"},"disableUpgradeMigration":{"type":"boolean","description":"Disables automatically upgrading Vault using autopilot. (Enterprise-only)\n"},"lastContactThreshold":{"type":"string","description":"Limit the amount of time a server can go \nwithout leader contact before being considered unhealthy.\n"},"maxTrailingLogs":{"type":"integer","description":"Maximum number of log entries in the Raft log \nthat a server can be behind its leader before being considered unhealthy.\n"},"minQuorum":{"type":"integer","description":"Minimum number of servers allowed in a cluster before \nautopilot can prune dead servers. This should at least be 3. Applicable only for\nvoting nodes.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"serverStabilizationTime":{"type":"string","description":"Minimum amount of time a server must be \nstable in the 'healthy' state before being added to the cluster.\n"}},"inputProperties":{"cleanupDeadServers":{"type":"boolean","description":"Specifies whether to remove dead server nodes\nperiodically or when a new server joins. This requires that `min-quorum` is also set.\n"},"deadServerLastContactThreshold":{"type":"string","description":"Limit the amount of time a \nserver can go without leader contact before being considered failed. This only takes\neffect when \u003cspan pulumi-lang-nodejs=\"`cleanupDeadServers`\" pulumi-lang-dotnet=\"`CleanupDeadServers`\" pulumi-lang-go=\"`cleanupDeadServers`\" pulumi-lang-python=\"`cleanup_dead_servers`\" pulumi-lang-yaml=\"`cleanupDeadServers`\" pulumi-lang-java=\"`cleanupDeadServers`\"\u003e`cleanup_dead_servers`\u003c/span\u003e is set.\n"},"disableUpgradeMigration":{"type":"boolean","description":"Disables automatically upgrading Vault using autopilot. (Enterprise-only)\n"},"lastContactThreshold":{"type":"string","description":"Limit the amount of time a server can go \nwithout leader contact before being considered unhealthy.\n"},"maxTrailingLogs":{"type":"integer","description":"Maximum number of log entries in the Raft log \nthat a server can be behind its leader before being considered unhealthy.\n"},"minQuorum":{"type":"integer","description":"Minimum number of servers allowed in a cluster before \nautopilot can prune dead servers. This should at least be 3. Applicable only for\nvoting nodes.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"serverStabilizationTime":{"type":"string","description":"Minimum amount of time a server must be \nstable in the 'healthy' state before being added to the cluster.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering RaftAutopilot resources.\n","properties":{"cleanupDeadServers":{"type":"boolean","description":"Specifies whether to remove dead server nodes\nperiodically or when a new server joins. This requires that `min-quorum` is also set.\n"},"deadServerLastContactThreshold":{"type":"string","description":"Limit the amount of time a \nserver can go without leader contact before being considered failed. This only takes\neffect when \u003cspan pulumi-lang-nodejs=\"`cleanupDeadServers`\" pulumi-lang-dotnet=\"`CleanupDeadServers`\" pulumi-lang-go=\"`cleanupDeadServers`\" pulumi-lang-python=\"`cleanup_dead_servers`\" pulumi-lang-yaml=\"`cleanupDeadServers`\" pulumi-lang-java=\"`cleanupDeadServers`\"\u003e`cleanup_dead_servers`\u003c/span\u003e is set.\n"},"disableUpgradeMigration":{"type":"boolean","description":"Disables automatically upgrading Vault using autopilot. (Enterprise-only)\n"},"lastContactThreshold":{"type":"string","description":"Limit the amount of time a server can go \nwithout leader contact before being considered unhealthy.\n"},"maxTrailingLogs":{"type":"integer","description":"Maximum number of log entries in the Raft log \nthat a server can be behind its leader before being considered unhealthy.\n"},"minQuorum":{"type":"integer","description":"Minimum number of servers allowed in a cluster before \nautopilot can prune dead servers. This should at least be 3. Applicable only for\nvoting nodes.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"serverStabilizationTime":{"type":"string","description":"Minimum amount of time a server must be \nstable in the 'healthy' state before being added to the cluster.\n"}},"type":"object"}},"vault:index/raftSnapshotAgentConfig:RaftSnapshotAgentConfig":{"description":"## Example Usage\n\n### Local Storage\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst localBackups = new vault.RaftSnapshotAgentConfig(\"local_backups\", {\n    name: \"local\",\n    intervalSeconds: 86400,\n    retain: 7,\n    pathPrefix: \"/opt/vault/snapshots/\",\n    storageType: \"local\",\n    localMaxSpace: 10000000,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nlocal_backups = vault.RaftSnapshotAgentConfig(\"local_backups\",\n    name=\"local\",\n    interval_seconds=86400,\n    retain=7,\n    path_prefix=\"/opt/vault/snapshots/\",\n    storage_type=\"local\",\n    local_max_space=10000000)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var localBackups = new Vault.RaftSnapshotAgentConfig(\"local_backups\", new()\n    {\n        Name = \"local\",\n        IntervalSeconds = 86400,\n        Retain = 7,\n        PathPrefix = \"/opt/vault/snapshots/\",\n        StorageType = \"local\",\n        LocalMaxSpace = 10000000,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewRaftSnapshotAgentConfig(ctx, \"local_backups\", \u0026vault.RaftSnapshotAgentConfigArgs{\n\t\t\tName:            pulumi.String(\"local\"),\n\t\t\tIntervalSeconds: pulumi.Int(86400),\n\t\t\tRetain:          pulumi.Int(7),\n\t\t\tPathPrefix:      pulumi.String(\"/opt/vault/snapshots/\"),\n\t\t\tStorageType:     pulumi.String(\"local\"),\n\t\t\tLocalMaxSpace:   pulumi.Int(10000000),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.RaftSnapshotAgentConfig;\nimport com.pulumi.vault.RaftSnapshotAgentConfigArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var localBackups = new RaftSnapshotAgentConfig(\"localBackups\", RaftSnapshotAgentConfigArgs.builder()\n            .name(\"local\")\n            .intervalSeconds(86400)\n            .retain(7)\n            .pathPrefix(\"/opt/vault/snapshots/\")\n            .storageType(\"local\")\n            .localMaxSpace(10000000)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  localBackups:\n    type: vault:RaftSnapshotAgentConfig\n    name: local_backups\n    properties:\n      name: local\n      intervalSeconds: 86400 # 24h\n      retain: 7\n      pathPrefix: /opt/vault/snapshots/\n      storageType: local\n      localMaxSpace: 1e+07\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Azure BLOB\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new pulumi.Config();\nconst azureAccountName = config.requireObject\u003cany\u003e(\"azureAccountName\");\nconst azureAccountKey = config.requireObject\u003cany\u003e(\"azureAccountKey\");\nconst azureBackups = new vault.RaftSnapshotAgentConfig(\"azure_backups\", {\n    name: \"azure_backup\",\n    intervalSeconds: 86400,\n    retain: 7,\n    pathPrefix: \"/\",\n    storageType: \"azure-blob\",\n    azureContainerName: \"vault-blob\",\n    azureAccountName: azureAccountName,\n    azureAccountKey: azureAccountKey,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = pulumi.Config()\nazure_account_name = config.require_object(\"azureAccountName\")\nazure_account_key = config.require_object(\"azureAccountKey\")\nazure_backups = vault.RaftSnapshotAgentConfig(\"azure_backups\",\n    name=\"azure_backup\",\n    interval_seconds=86400,\n    retain=7,\n    path_prefix=\"/\",\n    storage_type=\"azure-blob\",\n    azure_container_name=\"vault-blob\",\n    azure_account_name=azure_account_name,\n    azure_account_key=azure_account_key)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Config();\n    var azureAccountName = config.RequireObject\u003cdynamic\u003e(\"azureAccountName\");\n    var azureAccountKey = config.RequireObject\u003cdynamic\u003e(\"azureAccountKey\");\n    var azureBackups = new Vault.RaftSnapshotAgentConfig(\"azure_backups\", new()\n    {\n        Name = \"azure_backup\",\n        IntervalSeconds = 86400,\n        Retain = 7,\n        PathPrefix = \"/\",\n        StorageType = \"azure-blob\",\n        AzureContainerName = \"vault-blob\",\n        AzureAccountName = azureAccountName,\n        AzureAccountKey = azureAccountKey,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcfg := config.New(ctx, \"\")\n\t\tazureAccountName := cfg.RequireObject(\"azureAccountName\")\n\t\tazureAccountKey := cfg.RequireObject(\"azureAccountKey\")\n\t\t_, err := vault.NewRaftSnapshotAgentConfig(ctx, \"azure_backups\", \u0026vault.RaftSnapshotAgentConfigArgs{\n\t\t\tName:               pulumi.String(\"azure_backup\"),\n\t\t\tIntervalSeconds:    pulumi.Int(86400),\n\t\t\tRetain:             pulumi.Int(7),\n\t\t\tPathPrefix:         pulumi.String(\"/\"),\n\t\t\tStorageType:        pulumi.String(\"azure-blob\"),\n\t\t\tAzureContainerName: pulumi.String(\"vault-blob\"),\n\t\t\tAzureAccountName:   pulumi.Any(azureAccountName),\n\t\t\tAzureAccountKey:    pulumi.Any(azureAccountKey),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.RaftSnapshotAgentConfig;\nimport com.pulumi.vault.RaftSnapshotAgentConfigArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var config = ctx.config();\n        final var azureAccountName = config.get(\"azureAccountName\");\n        final var azureAccountKey = config.get(\"azureAccountKey\");\n        var azureBackups = new RaftSnapshotAgentConfig(\"azureBackups\", RaftSnapshotAgentConfigArgs.builder()\n            .name(\"azure_backup\")\n            .intervalSeconds(86400)\n            .retain(7)\n            .pathPrefix(\"/\")\n            .storageType(\"azure-blob\")\n            .azureContainerName(\"vault-blob\")\n            .azureAccountName(azureAccountName)\n            .azureAccountKey(azureAccountKey)\n            .build());\n\n    }\n}\n```\n```yaml\nconfiguration:\n  azureAccountName:\n    type: dynamic\n  azureAccountKey:\n    type: dynamic\nresources:\n  azureBackups:\n    type: vault:RaftSnapshotAgentConfig\n    name: azure_backups\n    properties:\n      name: azure_backup\n      intervalSeconds: 86400 # 24h\n      retain: 7\n      pathPrefix: /\n      storageType: azure-blob\n      azureContainerName: vault-blob\n      azureAccountName: ${azureAccountName}\n      azureAccountKey: ${azureAccountKey}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nRaft Snapshot Agent Configurations can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:index/raftSnapshotAgentConfig:RaftSnapshotAgentConfig local local\n```\n","properties":{"awsAccessKeyId":{"type":"string","description":"AWS access key ID."},"awsS3Bucket":{"type":"string","description":"S3 bucket to write snapshots to."},"awsS3DisableTls":{"type":"boolean","description":"Disable TLS for the S3 endpoint. This should only be used for testing purposes."},"awsS3EnableKms":{"type":"boolean","description":"Use KMS to encrypt bucket contents."},"awsS3Endpoint":{"type":"string","description":"AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio."},"awsS3ForcePathStyle":{"type":"boolean","description":"Use the endpoint/bucket URL style instead of bucket.endpoint."},"awsS3KmsKey":{"type":"string","description":"Use named KMS key, when aws_s3_enable_kms=true"},"awsS3Region":{"type":"string","description":"AWS region bucket is in."},"awsS3ServerSideEncryption":{"type":"boolean","description":"Use AES256 to encrypt bucket contents."},"awsSecretAccessKey":{"type":"string","description":"AWS secret access key."},"awsSessionToken":{"type":"string","description":"AWS session token."},"azureAccountKey":{"type":"string","description":"Azure account key."},"azureAccountName":{"type":"string","description":"Azure account name."},"azureBlobEnvironment":{"type":"string","description":"Azure blob environment."},"azureContainerName":{"type":"string","description":"Azure container name to write snapshots to."},"azureEndpoint":{"type":"string","description":"Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite."},"filePrefix":{"type":"string","description":"Within the directory or bucket\nprefix given by \u003cspan pulumi-lang-nodejs=\"`pathPrefix`\" pulumi-lang-dotnet=\"`PathPrefix`\" pulumi-lang-go=\"`pathPrefix`\" pulumi-lang-python=\"`path_prefix`\" pulumi-lang-yaml=\"`pathPrefix`\" pulumi-lang-java=\"`pathPrefix`\"\u003e`path_prefix`\u003c/span\u003e, the file or object name of snapshot files\nwill start with this string.\n"},"googleDisableTls":{"type":"boolean","description":"Disable TLS for the GCS endpoint."},"googleEndpoint":{"type":"string","description":"GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server."},"googleGcsBucket":{"type":"string","description":"GCS bucket to write snapshots to."},"googleServiceAccountKey":{"type":"string","description":"Google service account key in JSON format."},"intervalSeconds":{"type":"integer","description":"`\u003crequired\u003e` - Time (in seconds) between snapshots.\n"},"localMaxSpace":{"type":"integer","description":"The maximum space, in bytes, to use for snapshots."},"name":{"type":"string","description":"`\u003crequired\u003e` – Name of the configuration to modify.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"pathPrefix":{"type":"string","description":"`\u003crequired\u003e` - For \u003cspan pulumi-lang-nodejs=\"`storageType \" pulumi-lang-dotnet=\"`StorageType \" pulumi-lang-go=\"`storageType \" pulumi-lang-python=\"`storage_type \" pulumi-lang-yaml=\"`storageType \" pulumi-lang-java=\"`storageType \"\u003e`storage_type \u003c/span\u003e= \"local\"`, the directory to\nwrite the snapshots in. For cloud storage types, the bucket prefix to use.\nTypes `azure-s3` and `google-gcs` require a trailing `/` (slash).\nTypes \u003cspan pulumi-lang-nodejs=\"`local`\" pulumi-lang-dotnet=\"`Local`\" pulumi-lang-go=\"`local`\" pulumi-lang-python=\"`local`\" pulumi-lang-yaml=\"`local`\" pulumi-lang-java=\"`local`\"\u003e`local`\u003c/span\u003e and `aws-s3` the trailing `/` is optional.\n"},"retain":{"type":"integer","description":"How many snapshots are to be kept; when writing a\nsnapshot, if there are more snapshots already stored than this number, the\noldest ones will be deleted.\n"},"storageType":{"type":"string","description":"`\u003crequired\u003e` - One of \"local\", \"azure-blob\", \"aws-s3\",\nor \"google-gcs\". The remaining parameters described below are all specific to\nthe selected \u003cspan pulumi-lang-nodejs=\"`storageType`\" pulumi-lang-dotnet=\"`StorageType`\" pulumi-lang-go=\"`storageType`\" pulumi-lang-python=\"`storage_type`\" pulumi-lang-yaml=\"`storageType`\" pulumi-lang-java=\"`storageType`\"\u003e`storage_type`\u003c/span\u003e and prefixed accordingly.\n"}},"required":["intervalSeconds","name","pathPrefix","storageType"],"inputProperties":{"awsAccessKeyId":{"type":"string","description":"AWS access key ID."},"awsS3Bucket":{"type":"string","description":"S3 bucket to write snapshots to."},"awsS3DisableTls":{"type":"boolean","description":"Disable TLS for the S3 endpoint. This should only be used for testing purposes."},"awsS3EnableKms":{"type":"boolean","description":"Use KMS to encrypt bucket contents."},"awsS3Endpoint":{"type":"string","description":"AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio."},"awsS3ForcePathStyle":{"type":"boolean","description":"Use the endpoint/bucket URL style instead of bucket.endpoint."},"awsS3KmsKey":{"type":"string","description":"Use named KMS key, when aws_s3_enable_kms=true"},"awsS3Region":{"type":"string","description":"AWS region bucket is in."},"awsS3ServerSideEncryption":{"type":"boolean","description":"Use AES256 to encrypt bucket contents."},"awsSecretAccessKey":{"type":"string","description":"AWS secret access key."},"awsSessionToken":{"type":"string","description":"AWS session token."},"azureAccountKey":{"type":"string","description":"Azure account key."},"azureAccountName":{"type":"string","description":"Azure account name."},"azureBlobEnvironment":{"type":"string","description":"Azure blob environment."},"azureContainerName":{"type":"string","description":"Azure container name to write snapshots to."},"azureEndpoint":{"type":"string","description":"Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite."},"filePrefix":{"type":"string","description":"Within the directory or bucket\nprefix given by \u003cspan pulumi-lang-nodejs=\"`pathPrefix`\" pulumi-lang-dotnet=\"`PathPrefix`\" pulumi-lang-go=\"`pathPrefix`\" pulumi-lang-python=\"`path_prefix`\" pulumi-lang-yaml=\"`pathPrefix`\" pulumi-lang-java=\"`pathPrefix`\"\u003e`path_prefix`\u003c/span\u003e, the file or object name of snapshot files\nwill start with this string.\n"},"googleDisableTls":{"type":"boolean","description":"Disable TLS for the GCS endpoint."},"googleEndpoint":{"type":"string","description":"GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server."},"googleGcsBucket":{"type":"string","description":"GCS bucket to write snapshots to."},"googleServiceAccountKey":{"type":"string","description":"Google service account key in JSON format."},"intervalSeconds":{"type":"integer","description":"`\u003crequired\u003e` - Time (in seconds) between snapshots.\n"},"localMaxSpace":{"type":"integer","description":"The maximum space, in bytes, to use for snapshots."},"name":{"type":"string","description":"`\u003crequired\u003e` – Name of the configuration to modify.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pathPrefix":{"type":"string","description":"`\u003crequired\u003e` - For \u003cspan pulumi-lang-nodejs=\"`storageType \" pulumi-lang-dotnet=\"`StorageType \" pulumi-lang-go=\"`storageType \" pulumi-lang-python=\"`storage_type \" pulumi-lang-yaml=\"`storageType \" pulumi-lang-java=\"`storageType \"\u003e`storage_type \u003c/span\u003e= \"local\"`, the directory to\nwrite the snapshots in. For cloud storage types, the bucket prefix to use.\nTypes `azure-s3` and `google-gcs` require a trailing `/` (slash).\nTypes \u003cspan pulumi-lang-nodejs=\"`local`\" pulumi-lang-dotnet=\"`Local`\" pulumi-lang-go=\"`local`\" pulumi-lang-python=\"`local`\" pulumi-lang-yaml=\"`local`\" pulumi-lang-java=\"`local`\"\u003e`local`\u003c/span\u003e and `aws-s3` the trailing `/` is optional.\n"},"retain":{"type":"integer","description":"How many snapshots are to be kept; when writing a\nsnapshot, if there are more snapshots already stored than this number, the\noldest ones will be deleted.\n"},"storageType":{"type":"string","description":"`\u003crequired\u003e` - One of \"local\", \"azure-blob\", \"aws-s3\",\nor \"google-gcs\". The remaining parameters described below are all specific to\nthe selected \u003cspan pulumi-lang-nodejs=\"`storageType`\" pulumi-lang-dotnet=\"`StorageType`\" pulumi-lang-go=\"`storageType`\" pulumi-lang-python=\"`storage_type`\" pulumi-lang-yaml=\"`storageType`\" pulumi-lang-java=\"`storageType`\"\u003e`storage_type`\u003c/span\u003e and prefixed accordingly.\n","willReplaceOnChanges":true}},"requiredInputs":["intervalSeconds","pathPrefix","storageType"],"stateInputs":{"description":"Input properties used for looking up and filtering RaftSnapshotAgentConfig resources.\n","properties":{"awsAccessKeyId":{"type":"string","description":"AWS access key ID."},"awsS3Bucket":{"type":"string","description":"S3 bucket to write snapshots to."},"awsS3DisableTls":{"type":"boolean","description":"Disable TLS for the S3 endpoint. This should only be used for testing purposes."},"awsS3EnableKms":{"type":"boolean","description":"Use KMS to encrypt bucket contents."},"awsS3Endpoint":{"type":"string","description":"AWS endpoint. This is typically only set when using a non-AWS S3 implementation like Minio."},"awsS3ForcePathStyle":{"type":"boolean","description":"Use the endpoint/bucket URL style instead of bucket.endpoint."},"awsS3KmsKey":{"type":"string","description":"Use named KMS key, when aws_s3_enable_kms=true"},"awsS3Region":{"type":"string","description":"AWS region bucket is in."},"awsS3ServerSideEncryption":{"type":"boolean","description":"Use AES256 to encrypt bucket contents."},"awsSecretAccessKey":{"type":"string","description":"AWS secret access key."},"awsSessionToken":{"type":"string","description":"AWS session token."},"azureAccountKey":{"type":"string","description":"Azure account key."},"azureAccountName":{"type":"string","description":"Azure account name."},"azureBlobEnvironment":{"type":"string","description":"Azure blob environment."},"azureContainerName":{"type":"string","description":"Azure container name to write snapshots to."},"azureEndpoint":{"type":"string","description":"Azure blob storage endpoint. This is typically only set when using a non-Azure implementation like Azurite."},"filePrefix":{"type":"string","description":"Within the directory or bucket\nprefix given by \u003cspan pulumi-lang-nodejs=\"`pathPrefix`\" pulumi-lang-dotnet=\"`PathPrefix`\" pulumi-lang-go=\"`pathPrefix`\" pulumi-lang-python=\"`path_prefix`\" pulumi-lang-yaml=\"`pathPrefix`\" pulumi-lang-java=\"`pathPrefix`\"\u003e`path_prefix`\u003c/span\u003e, the file or object name of snapshot files\nwill start with this string.\n"},"googleDisableTls":{"type":"boolean","description":"Disable TLS for the GCS endpoint."},"googleEndpoint":{"type":"string","description":"GCS endpoint. This is typically only set when using a non-Google GCS implementation like fake-gcs-server."},"googleGcsBucket":{"type":"string","description":"GCS bucket to write snapshots to."},"googleServiceAccountKey":{"type":"string","description":"Google service account key in JSON format."},"intervalSeconds":{"type":"integer","description":"`\u003crequired\u003e` - Time (in seconds) between snapshots.\n"},"localMaxSpace":{"type":"integer","description":"The maximum space, in bytes, to use for snapshots."},"name":{"type":"string","description":"`\u003crequired\u003e` – Name of the configuration to modify.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pathPrefix":{"type":"string","description":"`\u003crequired\u003e` - For \u003cspan pulumi-lang-nodejs=\"`storageType \" pulumi-lang-dotnet=\"`StorageType \" pulumi-lang-go=\"`storageType \" pulumi-lang-python=\"`storage_type \" pulumi-lang-yaml=\"`storageType \" pulumi-lang-java=\"`storageType \"\u003e`storage_type \u003c/span\u003e= \"local\"`, the directory to\nwrite the snapshots in. For cloud storage types, the bucket prefix to use.\nTypes `azure-s3` and `google-gcs` require a trailing `/` (slash).\nTypes \u003cspan pulumi-lang-nodejs=\"`local`\" pulumi-lang-dotnet=\"`Local`\" pulumi-lang-go=\"`local`\" pulumi-lang-python=\"`local`\" pulumi-lang-yaml=\"`local`\" pulumi-lang-java=\"`local`\"\u003e`local`\u003c/span\u003e and `aws-s3` the trailing `/` is optional.\n"},"retain":{"type":"integer","description":"How many snapshots are to be kept; when writing a\nsnapshot, if there are more snapshots already stored than this number, the\noldest ones will be deleted.\n"},"storageType":{"type":"string","description":"`\u003crequired\u003e` - One of \"local\", \"azure-blob\", \"aws-s3\",\nor \"google-gcs\". The remaining parameters described below are all specific to\nthe selected \u003cspan pulumi-lang-nodejs=\"`storageType`\" pulumi-lang-dotnet=\"`StorageType`\" pulumi-lang-go=\"`storageType`\" pulumi-lang-python=\"`storage_type`\" pulumi-lang-yaml=\"`storageType`\" pulumi-lang-java=\"`storageType`\"\u003e`storage_type`\u003c/span\u003e and prefixed accordingly.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:index/rgpPolicy:RgpPolicy":{"description":"Provides a resource to manage Role Governing Policy (RGP) via [Sentinel](https://www.vaultproject.io/docs/enterprise/sentinel/index.html).\n\n**Note** this feature is available only with Vault Enterprise.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst allow_all = new vault.RgpPolicy(\"allow-all\", {\n    name: \"allow-all\",\n    enforcementLevel: \"soft-mandatory\",\n    policy: `main = rule {\n  true\n}\n`,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nallow_all = vault.RgpPolicy(\"allow-all\",\n    name=\"allow-all\",\n    enforcement_level=\"soft-mandatory\",\n    policy=\"\"\"main = rule {\n  true\n}\n\"\"\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var allow_all = new Vault.RgpPolicy(\"allow-all\", new()\n    {\n        Name = \"allow-all\",\n        EnforcementLevel = \"soft-mandatory\",\n        Policy = @\"main = rule {\n  true\n}\n\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewRgpPolicy(ctx, \"allow-all\", \u0026vault.RgpPolicyArgs{\n\t\t\tName:             pulumi.String(\"allow-all\"),\n\t\t\tEnforcementLevel: pulumi.String(\"soft-mandatory\"),\n\t\t\tPolicy:           pulumi.String(\"main = rule {\\n  true\\n}\\n\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.RgpPolicy;\nimport com.pulumi.vault.RgpPolicyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var allow_all = new RgpPolicy(\"allow-all\", RgpPolicyArgs.builder()\n            .name(\"allow-all\")\n            .enforcementLevel(\"soft-mandatory\")\n            .policy(\"\"\"\nmain = rule {\n  true\n}\n            \"\"\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  allow-all:\n    type: vault:RgpPolicy\n    properties:\n      name: allow-all\n      enforcementLevel: soft-mandatory\n      policy: |\n        main = rule {\n          true\n        }\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"enforcementLevel":{"type":"string","description":"Enforcement level of Sentinel policy. Can be either \u003cspan pulumi-lang-nodejs=\"`advisory`\" pulumi-lang-dotnet=\"`Advisory`\" pulumi-lang-go=\"`advisory`\" pulumi-lang-python=\"`advisory`\" pulumi-lang-yaml=\"`advisory`\" pulumi-lang-java=\"`advisory`\"\u003e`advisory`\u003c/span\u003e or `soft-mandatory` or `hard-mandatory`\n"},"name":{"type":"string","description":"The name of the policy\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policy":{"type":"string","description":"String containing a Sentinel policy\n"}},"required":["enforcementLevel","name","policy"],"inputProperties":{"enforcementLevel":{"type":"string","description":"Enforcement level of Sentinel policy. Can be either \u003cspan pulumi-lang-nodejs=\"`advisory`\" pulumi-lang-dotnet=\"`Advisory`\" pulumi-lang-go=\"`advisory`\" pulumi-lang-python=\"`advisory`\" pulumi-lang-yaml=\"`advisory`\" pulumi-lang-java=\"`advisory`\"\u003e`advisory`\u003c/span\u003e or `soft-mandatory` or `hard-mandatory`\n"},"name":{"type":"string","description":"The name of the policy\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policy":{"type":"string","description":"String containing a Sentinel policy\n"}},"requiredInputs":["enforcementLevel","policy"],"stateInputs":{"description":"Input properties used for looking up and filtering RgpPolicy resources.\n","properties":{"enforcementLevel":{"type":"string","description":"Enforcement level of Sentinel policy. Can be either \u003cspan pulumi-lang-nodejs=\"`advisory`\" pulumi-lang-dotnet=\"`Advisory`\" pulumi-lang-go=\"`advisory`\" pulumi-lang-python=\"`advisory`\" pulumi-lang-yaml=\"`advisory`\" pulumi-lang-java=\"`advisory`\"\u003e`advisory`\u003c/span\u003e or `soft-mandatory` or `hard-mandatory`\n"},"name":{"type":"string","description":"The name of the policy\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policy":{"type":"string","description":"String containing a Sentinel policy\n"}},"type":"object"}},"vault:index/scepAuthBackendRole:ScepAuthBackendRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst scep = new vault.AuthBackend(\"scep\", {\n    path: \"scep\",\n    type: \"scep\",\n});\nconst scepScepAuthBackendRole = new vault.ScepAuthBackendRole(\"scep\", {\n    backend: scep.path,\n    name: \"scep_challenge\",\n    authType: \"static-challenge\",\n    challenge: \"well known secret\",\n    tokenType: \"batch\",\n    tokenTtl: 300,\n    tokenMaxTtl: 600,\n    tokenPolicies: [\"scep-clients\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nscep = vault.AuthBackend(\"scep\",\n    path=\"scep\",\n    type=\"scep\")\nscep_scep_auth_backend_role = vault.ScepAuthBackendRole(\"scep\",\n    backend=scep.path,\n    name=\"scep_challenge\",\n    auth_type=\"static-challenge\",\n    challenge=\"well known secret\",\n    token_type=\"batch\",\n    token_ttl=300,\n    token_max_ttl=600,\n    token_policies=[\"scep-clients\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var scep = new Vault.AuthBackend(\"scep\", new()\n    {\n        Path = \"scep\",\n        Type = \"scep\",\n    });\n\n    var scepScepAuthBackendRole = new Vault.ScepAuthBackendRole(\"scep\", new()\n    {\n        Backend = scep.Path,\n        Name = \"scep_challenge\",\n        AuthType = \"static-challenge\",\n        Challenge = \"well known secret\",\n        TokenType = \"batch\",\n        TokenTtl = 300,\n        TokenMaxTtl = 600,\n        TokenPolicies = new[]\n        {\n            \"scep-clients\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tscep, err := vault.NewAuthBackend(ctx, \"scep\", \u0026vault.AuthBackendArgs{\n\t\t\tPath: pulumi.String(\"scep\"),\n\t\t\tType: pulumi.String(\"scep\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewScepAuthBackendRole(ctx, \"scep\", \u0026vault.ScepAuthBackendRoleArgs{\n\t\t\tBackend:     scep.Path,\n\t\t\tName:        pulumi.String(\"scep_challenge\"),\n\t\t\tAuthType:    pulumi.String(\"static-challenge\"),\n\t\t\tChallenge:   pulumi.String(\"well known secret\"),\n\t\t\tTokenType:   pulumi.String(\"batch\"),\n\t\t\tTokenTtl:    pulumi.Int(300),\n\t\t\tTokenMaxTtl: pulumi.Int(600),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"scep-clients\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.ScepAuthBackendRole;\nimport com.pulumi.vault.ScepAuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var scep = new AuthBackend(\"scep\", AuthBackendArgs.builder()\n            .path(\"scep\")\n            .type(\"scep\")\n            .build());\n\n        var scepScepAuthBackendRole = new ScepAuthBackendRole(\"scepScepAuthBackendRole\", ScepAuthBackendRoleArgs.builder()\n            .backend(scep.path())\n            .name(\"scep_challenge\")\n            .authType(\"static-challenge\")\n            .challenge(\"well known secret\")\n            .tokenType(\"batch\")\n            .tokenTtl(300)\n            .tokenMaxTtl(600)\n            .tokenPolicies(\"scep-clients\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  scep:\n    type: vault:AuthBackend\n    properties:\n      path: scep\n      type: scep\n  scepScepAuthBackendRole:\n    type: vault:ScepAuthBackendRole\n    name: scep\n    properties:\n      backend: ${scep.path}\n      name: scep_challenge\n      authType: static-challenge\n      challenge: well known secret\n      tokenType: batch\n      tokenTtl: 300\n      tokenMaxTtl: 600\n      tokenPolicies:\n        - scep-clients\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"authType":{"type":"string","description":"The authentication type to use. This can be either \"static-challenge\" or \"intune\".\n"},"backend":{"type":"string","description":"Path to the mounted SCEP auth backend.\n"},"challenge":{"type":"string","description":"The static challenge to use if\u003cspan pulumi-lang-nodejs=\" authType \" pulumi-lang-dotnet=\" AuthType \" pulumi-lang-go=\" authType \" pulumi-lang-python=\" auth_type \" pulumi-lang-yaml=\" authType \" pulumi-lang-java=\" authType \"\u003e auth_type \u003c/span\u003eis \"static-challenge\", not used for other auth types.\n"},"displayName":{"type":"string"},"name":{"type":"string","description":"Name of the role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["authType","displayName","name"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"authType":{"type":"string","description":"The authentication type to use. This can be either \"static-challenge\" or \"intune\".\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"Path to the mounted SCEP auth backend.\n","willReplaceOnChanges":true},"challenge":{"type":"string","description":"The static challenge to use if\u003cspan pulumi-lang-nodejs=\" authType \" pulumi-lang-dotnet=\" AuthType \" pulumi-lang-go=\" authType \" pulumi-lang-python=\" auth_type \" pulumi-lang-yaml=\" authType \" pulumi-lang-java=\" authType \"\u003e auth_type \u003c/span\u003eis \"static-challenge\", not used for other auth types.\n"},"displayName":{"type":"string"},"name":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"requiredInputs":["authType"],"stateInputs":{"description":"Input properties used for looking up and filtering ScepAuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"authType":{"type":"string","description":"The authentication type to use. This can be either \"static-challenge\" or \"intune\".\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"Path to the mounted SCEP auth backend.\n","willReplaceOnChanges":true},"challenge":{"type":"string","description":"The static challenge to use if\u003cspan pulumi-lang-nodejs=\" authType \" pulumi-lang-dotnet=\" AuthType \" pulumi-lang-go=\" authType \" pulumi-lang-python=\" auth_type \" pulumi-lang-yaml=\" authType \" pulumi-lang-java=\" authType \"\u003e auth_type \u003c/span\u003eis \"static-challenge\", not used for other auth types.\n"},"displayName":{"type":"string"},"name":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:index/token:Token":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.Token(\"example\", {\n    roleName: \"app\",\n    policies: [\n        \"policy1\",\n        \"policy2\",\n    ],\n    renewable: true,\n    ttl: \"24h\",\n    renewMinLease: 43200,\n    renewIncrement: 86400,\n    metadata: {\n        purpose: \"service-account\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.Token(\"example\",\n    role_name=\"app\",\n    policies=[\n        \"policy1\",\n        \"policy2\",\n    ],\n    renewable=True,\n    ttl=\"24h\",\n    renew_min_lease=43200,\n    renew_increment=86400,\n    metadata={\n        \"purpose\": \"service-account\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Token(\"example\", new()\n    {\n        RoleName = \"app\",\n        Policies = new[]\n        {\n            \"policy1\",\n            \"policy2\",\n        },\n        Renewable = true,\n        Ttl = \"24h\",\n        RenewMinLease = 43200,\n        RenewIncrement = 86400,\n        Metadata = \n        {\n            { \"purpose\", \"service-account\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.NewToken(ctx, \"example\", \u0026vault.TokenArgs{\n\t\t\tRoleName: pulumi.String(\"app\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"policy1\"),\n\t\t\t\tpulumi.String(\"policy2\"),\n\t\t\t},\n\t\t\tRenewable:      pulumi.Bool(true),\n\t\t\tTtl:            pulumi.String(\"24h\"),\n\t\t\tRenewMinLease:  pulumi.Int(43200),\n\t\t\tRenewIncrement: pulumi.Int(86400),\n\t\t\tMetadata: pulumi.StringMap{\n\t\t\t\t\"purpose\": pulumi.String(\"service-account\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Token;\nimport com.pulumi.vault.TokenArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new Token(\"example\", TokenArgs.builder()\n            .roleName(\"app\")\n            .policies(            \n                \"policy1\",\n                \"policy2\")\n            .renewable(true)\n            .ttl(\"24h\")\n            .renewMinLease(43200)\n            .renewIncrement(86400)\n            .metadata(Map.of(\"purpose\", \"service-account\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:Token\n    properties:\n      roleName: app\n      policies:\n        - policy1\n        - policy2\n      renewable: true\n      ttl: 24h\n      renewMinLease: 43200\n      renewIncrement: 86400\n      metadata:\n        purpose: service-account\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nTokens can be imported using its `id` as accessor id, e.g.\n\n```sh\n$ pulumi import vault:index/token:Token example \u003caccessor_id\u003e\n```\n","properties":{"clientToken":{"type":"string","description":"String containing the client token if stored in present file\n","secret":true},"displayName":{"type":"string","description":"String containing the token display name\n"},"explicitMaxTtl":{"type":"string","description":"The explicit max TTL of this token. This is specified as a numeric string with suffix like \"30s\" ro \"5m\"\n"},"leaseDuration":{"type":"integer","description":"String containing the token lease duration if present in state file\n"},"leaseStarted":{"type":"string","description":"String containing the token lease started time if present in state file\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Metadata to be set on this token\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"noDefaultPolicy":{"type":"boolean","description":"Flag to not attach the default policy to this token\n"},"noParent":{"type":"boolean","description":"Flag to create a token without parent\n"},"numUses":{"type":"integer","description":"The number of allowed uses of this token\n"},"period":{"type":"string","description":"The period of this token. This is specified as a numeric string with suffix like \"30s\" ro \"5m\"\n"},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies to attach to this token\n"},"renewIncrement":{"type":"integer","description":"The renew increment. This is specified in seconds\n"},"renewMinLease":{"type":"integer","description":"The minimal lease to renew this token\n"},"renewable":{"type":"boolean","description":"Flag to allow to renew this token\n"},"roleName":{"type":"string","description":"The token role name\n"},"ttl":{"type":"string","description":"The TTL period of this token. This is specified as a numeric string with suffix like \"30s\" ro \"5m\"\n"},"wrappedToken":{"type":"string","description":"The client wrapped token.","secret":true},"wrappingAccessor":{"type":"string","description":"The client wrapping accessor.","secret":true},"wrappingTtl":{"type":"string","description":"The TTL period of the wrapped token."}},"required":["clientToken","leaseDuration","leaseStarted","noParent","numUses","renewable","wrappedToken","wrappingAccessor"],"inputProperties":{"displayName":{"type":"string","description":"String containing the token display name\n","willReplaceOnChanges":true},"explicitMaxTtl":{"type":"string","description":"The explicit max TTL of this token. This is specified as a numeric string with suffix like \"30s\" ro \"5m\"\n","willReplaceOnChanges":true},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Metadata to be set on this token\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"noDefaultPolicy":{"type":"boolean","description":"Flag to not attach the default policy to this token\n","willReplaceOnChanges":true},"noParent":{"type":"boolean","description":"Flag to create a token without parent\n","willReplaceOnChanges":true},"numUses":{"type":"integer","description":"The number of allowed uses of this token\n","willReplaceOnChanges":true},"period":{"type":"string","description":"The period of this token. This is specified as a numeric string with suffix like \"30s\" ro \"5m\"\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies to attach to this token\n","willReplaceOnChanges":true},"renewIncrement":{"type":"integer","description":"The renew increment. This is specified in seconds\n"},"renewMinLease":{"type":"integer","description":"The minimal lease to renew this token\n"},"renewable":{"type":"boolean","description":"Flag to allow to renew this token\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"The token role name\n","willReplaceOnChanges":true},"ttl":{"type":"string","description":"The TTL period of this token. This is specified as a numeric string with suffix like \"30s\" ro \"5m\"\n","willReplaceOnChanges":true},"wrappingTtl":{"type":"string","description":"The TTL period of the wrapped token."}},"stateInputs":{"description":"Input properties used for looking up and filtering Token resources.\n","properties":{"clientToken":{"type":"string","description":"String containing the client token if stored in present file\n","secret":true},"displayName":{"type":"string","description":"String containing the token display name\n","willReplaceOnChanges":true},"explicitMaxTtl":{"type":"string","description":"The explicit max TTL of this token. This is specified as a numeric string with suffix like \"30s\" ro \"5m\"\n","willReplaceOnChanges":true},"leaseDuration":{"type":"integer","description":"String containing the token lease duration if present in state file\n"},"leaseStarted":{"type":"string","description":"String containing the token lease started time if present in state file\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Metadata to be set on this token\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"noDefaultPolicy":{"type":"boolean","description":"Flag to not attach the default policy to this token\n","willReplaceOnChanges":true},"noParent":{"type":"boolean","description":"Flag to create a token without parent\n","willReplaceOnChanges":true},"numUses":{"type":"integer","description":"The number of allowed uses of this token\n","willReplaceOnChanges":true},"period":{"type":"string","description":"The period of this token. This is specified as a numeric string with suffix like \"30s\" ro \"5m\"\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of policies to attach to this token\n","willReplaceOnChanges":true},"renewIncrement":{"type":"integer","description":"The renew increment. This is specified in seconds\n"},"renewMinLease":{"type":"integer","description":"The minimal lease to renew this token\n"},"renewable":{"type":"boolean","description":"Flag to allow to renew this token\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"The token role name\n","willReplaceOnChanges":true},"ttl":{"type":"string","description":"The TTL period of this token. This is specified as a numeric string with suffix like \"30s\" ro \"5m\"\n","willReplaceOnChanges":true},"wrappedToken":{"type":"string","description":"The client wrapped token.","secret":true},"wrappingAccessor":{"type":"string","description":"The client wrapping accessor.","secret":true},"wrappingTtl":{"type":"string","description":"The TTL period of the wrapped token."}},"type":"object"}},"vault:jwt/authBackend:AuthBackend":{"description":"\n\n## Import\n\nJWT auth backend can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:jwt/authBackend:AuthBackend oidc oidc\n```\nor\n\n```sh\n$ pulumi import vault:jwt/authBackend:AuthBackend jwt jwt\n```\n","properties":{"accessor":{"type":"string","description":"The accessor for this auth method\n"},"boundIssuer":{"type":"string","description":"The value against which to match the iss claim in a JWT\n"},"defaultRole":{"type":"string","description":"The default role to use if none is provided during login\n"},"description":{"type":"string","description":"The description of the auth backend\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"jwksCaPem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.\n"},"jwksPairs":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"List of JWKS URL and optional CA certificate pairs. Cannot be used with \u003cspan pulumi-lang-nodejs=\"`jwksUrl`\" pulumi-lang-dotnet=\"`JwksUrl`\" pulumi-lang-go=\"`jwksUrl`\" pulumi-lang-python=\"`jwks_url`\" pulumi-lang-yaml=\"`jwksUrl`\" pulumi-lang-java=\"`jwksUrl`\"\u003e`jwks_url`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`jwksCaPem`\" pulumi-lang-dotnet=\"`JwksCaPem`\" pulumi-lang-go=\"`jwksCaPem`\" pulumi-lang-python=\"`jwks_ca_pem`\" pulumi-lang-yaml=\"`jwksCaPem`\" pulumi-lang-java=\"`jwksCaPem`\"\u003e`jwks_ca_pem`\u003c/span\u003e. Requires Vault 1.16+.\n"},"jwksUrl":{"type":"string","description":"JWKS URL to use to authenticate signatures. Cannot be used with \u003cspan pulumi-lang-nodejs=\"\"oidcDiscoveryUrl\"\" pulumi-lang-dotnet=\"\"OidcDiscoveryUrl\"\" pulumi-lang-go=\"\"oidcDiscoveryUrl\"\" pulumi-lang-python=\"\"oidc_discovery_url\"\" pulumi-lang-yaml=\"\"oidcDiscoveryUrl\"\" pulumi-lang-java=\"\"oidcDiscoveryUrl\"\"\u003e\"oidc_discovery_url\"\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"\"jwtValidationPubkeys\"\" pulumi-lang-dotnet=\"\"JwtValidationPubkeys\"\" pulumi-lang-go=\"\"jwtValidationPubkeys\"\" pulumi-lang-python=\"\"jwt_validation_pubkeys\"\" pulumi-lang-yaml=\"\"jwtValidationPubkeys\"\" pulumi-lang-java=\"\"jwtValidationPubkeys\"\"\u003e\"jwt_validation_pubkeys\"\u003c/span\u003e.\n"},"jwtSupportedAlgs":{"type":"array","items":{"type":"string"},"description":"A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ\n"},"jwtValidationPubkeys":{"type":"array","items":{"type":"string"},"description":"A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with \u003cspan pulumi-lang-nodejs=\"`oidcDiscoveryUrl`\" pulumi-lang-dotnet=\"`OidcDiscoveryUrl`\" pulumi-lang-go=\"`oidcDiscoveryUrl`\" pulumi-lang-python=\"`oidc_discovery_url`\" pulumi-lang-yaml=\"`oidcDiscoveryUrl`\" pulumi-lang-java=\"`oidcDiscoveryUrl`\"\u003e`oidc_discovery_url`\u003c/span\u003e\n"},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"namespaceInState":{"type":"boolean","description":"Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs\n\n* tune - (Optional) Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"oidcClientId":{"type":"string","description":"Client ID used for OIDC backends\n"},"oidcClientSecret":{"type":"string","description":"Client Secret used for OIDC backends. **Note:** This field is stored in state. For enhanced security, use \u003cspan pulumi-lang-nodejs=\"`oidcClientSecretWo`\" pulumi-lang-dotnet=\"`OidcClientSecretWo`\" pulumi-lang-go=\"`oidcClientSecretWo`\" pulumi-lang-python=\"`oidc_client_secret_wo`\" pulumi-lang-yaml=\"`oidcClientSecretWo`\" pulumi-lang-java=\"`oidcClientSecretWo`\"\u003e`oidc_client_secret_wo`\u003c/span\u003e instead.\n","secret":true},"oidcClientSecretWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only Client Secret used for OIDC. This field is recommended over\u003cspan pulumi-lang-nodejs=\" oidcClientSecret \" pulumi-lang-dotnet=\" OidcClientSecret \" pulumi-lang-go=\" oidcClientSecret \" pulumi-lang-python=\" oidc_client_secret \" pulumi-lang-yaml=\" oidcClientSecret \" pulumi-lang-java=\" oidcClientSecret \"\u003e oidc_client_secret \u003c/span\u003efor enhanced security.","secret":true},"oidcClientSecretWoVersion":{"type":"integer","description":"Version counter for the write-only \u003cspan pulumi-lang-nodejs=\"`oidcClientSecretWo`\" pulumi-lang-dotnet=\"`OidcClientSecretWo`\" pulumi-lang-go=\"`oidcClientSecretWo`\" pulumi-lang-python=\"`oidc_client_secret_wo`\" pulumi-lang-yaml=\"`oidcClientSecretWo`\" pulumi-lang-java=\"`oidcClientSecretWo`\"\u003e`oidc_client_secret_wo`\u003c/span\u003e field. Increment this value to trigger an update of the client secret in Vault. Required when using \u003cspan pulumi-lang-nodejs=\"`oidcClientSecretWo`\" pulumi-lang-dotnet=\"`OidcClientSecretWo`\" pulumi-lang-go=\"`oidcClientSecretWo`\" pulumi-lang-python=\"`oidc_client_secret_wo`\" pulumi-lang-yaml=\"`oidcClientSecretWo`\" pulumi-lang-java=\"`oidcClientSecretWo`\"\u003e`oidc_client_secret_wo`\u003c/span\u003e.\n"},"oidcDiscoveryCaPem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used\n"},"oidcDiscoveryUrl":{"type":"string","description":"The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with \u003cspan pulumi-lang-nodejs=\"`jwtValidationPubkeys`\" pulumi-lang-dotnet=\"`JwtValidationPubkeys`\" pulumi-lang-go=\"`jwtValidationPubkeys`\" pulumi-lang-python=\"`jwt_validation_pubkeys`\" pulumi-lang-yaml=\"`jwtValidationPubkeys`\" pulumi-lang-java=\"`jwtValidationPubkeys`\"\u003e`jwt_validation_pubkeys`\u003c/span\u003e\n"},"oidcResponseMode":{"type":"string","description":"The response mode to be used in the OAuth2 request. Allowed values are \u003cspan pulumi-lang-nodejs=\"`query`\" pulumi-lang-dotnet=\"`Query`\" pulumi-lang-go=\"`query`\" pulumi-lang-python=\"`query`\" pulumi-lang-yaml=\"`query`\" pulumi-lang-java=\"`query`\"\u003e`query`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`formPost`\" pulumi-lang-dotnet=\"`FormPost`\" pulumi-lang-go=\"`formPost`\" pulumi-lang-python=\"`form_post`\" pulumi-lang-yaml=\"`formPost`\" pulumi-lang-java=\"`formPost`\"\u003e`form_post`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`query`\" pulumi-lang-dotnet=\"`Query`\" pulumi-lang-go=\"`query`\" pulumi-lang-python=\"`query`\" pulumi-lang-yaml=\"`query`\" pulumi-lang-java=\"`query`\"\u003e`query`\u003c/span\u003e. If using Vault namespaces, and \u003cspan pulumi-lang-nodejs=\"`oidcResponseMode`\" pulumi-lang-dotnet=\"`OidcResponseMode`\" pulumi-lang-go=\"`oidcResponseMode`\" pulumi-lang-python=\"`oidc_response_mode`\" pulumi-lang-yaml=\"`oidcResponseMode`\" pulumi-lang-java=\"`oidcResponseMode`\"\u003e`oidc_response_mode`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`formPost`\" pulumi-lang-dotnet=\"`FormPost`\" pulumi-lang-go=\"`formPost`\" pulumi-lang-python=\"`form_post`\" pulumi-lang-yaml=\"`formPost`\" pulumi-lang-java=\"`formPost`\"\u003e`form_post`\u003c/span\u003e, then \u003cspan pulumi-lang-nodejs=\"`namespaceInState`\" pulumi-lang-dotnet=\"`NamespaceInState`\" pulumi-lang-go=\"`namespaceInState`\" pulumi-lang-python=\"`namespace_in_state`\" pulumi-lang-yaml=\"`namespaceInState`\" pulumi-lang-java=\"`namespaceInState`\"\u003e`namespace_in_state`\u003c/span\u003e should be set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"oidcResponseTypes":{"type":"array","items":{"type":"string"},"description":"List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `[\"code\"]`. Note: \u003cspan pulumi-lang-nodejs=\"`idToken`\" pulumi-lang-dotnet=\"`IdToken`\" pulumi-lang-go=\"`idToken`\" pulumi-lang-python=\"`id_token`\" pulumi-lang-yaml=\"`idToken`\" pulumi-lang-java=\"`idToken`\"\u003e`id_token`\u003c/span\u003e may only be used if \u003cspan pulumi-lang-nodejs=\"`oidcResponseMode`\" pulumi-lang-dotnet=\"`OidcResponseMode`\" pulumi-lang-go=\"`oidcResponseMode`\" pulumi-lang-python=\"`oidc_response_mode`\" pulumi-lang-yaml=\"`oidcResponseMode`\" pulumi-lang-java=\"`oidcResponseMode`\"\u003e`oidc_response_mode`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`formPost`\" pulumi-lang-dotnet=\"`FormPost`\" pulumi-lang-go=\"`formPost`\" pulumi-lang-python=\"`form_post`\" pulumi-lang-yaml=\"`formPost`\" pulumi-lang-java=\"`formPost`\"\u003e`form_post`\u003c/span\u003e.\n"},"path":{"type":"string","description":"Path to mount the JWT/OIDC auth backend\n"},"providerConfig":{"type":"object","additionalProperties":{"type":"string"},"description":"Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.\n"},"tune":{"$ref":"#/types/vault:jwt/AuthBackendTune:AuthBackendTune"},"type":{"type":"string","description":"Type of auth backend. Should be one of \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`oidc`\" pulumi-lang-dotnet=\"`Oidc`\" pulumi-lang-go=\"`oidc`\" pulumi-lang-python=\"`oidc`\" pulumi-lang-yaml=\"`oidc`\" pulumi-lang-java=\"`oidc`\"\u003e`oidc`\u003c/span\u003e. Default - \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e\n"}},"required":["accessor","tune"],"inputProperties":{"boundIssuer":{"type":"string","description":"The value against which to match the iss claim in a JWT\n"},"defaultRole":{"type":"string","description":"The default role to use if none is provided during login\n"},"description":{"type":"string","description":"The description of the auth backend\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"jwksCaPem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.\n"},"jwksPairs":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"List of JWKS URL and optional CA certificate pairs. Cannot be used with \u003cspan pulumi-lang-nodejs=\"`jwksUrl`\" pulumi-lang-dotnet=\"`JwksUrl`\" pulumi-lang-go=\"`jwksUrl`\" pulumi-lang-python=\"`jwks_url`\" pulumi-lang-yaml=\"`jwksUrl`\" pulumi-lang-java=\"`jwksUrl`\"\u003e`jwks_url`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`jwksCaPem`\" pulumi-lang-dotnet=\"`JwksCaPem`\" pulumi-lang-go=\"`jwksCaPem`\" pulumi-lang-python=\"`jwks_ca_pem`\" pulumi-lang-yaml=\"`jwksCaPem`\" pulumi-lang-java=\"`jwksCaPem`\"\u003e`jwks_ca_pem`\u003c/span\u003e. Requires Vault 1.16+.\n"},"jwksUrl":{"type":"string","description":"JWKS URL to use to authenticate signatures. Cannot be used with \u003cspan pulumi-lang-nodejs=\"\"oidcDiscoveryUrl\"\" pulumi-lang-dotnet=\"\"OidcDiscoveryUrl\"\" pulumi-lang-go=\"\"oidcDiscoveryUrl\"\" pulumi-lang-python=\"\"oidc_discovery_url\"\" pulumi-lang-yaml=\"\"oidcDiscoveryUrl\"\" pulumi-lang-java=\"\"oidcDiscoveryUrl\"\"\u003e\"oidc_discovery_url\"\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"\"jwtValidationPubkeys\"\" pulumi-lang-dotnet=\"\"JwtValidationPubkeys\"\" pulumi-lang-go=\"\"jwtValidationPubkeys\"\" pulumi-lang-python=\"\"jwt_validation_pubkeys\"\" pulumi-lang-yaml=\"\"jwtValidationPubkeys\"\" pulumi-lang-java=\"\"jwtValidationPubkeys\"\"\u003e\"jwt_validation_pubkeys\"\u003c/span\u003e.\n"},"jwtSupportedAlgs":{"type":"array","items":{"type":"string"},"description":"A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ\n"},"jwtValidationPubkeys":{"type":"array","items":{"type":"string"},"description":"A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with \u003cspan pulumi-lang-nodejs=\"`oidcDiscoveryUrl`\" pulumi-lang-dotnet=\"`OidcDiscoveryUrl`\" pulumi-lang-go=\"`oidcDiscoveryUrl`\" pulumi-lang-python=\"`oidc_discovery_url`\" pulumi-lang-yaml=\"`oidcDiscoveryUrl`\" pulumi-lang-java=\"`oidcDiscoveryUrl`\"\u003e`oidc_discovery_url`\u003c/span\u003e\n"},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"namespaceInState":{"type":"boolean","description":"Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs\n\n* tune - (Optional) Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"oidcClientId":{"type":"string","description":"Client ID used for OIDC backends\n"},"oidcClientSecret":{"type":"string","description":"Client Secret used for OIDC backends. **Note:** This field is stored in state. For enhanced security, use \u003cspan pulumi-lang-nodejs=\"`oidcClientSecretWo`\" pulumi-lang-dotnet=\"`OidcClientSecretWo`\" pulumi-lang-go=\"`oidcClientSecretWo`\" pulumi-lang-python=\"`oidc_client_secret_wo`\" pulumi-lang-yaml=\"`oidcClientSecretWo`\" pulumi-lang-java=\"`oidcClientSecretWo`\"\u003e`oidc_client_secret_wo`\u003c/span\u003e instead.\n","secret":true},"oidcClientSecretWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only Client Secret used for OIDC. This field is recommended over\u003cspan pulumi-lang-nodejs=\" oidcClientSecret \" pulumi-lang-dotnet=\" OidcClientSecret \" pulumi-lang-go=\" oidcClientSecret \" pulumi-lang-python=\" oidc_client_secret \" pulumi-lang-yaml=\" oidcClientSecret \" pulumi-lang-java=\" oidcClientSecret \"\u003e oidc_client_secret \u003c/span\u003efor enhanced security.","secret":true},"oidcClientSecretWoVersion":{"type":"integer","description":"Version counter for the write-only \u003cspan pulumi-lang-nodejs=\"`oidcClientSecretWo`\" pulumi-lang-dotnet=\"`OidcClientSecretWo`\" pulumi-lang-go=\"`oidcClientSecretWo`\" pulumi-lang-python=\"`oidc_client_secret_wo`\" pulumi-lang-yaml=\"`oidcClientSecretWo`\" pulumi-lang-java=\"`oidcClientSecretWo`\"\u003e`oidc_client_secret_wo`\u003c/span\u003e field. Increment this value to trigger an update of the client secret in Vault. Required when using \u003cspan pulumi-lang-nodejs=\"`oidcClientSecretWo`\" pulumi-lang-dotnet=\"`OidcClientSecretWo`\" pulumi-lang-go=\"`oidcClientSecretWo`\" pulumi-lang-python=\"`oidc_client_secret_wo`\" pulumi-lang-yaml=\"`oidcClientSecretWo`\" pulumi-lang-java=\"`oidcClientSecretWo`\"\u003e`oidc_client_secret_wo`\u003c/span\u003e.\n"},"oidcDiscoveryCaPem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used\n"},"oidcDiscoveryUrl":{"type":"string","description":"The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with \u003cspan pulumi-lang-nodejs=\"`jwtValidationPubkeys`\" pulumi-lang-dotnet=\"`JwtValidationPubkeys`\" pulumi-lang-go=\"`jwtValidationPubkeys`\" pulumi-lang-python=\"`jwt_validation_pubkeys`\" pulumi-lang-yaml=\"`jwtValidationPubkeys`\" pulumi-lang-java=\"`jwtValidationPubkeys`\"\u003e`jwt_validation_pubkeys`\u003c/span\u003e\n"},"oidcResponseMode":{"type":"string","description":"The response mode to be used in the OAuth2 request. Allowed values are \u003cspan pulumi-lang-nodejs=\"`query`\" pulumi-lang-dotnet=\"`Query`\" pulumi-lang-go=\"`query`\" pulumi-lang-python=\"`query`\" pulumi-lang-yaml=\"`query`\" pulumi-lang-java=\"`query`\"\u003e`query`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`formPost`\" pulumi-lang-dotnet=\"`FormPost`\" pulumi-lang-go=\"`formPost`\" pulumi-lang-python=\"`form_post`\" pulumi-lang-yaml=\"`formPost`\" pulumi-lang-java=\"`formPost`\"\u003e`form_post`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`query`\" pulumi-lang-dotnet=\"`Query`\" pulumi-lang-go=\"`query`\" pulumi-lang-python=\"`query`\" pulumi-lang-yaml=\"`query`\" pulumi-lang-java=\"`query`\"\u003e`query`\u003c/span\u003e. If using Vault namespaces, and \u003cspan pulumi-lang-nodejs=\"`oidcResponseMode`\" pulumi-lang-dotnet=\"`OidcResponseMode`\" pulumi-lang-go=\"`oidcResponseMode`\" pulumi-lang-python=\"`oidc_response_mode`\" pulumi-lang-yaml=\"`oidcResponseMode`\" pulumi-lang-java=\"`oidcResponseMode`\"\u003e`oidc_response_mode`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`formPost`\" pulumi-lang-dotnet=\"`FormPost`\" pulumi-lang-go=\"`formPost`\" pulumi-lang-python=\"`form_post`\" pulumi-lang-yaml=\"`formPost`\" pulumi-lang-java=\"`formPost`\"\u003e`form_post`\u003c/span\u003e, then \u003cspan pulumi-lang-nodejs=\"`namespaceInState`\" pulumi-lang-dotnet=\"`NamespaceInState`\" pulumi-lang-go=\"`namespaceInState`\" pulumi-lang-python=\"`namespace_in_state`\" pulumi-lang-yaml=\"`namespaceInState`\" pulumi-lang-java=\"`namespaceInState`\"\u003e`namespace_in_state`\u003c/span\u003e should be set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"oidcResponseTypes":{"type":"array","items":{"type":"string"},"description":"List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `[\"code\"]`. Note: \u003cspan pulumi-lang-nodejs=\"`idToken`\" pulumi-lang-dotnet=\"`IdToken`\" pulumi-lang-go=\"`idToken`\" pulumi-lang-python=\"`id_token`\" pulumi-lang-yaml=\"`idToken`\" pulumi-lang-java=\"`idToken`\"\u003e`id_token`\u003c/span\u003e may only be used if \u003cspan pulumi-lang-nodejs=\"`oidcResponseMode`\" pulumi-lang-dotnet=\"`OidcResponseMode`\" pulumi-lang-go=\"`oidcResponseMode`\" pulumi-lang-python=\"`oidc_response_mode`\" pulumi-lang-yaml=\"`oidcResponseMode`\" pulumi-lang-java=\"`oidcResponseMode`\"\u003e`oidc_response_mode`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`formPost`\" pulumi-lang-dotnet=\"`FormPost`\" pulumi-lang-go=\"`formPost`\" pulumi-lang-python=\"`form_post`\" pulumi-lang-yaml=\"`formPost`\" pulumi-lang-java=\"`formPost`\"\u003e`form_post`\u003c/span\u003e.\n"},"path":{"type":"string","description":"Path to mount the JWT/OIDC auth backend\n"},"providerConfig":{"type":"object","additionalProperties":{"type":"string"},"description":"Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.\n"},"tune":{"$ref":"#/types/vault:jwt/AuthBackendTune:AuthBackendTune"},"type":{"type":"string","description":"Type of auth backend. Should be one of \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`oidc`\" pulumi-lang-dotnet=\"`Oidc`\" pulumi-lang-go=\"`oidc`\" pulumi-lang-python=\"`oidc`\" pulumi-lang-yaml=\"`oidc`\" pulumi-lang-java=\"`oidc`\"\u003e`oidc`\u003c/span\u003e. Default - \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e\n","willReplaceOnChanges":true}},"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackend resources.\n","properties":{"accessor":{"type":"string","description":"The accessor for this auth method\n"},"boundIssuer":{"type":"string","description":"The value against which to match the iss claim in a JWT\n"},"defaultRole":{"type":"string","description":"The default role to use if none is provided during login\n"},"description":{"type":"string","description":"The description of the auth backend\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"jwksCaPem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used.\n"},"jwksPairs":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"List of JWKS URL and optional CA certificate pairs. Cannot be used with \u003cspan pulumi-lang-nodejs=\"`jwksUrl`\" pulumi-lang-dotnet=\"`JwksUrl`\" pulumi-lang-go=\"`jwksUrl`\" pulumi-lang-python=\"`jwks_url`\" pulumi-lang-yaml=\"`jwksUrl`\" pulumi-lang-java=\"`jwksUrl`\"\u003e`jwks_url`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`jwksCaPem`\" pulumi-lang-dotnet=\"`JwksCaPem`\" pulumi-lang-go=\"`jwksCaPem`\" pulumi-lang-python=\"`jwks_ca_pem`\" pulumi-lang-yaml=\"`jwksCaPem`\" pulumi-lang-java=\"`jwksCaPem`\"\u003e`jwks_ca_pem`\u003c/span\u003e. Requires Vault 1.16+.\n"},"jwksUrl":{"type":"string","description":"JWKS URL to use to authenticate signatures. Cannot be used with \u003cspan pulumi-lang-nodejs=\"\"oidcDiscoveryUrl\"\" pulumi-lang-dotnet=\"\"OidcDiscoveryUrl\"\" pulumi-lang-go=\"\"oidcDiscoveryUrl\"\" pulumi-lang-python=\"\"oidc_discovery_url\"\" pulumi-lang-yaml=\"\"oidcDiscoveryUrl\"\" pulumi-lang-java=\"\"oidcDiscoveryUrl\"\"\u003e\"oidc_discovery_url\"\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"\"jwtValidationPubkeys\"\" pulumi-lang-dotnet=\"\"JwtValidationPubkeys\"\" pulumi-lang-go=\"\"jwtValidationPubkeys\"\" pulumi-lang-python=\"\"jwt_validation_pubkeys\"\" pulumi-lang-yaml=\"\"jwtValidationPubkeys\"\" pulumi-lang-java=\"\"jwtValidationPubkeys\"\"\u003e\"jwt_validation_pubkeys\"\u003c/span\u003e.\n"},"jwtSupportedAlgs":{"type":"array","items":{"type":"string"},"description":"A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ\n"},"jwtValidationPubkeys":{"type":"array","items":{"type":"string"},"description":"A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with \u003cspan pulumi-lang-nodejs=\"`oidcDiscoveryUrl`\" pulumi-lang-dotnet=\"`OidcDiscoveryUrl`\" pulumi-lang-go=\"`oidcDiscoveryUrl`\" pulumi-lang-python=\"`oidc_discovery_url`\" pulumi-lang-yaml=\"`oidcDiscoveryUrl`\" pulumi-lang-java=\"`oidcDiscoveryUrl`\"\u003e`oidc_discovery_url`\u003c/span\u003e\n"},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"namespaceInState":{"type":"boolean","description":"Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs\n\n* tune - (Optional) Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"oidcClientId":{"type":"string","description":"Client ID used for OIDC backends\n"},"oidcClientSecret":{"type":"string","description":"Client Secret used for OIDC backends. **Note:** This field is stored in state. For enhanced security, use \u003cspan pulumi-lang-nodejs=\"`oidcClientSecretWo`\" pulumi-lang-dotnet=\"`OidcClientSecretWo`\" pulumi-lang-go=\"`oidcClientSecretWo`\" pulumi-lang-python=\"`oidc_client_secret_wo`\" pulumi-lang-yaml=\"`oidcClientSecretWo`\" pulumi-lang-java=\"`oidcClientSecretWo`\"\u003e`oidc_client_secret_wo`\u003c/span\u003e instead.\n","secret":true},"oidcClientSecretWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only Client Secret used for OIDC. This field is recommended over\u003cspan pulumi-lang-nodejs=\" oidcClientSecret \" pulumi-lang-dotnet=\" OidcClientSecret \" pulumi-lang-go=\" oidcClientSecret \" pulumi-lang-python=\" oidc_client_secret \" pulumi-lang-yaml=\" oidcClientSecret \" pulumi-lang-java=\" oidcClientSecret \"\u003e oidc_client_secret \u003c/span\u003efor enhanced security.","secret":true},"oidcClientSecretWoVersion":{"type":"integer","description":"Version counter for the write-only \u003cspan pulumi-lang-nodejs=\"`oidcClientSecretWo`\" pulumi-lang-dotnet=\"`OidcClientSecretWo`\" pulumi-lang-go=\"`oidcClientSecretWo`\" pulumi-lang-python=\"`oidc_client_secret_wo`\" pulumi-lang-yaml=\"`oidcClientSecretWo`\" pulumi-lang-java=\"`oidcClientSecretWo`\"\u003e`oidc_client_secret_wo`\u003c/span\u003e field. Increment this value to trigger an update of the client secret in Vault. Required when using \u003cspan pulumi-lang-nodejs=\"`oidcClientSecretWo`\" pulumi-lang-dotnet=\"`OidcClientSecretWo`\" pulumi-lang-go=\"`oidcClientSecretWo`\" pulumi-lang-python=\"`oidc_client_secret_wo`\" pulumi-lang-yaml=\"`oidcClientSecretWo`\" pulumi-lang-java=\"`oidcClientSecretWo`\"\u003e`oidc_client_secret_wo`\u003c/span\u003e.\n"},"oidcDiscoveryCaPem":{"type":"string","description":"The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used\n"},"oidcDiscoveryUrl":{"type":"string","description":"The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with \u003cspan pulumi-lang-nodejs=\"`jwtValidationPubkeys`\" pulumi-lang-dotnet=\"`JwtValidationPubkeys`\" pulumi-lang-go=\"`jwtValidationPubkeys`\" pulumi-lang-python=\"`jwt_validation_pubkeys`\" pulumi-lang-yaml=\"`jwtValidationPubkeys`\" pulumi-lang-java=\"`jwtValidationPubkeys`\"\u003e`jwt_validation_pubkeys`\u003c/span\u003e\n"},"oidcResponseMode":{"type":"string","description":"The response mode to be used in the OAuth2 request. Allowed values are \u003cspan pulumi-lang-nodejs=\"`query`\" pulumi-lang-dotnet=\"`Query`\" pulumi-lang-go=\"`query`\" pulumi-lang-python=\"`query`\" pulumi-lang-yaml=\"`query`\" pulumi-lang-java=\"`query`\"\u003e`query`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`formPost`\" pulumi-lang-dotnet=\"`FormPost`\" pulumi-lang-go=\"`formPost`\" pulumi-lang-python=\"`form_post`\" pulumi-lang-yaml=\"`formPost`\" pulumi-lang-java=\"`formPost`\"\u003e`form_post`\u003c/span\u003e. Defaults to \u003cspan pulumi-lang-nodejs=\"`query`\" pulumi-lang-dotnet=\"`Query`\" pulumi-lang-go=\"`query`\" pulumi-lang-python=\"`query`\" pulumi-lang-yaml=\"`query`\" pulumi-lang-java=\"`query`\"\u003e`query`\u003c/span\u003e. If using Vault namespaces, and \u003cspan pulumi-lang-nodejs=\"`oidcResponseMode`\" pulumi-lang-dotnet=\"`OidcResponseMode`\" pulumi-lang-go=\"`oidcResponseMode`\" pulumi-lang-python=\"`oidc_response_mode`\" pulumi-lang-yaml=\"`oidcResponseMode`\" pulumi-lang-java=\"`oidcResponseMode`\"\u003e`oidc_response_mode`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`formPost`\" pulumi-lang-dotnet=\"`FormPost`\" pulumi-lang-go=\"`formPost`\" pulumi-lang-python=\"`form_post`\" pulumi-lang-yaml=\"`formPost`\" pulumi-lang-java=\"`formPost`\"\u003e`form_post`\u003c/span\u003e, then \u003cspan pulumi-lang-nodejs=\"`namespaceInState`\" pulumi-lang-dotnet=\"`NamespaceInState`\" pulumi-lang-go=\"`namespaceInState`\" pulumi-lang-python=\"`namespace_in_state`\" pulumi-lang-yaml=\"`namespaceInState`\" pulumi-lang-java=\"`namespaceInState`\"\u003e`namespace_in_state`\u003c/span\u003e should be set to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"oidcResponseTypes":{"type":"array","items":{"type":"string"},"description":"List of response types to request. Allowed values are 'code' and 'id_token'. Defaults to `[\"code\"]`. Note: \u003cspan pulumi-lang-nodejs=\"`idToken`\" pulumi-lang-dotnet=\"`IdToken`\" pulumi-lang-go=\"`idToken`\" pulumi-lang-python=\"`id_token`\" pulumi-lang-yaml=\"`idToken`\" pulumi-lang-java=\"`idToken`\"\u003e`id_token`\u003c/span\u003e may only be used if \u003cspan pulumi-lang-nodejs=\"`oidcResponseMode`\" pulumi-lang-dotnet=\"`OidcResponseMode`\" pulumi-lang-go=\"`oidcResponseMode`\" pulumi-lang-python=\"`oidc_response_mode`\" pulumi-lang-yaml=\"`oidcResponseMode`\" pulumi-lang-java=\"`oidcResponseMode`\"\u003e`oidc_response_mode`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`formPost`\" pulumi-lang-dotnet=\"`FormPost`\" pulumi-lang-go=\"`formPost`\" pulumi-lang-python=\"`form_post`\" pulumi-lang-yaml=\"`formPost`\" pulumi-lang-java=\"`formPost`\"\u003e`form_post`\u003c/span\u003e.\n"},"path":{"type":"string","description":"Path to mount the JWT/OIDC auth backend\n"},"providerConfig":{"type":"object","additionalProperties":{"type":"string"},"description":"Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault.\n"},"tune":{"$ref":"#/types/vault:jwt/AuthBackendTune:AuthBackendTune"},"type":{"type":"string","description":"Type of auth backend. Should be one of \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`oidc`\" pulumi-lang-dotnet=\"`Oidc`\" pulumi-lang-go=\"`oidc`\" pulumi-lang-python=\"`oidc`\" pulumi-lang-yaml=\"`oidc`\" pulumi-lang-java=\"`oidc`\"\u003e`oidc`\u003c/span\u003e. Default - \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e\n","willReplaceOnChanges":true}},"type":"object"}},"vault:jwt/authBackendRole:AuthBackendRole":{"description":"Manages an JWT/OIDC auth backend role in a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/jwt.html) for more\ninformation.\n\n## Example Usage\n\nRole for JWT backend:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst jwt = new vault.jwt.AuthBackend(\"jwt\", {path: \"jwt\"});\nconst example = new vault.jwt.AuthBackendRole(\"example\", {\n    backend: jwt.path,\n    roleName: \"test-role\",\n    tokenPolicies: [\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n    boundAudiences: [\"https://myco.test\"],\n    boundClaims: {\n        color: \"red,green,blue\",\n    },\n    userClaim: \"https://vault/user\",\n    roleType: \"jwt\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\njwt = vault.jwt.AuthBackend(\"jwt\", path=\"jwt\")\nexample = vault.jwt.AuthBackendRole(\"example\",\n    backend=jwt.path,\n    role_name=\"test-role\",\n    token_policies=[\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n    bound_audiences=[\"https://myco.test\"],\n    bound_claims={\n        \"color\": \"red,green,blue\",\n    },\n    user_claim=\"https://vault/user\",\n    role_type=\"jwt\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var jwt = new Vault.Jwt.AuthBackend(\"jwt\", new()\n    {\n        Path = \"jwt\",\n    });\n\n    var example = new Vault.Jwt.AuthBackendRole(\"example\", new()\n    {\n        Backend = jwt.Path,\n        RoleName = \"test-role\",\n        TokenPolicies = new[]\n        {\n            \"default\",\n            \"dev\",\n            \"prod\",\n        },\n        BoundAudiences = new[]\n        {\n            \"https://myco.test\",\n        },\n        BoundClaims = \n        {\n            { \"color\", \"red,green,blue\" },\n        },\n        UserClaim = \"https://vault/user\",\n        RoleType = \"jwt\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/jwt\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tjwt, err := jwt.NewAuthBackend(ctx, \"jwt\", \u0026jwt.AuthBackendArgs{\n\t\t\tPath: pulumi.String(\"jwt\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = jwt.NewAuthBackendRole(ctx, \"example\", \u0026jwt.AuthBackendRoleArgs{\n\t\t\tBackend:  jwt.Path,\n\t\t\tRoleName: pulumi.String(\"test-role\"),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t\tBoundAudiences: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"https://myco.test\"),\n\t\t\t},\n\t\t\tBoundClaims: pulumi.StringMap{\n\t\t\t\t\"color\": pulumi.String(\"red,green,blue\"),\n\t\t\t},\n\t\t\tUserClaim: pulumi.String(\"https://vault/user\"),\n\t\t\tRoleType:  pulumi.String(\"jwt\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.jwt.AuthBackend;\nimport com.pulumi.vault.jwt.AuthBackendArgs;\nimport com.pulumi.vault.jwt.AuthBackendRole;\nimport com.pulumi.vault.jwt.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var jwt = new AuthBackend(\"jwt\", AuthBackendArgs.builder()\n            .path(\"jwt\")\n            .build());\n\n        var example = new AuthBackendRole(\"example\", AuthBackendRoleArgs.builder()\n            .backend(jwt.path())\n            .roleName(\"test-role\")\n            .tokenPolicies(            \n                \"default\",\n                \"dev\",\n                \"prod\")\n            .boundAudiences(\"https://myco.test\")\n            .boundClaims(Map.of(\"color\", \"red,green,blue\"))\n            .userClaim(\"https://vault/user\")\n            .roleType(\"jwt\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  jwt:\n    type: vault:jwt:AuthBackend\n    properties:\n      path: jwt\n  example:\n    type: vault:jwt:AuthBackendRole\n    properties:\n      backend: ${jwt.path}\n      roleName: test-role\n      tokenPolicies:\n        - default\n        - dev\n        - prod\n      boundAudiences:\n        - https://myco.test\n      boundClaims:\n        color: red,green,blue\n      userClaim: https://vault/user\n      roleType: jwt\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\nRole for OIDC backend:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst oidc = new vault.jwt.AuthBackend(\"oidc\", {\n    path: \"oidc\",\n    defaultRole: \"test-role\",\n});\nconst example = new vault.jwt.AuthBackendRole(\"example\", {\n    backend: oidc.path,\n    roleName: \"test-role\",\n    tokenPolicies: [\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n    userClaim: \"https://vault/user\",\n    roleType: \"oidc\",\n    allowedRedirectUris: [\"http://localhost:8200/ui/vault/auth/oidc/oidc/callback\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\noidc = vault.jwt.AuthBackend(\"oidc\",\n    path=\"oidc\",\n    default_role=\"test-role\")\nexample = vault.jwt.AuthBackendRole(\"example\",\n    backend=oidc.path,\n    role_name=\"test-role\",\n    token_policies=[\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n    user_claim=\"https://vault/user\",\n    role_type=\"oidc\",\n    allowed_redirect_uris=[\"http://localhost:8200/ui/vault/auth/oidc/oidc/callback\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var oidc = new Vault.Jwt.AuthBackend(\"oidc\", new()\n    {\n        Path = \"oidc\",\n        DefaultRole = \"test-role\",\n    });\n\n    var example = new Vault.Jwt.AuthBackendRole(\"example\", new()\n    {\n        Backend = oidc.Path,\n        RoleName = \"test-role\",\n        TokenPolicies = new[]\n        {\n            \"default\",\n            \"dev\",\n            \"prod\",\n        },\n        UserClaim = \"https://vault/user\",\n        RoleType = \"oidc\",\n        AllowedRedirectUris = new[]\n        {\n            \"http://localhost:8200/ui/vault/auth/oidc/oidc/callback\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/jwt\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\toidc, err := jwt.NewAuthBackend(ctx, \"oidc\", \u0026jwt.AuthBackendArgs{\n\t\t\tPath:        pulumi.String(\"oidc\"),\n\t\t\tDefaultRole: pulumi.String(\"test-role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = jwt.NewAuthBackendRole(ctx, \"example\", \u0026jwt.AuthBackendRoleArgs{\n\t\t\tBackend:  oidc.Path,\n\t\t\tRoleName: pulumi.String(\"test-role\"),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t\tUserClaim: pulumi.String(\"https://vault/user\"),\n\t\t\tRoleType:  pulumi.String(\"oidc\"),\n\t\t\tAllowedRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://localhost:8200/ui/vault/auth/oidc/oidc/callback\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.jwt.AuthBackend;\nimport com.pulumi.vault.jwt.AuthBackendArgs;\nimport com.pulumi.vault.jwt.AuthBackendRole;\nimport com.pulumi.vault.jwt.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var oidc = new AuthBackend(\"oidc\", AuthBackendArgs.builder()\n            .path(\"oidc\")\n            .defaultRole(\"test-role\")\n            .build());\n\n        var example = new AuthBackendRole(\"example\", AuthBackendRoleArgs.builder()\n            .backend(oidc.path())\n            .roleName(\"test-role\")\n            .tokenPolicies(            \n                \"default\",\n                \"dev\",\n                \"prod\")\n            .userClaim(\"https://vault/user\")\n            .roleType(\"oidc\")\n            .allowedRedirectUris(\"http://localhost:8200/ui/vault/auth/oidc/oidc/callback\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  oidc:\n    type: vault:jwt:AuthBackend\n    properties:\n      path: oidc\n      defaultRole: test-role\n  example:\n    type: vault:jwt:AuthBackendRole\n    properties:\n      backend: ${oidc.path}\n      roleName: test-role\n      tokenPolicies:\n        - default\n        - dev\n        - prod\n      userClaim: https://vault/user\n      roleType: oidc\n      allowedRedirectUris:\n        - http://localhost:8200/ui/vault/auth/oidc/oidc/callback\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nJWT authentication backend roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:jwt/authBackendRole:AuthBackendRole example auth/jwt/role/test-role\n```\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowedRedirectUris":{"type":"array","items":{"type":"string"},"description":"The list of allowed values for\u003cspan pulumi-lang-nodejs=\" redirectUri \" pulumi-lang-dotnet=\" RedirectUri \" pulumi-lang-go=\" redirectUri \" pulumi-lang-python=\" redirect_uri \" pulumi-lang-yaml=\" redirectUri \" pulumi-lang-java=\" redirectUri \"\u003e redirect_uri \u003c/span\u003eduring OIDC logins.\nRequired for OIDC roles\n"},"backend":{"type":"string","description":"The unique name of the auth backend to configure.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e.\n"},"boundAudiences":{"type":"array","items":{"type":"string"},"description":"(Required for roles of type \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e, optional for roles of\ntype \u003cspan pulumi-lang-nodejs=\"`oidc`\" pulumi-lang-dotnet=\"`Oidc`\" pulumi-lang-go=\"`oidc`\" pulumi-lang-python=\"`oidc`\" pulumi-lang-yaml=\"`oidc`\" pulumi-lang-java=\"`oidc`\"\u003e`oidc`\u003c/span\u003e) List of \u003cspan pulumi-lang-nodejs=\"`aud`\" pulumi-lang-dotnet=\"`Aud`\" pulumi-lang-go=\"`aud`\" pulumi-lang-python=\"`aud`\" pulumi-lang-yaml=\"`aud`\" pulumi-lang-java=\"`aud`\"\u003e`aud`\u003c/span\u003e claims to match against. Any match is sufficient.\n"},"boundClaims":{"type":"object","additionalProperties":{"type":"string"},"description":"If set, a map of claims to values to match against.\nA claim's value must be a string, which may contain one value or multiple\ncomma-separated values, e.g. `\"red\"` or `\"red,green,blue\"`.\n"},"boundClaimsType":{"type":"string","description":"How to interpret values in the claims/values\nmap (\u003cspan pulumi-lang-nodejs=\"`boundClaims`\" pulumi-lang-dotnet=\"`BoundClaims`\" pulumi-lang-go=\"`boundClaims`\" pulumi-lang-python=\"`bound_claims`\" pulumi-lang-yaml=\"`boundClaims`\" pulumi-lang-java=\"`boundClaims`\"\u003e`bound_claims`\u003c/span\u003e): can be either \u003cspan pulumi-lang-nodejs=\"`string`\" pulumi-lang-dotnet=\"`String`\" pulumi-lang-go=\"`string`\" pulumi-lang-python=\"`string`\" pulumi-lang-yaml=\"`string`\" pulumi-lang-java=\"`string`\"\u003e`string`\u003c/span\u003e (exact match) or \u003cspan pulumi-lang-nodejs=\"`glob`\" pulumi-lang-dotnet=\"`Glob`\" pulumi-lang-go=\"`glob`\" pulumi-lang-python=\"`glob`\" pulumi-lang-yaml=\"`glob`\" pulumi-lang-java=\"`glob`\"\u003e`glob`\u003c/span\u003e (wildcard\nmatch). Requires Vault 1.4.0 or above.\n"},"boundSubject":{"type":"string","description":"If set, requires that the \u003cspan pulumi-lang-nodejs=\"`sub`\" pulumi-lang-dotnet=\"`Sub`\" pulumi-lang-go=\"`sub`\" pulumi-lang-python=\"`sub`\" pulumi-lang-yaml=\"`sub`\" pulumi-lang-java=\"`sub`\"\u003e`sub`\u003c/span\u003e claim matches\nthis value.\n"},"claimMappings":{"type":"object","additionalProperties":{"type":"string"},"description":"If set, a map of claims (keys) to be copied\nto specified metadata fields (values).\n"},"clockSkewLeeway":{"type":"integer","description":"The amount of leeway to add to all claims to account for clock skew, in\nseconds. Defaults to \u003cspan pulumi-lang-nodejs=\"`60`\" pulumi-lang-dotnet=\"`60`\" pulumi-lang-go=\"`60`\" pulumi-lang-python=\"`60`\" pulumi-lang-yaml=\"`60`\" pulumi-lang-java=\"`60`\"\u003e`60`\u003c/span\u003e seconds if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e and can be disabled if set to `-1`.\nOnly applicable with \"jwt\" roles.\n"},"disableBoundClaimsParsing":{"type":"boolean","description":"Disable bound claim value parsing. Useful when values contain commas."},"expirationLeeway":{"type":"integer","description":"The amount of leeway to add to expiration (\u003cspan pulumi-lang-nodejs=\"`exp`\" pulumi-lang-dotnet=\"`Exp`\" pulumi-lang-go=\"`exp`\" pulumi-lang-python=\"`exp`\" pulumi-lang-yaml=\"`exp`\" pulumi-lang-java=\"`exp`\"\u003e`exp`\u003c/span\u003e) claims to account for\nclock skew, in seconds. Defaults to \u003cspan pulumi-lang-nodejs=\"`150`\" pulumi-lang-dotnet=\"`150`\" pulumi-lang-go=\"`150`\" pulumi-lang-python=\"`150`\" pulumi-lang-yaml=\"`150`\" pulumi-lang-java=\"`150`\"\u003e`150`\u003c/span\u003e seconds if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e and can be disabled if set to `-1`.\nOnly applicable with \"jwt\" roles.\n"},"groupsClaim":{"type":"string","description":"The claim to use to uniquely identify\nthe set of groups to which the user belongs; this will be used as the names\nfor the Identity group aliases created due to a successful login. The claim\nvalue must be a list of strings.\n"},"maxAge":{"type":"integer","description":"Specifies the allowable elapsed time in seconds since the last time \nthe user was actively authenticated with the OIDC provider.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"notBeforeLeeway":{"type":"integer","description":"The amount of leeway to add to not before (\u003cspan pulumi-lang-nodejs=\"`nbf`\" pulumi-lang-dotnet=\"`Nbf`\" pulumi-lang-go=\"`nbf`\" pulumi-lang-python=\"`nbf`\" pulumi-lang-yaml=\"`nbf`\" pulumi-lang-java=\"`nbf`\"\u003e`nbf`\u003c/span\u003e) claims to account for\nclock skew, in seconds. Defaults to \u003cspan pulumi-lang-nodejs=\"`150`\" pulumi-lang-dotnet=\"`150`\" pulumi-lang-go=\"`150`\" pulumi-lang-python=\"`150`\" pulumi-lang-yaml=\"`150`\" pulumi-lang-java=\"`150`\"\u003e`150`\u003c/span\u003e seconds if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e and can be disabled if set to `-1`.\nOnly applicable with \"jwt\" roles.\n"},"oidcScopes":{"type":"array","items":{"type":"string"},"description":"If set, a list of OIDC scopes to be used with an OIDC role.\nThe standard scope \"openid\" is automatically included and need not be specified.\n"},"roleName":{"type":"string","description":"The name of the role.\n"},"roleType":{"type":"string","description":"Type of role, either \"oidc\" (default) or \"jwt\".\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"},"userClaim":{"type":"string","description":"The claim to use to uniquely identify\nthe user; this will be used as the name for the Identity entity alias created\ndue to a successful login.\n"},"userClaimJsonPointer":{"type":"boolean","description":"Specifies if the \u003cspan pulumi-lang-nodejs=\"`userClaim`\" pulumi-lang-dotnet=\"`UserClaim`\" pulumi-lang-go=\"`userClaim`\" pulumi-lang-python=\"`user_claim`\" pulumi-lang-yaml=\"`userClaim`\" pulumi-lang-java=\"`userClaim`\"\u003e`user_claim`\u003c/span\u003e value uses\n[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)\nsyntax for referencing claims. By default, the \u003cspan pulumi-lang-nodejs=\"`userClaim`\" pulumi-lang-dotnet=\"`UserClaim`\" pulumi-lang-go=\"`userClaim`\" pulumi-lang-python=\"`user_claim`\" pulumi-lang-yaml=\"`userClaim`\" pulumi-lang-java=\"`userClaim`\"\u003e`user_claim`\u003c/span\u003e value will not use JSON pointer.\nRequires Vault 1.11+.\n"},"verboseOidcLogging":{"type":"boolean","description":"Log received OIDC tokens and claims when debug-level\nlogging is active. Not recommended in production since sensitive information may be present\nin OIDC responses.\n"}},"required":["boundClaimsType","roleName","roleType","userClaim"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowedRedirectUris":{"type":"array","items":{"type":"string"},"description":"The list of allowed values for\u003cspan pulumi-lang-nodejs=\" redirectUri \" pulumi-lang-dotnet=\" RedirectUri \" pulumi-lang-go=\" redirectUri \" pulumi-lang-python=\" redirect_uri \" pulumi-lang-yaml=\" redirectUri \" pulumi-lang-java=\" redirectUri \"\u003e redirect_uri \u003c/span\u003eduring OIDC logins.\nRequired for OIDC roles\n"},"backend":{"type":"string","description":"The unique name of the auth backend to configure.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e.\n","willReplaceOnChanges":true},"boundAudiences":{"type":"array","items":{"type":"string"},"description":"(Required for roles of type \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e, optional for roles of\ntype \u003cspan pulumi-lang-nodejs=\"`oidc`\" pulumi-lang-dotnet=\"`Oidc`\" pulumi-lang-go=\"`oidc`\" pulumi-lang-python=\"`oidc`\" pulumi-lang-yaml=\"`oidc`\" pulumi-lang-java=\"`oidc`\"\u003e`oidc`\u003c/span\u003e) List of \u003cspan pulumi-lang-nodejs=\"`aud`\" pulumi-lang-dotnet=\"`Aud`\" pulumi-lang-go=\"`aud`\" pulumi-lang-python=\"`aud`\" pulumi-lang-yaml=\"`aud`\" pulumi-lang-java=\"`aud`\"\u003e`aud`\u003c/span\u003e claims to match against. Any match is sufficient.\n"},"boundClaims":{"type":"object","additionalProperties":{"type":"string"},"description":"If set, a map of claims to values to match against.\nA claim's value must be a string, which may contain one value or multiple\ncomma-separated values, e.g. `\"red\"` or `\"red,green,blue\"`.\n"},"boundClaimsType":{"type":"string","description":"How to interpret values in the claims/values\nmap (\u003cspan pulumi-lang-nodejs=\"`boundClaims`\" pulumi-lang-dotnet=\"`BoundClaims`\" pulumi-lang-go=\"`boundClaims`\" pulumi-lang-python=\"`bound_claims`\" pulumi-lang-yaml=\"`boundClaims`\" pulumi-lang-java=\"`boundClaims`\"\u003e`bound_claims`\u003c/span\u003e): can be either \u003cspan pulumi-lang-nodejs=\"`string`\" pulumi-lang-dotnet=\"`String`\" pulumi-lang-go=\"`string`\" pulumi-lang-python=\"`string`\" pulumi-lang-yaml=\"`string`\" pulumi-lang-java=\"`string`\"\u003e`string`\u003c/span\u003e (exact match) or \u003cspan pulumi-lang-nodejs=\"`glob`\" pulumi-lang-dotnet=\"`Glob`\" pulumi-lang-go=\"`glob`\" pulumi-lang-python=\"`glob`\" pulumi-lang-yaml=\"`glob`\" pulumi-lang-java=\"`glob`\"\u003e`glob`\u003c/span\u003e (wildcard\nmatch). Requires Vault 1.4.0 or above.\n"},"boundSubject":{"type":"string","description":"If set, requires that the \u003cspan pulumi-lang-nodejs=\"`sub`\" pulumi-lang-dotnet=\"`Sub`\" pulumi-lang-go=\"`sub`\" pulumi-lang-python=\"`sub`\" pulumi-lang-yaml=\"`sub`\" pulumi-lang-java=\"`sub`\"\u003e`sub`\u003c/span\u003e claim matches\nthis value.\n"},"claimMappings":{"type":"object","additionalProperties":{"type":"string"},"description":"If set, a map of claims (keys) to be copied\nto specified metadata fields (values).\n"},"clockSkewLeeway":{"type":"integer","description":"The amount of leeway to add to all claims to account for clock skew, in\nseconds. Defaults to \u003cspan pulumi-lang-nodejs=\"`60`\" pulumi-lang-dotnet=\"`60`\" pulumi-lang-go=\"`60`\" pulumi-lang-python=\"`60`\" pulumi-lang-yaml=\"`60`\" pulumi-lang-java=\"`60`\"\u003e`60`\u003c/span\u003e seconds if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e and can be disabled if set to `-1`.\nOnly applicable with \"jwt\" roles.\n"},"disableBoundClaimsParsing":{"type":"boolean","description":"Disable bound claim value parsing. Useful when values contain commas."},"expirationLeeway":{"type":"integer","description":"The amount of leeway to add to expiration (\u003cspan pulumi-lang-nodejs=\"`exp`\" pulumi-lang-dotnet=\"`Exp`\" pulumi-lang-go=\"`exp`\" pulumi-lang-python=\"`exp`\" pulumi-lang-yaml=\"`exp`\" pulumi-lang-java=\"`exp`\"\u003e`exp`\u003c/span\u003e) claims to account for\nclock skew, in seconds. Defaults to \u003cspan pulumi-lang-nodejs=\"`150`\" pulumi-lang-dotnet=\"`150`\" pulumi-lang-go=\"`150`\" pulumi-lang-python=\"`150`\" pulumi-lang-yaml=\"`150`\" pulumi-lang-java=\"`150`\"\u003e`150`\u003c/span\u003e seconds if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e and can be disabled if set to `-1`.\nOnly applicable with \"jwt\" roles.\n"},"groupsClaim":{"type":"string","description":"The claim to use to uniquely identify\nthe set of groups to which the user belongs; this will be used as the names\nfor the Identity group aliases created due to a successful login. The claim\nvalue must be a list of strings.\n"},"maxAge":{"type":"integer","description":"Specifies the allowable elapsed time in seconds since the last time \nthe user was actively authenticated with the OIDC provider.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notBeforeLeeway":{"type":"integer","description":"The amount of leeway to add to not before (\u003cspan pulumi-lang-nodejs=\"`nbf`\" pulumi-lang-dotnet=\"`Nbf`\" pulumi-lang-go=\"`nbf`\" pulumi-lang-python=\"`nbf`\" pulumi-lang-yaml=\"`nbf`\" pulumi-lang-java=\"`nbf`\"\u003e`nbf`\u003c/span\u003e) claims to account for\nclock skew, in seconds. Defaults to \u003cspan pulumi-lang-nodejs=\"`150`\" pulumi-lang-dotnet=\"`150`\" pulumi-lang-go=\"`150`\" pulumi-lang-python=\"`150`\" pulumi-lang-yaml=\"`150`\" pulumi-lang-java=\"`150`\"\u003e`150`\u003c/span\u003e seconds if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e and can be disabled if set to `-1`.\nOnly applicable with \"jwt\" roles.\n"},"oidcScopes":{"type":"array","items":{"type":"string"},"description":"If set, a list of OIDC scopes to be used with an OIDC role.\nThe standard scope \"openid\" is automatically included and need not be specified.\n"},"roleName":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"roleType":{"type":"string","description":"Type of role, either \"oidc\" (default) or \"jwt\".\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"},"userClaim":{"type":"string","description":"The claim to use to uniquely identify\nthe user; this will be used as the name for the Identity entity alias created\ndue to a successful login.\n"},"userClaimJsonPointer":{"type":"boolean","description":"Specifies if the \u003cspan pulumi-lang-nodejs=\"`userClaim`\" pulumi-lang-dotnet=\"`UserClaim`\" pulumi-lang-go=\"`userClaim`\" pulumi-lang-python=\"`user_claim`\" pulumi-lang-yaml=\"`userClaim`\" pulumi-lang-java=\"`userClaim`\"\u003e`user_claim`\u003c/span\u003e value uses\n[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)\nsyntax for referencing claims. By default, the \u003cspan pulumi-lang-nodejs=\"`userClaim`\" pulumi-lang-dotnet=\"`UserClaim`\" pulumi-lang-go=\"`userClaim`\" pulumi-lang-python=\"`user_claim`\" pulumi-lang-yaml=\"`userClaim`\" pulumi-lang-java=\"`userClaim`\"\u003e`user_claim`\u003c/span\u003e value will not use JSON pointer.\nRequires Vault 1.11+.\n"},"verboseOidcLogging":{"type":"boolean","description":"Log received OIDC tokens and claims when debug-level\nlogging is active. Not recommended in production since sensitive information may be present\nin OIDC responses.\n"}},"requiredInputs":["roleName","userClaim"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowedRedirectUris":{"type":"array","items":{"type":"string"},"description":"The list of allowed values for\u003cspan pulumi-lang-nodejs=\" redirectUri \" pulumi-lang-dotnet=\" RedirectUri \" pulumi-lang-go=\" redirectUri \" pulumi-lang-python=\" redirect_uri \" pulumi-lang-yaml=\" redirectUri \" pulumi-lang-java=\" redirectUri \"\u003e redirect_uri \u003c/span\u003eduring OIDC logins.\nRequired for OIDC roles\n"},"backend":{"type":"string","description":"The unique name of the auth backend to configure.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e.\n","willReplaceOnChanges":true},"boundAudiences":{"type":"array","items":{"type":"string"},"description":"(Required for roles of type \u003cspan pulumi-lang-nodejs=\"`jwt`\" pulumi-lang-dotnet=\"`Jwt`\" pulumi-lang-go=\"`jwt`\" pulumi-lang-python=\"`jwt`\" pulumi-lang-yaml=\"`jwt`\" pulumi-lang-java=\"`jwt`\"\u003e`jwt`\u003c/span\u003e, optional for roles of\ntype \u003cspan pulumi-lang-nodejs=\"`oidc`\" pulumi-lang-dotnet=\"`Oidc`\" pulumi-lang-go=\"`oidc`\" pulumi-lang-python=\"`oidc`\" pulumi-lang-yaml=\"`oidc`\" pulumi-lang-java=\"`oidc`\"\u003e`oidc`\u003c/span\u003e) List of \u003cspan pulumi-lang-nodejs=\"`aud`\" pulumi-lang-dotnet=\"`Aud`\" pulumi-lang-go=\"`aud`\" pulumi-lang-python=\"`aud`\" pulumi-lang-yaml=\"`aud`\" pulumi-lang-java=\"`aud`\"\u003e`aud`\u003c/span\u003e claims to match against. Any match is sufficient.\n"},"boundClaims":{"type":"object","additionalProperties":{"type":"string"},"description":"If set, a map of claims to values to match against.\nA claim's value must be a string, which may contain one value or multiple\ncomma-separated values, e.g. `\"red\"` or `\"red,green,blue\"`.\n"},"boundClaimsType":{"type":"string","description":"How to interpret values in the claims/values\nmap (\u003cspan pulumi-lang-nodejs=\"`boundClaims`\" pulumi-lang-dotnet=\"`BoundClaims`\" pulumi-lang-go=\"`boundClaims`\" pulumi-lang-python=\"`bound_claims`\" pulumi-lang-yaml=\"`boundClaims`\" pulumi-lang-java=\"`boundClaims`\"\u003e`bound_claims`\u003c/span\u003e): can be either \u003cspan pulumi-lang-nodejs=\"`string`\" pulumi-lang-dotnet=\"`String`\" pulumi-lang-go=\"`string`\" pulumi-lang-python=\"`string`\" pulumi-lang-yaml=\"`string`\" pulumi-lang-java=\"`string`\"\u003e`string`\u003c/span\u003e (exact match) or \u003cspan pulumi-lang-nodejs=\"`glob`\" pulumi-lang-dotnet=\"`Glob`\" pulumi-lang-go=\"`glob`\" pulumi-lang-python=\"`glob`\" pulumi-lang-yaml=\"`glob`\" pulumi-lang-java=\"`glob`\"\u003e`glob`\u003c/span\u003e (wildcard\nmatch). Requires Vault 1.4.0 or above.\n"},"boundSubject":{"type":"string","description":"If set, requires that the \u003cspan pulumi-lang-nodejs=\"`sub`\" pulumi-lang-dotnet=\"`Sub`\" pulumi-lang-go=\"`sub`\" pulumi-lang-python=\"`sub`\" pulumi-lang-yaml=\"`sub`\" pulumi-lang-java=\"`sub`\"\u003e`sub`\u003c/span\u003e claim matches\nthis value.\n"},"claimMappings":{"type":"object","additionalProperties":{"type":"string"},"description":"If set, a map of claims (keys) to be copied\nto specified metadata fields (values).\n"},"clockSkewLeeway":{"type":"integer","description":"The amount of leeway to add to all claims to account for clock skew, in\nseconds. Defaults to \u003cspan pulumi-lang-nodejs=\"`60`\" pulumi-lang-dotnet=\"`60`\" pulumi-lang-go=\"`60`\" pulumi-lang-python=\"`60`\" pulumi-lang-yaml=\"`60`\" pulumi-lang-java=\"`60`\"\u003e`60`\u003c/span\u003e seconds if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e and can be disabled if set to `-1`.\nOnly applicable with \"jwt\" roles.\n"},"disableBoundClaimsParsing":{"type":"boolean","description":"Disable bound claim value parsing. Useful when values contain commas."},"expirationLeeway":{"type":"integer","description":"The amount of leeway to add to expiration (\u003cspan pulumi-lang-nodejs=\"`exp`\" pulumi-lang-dotnet=\"`Exp`\" pulumi-lang-go=\"`exp`\" pulumi-lang-python=\"`exp`\" pulumi-lang-yaml=\"`exp`\" pulumi-lang-java=\"`exp`\"\u003e`exp`\u003c/span\u003e) claims to account for\nclock skew, in seconds. Defaults to \u003cspan pulumi-lang-nodejs=\"`150`\" pulumi-lang-dotnet=\"`150`\" pulumi-lang-go=\"`150`\" pulumi-lang-python=\"`150`\" pulumi-lang-yaml=\"`150`\" pulumi-lang-java=\"`150`\"\u003e`150`\u003c/span\u003e seconds if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e and can be disabled if set to `-1`.\nOnly applicable with \"jwt\" roles.\n"},"groupsClaim":{"type":"string","description":"The claim to use to uniquely identify\nthe set of groups to which the user belongs; this will be used as the names\nfor the Identity group aliases created due to a successful login. The claim\nvalue must be a list of strings.\n"},"maxAge":{"type":"integer","description":"Specifies the allowable elapsed time in seconds since the last time \nthe user was actively authenticated with the OIDC provider.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notBeforeLeeway":{"type":"integer","description":"The amount of leeway to add to not before (\u003cspan pulumi-lang-nodejs=\"`nbf`\" pulumi-lang-dotnet=\"`Nbf`\" pulumi-lang-go=\"`nbf`\" pulumi-lang-python=\"`nbf`\" pulumi-lang-yaml=\"`nbf`\" pulumi-lang-java=\"`nbf`\"\u003e`nbf`\u003c/span\u003e) claims to account for\nclock skew, in seconds. Defaults to \u003cspan pulumi-lang-nodejs=\"`150`\" pulumi-lang-dotnet=\"`150`\" pulumi-lang-go=\"`150`\" pulumi-lang-python=\"`150`\" pulumi-lang-yaml=\"`150`\" pulumi-lang-java=\"`150`\"\u003e`150`\u003c/span\u003e seconds if set to \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e and can be disabled if set to `-1`.\nOnly applicable with \"jwt\" roles.\n"},"oidcScopes":{"type":"array","items":{"type":"string"},"description":"If set, a list of OIDC scopes to be used with an OIDC role.\nThe standard scope \"openid\" is automatically included and need not be specified.\n"},"roleName":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"roleType":{"type":"string","description":"Type of role, either \"oidc\" (default) or \"jwt\".\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"},"userClaim":{"type":"string","description":"The claim to use to uniquely identify\nthe user; this will be used as the name for the Identity entity alias created\ndue to a successful login.\n"},"userClaimJsonPointer":{"type":"boolean","description":"Specifies if the \u003cspan pulumi-lang-nodejs=\"`userClaim`\" pulumi-lang-dotnet=\"`UserClaim`\" pulumi-lang-go=\"`userClaim`\" pulumi-lang-python=\"`user_claim`\" pulumi-lang-yaml=\"`userClaim`\" pulumi-lang-java=\"`userClaim`\"\u003e`user_claim`\u003c/span\u003e value uses\n[JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)\nsyntax for referencing claims. By default, the \u003cspan pulumi-lang-nodejs=\"`userClaim`\" pulumi-lang-dotnet=\"`UserClaim`\" pulumi-lang-go=\"`userClaim`\" pulumi-lang-python=\"`user_claim`\" pulumi-lang-yaml=\"`userClaim`\" pulumi-lang-java=\"`userClaim`\"\u003e`user_claim`\u003c/span\u003e value will not use JSON pointer.\nRequires Vault 1.11+.\n"},"verboseOidcLogging":{"type":"boolean","description":"Log received OIDC tokens and claims when debug-level\nlogging is active. Not recommended in production since sensitive information may be present\nin OIDC responses.\n"}},"type":"object"}},"vault:kmip/secretBackend:SecretBackend":{"description":"Manages KMIP Secret backends in a Vault server. This feature requires\nVault Enterprise. See the [Vault documentation](https://www.vaultproject.io/docs/secrets/kmip)\nfor more information.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst _default = new vault.kmip.SecretBackend(\"default\", {\n    path: \"kmip\",\n    description: \"Vault KMIP backend\",\n    listenAddrs: [\n        \"127.0.0.1:5696\",\n        \"127.0.0.1:8080\",\n    ],\n    tlsCaKeyType: \"rsa\",\n    tlsCaKeyBits: 4096,\n    defaultTlsClientKeyType: \"rsa\",\n    defaultTlsClientKeyBits: 4096,\n    defaultTlsClientTtl: 86400,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ndefault = vault.kmip.SecretBackend(\"default\",\n    path=\"kmip\",\n    description=\"Vault KMIP backend\",\n    listen_addrs=[\n        \"127.0.0.1:5696\",\n        \"127.0.0.1:8080\",\n    ],\n    tls_ca_key_type=\"rsa\",\n    tls_ca_key_bits=4096,\n    default_tls_client_key_type=\"rsa\",\n    default_tls_client_key_bits=4096,\n    default_tls_client_ttl=86400)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @default = new Vault.Kmip.SecretBackend(\"default\", new()\n    {\n        Path = \"kmip\",\n        Description = \"Vault KMIP backend\",\n        ListenAddrs = new[]\n        {\n            \"127.0.0.1:5696\",\n            \"127.0.0.1:8080\",\n        },\n        TlsCaKeyType = \"rsa\",\n        TlsCaKeyBits = 4096,\n        DefaultTlsClientKeyType = \"rsa\",\n        DefaultTlsClientKeyBits = 4096,\n        DefaultTlsClientTtl = 86400,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kmip\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := kmip.NewSecretBackend(ctx, \"default\", \u0026kmip.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"kmip\"),\n\t\t\tDescription: pulumi.String(\"Vault KMIP backend\"),\n\t\t\tListenAddrs: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"127.0.0.1:5696\"),\n\t\t\t\tpulumi.String(\"127.0.0.1:8080\"),\n\t\t\t},\n\t\t\tTlsCaKeyType:            pulumi.String(\"rsa\"),\n\t\t\tTlsCaKeyBits:            pulumi.Int(4096),\n\t\t\tDefaultTlsClientKeyType: pulumi.String(\"rsa\"),\n\t\t\tDefaultTlsClientKeyBits: pulumi.Int(4096),\n\t\t\tDefaultTlsClientTtl:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kmip.SecretBackend;\nimport com.pulumi.vault.kmip.SecretBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var default_ = new SecretBackend(\"default\", SecretBackendArgs.builder()\n            .path(\"kmip\")\n            .description(\"Vault KMIP backend\")\n            .listenAddrs(            \n                \"127.0.0.1:5696\",\n                \"127.0.0.1:8080\")\n            .tlsCaKeyType(\"rsa\")\n            .tlsCaKeyBits(4096)\n            .defaultTlsClientKeyType(\"rsa\")\n            .defaultTlsClientKeyBits(4096)\n            .defaultTlsClientTtl(86400)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  default:\n    type: vault:kmip:SecretBackend\n    properties:\n      path: kmip\n      description: Vault KMIP backend\n      listenAddrs:\n        - 127.0.0.1:5696\n        - 127.0.0.1:8080\n      tlsCaKeyType: rsa\n      tlsCaKeyBits: 4096\n      defaultTlsClientKeyType: rsa\n      defaultTlsClientKeyBits: 4096\n      defaultTlsClientTtl: 86400\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nKMIP Secret backend can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:kmip/secretBackend:SecretBackend default kmip\n```\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"defaultTlsClientKeyBits":{"type":"integer","description":"Client certificate key bits, valid values depend on key type.\n"},"defaultTlsClientKeyType":{"type":"string","description":"Client certificate key type, \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e.\n"},"defaultTlsClientTtl":{"type":"integer","description":"Client certificate TTL in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listenAddrs":{"type":"array","items":{"type":"string"},"description":"Addresses the KMIP server should listen on (`host:port`).\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`kmip`\" pulumi-lang-dotnet=\"`Kmip`\" pulumi-lang-go=\"`kmip`\" pulumi-lang-python=\"`kmip`\" pulumi-lang-yaml=\"`kmip`\" pulumi-lang-java=\"`kmip`\"\u003e`kmip`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"serverHostnames":{"type":"array","items":{"type":"string"},"description":"Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN).\n"},"serverIps":{"type":"array","items":{"type":"string"},"description":"IPs to include in the server's TLS certificate as SAN IP addresses.\n"},"tlsCaKeyBits":{"type":"integer","description":"CA key bits, valid values depend on key type.\n"},"tlsCaKeyType":{"type":"string","description":"CA key type, rsa or ec.\n"},"tlsMinVersion":{"type":"string","description":"Minimum TLS version to accept.\n"}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","defaultLeaseTtlSeconds","defaultTlsClientKeyBits","defaultTlsClientKeyType","defaultTlsClientTtl","forceNoCache","listenAddrs","maxLeaseTtlSeconds","path","sealWrap","serverHostnames","serverIps","tlsCaKeyBits","tlsCaKeyType","tlsMinVersion"],"inputProperties":{"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"defaultTlsClientKeyBits":{"type":"integer","description":"Client certificate key bits, valid values depend on key type.\n"},"defaultTlsClientKeyType":{"type":"string","description":"Client certificate key type, \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e.\n"},"defaultTlsClientTtl":{"type":"integer","description":"Client certificate TTL in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listenAddrs":{"type":"array","items":{"type":"string"},"description":"Addresses the KMIP server should listen on (`host:port`).\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`kmip`\" pulumi-lang-dotnet=\"`Kmip`\" pulumi-lang-go=\"`kmip`\" pulumi-lang-python=\"`kmip`\" pulumi-lang-yaml=\"`kmip`\" pulumi-lang-java=\"`kmip`\"\u003e`kmip`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"serverHostnames":{"type":"array","items":{"type":"string"},"description":"Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN).\n"},"serverIps":{"type":"array","items":{"type":"string"},"description":"IPs to include in the server's TLS certificate as SAN IP addresses.\n"},"tlsCaKeyBits":{"type":"integer","description":"CA key bits, valid values depend on key type.\n"},"tlsCaKeyType":{"type":"string","description":"CA key type, rsa or ec.\n"},"tlsMinVersion":{"type":"string","description":"Minimum TLS version to accept.\n"}},"requiredInputs":["path"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"defaultTlsClientKeyBits":{"type":"integer","description":"Client certificate key bits, valid values depend on key type.\n"},"defaultTlsClientKeyType":{"type":"string","description":"Client certificate key type, \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e.\n"},"defaultTlsClientTtl":{"type":"integer","description":"Client certificate TTL in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listenAddrs":{"type":"array","items":{"type":"string"},"description":"Addresses the KMIP server should listen on (`host:port`).\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`kmip`\" pulumi-lang-dotnet=\"`Kmip`\" pulumi-lang-go=\"`kmip`\" pulumi-lang-python=\"`kmip`\" pulumi-lang-yaml=\"`kmip`\" pulumi-lang-java=\"`kmip`\"\u003e`kmip`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"serverHostnames":{"type":"array","items":{"type":"string"},"description":"Hostnames to include in the server's TLS certificate as SAN DNS names. The first will be used as the common name (CN).\n"},"serverIps":{"type":"array","items":{"type":"string"},"description":"IPs to include in the server's TLS certificate as SAN IP addresses.\n"},"tlsCaKeyBits":{"type":"integer","description":"CA key bits, valid values depend on key type.\n"},"tlsCaKeyType":{"type":"string","description":"CA key type, rsa or ec.\n"},"tlsMinVersion":{"type":"string","description":"Minimum TLS version to accept.\n"}},"type":"object"}},"vault:kmip/secretRole:SecretRole":{"description":"Manages KMIP Secret roles in a Vault server. This feature requires\nVault Enterprise. See the [Vault documentation](https://www.vaultproject.io/docs/secrets/kmip)\nfor more information.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst _default = new vault.kmip.SecretBackend(\"default\", {\n    path: \"kmip\",\n    description: \"Vault KMIP backend\",\n});\nconst dev = new vault.kmip.SecretScope(\"dev\", {\n    path: _default.path,\n    scope: \"dev\",\n    force: true,\n});\nconst admin = new vault.kmip.SecretRole(\"admin\", {\n    path: dev.path,\n    scope: dev.scope,\n    role: \"admin\",\n    tlsClientKeyType: \"ec\",\n    tlsClientKeyBits: 256,\n    operationActivate: true,\n    operationGet: true,\n    operationGetAttributes: true,\n    operationCreate: true,\n    operationDestroy: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ndefault = vault.kmip.SecretBackend(\"default\",\n    path=\"kmip\",\n    description=\"Vault KMIP backend\")\ndev = vault.kmip.SecretScope(\"dev\",\n    path=default.path,\n    scope=\"dev\",\n    force=True)\nadmin = vault.kmip.SecretRole(\"admin\",\n    path=dev.path,\n    scope=dev.scope,\n    role=\"admin\",\n    tls_client_key_type=\"ec\",\n    tls_client_key_bits=256,\n    operation_activate=True,\n    operation_get=True,\n    operation_get_attributes=True,\n    operation_create=True,\n    operation_destroy=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @default = new Vault.Kmip.SecretBackend(\"default\", new()\n    {\n        Path = \"kmip\",\n        Description = \"Vault KMIP backend\",\n    });\n\n    var dev = new Vault.Kmip.SecretScope(\"dev\", new()\n    {\n        Path = @default.Path,\n        Scope = \"dev\",\n        Force = true,\n    });\n\n    var admin = new Vault.Kmip.SecretRole(\"admin\", new()\n    {\n        Path = dev.Path,\n        Scope = dev.Scope,\n        Role = \"admin\",\n        TlsClientKeyType = \"ec\",\n        TlsClientKeyBits = 256,\n        OperationActivate = true,\n        OperationGet = true,\n        OperationGetAttributes = true,\n        OperationCreate = true,\n        OperationDestroy = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kmip\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_default, err := kmip.NewSecretBackend(ctx, \"default\", \u0026kmip.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"kmip\"),\n\t\t\tDescription: pulumi.String(\"Vault KMIP backend\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdev, err := kmip.NewSecretScope(ctx, \"dev\", \u0026kmip.SecretScopeArgs{\n\t\t\tPath:  _default.Path,\n\t\t\tScope: pulumi.String(\"dev\"),\n\t\t\tForce: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kmip.NewSecretRole(ctx, \"admin\", \u0026kmip.SecretRoleArgs{\n\t\t\tPath:                   dev.Path,\n\t\t\tScope:                  dev.Scope,\n\t\t\tRole:                   pulumi.String(\"admin\"),\n\t\t\tTlsClientKeyType:       pulumi.String(\"ec\"),\n\t\t\tTlsClientKeyBits:       pulumi.Int(256),\n\t\t\tOperationActivate:      pulumi.Bool(true),\n\t\t\tOperationGet:           pulumi.Bool(true),\n\t\t\tOperationGetAttributes: pulumi.Bool(true),\n\t\t\tOperationCreate:        pulumi.Bool(true),\n\t\t\tOperationDestroy:       pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kmip.SecretBackend;\nimport com.pulumi.vault.kmip.SecretBackendArgs;\nimport com.pulumi.vault.kmip.SecretScope;\nimport com.pulumi.vault.kmip.SecretScopeArgs;\nimport com.pulumi.vault.kmip.SecretRole;\nimport com.pulumi.vault.kmip.SecretRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var default_ = new SecretBackend(\"default\", SecretBackendArgs.builder()\n            .path(\"kmip\")\n            .description(\"Vault KMIP backend\")\n            .build());\n\n        var dev = new SecretScope(\"dev\", SecretScopeArgs.builder()\n            .path(default_.path())\n            .scope(\"dev\")\n            .force(true)\n            .build());\n\n        var admin = new SecretRole(\"admin\", SecretRoleArgs.builder()\n            .path(dev.path())\n            .scope(dev.scope())\n            .role(\"admin\")\n            .tlsClientKeyType(\"ec\")\n            .tlsClientKeyBits(256)\n            .operationActivate(true)\n            .operationGet(true)\n            .operationGetAttributes(true)\n            .operationCreate(true)\n            .operationDestroy(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  default:\n    type: vault:kmip:SecretBackend\n    properties:\n      path: kmip\n      description: Vault KMIP backend\n  dev:\n    type: vault:kmip:SecretScope\n    properties:\n      path: ${default.path}\n      scope: dev\n      force: true\n  admin:\n    type: vault:kmip:SecretRole\n    properties:\n      path: ${dev.path}\n      scope: ${dev.scope}\n      role: admin\n      tlsClientKeyType: ec\n      tlsClientKeyBits: 256\n      operationActivate: true\n      operationGet: true\n      operationGetAttributes: true\n      operationCreate: true\n      operationDestroy: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nKMIP Secret role can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:kmip/secretRole:SecretRole admin kmip\n```\n","properties":{"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"operationActivate":{"type":"boolean","description":"Grant permission to use the KMIP Activate operation.\n"},"operationAddAttribute":{"type":"boolean","description":"Grant permission to use the KMIP Add Attribute operation.\n"},"operationAll":{"type":"boolean","description":"Grant all permissions to this role. May not be specified with any other `operation_*` params.\n"},"operationCreate":{"type":"boolean","description":"Grant permission to use the KMIP Create operation.\n"},"operationCreateKeyPair":{"type":"boolean","description":"Grant permission to use the KMIP Create Key Pair operation.\n"},"operationDecrypt":{"type":"boolean","description":"Grant permission to use the KMIP Decrypt operation.\n"},"operationDeleteAttribute":{"type":"boolean","description":"Grant permission to use the KMIP Delete Attribute operation.\n"},"operationDestroy":{"type":"boolean","description":"Grant permission to use the KMIP Destroy operation.\n"},"operationDiscoverVersions":{"type":"boolean","description":"Grant permission to use the KMIP Discover Version operation.\n"},"operationEncrypt":{"type":"boolean","description":"Grant permission to use the KMIP Encrypt operation.\n"},"operationGet":{"type":"boolean","description":"Grant permission to use the KMIP Get operation.\n"},"operationGetAttributeList":{"type":"boolean","description":"Grant permission to use the KMIP Get Atrribute List operation.\n"},"operationGetAttributes":{"type":"boolean","description":"Grant permission to use the KMIP Get Atrributes operation.\n"},"operationImport":{"type":"boolean","description":"Grant permission to use the KMIP Import operation.\n"},"operationLocate":{"type":"boolean","description":"Grant permission to use the KMIP Get Locate operation.\n"},"operationMac":{"type":"boolean","description":"Grant permission to use the KMIP MAC operation.\n"},"operationMacVerify":{"type":"boolean","description":"Grant permission to use the KMIP MAC Verify operation.\n"},"operationModifyAttribute":{"type":"boolean","description":"Grant permission to use the KMIP Modify Attribute operation.\n"},"operationNone":{"type":"boolean","description":"Remove all permissions from this role. May not be specified with any other `operation_*` params.\n"},"operationQuery":{"type":"boolean","description":"Grant permission to use the KMIP Query operation.\n"},"operationRegister":{"type":"boolean","description":"Grant permission to use the KMIP Register operation.\n"},"operationRekey":{"type":"boolean","description":"Grant permission to use the KMIP Rekey operation.\n"},"operationRekeyKeyPair":{"type":"boolean","description":"Grant permission to use the KMIP Rekey Key Pair operation.\n"},"operationRevoke":{"type":"boolean","description":"Grant permission to use the KMIP Revoke operation.\n"},"operationRngRetrieve":{"type":"boolean","description":"Grant permission to use the KMIP RNG Retrieve operation.\n"},"operationRngSeed":{"type":"boolean","description":"Grant permission to use the KMIP RNG Seed operation.\n"},"operationSign":{"type":"boolean","description":"Grant permission to use the KMIP Sign operation.\n"},"operationSignatureVerify":{"type":"boolean","description":"Grant permission to use the KMIP Signature Verify operation.\n"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`kmip`\" pulumi-lang-dotnet=\"`Kmip`\" pulumi-lang-go=\"`kmip`\" pulumi-lang-python=\"`kmip`\" pulumi-lang-yaml=\"`kmip`\" pulumi-lang-java=\"`kmip`\"\u003e`kmip`\u003c/span\u003e.\n"},"role":{"type":"string","description":"Name of the role.\n"},"scope":{"type":"string","description":"Name of the scope.\n"},"tlsClientKeyBits":{"type":"integer","description":"Client certificate key bits, valid values depend on key type.\n"},"tlsClientKeyType":{"type":"string","description":"Client certificate key type, \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e.\n"},"tlsClientTtl":{"type":"integer","description":"Client certificate TTL in seconds.\n"}},"required":["operationActivate","operationAddAttribute","operationAll","operationCreate","operationCreateKeyPair","operationDecrypt","operationDeleteAttribute","operationDestroy","operationDiscoverVersions","operationEncrypt","operationGet","operationGetAttributeList","operationGetAttributes","operationImport","operationLocate","operationMac","operationMacVerify","operationModifyAttribute","operationNone","operationQuery","operationRegister","operationRekey","operationRekeyKeyPair","operationRevoke","operationRngRetrieve","operationRngSeed","operationSign","operationSignatureVerify","path","role","scope"],"inputProperties":{"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"operationActivate":{"type":"boolean","description":"Grant permission to use the KMIP Activate operation.\n"},"operationAddAttribute":{"type":"boolean","description":"Grant permission to use the KMIP Add Attribute operation.\n"},"operationAll":{"type":"boolean","description":"Grant all permissions to this role. May not be specified with any other `operation_*` params.\n"},"operationCreate":{"type":"boolean","description":"Grant permission to use the KMIP Create operation.\n"},"operationCreateKeyPair":{"type":"boolean","description":"Grant permission to use the KMIP Create Key Pair operation.\n"},"operationDecrypt":{"type":"boolean","description":"Grant permission to use the KMIP Decrypt operation.\n"},"operationDeleteAttribute":{"type":"boolean","description":"Grant permission to use the KMIP Delete Attribute operation.\n"},"operationDestroy":{"type":"boolean","description":"Grant permission to use the KMIP Destroy operation.\n"},"operationDiscoverVersions":{"type":"boolean","description":"Grant permission to use the KMIP Discover Version operation.\n"},"operationEncrypt":{"type":"boolean","description":"Grant permission to use the KMIP Encrypt operation.\n"},"operationGet":{"type":"boolean","description":"Grant permission to use the KMIP Get operation.\n"},"operationGetAttributeList":{"type":"boolean","description":"Grant permission to use the KMIP Get Atrribute List operation.\n"},"operationGetAttributes":{"type":"boolean","description":"Grant permission to use the KMIP Get Atrributes operation.\n"},"operationImport":{"type":"boolean","description":"Grant permission to use the KMIP Import operation.\n"},"operationLocate":{"type":"boolean","description":"Grant permission to use the KMIP Get Locate operation.\n"},"operationMac":{"type":"boolean","description":"Grant permission to use the KMIP MAC operation.\n"},"operationMacVerify":{"type":"boolean","description":"Grant permission to use the KMIP MAC Verify operation.\n"},"operationModifyAttribute":{"type":"boolean","description":"Grant permission to use the KMIP Modify Attribute operation.\n"},"operationNone":{"type":"boolean","description":"Remove all permissions from this role. May not be specified with any other `operation_*` params.\n"},"operationQuery":{"type":"boolean","description":"Grant permission to use the KMIP Query operation.\n"},"operationRegister":{"type":"boolean","description":"Grant permission to use the KMIP Register operation.\n"},"operationRekey":{"type":"boolean","description":"Grant permission to use the KMIP Rekey operation.\n"},"operationRekeyKeyPair":{"type":"boolean","description":"Grant permission to use the KMIP Rekey Key Pair operation.\n"},"operationRevoke":{"type":"boolean","description":"Grant permission to use the KMIP Revoke operation.\n"},"operationRngRetrieve":{"type":"boolean","description":"Grant permission to use the KMIP RNG Retrieve operation.\n"},"operationRngSeed":{"type":"boolean","description":"Grant permission to use the KMIP RNG Seed operation.\n"},"operationSign":{"type":"boolean","description":"Grant permission to use the KMIP Sign operation.\n"},"operationSignatureVerify":{"type":"boolean","description":"Grant permission to use the KMIP Signature Verify operation.\n"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`kmip`\" pulumi-lang-dotnet=\"`Kmip`\" pulumi-lang-go=\"`kmip`\" pulumi-lang-python=\"`kmip`\" pulumi-lang-yaml=\"`kmip`\" pulumi-lang-java=\"`kmip`\"\u003e`kmip`\u003c/span\u003e.\n"},"role":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"scope":{"type":"string","description":"Name of the scope.\n","willReplaceOnChanges":true},"tlsClientKeyBits":{"type":"integer","description":"Client certificate key bits, valid values depend on key type.\n"},"tlsClientKeyType":{"type":"string","description":"Client certificate key type, \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e.\n"},"tlsClientTtl":{"type":"integer","description":"Client certificate TTL in seconds.\n"}},"requiredInputs":["path","role","scope"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretRole resources.\n","properties":{"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"operationActivate":{"type":"boolean","description":"Grant permission to use the KMIP Activate operation.\n"},"operationAddAttribute":{"type":"boolean","description":"Grant permission to use the KMIP Add Attribute operation.\n"},"operationAll":{"type":"boolean","description":"Grant all permissions to this role. May not be specified with any other `operation_*` params.\n"},"operationCreate":{"type":"boolean","description":"Grant permission to use the KMIP Create operation.\n"},"operationCreateKeyPair":{"type":"boolean","description":"Grant permission to use the KMIP Create Key Pair operation.\n"},"operationDecrypt":{"type":"boolean","description":"Grant permission to use the KMIP Decrypt operation.\n"},"operationDeleteAttribute":{"type":"boolean","description":"Grant permission to use the KMIP Delete Attribute operation.\n"},"operationDestroy":{"type":"boolean","description":"Grant permission to use the KMIP Destroy operation.\n"},"operationDiscoverVersions":{"type":"boolean","description":"Grant permission to use the KMIP Discover Version operation.\n"},"operationEncrypt":{"type":"boolean","description":"Grant permission to use the KMIP Encrypt operation.\n"},"operationGet":{"type":"boolean","description":"Grant permission to use the KMIP Get operation.\n"},"operationGetAttributeList":{"type":"boolean","description":"Grant permission to use the KMIP Get Atrribute List operation.\n"},"operationGetAttributes":{"type":"boolean","description":"Grant permission to use the KMIP Get Atrributes operation.\n"},"operationImport":{"type":"boolean","description":"Grant permission to use the KMIP Import operation.\n"},"operationLocate":{"type":"boolean","description":"Grant permission to use the KMIP Get Locate operation.\n"},"operationMac":{"type":"boolean","description":"Grant permission to use the KMIP MAC operation.\n"},"operationMacVerify":{"type":"boolean","description":"Grant permission to use the KMIP MAC Verify operation.\n"},"operationModifyAttribute":{"type":"boolean","description":"Grant permission to use the KMIP Modify Attribute operation.\n"},"operationNone":{"type":"boolean","description":"Remove all permissions from this role. May not be specified with any other `operation_*` params.\n"},"operationQuery":{"type":"boolean","description":"Grant permission to use the KMIP Query operation.\n"},"operationRegister":{"type":"boolean","description":"Grant permission to use the KMIP Register operation.\n"},"operationRekey":{"type":"boolean","description":"Grant permission to use the KMIP Rekey operation.\n"},"operationRekeyKeyPair":{"type":"boolean","description":"Grant permission to use the KMIP Rekey Key Pair operation.\n"},"operationRevoke":{"type":"boolean","description":"Grant permission to use the KMIP Revoke operation.\n"},"operationRngRetrieve":{"type":"boolean","description":"Grant permission to use the KMIP RNG Retrieve operation.\n"},"operationRngSeed":{"type":"boolean","description":"Grant permission to use the KMIP RNG Seed operation.\n"},"operationSign":{"type":"boolean","description":"Grant permission to use the KMIP Sign operation.\n"},"operationSignatureVerify":{"type":"boolean","description":"Grant permission to use the KMIP Signature Verify operation.\n"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`kmip`\" pulumi-lang-dotnet=\"`Kmip`\" pulumi-lang-go=\"`kmip`\" pulumi-lang-python=\"`kmip`\" pulumi-lang-yaml=\"`kmip`\" pulumi-lang-java=\"`kmip`\"\u003e`kmip`\u003c/span\u003e.\n"},"role":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"scope":{"type":"string","description":"Name of the scope.\n","willReplaceOnChanges":true},"tlsClientKeyBits":{"type":"integer","description":"Client certificate key bits, valid values depend on key type.\n"},"tlsClientKeyType":{"type":"string","description":"Client certificate key type, \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e.\n"},"tlsClientTtl":{"type":"integer","description":"Client certificate TTL in seconds.\n"}},"type":"object"}},"vault:kmip/secretScope:SecretScope":{"description":"Manages KMIP Secret Scopes in a Vault server. This feature requires\nVault Enterprise. See the [Vault documentation](https://www.vaultproject.io/docs/secrets/kmip)\nfor more information.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst _default = new vault.kmip.SecretBackend(\"default\", {\n    path: \"kmip\",\n    description: \"Vault KMIP backend\",\n});\nconst dev = new vault.kmip.SecretScope(\"dev\", {\n    path: _default.path,\n    scope: \"dev\",\n    force: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ndefault = vault.kmip.SecretBackend(\"default\",\n    path=\"kmip\",\n    description=\"Vault KMIP backend\")\ndev = vault.kmip.SecretScope(\"dev\",\n    path=default.path,\n    scope=\"dev\",\n    force=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @default = new Vault.Kmip.SecretBackend(\"default\", new()\n    {\n        Path = \"kmip\",\n        Description = \"Vault KMIP backend\",\n    });\n\n    var dev = new Vault.Kmip.SecretScope(\"dev\", new()\n    {\n        Path = @default.Path,\n        Scope = \"dev\",\n        Force = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kmip\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_default, err := kmip.NewSecretBackend(ctx, \"default\", \u0026kmip.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"kmip\"),\n\t\t\tDescription: pulumi.String(\"Vault KMIP backend\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kmip.NewSecretScope(ctx, \"dev\", \u0026kmip.SecretScopeArgs{\n\t\t\tPath:  _default.Path,\n\t\t\tScope: pulumi.String(\"dev\"),\n\t\t\tForce: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kmip.SecretBackend;\nimport com.pulumi.vault.kmip.SecretBackendArgs;\nimport com.pulumi.vault.kmip.SecretScope;\nimport com.pulumi.vault.kmip.SecretScopeArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var default_ = new SecretBackend(\"default\", SecretBackendArgs.builder()\n            .path(\"kmip\")\n            .description(\"Vault KMIP backend\")\n            .build());\n\n        var dev = new SecretScope(\"dev\", SecretScopeArgs.builder()\n            .path(default_.path())\n            .scope(\"dev\")\n            .force(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  default:\n    type: vault:kmip:SecretBackend\n    properties:\n      path: kmip\n      description: Vault KMIP backend\n  dev:\n    type: vault:kmip:SecretScope\n    properties:\n      path: ${default.path}\n      scope: dev\n      force: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nKMIP Secret scope can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:kmip/secretScope:SecretScope dev kmip\n```\n","properties":{"force":{"type":"boolean","description":"Boolean field to force deletion even if there are managed objects in the scope.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`kmip`\" pulumi-lang-dotnet=\"`Kmip`\" pulumi-lang-go=\"`kmip`\" pulumi-lang-python=\"`kmip`\" pulumi-lang-yaml=\"`kmip`\" pulumi-lang-java=\"`kmip`\"\u003e`kmip`\u003c/span\u003e.\n"},"scope":{"type":"string","description":"Name of the scope.\n"}},"required":["path","scope"],"inputProperties":{"force":{"type":"boolean","description":"Boolean field to force deletion even if there are managed objects in the scope.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`kmip`\" pulumi-lang-dotnet=\"`Kmip`\" pulumi-lang-go=\"`kmip`\" pulumi-lang-python=\"`kmip`\" pulumi-lang-yaml=\"`kmip`\" pulumi-lang-java=\"`kmip`\"\u003e`kmip`\u003c/span\u003e.\n"},"scope":{"type":"string","description":"Name of the scope.\n","willReplaceOnChanges":true}},"requiredInputs":["path","scope"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretScope resources.\n","properties":{"force":{"type":"boolean","description":"Boolean field to force deletion even if there are managed objects in the scope.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`kmip`\" pulumi-lang-dotnet=\"`Kmip`\" pulumi-lang-go=\"`kmip`\" pulumi-lang-python=\"`kmip`\" pulumi-lang-yaml=\"`kmip`\" pulumi-lang-java=\"`kmip`\"\u003e`kmip`\u003c/span\u003e.\n"},"scope":{"type":"string","description":"Name of the scope.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:kubernetes/authBackendConfig:AuthBackendConfig":{"description":"Manages an Kubernetes auth backend config in a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kubernetes = new vault.AuthBackend(\"kubernetes\", {type: \"kubernetes\"});\nconst example = new vault.kubernetes.AuthBackendConfig(\"example\", {\n    backend: kubernetes.path,\n    kubernetesHost: \"http://example.com:443\",\n    kubernetesCaCert: `-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----`,\n    tokenReviewerJwt: \"ZXhhbXBsZQo=\",\n    issuer: \"api\",\n    disableIssValidation: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkubernetes = vault.AuthBackend(\"kubernetes\", type=\"kubernetes\")\nexample = vault.kubernetes.AuthBackendConfig(\"example\",\n    backend=kubernetes.path,\n    kubernetes_host=\"http://example.com:443\",\n    kubernetes_ca_cert=\"\"\"-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----\"\"\",\n    token_reviewer_jwt=\"ZXhhbXBsZQo=\",\n    issuer=\"api\",\n    disable_iss_validation=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kubernetes = new Vault.AuthBackend(\"kubernetes\", new()\n    {\n        Type = \"kubernetes\",\n    });\n\n    var example = new Vault.Kubernetes.AuthBackendConfig(\"example\", new()\n    {\n        Backend = kubernetes.Path,\n        KubernetesHost = \"http://example.com:443\",\n        KubernetesCaCert = @\"-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----\",\n        TokenReviewerJwt = \"ZXhhbXBsZQo=\",\n        Issuer = \"api\",\n        DisableIssValidation = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkubernetes, err := vault.NewAuthBackend(ctx, \"kubernetes\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"kubernetes\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kubernetes.NewAuthBackendConfig(ctx, \"example\", \u0026kubernetes.AuthBackendConfigArgs{\n\t\t\tBackend:              kubernetes.Path,\n\t\t\tKubernetesHost:       pulumi.String(\"http://example.com:443\"),\n\t\t\tKubernetesCaCert:     pulumi.String(\"-----BEGIN CERTIFICATE-----\\nexample\\n-----END CERTIFICATE-----\"),\n\t\t\tTokenReviewerJwt:     pulumi.String(\"ZXhhbXBsZQo=\"),\n\t\t\tIssuer:               pulumi.String(\"api\"),\n\t\t\tDisableIssValidation: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.kubernetes.AuthBackendConfig;\nimport com.pulumi.vault.kubernetes.AuthBackendConfigArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kubernetes = new AuthBackend(\"kubernetes\", AuthBackendArgs.builder()\n            .type(\"kubernetes\")\n            .build());\n\n        var example = new AuthBackendConfig(\"example\", AuthBackendConfigArgs.builder()\n            .backend(kubernetes.path())\n            .kubernetesHost(\"http://example.com:443\")\n            .kubernetesCaCert(\"\"\"\n-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----            \"\"\")\n            .tokenReviewerJwt(\"ZXhhbXBsZQo=\")\n            .issuer(\"api\")\n            .disableIssValidation(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kubernetes:\n    type: vault:AuthBackend\n    properties:\n      type: kubernetes\n  example:\n    type: vault:kubernetes:AuthBackendConfig\n    properties:\n      backend: ${kubernetes.path}\n      kubernetesHost: http://example.com:443\n      kubernetesCaCert: |-\n        -----BEGIN CERTIFICATE-----\n        example\n        -----END CERTIFICATE-----\n      tokenReviewerJwt: ZXhhbXBsZQo=\n      issuer: api\n      disableIssValidation: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example Usage with Write-Only JWT\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kubernetes = new vault.AuthBackend(\"kubernetes\", {type: \"kubernetes\"});\nconst example = new vault.kubernetes.AuthBackendConfig(\"example\", {\n    backend: kubernetes.path,\n    kubernetesHost: \"http://example.com:443\",\n    kubernetesCaCert: `-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----`,\n    tokenReviewerJwtWo: k8sTokenReviewerJwt,\n    tokenReviewerJwtWoVersion: 1,\n    issuer: \"api\",\n    disableIssValidation: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkubernetes = vault.AuthBackend(\"kubernetes\", type=\"kubernetes\")\nexample = vault.kubernetes.AuthBackendConfig(\"example\",\n    backend=kubernetes.path,\n    kubernetes_host=\"http://example.com:443\",\n    kubernetes_ca_cert=\"\"\"-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----\"\"\",\n    token_reviewer_jwt_wo=k8s_token_reviewer_jwt,\n    token_reviewer_jwt_wo_version=1,\n    issuer=\"api\",\n    disable_iss_validation=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kubernetes = new Vault.AuthBackend(\"kubernetes\", new()\n    {\n        Type = \"kubernetes\",\n    });\n\n    var example = new Vault.Kubernetes.AuthBackendConfig(\"example\", new()\n    {\n        Backend = kubernetes.Path,\n        KubernetesHost = \"http://example.com:443\",\n        KubernetesCaCert = @\"-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----\",\n        TokenReviewerJwtWo = k8sTokenReviewerJwt,\n        TokenReviewerJwtWoVersion = 1,\n        Issuer = \"api\",\n        DisableIssValidation = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkubernetes, err := vault.NewAuthBackend(ctx, \"kubernetes\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"kubernetes\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kubernetes.NewAuthBackendConfig(ctx, \"example\", \u0026kubernetes.AuthBackendConfigArgs{\n\t\t\tBackend:                   kubernetes.Path,\n\t\t\tKubernetesHost:            pulumi.String(\"http://example.com:443\"),\n\t\t\tKubernetesCaCert:          pulumi.String(\"-----BEGIN CERTIFICATE-----\\nexample\\n-----END CERTIFICATE-----\"),\n\t\t\tTokenReviewerJwtWo:        pulumi.Any(k8sTokenReviewerJwt),\n\t\t\tTokenReviewerJwtWoVersion: pulumi.Int(1),\n\t\t\tIssuer:                    pulumi.String(\"api\"),\n\t\t\tDisableIssValidation:      pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.kubernetes.AuthBackendConfig;\nimport com.pulumi.vault.kubernetes.AuthBackendConfigArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kubernetes = new AuthBackend(\"kubernetes\", AuthBackendArgs.builder()\n            .type(\"kubernetes\")\n            .build());\n\n        var example = new AuthBackendConfig(\"example\", AuthBackendConfigArgs.builder()\n            .backend(kubernetes.path())\n            .kubernetesHost(\"http://example.com:443\")\n            .kubernetesCaCert(\"\"\"\n-----BEGIN CERTIFICATE-----\nexample\n-----END CERTIFICATE-----            \"\"\")\n            .tokenReviewerJwtWo(k8sTokenReviewerJwt)\n            .tokenReviewerJwtWoVersion(1)\n            .issuer(\"api\")\n            .disableIssValidation(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kubernetes:\n    type: vault:AuthBackend\n    properties:\n      type: kubernetes\n  example:\n    type: vault:kubernetes:AuthBackendConfig\n    properties:\n      backend: ${kubernetes.path}\n      kubernetesHost: http://example.com:443\n      kubernetesCaCert: |-\n        -----BEGIN CERTIFICATE-----\n        example\n        -----END CERTIFICATE-----\n      tokenReviewerJwtWo: ${k8sTokenReviewerJwt}\n      tokenReviewerJwtWoVersion: 1\n      issuer: api\n      disableIssValidation: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Ephemeral Attributes Reference\n\nThe following write-only attributes are supported:\n\n* \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e - (Optional) A write-only service account JWT (or other token) used as a bearer token to access the \n  TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. \n  Conflicts with \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwt`\" pulumi-lang-dotnet=\"`TokenReviewerJwt`\" pulumi-lang-go=\"`tokenReviewerJwt`\" pulumi-lang-python=\"`token_reviewer_jwt`\" pulumi-lang-yaml=\"`tokenReviewerJwt`\" pulumi-lang-java=\"`tokenReviewerJwt`\"\u003e`token_reviewer_jwt`\u003c/span\u003e.\n  **Note**: This property is write-only and will not be read from the API.\n\n## Import\n\nKubernetes authentication backend can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:kubernetes/authBackendConfig:AuthBackendConfig config auth/kubernetes/config\n```\n","properties":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure."},"disableIssValidation":{"type":"boolean","description":"Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n"},"disableLocalCaJwt":{"type":"boolean","description":"Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n"},"issuer":{"type":"string","description":"JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.\n"},"kubernetesCaCert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.\n"},"kubernetesHost":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n"},"pemKeys":{"type":"array","items":{"type":"string"},"description":"List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.\n"},"tokenReviewerJwt":{"type":"string","description":"A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. Conflicts with \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e.\n","secret":true},"tokenReviewerJwtWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nA write-only service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.","secret":true},"tokenReviewerJwtWoVersion":{"type":"integer","description":"The version of \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e to use during write operations. Required with \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"},"useAnnotationsAsAliasMetadata":{"type":"boolean","description":"Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n"}},"required":["disableIssValidation","disableLocalCaJwt","kubernetesCaCert","kubernetesHost","useAnnotationsAsAliasMetadata"],"inputProperties":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","willReplaceOnChanges":true},"disableIssValidation":{"type":"boolean","description":"Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n"},"disableLocalCaJwt":{"type":"boolean","description":"Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n"},"issuer":{"type":"string","description":"JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.\n"},"kubernetesCaCert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.\n"},"kubernetesHost":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pemKeys":{"type":"array","items":{"type":"string"},"description":"List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.\n"},"tokenReviewerJwt":{"type":"string","description":"A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. Conflicts with \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e.\n","secret":true},"tokenReviewerJwtWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nA write-only service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.","secret":true},"tokenReviewerJwtWoVersion":{"type":"integer","description":"The version of \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e to use during write operations. Required with \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"},"useAnnotationsAsAliasMetadata":{"type":"boolean","description":"Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n"}},"requiredInputs":["kubernetesHost"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendConfig resources.\n","properties":{"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.","willReplaceOnChanges":true},"disableIssValidation":{"type":"boolean","description":"Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n"},"disableLocalCaJwt":{"type":"boolean","description":"Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n"},"issuer":{"type":"string","description":"JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.\n"},"kubernetesCaCert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.\n"},"kubernetesHost":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pemKeys":{"type":"array","items":{"type":"string"},"description":"List of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.\n"},"tokenReviewerJwt":{"type":"string","description":"A service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. Conflicts with \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e.\n","secret":true},"tokenReviewerJwtWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nA write-only service account JWT (or other token) used as a bearer token to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.","secret":true},"tokenReviewerJwtWoVersion":{"type":"integer","description":"The version of \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e to use during write operations. Required with \u003cspan pulumi-lang-nodejs=\"`tokenReviewerJwtWo`\" pulumi-lang-dotnet=\"`TokenReviewerJwtWo`\" pulumi-lang-go=\"`tokenReviewerJwtWo`\" pulumi-lang-python=\"`token_reviewer_jwt_wo`\" pulumi-lang-yaml=\"`tokenReviewerJwtWo`\" pulumi-lang-java=\"`tokenReviewerJwtWo`\"\u003e`token_reviewer_jwt_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"},"useAnnotationsAsAliasMetadata":{"type":"boolean","description":"Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n"}},"type":"object"}},"vault:kubernetes/authBackendRole:AuthBackendRole":{"description":"Manages an Kubernetes auth backend role in a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/kubernetes.html) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kubernetes = new vault.AuthBackend(\"kubernetes\", {type: \"kubernetes\"});\nconst example = new vault.kubernetes.AuthBackendRole(\"example\", {\n    backend: kubernetes.path,\n    roleName: \"example-role\",\n    boundServiceAccountNames: [\"example\"],\n    boundServiceAccountNamespaces: [\"example\"],\n    tokenTtl: 3600,\n    tokenPolicies: [\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n    audience: \"vault\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkubernetes = vault.AuthBackend(\"kubernetes\", type=\"kubernetes\")\nexample = vault.kubernetes.AuthBackendRole(\"example\",\n    backend=kubernetes.path,\n    role_name=\"example-role\",\n    bound_service_account_names=[\"example\"],\n    bound_service_account_namespaces=[\"example\"],\n    token_ttl=3600,\n    token_policies=[\n        \"default\",\n        \"dev\",\n        \"prod\",\n    ],\n    audience=\"vault\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kubernetes = new Vault.AuthBackend(\"kubernetes\", new()\n    {\n        Type = \"kubernetes\",\n    });\n\n    var example = new Vault.Kubernetes.AuthBackendRole(\"example\", new()\n    {\n        Backend = kubernetes.Path,\n        RoleName = \"example-role\",\n        BoundServiceAccountNames = new[]\n        {\n            \"example\",\n        },\n        BoundServiceAccountNamespaces = new[]\n        {\n            \"example\",\n        },\n        TokenTtl = 3600,\n        TokenPolicies = new[]\n        {\n            \"default\",\n            \"dev\",\n            \"prod\",\n        },\n        Audience = \"vault\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkubernetes, err := vault.NewAuthBackend(ctx, \"kubernetes\", \u0026vault.AuthBackendArgs{\n\t\t\tType: pulumi.String(\"kubernetes\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kubernetes.NewAuthBackendRole(ctx, \"example\", \u0026kubernetes.AuthBackendRoleArgs{\n\t\t\tBackend:  kubernetes.Path,\n\t\t\tRoleName: pulumi.String(\"example-role\"),\n\t\t\tBoundServiceAccountNames: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"example\"),\n\t\t\t},\n\t\t\tBoundServiceAccountNamespaces: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"example\"),\n\t\t\t},\n\t\t\tTokenTtl: pulumi.Int(3600),\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"prod\"),\n\t\t\t},\n\t\t\tAudience: pulumi.String(\"vault\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.kubernetes.AuthBackendRole;\nimport com.pulumi.vault.kubernetes.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kubernetes = new AuthBackend(\"kubernetes\", AuthBackendArgs.builder()\n            .type(\"kubernetes\")\n            .build());\n\n        var example = new AuthBackendRole(\"example\", AuthBackendRoleArgs.builder()\n            .backend(kubernetes.path())\n            .roleName(\"example-role\")\n            .boundServiceAccountNames(\"example\")\n            .boundServiceAccountNamespaces(\"example\")\n            .tokenTtl(3600)\n            .tokenPolicies(            \n                \"default\",\n                \"dev\",\n                \"prod\")\n            .audience(\"vault\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kubernetes:\n    type: vault:AuthBackend\n    properties:\n      type: kubernetes\n  example:\n    type: vault:kubernetes:AuthBackendRole\n    properties:\n      backend: ${kubernetes.path}\n      roleName: example-role\n      boundServiceAccountNames:\n        - example\n      boundServiceAccountNamespaces:\n        - example\n      tokenTtl: 3600\n      tokenPolicies:\n        - default\n        - dev\n        - prod\n      audience: vault\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nKubernetes auth backend role can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:kubernetes/authBackendRole:AuthBackendRole foo auth/kubernetes/role/foo\n```\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"aliasNameSource":{"type":"string","description":"Configures how identity aliases are generated.\nValid choices are: \u003cspan pulumi-lang-nodejs=\"`serviceaccountUid`\" pulumi-lang-dotnet=\"`ServiceaccountUid`\" pulumi-lang-go=\"`serviceaccountUid`\" pulumi-lang-python=\"`serviceaccount_uid`\" pulumi-lang-yaml=\"`serviceaccountUid`\" pulumi-lang-java=\"`serviceaccountUid`\"\u003e`serviceaccount_uid`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceaccountName`\" pulumi-lang-dotnet=\"`ServiceaccountName`\" pulumi-lang-go=\"`serviceaccountName`\" pulumi-lang-python=\"`serviceaccount_name`\" pulumi-lang-yaml=\"`serviceaccountName`\" pulumi-lang-java=\"`serviceaccountName`\"\u003e`serviceaccount_name`\u003c/span\u003e. (vault-1.9+)\n"},"audience":{"type":"string","description":"Audience claim to verify in the JWT.\n\n\u003e Please see \u003cspan pulumi-lang-nodejs=\"[aliasNameSource]\" pulumi-lang-dotnet=\"[AliasNameSource]\" pulumi-lang-go=\"[aliasNameSource]\" pulumi-lang-python=\"[alias_name_source]\" pulumi-lang-yaml=\"[aliasNameSource]\" pulumi-lang-java=\"[aliasNameSource]\"\u003e[alias_name_source]\u003c/span\u003e(https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source)\nbefore setting this to something other its default value. There are **important** security\nimplications to be aware of.\n"},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.\n"},"boundServiceAccountNames":{"type":"array","items":{"type":"string"},"description":"List of service account names able to access this role. If set to `[\"*\"]` all names are allowed, both this and\u003cspan pulumi-lang-nodejs=\" boundServiceAccountNamespaces \" pulumi-lang-dotnet=\" BoundServiceAccountNamespaces \" pulumi-lang-go=\" boundServiceAccountNamespaces \" pulumi-lang-python=\" bound_service_account_namespaces \" pulumi-lang-yaml=\" boundServiceAccountNamespaces \" pulumi-lang-java=\" boundServiceAccountNamespaces \"\u003e bound_service_account_namespaces \u003c/span\u003ecan not be \"*\".\n"},"boundServiceAccountNamespaceSelector":{"type":"string","description":"A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.\n"},"boundServiceAccountNamespaces":{"type":"array","items":{"type":"string"},"description":"List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and\u003cspan pulumi-lang-nodejs=\" boundServiceAccountNames \" pulumi-lang-dotnet=\" BoundServiceAccountNames \" pulumi-lang-go=\" boundServiceAccountNames \" pulumi-lang-python=\" bound_service_account_names \" pulumi-lang-yaml=\" boundServiceAccountNames \" pulumi-lang-java=\" boundServiceAccountNames \"\u003e bound_service_account_names \u003c/span\u003ecan not be set to \"*\".\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"roleName":{"type":"string","description":"Name of the role.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["aliasNameSource","boundServiceAccountNames","roleName"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"aliasNameSource":{"type":"string","description":"Configures how identity aliases are generated.\nValid choices are: \u003cspan pulumi-lang-nodejs=\"`serviceaccountUid`\" pulumi-lang-dotnet=\"`ServiceaccountUid`\" pulumi-lang-go=\"`serviceaccountUid`\" pulumi-lang-python=\"`serviceaccount_uid`\" pulumi-lang-yaml=\"`serviceaccountUid`\" pulumi-lang-java=\"`serviceaccountUid`\"\u003e`serviceaccount_uid`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceaccountName`\" pulumi-lang-dotnet=\"`ServiceaccountName`\" pulumi-lang-go=\"`serviceaccountName`\" pulumi-lang-python=\"`serviceaccount_name`\" pulumi-lang-yaml=\"`serviceaccountName`\" pulumi-lang-java=\"`serviceaccountName`\"\u003e`serviceaccount_name`\u003c/span\u003e. (vault-1.9+)\n"},"audience":{"type":"string","description":"Audience claim to verify in the JWT.\n\n\u003e Please see \u003cspan pulumi-lang-nodejs=\"[aliasNameSource]\" pulumi-lang-dotnet=\"[AliasNameSource]\" pulumi-lang-go=\"[aliasNameSource]\" pulumi-lang-python=\"[alias_name_source]\" pulumi-lang-yaml=\"[aliasNameSource]\" pulumi-lang-java=\"[aliasNameSource]\"\u003e[alias_name_source]\u003c/span\u003e(https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source)\nbefore setting this to something other its default value. There are **important** security\nimplications to be aware of.\n"},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.\n","willReplaceOnChanges":true},"boundServiceAccountNames":{"type":"array","items":{"type":"string"},"description":"List of service account names able to access this role. If set to `[\"*\"]` all names are allowed, both this and\u003cspan pulumi-lang-nodejs=\" boundServiceAccountNamespaces \" pulumi-lang-dotnet=\" BoundServiceAccountNamespaces \" pulumi-lang-go=\" boundServiceAccountNamespaces \" pulumi-lang-python=\" bound_service_account_namespaces \" pulumi-lang-yaml=\" boundServiceAccountNamespaces \" pulumi-lang-java=\" boundServiceAccountNamespaces \"\u003e bound_service_account_namespaces \u003c/span\u003ecan not be \"*\".\n"},"boundServiceAccountNamespaceSelector":{"type":"string","description":"A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.\n"},"boundServiceAccountNamespaces":{"type":"array","items":{"type":"string"},"description":"List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and\u003cspan pulumi-lang-nodejs=\" boundServiceAccountNames \" pulumi-lang-dotnet=\" BoundServiceAccountNames \" pulumi-lang-go=\" boundServiceAccountNames \" pulumi-lang-python=\" bound_service_account_names \" pulumi-lang-yaml=\" boundServiceAccountNames \" pulumi-lang-java=\" boundServiceAccountNames \"\u003e bound_service_account_names \u003c/span\u003ecan not be set to \"*\".\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"requiredInputs":["boundServiceAccountNames","roleName"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"aliasNameSource":{"type":"string","description":"Configures how identity aliases are generated.\nValid choices are: \u003cspan pulumi-lang-nodejs=\"`serviceaccountUid`\" pulumi-lang-dotnet=\"`ServiceaccountUid`\" pulumi-lang-go=\"`serviceaccountUid`\" pulumi-lang-python=\"`serviceaccount_uid`\" pulumi-lang-yaml=\"`serviceaccountUid`\" pulumi-lang-java=\"`serviceaccountUid`\"\u003e`serviceaccount_uid`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`serviceaccountName`\" pulumi-lang-dotnet=\"`ServiceaccountName`\" pulumi-lang-go=\"`serviceaccountName`\" pulumi-lang-python=\"`serviceaccount_name`\" pulumi-lang-yaml=\"`serviceaccountName`\" pulumi-lang-java=\"`serviceaccountName`\"\u003e`serviceaccount_name`\u003c/span\u003e. (vault-1.9+)\n"},"audience":{"type":"string","description":"Audience claim to verify in the JWT.\n\n\u003e Please see \u003cspan pulumi-lang-nodejs=\"[aliasNameSource]\" pulumi-lang-dotnet=\"[AliasNameSource]\" pulumi-lang-go=\"[aliasNameSource]\" pulumi-lang-python=\"[alias_name_source]\" pulumi-lang-yaml=\"[aliasNameSource]\" pulumi-lang-java=\"[aliasNameSource]\"\u003e[alias_name_source]\u003c/span\u003e(https://www.vaultproject.io/api-docs/auth/kubernetes#alias_name_source)\nbefore setting this to something other its default value. There are **important** security\nimplications to be aware of.\n"},"backend":{"type":"string","description":"Unique name of the kubernetes backend to configure.\n","willReplaceOnChanges":true},"boundServiceAccountNames":{"type":"array","items":{"type":"string"},"description":"List of service account names able to access this role. If set to `[\"*\"]` all names are allowed, both this and\u003cspan pulumi-lang-nodejs=\" boundServiceAccountNamespaces \" pulumi-lang-dotnet=\" BoundServiceAccountNamespaces \" pulumi-lang-go=\" boundServiceAccountNamespaces \" pulumi-lang-python=\" bound_service_account_namespaces \" pulumi-lang-yaml=\" boundServiceAccountNamespaces \" pulumi-lang-java=\" boundServiceAccountNamespaces \"\u003e bound_service_account_namespaces \u003c/span\u003ecan not be \"*\".\n"},"boundServiceAccountNamespaceSelector":{"type":"string","description":"A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.\n"},"boundServiceAccountNamespaces":{"type":"array","items":{"type":"string"},"description":"List of namespaces allowed to access this role. If set to `[\"*\"]` all namespaces are allowed, both this and\u003cspan pulumi-lang-nodejs=\" boundServiceAccountNames \" pulumi-lang-dotnet=\" BoundServiceAccountNames \" pulumi-lang-go=\" boundServiceAccountNames \" pulumi-lang-python=\" bound_service_account_names \" pulumi-lang-yaml=\" boundServiceAccountNames \" pulumi-lang-java=\" boundServiceAccountNames \"\u003e bound_service_account_names \u003c/span\u003ecan not be set to \"*\".\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:kubernetes/secretBackend:SecretBackend":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.kubernetes.SecretBackend(\"config\", {\n    path: \"kubernetes\",\n    description: \"kubernetes secrets engine description\",\n    defaultLeaseTtlSeconds: 43200,\n    maxLeaseTtlSeconds: 86400,\n    kubernetesHost: \"https://127.0.0.1:61233\",\n    kubernetesCaCert: std.file({\n        input: \"/path/to/cert\",\n    }).then(invoke =\u003e invoke.result),\n    serviceAccountJwtWo: std.file({\n        input: \"/path/to/token\",\n    }).then(invoke =\u003e invoke.result),\n    serviceAccountJwtWoVersion: 1,\n    disableLocalCaJwt: false,\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\nconfig = vault.kubernetes.SecretBackend(\"config\",\n    path=\"kubernetes\",\n    description=\"kubernetes secrets engine description\",\n    default_lease_ttl_seconds=43200,\n    max_lease_ttl_seconds=86400,\n    kubernetes_host=\"https://127.0.0.1:61233\",\n    kubernetes_ca_cert=std.file(input=\"/path/to/cert\").result,\n    service_account_jwt_wo=std.file(input=\"/path/to/token\").result,\n    service_account_jwt_wo_version=1,\n    disable_local_ca_jwt=False)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.Kubernetes.SecretBackend(\"config\", new()\n    {\n        Path = \"kubernetes\",\n        Description = \"kubernetes secrets engine description\",\n        DefaultLeaseTtlSeconds = 43200,\n        MaxLeaseTtlSeconds = 86400,\n        KubernetesHost = \"https://127.0.0.1:61233\",\n        KubernetesCaCert = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/cert\",\n        }).Apply(invoke =\u003e invoke.Result),\n        ServiceAccountJwtWo = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/token\",\n        }).Apply(invoke =\u003e invoke.Result),\n        ServiceAccountJwtWoVersion = 1,\n        DisableLocalCaJwt = false,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/cert\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFile1, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/token\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kubernetes.NewSecretBackend(ctx, \"config\", \u0026kubernetes.SecretBackendArgs{\n\t\t\tPath:                       pulumi.String(\"kubernetes\"),\n\t\t\tDescription:                pulumi.String(\"kubernetes secrets engine description\"),\n\t\t\tDefaultLeaseTtlSeconds:     pulumi.Int(43200),\n\t\t\tMaxLeaseTtlSeconds:         pulumi.Int(86400),\n\t\t\tKubernetesHost:             pulumi.String(\"https://127.0.0.1:61233\"),\n\t\t\tKubernetesCaCert:           pulumi.String(invokeFile.Result),\n\t\t\tServiceAccountJwtWo:        pulumi.String(invokeFile1.Result),\n\t\t\tServiceAccountJwtWoVersion: pulumi.Int(1),\n\t\t\tDisableLocalCaJwt:          pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kubernetes.SecretBackend;\nimport com.pulumi.vault.kubernetes.SecretBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .path(\"kubernetes\")\n            .description(\"kubernetes secrets engine description\")\n            .defaultLeaseTtlSeconds(43200)\n            .maxLeaseTtlSeconds(86400)\n            .kubernetesHost(\"https://127.0.0.1:61233\")\n            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/cert\")\n                .build()).result())\n            .serviceAccountJwtWo(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/token\")\n                .build()).result())\n            .serviceAccountJwtWoVersion(1)\n            .disableLocalCaJwt(false)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:kubernetes:SecretBackend\n    properties:\n      path: kubernetes\n      description: kubernetes secrets engine description\n      defaultLeaseTtlSeconds: 43200\n      maxLeaseTtlSeconds: 86400\n      kubernetesHost: https://127.0.0.1:61233\n      kubernetesCaCert:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/cert\n          return: result\n      serviceAccountJwtWo:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/token\n          return: result\n      serviceAccountJwtWoVersion: 1\n      disableLocalCaJwt: false\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Ephemeral Attributes Reference\n\nThe following write-only attributes are supported:\n\n* \u003cspan pulumi-lang-nodejs=\"`serviceAccountJwtWo`\" pulumi-lang-dotnet=\"`ServiceAccountJwtWo`\" pulumi-lang-go=\"`serviceAccountJwtWo`\" pulumi-lang-python=\"`service_account_jwt_wo`\" pulumi-lang-yaml=\"`serviceAccountJwtWo`\" pulumi-lang-java=\"`serviceAccountJwtWo`\"\u003e`service_account_jwt_wo`\u003c/span\u003e - (Optional) Write-only JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. This value is not stored in state.\n  **Note**: This property is write-only and will not be read from the API.\n\n## Import\n\nThe Kubernetes secret backend can be imported using its `path` e.g.\n\n```sh\n$ pulumi import vault:kubernetes/secretBackend:SecretBackend config kubernetes\n```\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount"},"disableLocalCaJwt":{"type":"boolean","description":"Disable defaulting to the local CA certificate and \nservice account JWT when Vault is running in a Kubernetes pod.\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"kubernetesCaCert":{"type":"string","description":"A PEM-encoded CA certificate used by the \nsecrets engine to verify the Kubernetes API server certificate. Defaults to the local\npod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where\nVault is running.\n"},"kubernetesHost":{"type":"string","description":"The Kubernetes API URL to connect to. Required if the \nstandard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`\nare not set on the host that Vault is running on.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"Where the secret backend will be mounted"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"serviceAccountJwt":{"type":"string","description":"The JSON web token of the service account used by the\nsecrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault\nis running in Kubernetes.\n","secret":true},"serviceAccountJwtWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. This value will not be stored in state.","secret":true},"serviceAccountJwtWoVersion":{"type":"integer","description":"Version counter for \u003cspan pulumi-lang-nodejs=\"`serviceAccountJwtWo`\" pulumi-lang-dotnet=\"`ServiceAccountJwtWo`\" pulumi-lang-go=\"`serviceAccountJwtWo`\" pulumi-lang-python=\"`service_account_jwt_wo`\" pulumi-lang-yaml=\"`serviceAccountJwtWo`\" pulumi-lang-java=\"`serviceAccountJwtWo`\"\u003e`service_account_jwt_wo`\u003c/span\u003e. Increment to force an update.\nFor more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","defaultLeaseTtlSeconds","forceNoCache","maxLeaseTtlSeconds","path","sealWrap"],"inputProperties":{"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount"},"disableLocalCaJwt":{"type":"boolean","description":"Disable defaulting to the local CA certificate and \nservice account JWT when Vault is running in a Kubernetes pod.\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"kubernetesCaCert":{"type":"string","description":"A PEM-encoded CA certificate used by the \nsecrets engine to verify the Kubernetes API server certificate. Defaults to the local\npod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where\nVault is running.\n"},"kubernetesHost":{"type":"string","description":"The Kubernetes API URL to connect to. Required if the \nstandard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`\nare not set on the host that Vault is running on.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"Where the secret backend will be mounted"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"serviceAccountJwt":{"type":"string","description":"The JSON web token of the service account used by the\nsecrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault\nis running in Kubernetes.\n","secret":true},"serviceAccountJwtWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. This value will not be stored in state.","secret":true},"serviceAccountJwtWoVersion":{"type":"integer","description":"Version counter for \u003cspan pulumi-lang-nodejs=\"`serviceAccountJwtWo`\" pulumi-lang-dotnet=\"`ServiceAccountJwtWo`\" pulumi-lang-go=\"`serviceAccountJwtWo`\" pulumi-lang-python=\"`service_account_jwt_wo`\" pulumi-lang-yaml=\"`serviceAccountJwtWo`\" pulumi-lang-java=\"`serviceAccountJwtWo`\"\u003e`service_account_jwt_wo`\u003c/span\u003e. Increment to force an update.\nFor more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"}},"requiredInputs":["path"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount"},"disableLocalCaJwt":{"type":"boolean","description":"Disable defaulting to the local CA certificate and \nservice account JWT when Vault is running in a Kubernetes pod.\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"kubernetesCaCert":{"type":"string","description":"A PEM-encoded CA certificate used by the \nsecrets engine to verify the Kubernetes API server certificate. Defaults to the local\npod’s CA if Vault is running in Kubernetes. Otherwise, defaults to the root CA set where\nVault is running.\n"},"kubernetesHost":{"type":"string","description":"The Kubernetes API URL to connect to. Required if the \nstandard pod environment variables `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT`\nare not set on the host that Vault is running on.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"path":{"type":"string","description":"Where the secret backend will be mounted"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"serviceAccountJwt":{"type":"string","description":"The JSON web token of the service account used by the\nsecrets engine to manage Kubernetes credentials. Defaults to the local pod’s JWT if Vault\nis running in Kubernetes.\n","secret":true},"serviceAccountJwtWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only JSON web token of the service account used by the secrets engine to manage Kubernetes credentials. This value will not be stored in state.","secret":true},"serviceAccountJwtWoVersion":{"type":"integer","description":"Version counter for \u003cspan pulumi-lang-nodejs=\"`serviceAccountJwtWo`\" pulumi-lang-dotnet=\"`ServiceAccountJwtWo`\" pulumi-lang-go=\"`serviceAccountJwtWo`\" pulumi-lang-python=\"`service_account_jwt_wo`\" pulumi-lang-yaml=\"`serviceAccountJwtWo`\" pulumi-lang-java=\"`serviceAccountJwtWo`\"\u003e`service_account_jwt_wo`\u003c/span\u003e. Increment to force an update.\nFor more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"}},"type":"object"}},"vault:kubernetes/secretBackendRole:SecretBackendRole":{"description":"## Example Usage\n\nExample using \u003cspan pulumi-lang-nodejs=\"`serviceAccountName`\" pulumi-lang-dotnet=\"`ServiceAccountName`\" pulumi-lang-go=\"`serviceAccountName`\" pulumi-lang-python=\"`service_account_name`\" pulumi-lang-yaml=\"`serviceAccountName`\" pulumi-lang-java=\"`serviceAccountName`\"\u003e`service_account_name`\u003c/span\u003e mode:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.kubernetes.SecretBackend(\"config\", {\n    path: \"kubernetes\",\n    description: \"kubernetes secrets engine description\",\n    kubernetesHost: \"https://127.0.0.1:61233\",\n    kubernetesCaCert: std.file({\n        input: \"/path/to/cert\",\n    }).then(invoke =\u003e invoke.result),\n    serviceAccountJwt: std.file({\n        input: \"/path/to/token\",\n    }).then(invoke =\u003e invoke.result),\n    disableLocalCaJwt: false,\n});\nconst sa_example = new vault.kubernetes.SecretBackendRole(\"sa-example\", {\n    backend: config.path,\n    name: \"service-account-name-role\",\n    allowedKubernetesNamespaces: [\"*\"],\n    tokenMaxTtl: 43200,\n    tokenDefaultTtl: 21600,\n    serviceAccountName: \"test-service-account-with-generated-token\",\n    extraLabels: {\n        id: \"abc123\",\n        name: \"some_name\",\n    },\n    extraAnnotations: {\n        env: \"development\",\n        location: \"earth\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\nconfig = vault.kubernetes.SecretBackend(\"config\",\n    path=\"kubernetes\",\n    description=\"kubernetes secrets engine description\",\n    kubernetes_host=\"https://127.0.0.1:61233\",\n    kubernetes_ca_cert=std.file(input=\"/path/to/cert\").result,\n    service_account_jwt=std.file(input=\"/path/to/token\").result,\n    disable_local_ca_jwt=False)\nsa_example = vault.kubernetes.SecretBackendRole(\"sa-example\",\n    backend=config.path,\n    name=\"service-account-name-role\",\n    allowed_kubernetes_namespaces=[\"*\"],\n    token_max_ttl=43200,\n    token_default_ttl=21600,\n    service_account_name=\"test-service-account-with-generated-token\",\n    extra_labels={\n        \"id\": \"abc123\",\n        \"name\": \"some_name\",\n    },\n    extra_annotations={\n        \"env\": \"development\",\n        \"location\": \"earth\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.Kubernetes.SecretBackend(\"config\", new()\n    {\n        Path = \"kubernetes\",\n        Description = \"kubernetes secrets engine description\",\n        KubernetesHost = \"https://127.0.0.1:61233\",\n        KubernetesCaCert = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/cert\",\n        }).Apply(invoke =\u003e invoke.Result),\n        ServiceAccountJwt = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/token\",\n        }).Apply(invoke =\u003e invoke.Result),\n        DisableLocalCaJwt = false,\n    });\n\n    var sa_example = new Vault.Kubernetes.SecretBackendRole(\"sa-example\", new()\n    {\n        Backend = config.Path,\n        Name = \"service-account-name-role\",\n        AllowedKubernetesNamespaces = new[]\n        {\n            \"*\",\n        },\n        TokenMaxTtl = 43200,\n        TokenDefaultTtl = 21600,\n        ServiceAccountName = \"test-service-account-with-generated-token\",\n        ExtraLabels = \n        {\n            { \"id\", \"abc123\" },\n            { \"name\", \"some_name\" },\n        },\n        ExtraAnnotations = \n        {\n            { \"env\", \"development\" },\n            { \"location\", \"earth\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/cert\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFile1, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/token\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tconfig, err := kubernetes.NewSecretBackend(ctx, \"config\", \u0026kubernetes.SecretBackendArgs{\n\t\t\tPath:              pulumi.String(\"kubernetes\"),\n\t\t\tDescription:       pulumi.String(\"kubernetes secrets engine description\"),\n\t\t\tKubernetesHost:    pulumi.String(\"https://127.0.0.1:61233\"),\n\t\t\tKubernetesCaCert:  pulumi.String(invokeFile.Result),\n\t\t\tServiceAccountJwt: pulumi.String(invokeFile1.Result),\n\t\t\tDisableLocalCaJwt: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kubernetes.NewSecretBackendRole(ctx, \"sa-example\", \u0026kubernetes.SecretBackendRoleArgs{\n\t\t\tBackend: config.Path,\n\t\t\tName:    pulumi.String(\"service-account-name-role\"),\n\t\t\tAllowedKubernetesNamespaces: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tTokenMaxTtl:        pulumi.Int(43200),\n\t\t\tTokenDefaultTtl:    pulumi.Int(21600),\n\t\t\tServiceAccountName: pulumi.String(\"test-service-account-with-generated-token\"),\n\t\t\tExtraLabels: pulumi.StringMap{\n\t\t\t\t\"id\":   pulumi.String(\"abc123\"),\n\t\t\t\t\"name\": pulumi.String(\"some_name\"),\n\t\t\t},\n\t\t\tExtraAnnotations: pulumi.StringMap{\n\t\t\t\t\"env\":      pulumi.String(\"development\"),\n\t\t\t\t\"location\": pulumi.String(\"earth\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kubernetes.SecretBackend;\nimport com.pulumi.vault.kubernetes.SecretBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport com.pulumi.vault.kubernetes.SecretBackendRole;\nimport com.pulumi.vault.kubernetes.SecretBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .path(\"kubernetes\")\n            .description(\"kubernetes secrets engine description\")\n            .kubernetesHost(\"https://127.0.0.1:61233\")\n            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/cert\")\n                .build()).result())\n            .serviceAccountJwt(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/token\")\n                .build()).result())\n            .disableLocalCaJwt(false)\n            .build());\n\n        var sa_example = new SecretBackendRole(\"sa-example\", SecretBackendRoleArgs.builder()\n            .backend(config.path())\n            .name(\"service-account-name-role\")\n            .allowedKubernetesNamespaces(\"*\")\n            .tokenMaxTtl(43200)\n            .tokenDefaultTtl(21600)\n            .serviceAccountName(\"test-service-account-with-generated-token\")\n            .extraLabels(Map.ofEntries(\n                Map.entry(\"id\", \"abc123\"),\n                Map.entry(\"name\", \"some_name\")\n            ))\n            .extraAnnotations(Map.ofEntries(\n                Map.entry(\"env\", \"development\"),\n                Map.entry(\"location\", \"earth\")\n            ))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:kubernetes:SecretBackend\n    properties:\n      path: kubernetes\n      description: kubernetes secrets engine description\n      kubernetesHost: https://127.0.0.1:61233\n      kubernetesCaCert:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/cert\n          return: result\n      serviceAccountJwt:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/token\n          return: result\n      disableLocalCaJwt: false\n  sa-example:\n    type: vault:kubernetes:SecretBackendRole\n    properties:\n      backend: ${config.path}\n      name: service-account-name-role\n      allowedKubernetesNamespaces:\n        - '*'\n      tokenMaxTtl: 43200\n      tokenDefaultTtl: 21600\n      serviceAccountName: test-service-account-with-generated-token\n      extraLabels:\n        id: abc123\n        name: some_name\n      extraAnnotations:\n        env: development\n        location: earth\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\nExample using \u003cspan pulumi-lang-nodejs=\"`kubernetesRoleName`\" pulumi-lang-dotnet=\"`KubernetesRoleName`\" pulumi-lang-go=\"`kubernetesRoleName`\" pulumi-lang-python=\"`kubernetes_role_name`\" pulumi-lang-yaml=\"`kubernetesRoleName`\" pulumi-lang-java=\"`kubernetesRoleName`\"\u003e`kubernetes_role_name`\u003c/span\u003e mode:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.kubernetes.SecretBackend(\"config\", {\n    path: \"kubernetes\",\n    description: \"kubernetes secrets engine description\",\n    kubernetesHost: \"https://127.0.0.1:61233\",\n    kubernetesCaCert: std.file({\n        input: \"/path/to/cert\",\n    }).then(invoke =\u003e invoke.result),\n    serviceAccountJwt: std.file({\n        input: \"/path/to/token\",\n    }).then(invoke =\u003e invoke.result),\n    disableLocalCaJwt: false,\n});\nconst name_example = new vault.kubernetes.SecretBackendRole(\"name-example\", {\n    backend: config.path,\n    name: \"service-account-name-role\",\n    allowedKubernetesNamespaces: [\"*\"],\n    tokenMaxTtl: 43200,\n    tokenDefaultTtl: 21600,\n    kubernetesRoleName: \"vault-k8s-secrets-role\",\n    extraLabels: {\n        id: \"abc123\",\n        name: \"some_name\",\n    },\n    extraAnnotations: {\n        env: \"development\",\n        location: \"earth\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\nconfig = vault.kubernetes.SecretBackend(\"config\",\n    path=\"kubernetes\",\n    description=\"kubernetes secrets engine description\",\n    kubernetes_host=\"https://127.0.0.1:61233\",\n    kubernetes_ca_cert=std.file(input=\"/path/to/cert\").result,\n    service_account_jwt=std.file(input=\"/path/to/token\").result,\n    disable_local_ca_jwt=False)\nname_example = vault.kubernetes.SecretBackendRole(\"name-example\",\n    backend=config.path,\n    name=\"service-account-name-role\",\n    allowed_kubernetes_namespaces=[\"*\"],\n    token_max_ttl=43200,\n    token_default_ttl=21600,\n    kubernetes_role_name=\"vault-k8s-secrets-role\",\n    extra_labels={\n        \"id\": \"abc123\",\n        \"name\": \"some_name\",\n    },\n    extra_annotations={\n        \"env\": \"development\",\n        \"location\": \"earth\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.Kubernetes.SecretBackend(\"config\", new()\n    {\n        Path = \"kubernetes\",\n        Description = \"kubernetes secrets engine description\",\n        KubernetesHost = \"https://127.0.0.1:61233\",\n        KubernetesCaCert = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/cert\",\n        }).Apply(invoke =\u003e invoke.Result),\n        ServiceAccountJwt = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/token\",\n        }).Apply(invoke =\u003e invoke.Result),\n        DisableLocalCaJwt = false,\n    });\n\n    var name_example = new Vault.Kubernetes.SecretBackendRole(\"name-example\", new()\n    {\n        Backend = config.Path,\n        Name = \"service-account-name-role\",\n        AllowedKubernetesNamespaces = new[]\n        {\n            \"*\",\n        },\n        TokenMaxTtl = 43200,\n        TokenDefaultTtl = 21600,\n        KubernetesRoleName = \"vault-k8s-secrets-role\",\n        ExtraLabels = \n        {\n            { \"id\", \"abc123\" },\n            { \"name\", \"some_name\" },\n        },\n        ExtraAnnotations = \n        {\n            { \"env\", \"development\" },\n            { \"location\", \"earth\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/cert\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFile1, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/token\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tconfig, err := kubernetes.NewSecretBackend(ctx, \"config\", \u0026kubernetes.SecretBackendArgs{\n\t\t\tPath:              pulumi.String(\"kubernetes\"),\n\t\t\tDescription:       pulumi.String(\"kubernetes secrets engine description\"),\n\t\t\tKubernetesHost:    pulumi.String(\"https://127.0.0.1:61233\"),\n\t\t\tKubernetesCaCert:  pulumi.String(invokeFile.Result),\n\t\t\tServiceAccountJwt: pulumi.String(invokeFile1.Result),\n\t\t\tDisableLocalCaJwt: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kubernetes.NewSecretBackendRole(ctx, \"name-example\", \u0026kubernetes.SecretBackendRoleArgs{\n\t\t\tBackend: config.Path,\n\t\t\tName:    pulumi.String(\"service-account-name-role\"),\n\t\t\tAllowedKubernetesNamespaces: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tTokenMaxTtl:        pulumi.Int(43200),\n\t\t\tTokenDefaultTtl:    pulumi.Int(21600),\n\t\t\tKubernetesRoleName: pulumi.String(\"vault-k8s-secrets-role\"),\n\t\t\tExtraLabels: pulumi.StringMap{\n\t\t\t\t\"id\":   pulumi.String(\"abc123\"),\n\t\t\t\t\"name\": pulumi.String(\"some_name\"),\n\t\t\t},\n\t\t\tExtraAnnotations: pulumi.StringMap{\n\t\t\t\t\"env\":      pulumi.String(\"development\"),\n\t\t\t\t\"location\": pulumi.String(\"earth\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kubernetes.SecretBackend;\nimport com.pulumi.vault.kubernetes.SecretBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport com.pulumi.vault.kubernetes.SecretBackendRole;\nimport com.pulumi.vault.kubernetes.SecretBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .path(\"kubernetes\")\n            .description(\"kubernetes secrets engine description\")\n            .kubernetesHost(\"https://127.0.0.1:61233\")\n            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/cert\")\n                .build()).result())\n            .serviceAccountJwt(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/token\")\n                .build()).result())\n            .disableLocalCaJwt(false)\n            .build());\n\n        var name_example = new SecretBackendRole(\"name-example\", SecretBackendRoleArgs.builder()\n            .backend(config.path())\n            .name(\"service-account-name-role\")\n            .allowedKubernetesNamespaces(\"*\")\n            .tokenMaxTtl(43200)\n            .tokenDefaultTtl(21600)\n            .kubernetesRoleName(\"vault-k8s-secrets-role\")\n            .extraLabels(Map.ofEntries(\n                Map.entry(\"id\", \"abc123\"),\n                Map.entry(\"name\", \"some_name\")\n            ))\n            .extraAnnotations(Map.ofEntries(\n                Map.entry(\"env\", \"development\"),\n                Map.entry(\"location\", \"earth\")\n            ))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:kubernetes:SecretBackend\n    properties:\n      path: kubernetes\n      description: kubernetes secrets engine description\n      kubernetesHost: https://127.0.0.1:61233\n      kubernetesCaCert:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/cert\n          return: result\n      serviceAccountJwt:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/token\n          return: result\n      disableLocalCaJwt: false\n  name-example:\n    type: vault:kubernetes:SecretBackendRole\n    properties:\n      backend: ${config.path}\n      name: service-account-name-role\n      allowedKubernetesNamespaces:\n        - '*'\n      tokenMaxTtl: 43200\n      tokenDefaultTtl: 21600\n      kubernetesRoleName: vault-k8s-secrets-role\n      extraLabels:\n        id: abc123\n        name: some_name\n      extraAnnotations:\n        env: development\n        location: earth\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\nExample using \u003cspan pulumi-lang-nodejs=\"`generatedRoleRules`\" pulumi-lang-dotnet=\"`GeneratedRoleRules`\" pulumi-lang-go=\"`generatedRoleRules`\" pulumi-lang-python=\"`generated_role_rules`\" pulumi-lang-yaml=\"`generatedRoleRules`\" pulumi-lang-java=\"`generatedRoleRules`\"\u003e`generated_role_rules`\u003c/span\u003e mode:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.kubernetes.SecretBackend(\"config\", {\n    path: \"kubernetes\",\n    description: \"kubernetes secrets engine description\",\n    kubernetesHost: \"https://127.0.0.1:61233\",\n    kubernetesCaCert: std.file({\n        input: \"/path/to/cert\",\n    }).then(invoke =\u003e invoke.result),\n    serviceAccountJwt: std.file({\n        input: \"/path/to/token\",\n    }).then(invoke =\u003e invoke.result),\n    disableLocalCaJwt: false,\n});\nconst rules_example = new vault.kubernetes.SecretBackendRole(\"rules-example\", {\n    backend: config.path,\n    name: \"service-account-name-role\",\n    allowedKubernetesNamespaces: [\"*\"],\n    tokenMaxTtl: 43200,\n    tokenDefaultTtl: 21600,\n    kubernetesRoleType: \"Role\",\n    generatedRoleRules: `rules:\n- apiGroups: [\\\\\"\\\\\"]\n  resources: [\\\\\"pods\\\\\"]\n  verbs: [\\\\\"list\\\\\"]\n`,\n    extraLabels: {\n        id: \"abc123\",\n        name: \"some_name\",\n    },\n    extraAnnotations: {\n        env: \"development\",\n        location: \"earth\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\nconfig = vault.kubernetes.SecretBackend(\"config\",\n    path=\"kubernetes\",\n    description=\"kubernetes secrets engine description\",\n    kubernetes_host=\"https://127.0.0.1:61233\",\n    kubernetes_ca_cert=std.file(input=\"/path/to/cert\").result,\n    service_account_jwt=std.file(input=\"/path/to/token\").result,\n    disable_local_ca_jwt=False)\nrules_example = vault.kubernetes.SecretBackendRole(\"rules-example\",\n    backend=config.path,\n    name=\"service-account-name-role\",\n    allowed_kubernetes_namespaces=[\"*\"],\n    token_max_ttl=43200,\n    token_default_ttl=21600,\n    kubernetes_role_type=\"Role\",\n    generated_role_rules=\"\"\"rules:\n- apiGroups: [\\\"\\\"]\n  resources: [\\\"pods\\\"]\n  verbs: [\\\"list\\\"]\n\"\"\",\n    extra_labels={\n        \"id\": \"abc123\",\n        \"name\": \"some_name\",\n    },\n    extra_annotations={\n        \"env\": \"development\",\n        \"location\": \"earth\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.Kubernetes.SecretBackend(\"config\", new()\n    {\n        Path = \"kubernetes\",\n        Description = \"kubernetes secrets engine description\",\n        KubernetesHost = \"https://127.0.0.1:61233\",\n        KubernetesCaCert = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/cert\",\n        }).Apply(invoke =\u003e invoke.Result),\n        ServiceAccountJwt = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/token\",\n        }).Apply(invoke =\u003e invoke.Result),\n        DisableLocalCaJwt = false,\n    });\n\n    var rules_example = new Vault.Kubernetes.SecretBackendRole(\"rules-example\", new()\n    {\n        Backend = config.Path,\n        Name = \"service-account-name-role\",\n        AllowedKubernetesNamespaces = new[]\n        {\n            \"*\",\n        },\n        TokenMaxTtl = 43200,\n        TokenDefaultTtl = 21600,\n        KubernetesRoleType = \"Role\",\n        GeneratedRoleRules = @\"rules:\n- apiGroups: [\\\"\"\\\"\"]\n  resources: [\\\"\"pods\\\"\"]\n  verbs: [\\\"\"list\\\"\"]\n\",\n        ExtraLabels = \n        {\n            { \"id\", \"abc123\" },\n            { \"name\", \"some_name\" },\n        },\n        ExtraAnnotations = \n        {\n            { \"env\", \"development\" },\n            { \"location\", \"earth\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/cert\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFile1, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/token\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tconfig, err := kubernetes.NewSecretBackend(ctx, \"config\", \u0026kubernetes.SecretBackendArgs{\n\t\t\tPath:              pulumi.String(\"kubernetes\"),\n\t\t\tDescription:       pulumi.String(\"kubernetes secrets engine description\"),\n\t\t\tKubernetesHost:    pulumi.String(\"https://127.0.0.1:61233\"),\n\t\t\tKubernetesCaCert:  pulumi.String(invokeFile.Result),\n\t\t\tServiceAccountJwt: pulumi.String(invokeFile1.Result),\n\t\t\tDisableLocalCaJwt: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kubernetes.NewSecretBackendRole(ctx, \"rules-example\", \u0026kubernetes.SecretBackendRoleArgs{\n\t\t\tBackend: config.Path,\n\t\t\tName:    pulumi.String(\"service-account-name-role\"),\n\t\t\tAllowedKubernetesNamespaces: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tTokenMaxTtl:        pulumi.Int(43200),\n\t\t\tTokenDefaultTtl:    pulumi.Int(21600),\n\t\t\tKubernetesRoleType: pulumi.String(\"Role\"),\n\t\t\tGeneratedRoleRules: pulumi.String(\"rules:\\n- apiGroups: [\\\\\\\"\\\\\\\"]\\n  resources: [\\\\\\\"pods\\\\\\\"]\\n  verbs: [\\\\\\\"list\\\\\\\"]\\n\"),\n\t\t\tExtraLabels: pulumi.StringMap{\n\t\t\t\t\"id\":   pulumi.String(\"abc123\"),\n\t\t\t\t\"name\": pulumi.String(\"some_name\"),\n\t\t\t},\n\t\t\tExtraAnnotations: pulumi.StringMap{\n\t\t\t\t\"env\":      pulumi.String(\"development\"),\n\t\t\t\t\"location\": pulumi.String(\"earth\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kubernetes.SecretBackend;\nimport com.pulumi.vault.kubernetes.SecretBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport com.pulumi.vault.kubernetes.SecretBackendRole;\nimport com.pulumi.vault.kubernetes.SecretBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .path(\"kubernetes\")\n            .description(\"kubernetes secrets engine description\")\n            .kubernetesHost(\"https://127.0.0.1:61233\")\n            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/cert\")\n                .build()).result())\n            .serviceAccountJwt(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/token\")\n                .build()).result())\n            .disableLocalCaJwt(false)\n            .build());\n\n        var rules_example = new SecretBackendRole(\"rules-example\", SecretBackendRoleArgs.builder()\n            .backend(config.path())\n            .name(\"service-account-name-role\")\n            .allowedKubernetesNamespaces(\"*\")\n            .tokenMaxTtl(43200)\n            .tokenDefaultTtl(21600)\n            .kubernetesRoleType(\"Role\")\n            .generatedRoleRules(\"\"\"\nrules:\n- apiGroups: [\\\"\\\"]\n  resources: [\\\"pods\\\"]\n  verbs: [\\\"list\\\"]\n            \"\"\")\n            .extraLabels(Map.ofEntries(\n                Map.entry(\"id\", \"abc123\"),\n                Map.entry(\"name\", \"some_name\")\n            ))\n            .extraAnnotations(Map.ofEntries(\n                Map.entry(\"env\", \"development\"),\n                Map.entry(\"location\", \"earth\")\n            ))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:kubernetes:SecretBackend\n    properties:\n      path: kubernetes\n      description: kubernetes secrets engine description\n      kubernetesHost: https://127.0.0.1:61233\n      kubernetesCaCert:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/cert\n          return: result\n      serviceAccountJwt:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/token\n          return: result\n      disableLocalCaJwt: false\n  rules-example:\n    type: vault:kubernetes:SecretBackendRole\n    properties:\n      backend: ${config.path}\n      name: service-account-name-role\n      allowedKubernetesNamespaces:\n        - '*'\n      tokenMaxTtl: 43200\n      tokenDefaultTtl: 21600\n      kubernetesRoleType: Role\n      generatedRoleRules: |\n        rules:\n        - apiGroups: [\\\"\\\"]\n          resources: [\\\"pods\\\"]\n          verbs: [\\\"list\\\"]\n      extraLabels:\n        id: abc123\n        name: some_name\n      extraAnnotations:\n        env: development\n        location: earth\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe Kubernetes secret backend role can be imported using the full path to the role\n\nof the form: `\u003cbackend_path\u003e/roles/\u003crole_name\u003e` e.g.\n\n```sh\n$ pulumi import vault:kubernetes/secretBackendRole:SecretBackendRole example kubernetes kubernetes/roles/example-role\n```\n\n","properties":{"allowedKubernetesNamespaceSelector":{"type":"string","description":"A label selector for Kubernetes namespaces \nin which credentials can be generated. Accepts either a JSON or YAML object. The value should be\nof type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).\nIf set with \u003cspan pulumi-lang-nodejs=\"`allowedKubernetesNamespace`\" pulumi-lang-dotnet=\"`AllowedKubernetesNamespace`\" pulumi-lang-go=\"`allowedKubernetesNamespace`\" pulumi-lang-python=\"`allowed_kubernetes_namespace`\" pulumi-lang-yaml=\"`allowedKubernetesNamespace`\" pulumi-lang-java=\"`allowedKubernetesNamespace`\"\u003e`allowed_kubernetes_namespace`\u003c/span\u003e, the conditions are `OR`ed.\n"},"allowedKubernetesNamespaces":{"type":"array","items":{"type":"string"},"description":"The list of Kubernetes namespaces this role \ncan generate credentials for. If set to `*` all namespaces are allowed. If set with\n\u003cspan pulumi-lang-nodejs=\"`allowedKubernetesNamespaceSelector`\" pulumi-lang-dotnet=\"`AllowedKubernetesNamespaceSelector`\" pulumi-lang-go=\"`allowedKubernetesNamespaceSelector`\" pulumi-lang-python=\"`allowed_kubernetes_namespace_selector`\" pulumi-lang-yaml=\"`allowedKubernetesNamespaceSelector`\" pulumi-lang-java=\"`allowedKubernetesNamespaceSelector`\"\u003e`allowed_kubernetes_namespace_selector`\u003c/span\u003e, the conditions are `OR`ed.\n"},"backend":{"type":"string","description":"The path of the Kubernetes Secrets Engine backend mount to create\nthe role in.\n"},"extraAnnotations":{"type":"object","additionalProperties":{"type":"string"},"description":"Additional annotations to apply to all generated \nKubernetes objects.\n"},"extraLabels":{"type":"object","additionalProperties":{"type":"string"},"description":"Additional labels to apply to all generated Kubernetes \nobjects.\n\nThis resource also directly accepts all\u003cspan pulumi-lang-nodejs=\" vault.Mount \" pulumi-lang-dotnet=\" vault.Mount \" pulumi-lang-go=\" Mount \" pulumi-lang-python=\" Mount \" pulumi-lang-yaml=\" vault.Mount \" pulumi-lang-java=\" vault.Mount \"\u003e vault.Mount \u003c/span\u003efields.\n"},"generatedRoleRules":{"type":"string","description":"The Role or ClusterRole rules to use when generating \na role. Accepts either JSON or YAML formatted rules. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`serviceAccountName`\" pulumi-lang-dotnet=\"`ServiceAccountName`\" pulumi-lang-go=\"`serviceAccountName`\" pulumi-lang-python=\"`service_account_name`\" pulumi-lang-yaml=\"`serviceAccountName`\" pulumi-lang-java=\"`serviceAccountName`\"\u003e`service_account_name`\u003c/span\u003e\nand \u003cspan pulumi-lang-nodejs=\"`kubernetesRoleName`\" pulumi-lang-dotnet=\"`KubernetesRoleName`\" pulumi-lang-go=\"`kubernetesRoleName`\" pulumi-lang-python=\"`kubernetes_role_name`\" pulumi-lang-yaml=\"`kubernetesRoleName`\" pulumi-lang-java=\"`kubernetesRoleName`\"\u003e`kubernetes_role_name`\u003c/span\u003e. If set, the entire chain of Kubernetes objects will be generated\nwhen credentials are requested.\n"},"kubernetesRoleName":{"type":"string","description":"The pre-existing Role or ClusterRole to bind a \ngenerated service account to. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`serviceAccountName`\" pulumi-lang-dotnet=\"`ServiceAccountName`\" pulumi-lang-go=\"`serviceAccountName`\" pulumi-lang-python=\"`service_account_name`\" pulumi-lang-yaml=\"`serviceAccountName`\" pulumi-lang-java=\"`serviceAccountName`\"\u003e`service_account_name`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`generatedRoleRules`\" pulumi-lang-dotnet=\"`GeneratedRoleRules`\" pulumi-lang-go=\"`generatedRoleRules`\" pulumi-lang-python=\"`generated_role_rules`\" pulumi-lang-yaml=\"`generatedRoleRules`\" pulumi-lang-java=\"`generatedRoleRules`\"\u003e`generated_role_rules`\u003c/span\u003e. If set, Kubernetes token, service account, and role\nbinding objects will be created when credentials are requested.\n"},"kubernetesRoleType":{"type":"string","description":"Specifies whether the Kubernetes role is a Role or \nClusterRole.\n"},"name":{"type":"string","description":"The name of the role.\n"},"nameTemplate":{"type":"string","description":"The name template to use when generating service accounts, \nroles and role bindings. If unset, a default template is used.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"serviceAccountName":{"type":"string","description":"The pre-existing service account to generate tokens for.\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`kubernetesRoleName`\" pulumi-lang-dotnet=\"`KubernetesRoleName`\" pulumi-lang-go=\"`kubernetesRoleName`\" pulumi-lang-python=\"`kubernetes_role_name`\" pulumi-lang-yaml=\"`kubernetesRoleName`\" pulumi-lang-java=\"`kubernetesRoleName`\"\u003e`kubernetes_role_name`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`generatedRoleRules`\" pulumi-lang-dotnet=\"`GeneratedRoleRules`\" pulumi-lang-go=\"`generatedRoleRules`\" pulumi-lang-python=\"`generated_role_rules`\" pulumi-lang-yaml=\"`generatedRoleRules`\" pulumi-lang-java=\"`generatedRoleRules`\"\u003e`generated_role_rules`\u003c/span\u003e. If set, only a\nKubernetes token will be created when credentials are requested.\n"},"tokenDefaultTtl":{"type":"integer","description":"The default TTL for generated Kubernetes tokens in seconds.\n"},"tokenMaxTtl":{"type":"integer","description":"The maximum TTL for generated Kubernetes tokens in seconds.\n"}},"required":["backend","name"],"inputProperties":{"allowedKubernetesNamespaceSelector":{"type":"string","description":"A label selector for Kubernetes namespaces \nin which credentials can be generated. Accepts either a JSON or YAML object. The value should be\nof type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).\nIf set with \u003cspan pulumi-lang-nodejs=\"`allowedKubernetesNamespace`\" pulumi-lang-dotnet=\"`AllowedKubernetesNamespace`\" pulumi-lang-go=\"`allowedKubernetesNamespace`\" pulumi-lang-python=\"`allowed_kubernetes_namespace`\" pulumi-lang-yaml=\"`allowedKubernetesNamespace`\" pulumi-lang-java=\"`allowedKubernetesNamespace`\"\u003e`allowed_kubernetes_namespace`\u003c/span\u003e, the conditions are `OR`ed.\n"},"allowedKubernetesNamespaces":{"type":"array","items":{"type":"string"},"description":"The list of Kubernetes namespaces this role \ncan generate credentials for. If set to `*` all namespaces are allowed. If set with\n\u003cspan pulumi-lang-nodejs=\"`allowedKubernetesNamespaceSelector`\" pulumi-lang-dotnet=\"`AllowedKubernetesNamespaceSelector`\" pulumi-lang-go=\"`allowedKubernetesNamespaceSelector`\" pulumi-lang-python=\"`allowed_kubernetes_namespace_selector`\" pulumi-lang-yaml=\"`allowedKubernetesNamespaceSelector`\" pulumi-lang-java=\"`allowedKubernetesNamespaceSelector`\"\u003e`allowed_kubernetes_namespace_selector`\u003c/span\u003e, the conditions are `OR`ed.\n"},"backend":{"type":"string","description":"The path of the Kubernetes Secrets Engine backend mount to create\nthe role in.\n","willReplaceOnChanges":true},"extraAnnotations":{"type":"object","additionalProperties":{"type":"string"},"description":"Additional annotations to apply to all generated \nKubernetes objects.\n"},"extraLabels":{"type":"object","additionalProperties":{"type":"string"},"description":"Additional labels to apply to all generated Kubernetes \nobjects.\n\nThis resource also directly accepts all\u003cspan pulumi-lang-nodejs=\" vault.Mount \" pulumi-lang-dotnet=\" vault.Mount \" pulumi-lang-go=\" Mount \" pulumi-lang-python=\" Mount \" pulumi-lang-yaml=\" vault.Mount \" pulumi-lang-java=\" vault.Mount \"\u003e vault.Mount \u003c/span\u003efields.\n"},"generatedRoleRules":{"type":"string","description":"The Role or ClusterRole rules to use when generating \na role. Accepts either JSON or YAML formatted rules. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`serviceAccountName`\" pulumi-lang-dotnet=\"`ServiceAccountName`\" pulumi-lang-go=\"`serviceAccountName`\" pulumi-lang-python=\"`service_account_name`\" pulumi-lang-yaml=\"`serviceAccountName`\" pulumi-lang-java=\"`serviceAccountName`\"\u003e`service_account_name`\u003c/span\u003e\nand \u003cspan pulumi-lang-nodejs=\"`kubernetesRoleName`\" pulumi-lang-dotnet=\"`KubernetesRoleName`\" pulumi-lang-go=\"`kubernetesRoleName`\" pulumi-lang-python=\"`kubernetes_role_name`\" pulumi-lang-yaml=\"`kubernetesRoleName`\" pulumi-lang-java=\"`kubernetesRoleName`\"\u003e`kubernetes_role_name`\u003c/span\u003e. If set, the entire chain of Kubernetes objects will be generated\nwhen credentials are requested.\n"},"kubernetesRoleName":{"type":"string","description":"The pre-existing Role or ClusterRole to bind a \ngenerated service account to. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`serviceAccountName`\" pulumi-lang-dotnet=\"`ServiceAccountName`\" pulumi-lang-go=\"`serviceAccountName`\" pulumi-lang-python=\"`service_account_name`\" pulumi-lang-yaml=\"`serviceAccountName`\" pulumi-lang-java=\"`serviceAccountName`\"\u003e`service_account_name`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`generatedRoleRules`\" pulumi-lang-dotnet=\"`GeneratedRoleRules`\" pulumi-lang-go=\"`generatedRoleRules`\" pulumi-lang-python=\"`generated_role_rules`\" pulumi-lang-yaml=\"`generatedRoleRules`\" pulumi-lang-java=\"`generatedRoleRules`\"\u003e`generated_role_rules`\u003c/span\u003e. If set, Kubernetes token, service account, and role\nbinding objects will be created when credentials are requested.\n"},"kubernetesRoleType":{"type":"string","description":"Specifies whether the Kubernetes role is a Role or \nClusterRole.\n"},"name":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"nameTemplate":{"type":"string","description":"The name template to use when generating service accounts, \nroles and role bindings. If unset, a default template is used.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"serviceAccountName":{"type":"string","description":"The pre-existing service account to generate tokens for.\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`kubernetesRoleName`\" pulumi-lang-dotnet=\"`KubernetesRoleName`\" pulumi-lang-go=\"`kubernetesRoleName`\" pulumi-lang-python=\"`kubernetes_role_name`\" pulumi-lang-yaml=\"`kubernetesRoleName`\" pulumi-lang-java=\"`kubernetesRoleName`\"\u003e`kubernetes_role_name`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`generatedRoleRules`\" pulumi-lang-dotnet=\"`GeneratedRoleRules`\" pulumi-lang-go=\"`generatedRoleRules`\" pulumi-lang-python=\"`generated_role_rules`\" pulumi-lang-yaml=\"`generatedRoleRules`\" pulumi-lang-java=\"`generatedRoleRules`\"\u003e`generated_role_rules`\u003c/span\u003e. If set, only a\nKubernetes token will be created when credentials are requested.\n"},"tokenDefaultTtl":{"type":"integer","description":"The default TTL for generated Kubernetes tokens in seconds.\n"},"tokenMaxTtl":{"type":"integer","description":"The maximum TTL for generated Kubernetes tokens in seconds.\n"}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendRole resources.\n","properties":{"allowedKubernetesNamespaceSelector":{"type":"string","description":"A label selector for Kubernetes namespaces \nin which credentials can be generated. Accepts either a JSON or YAML object. The value should be\nof type [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta).\nIf set with \u003cspan pulumi-lang-nodejs=\"`allowedKubernetesNamespace`\" pulumi-lang-dotnet=\"`AllowedKubernetesNamespace`\" pulumi-lang-go=\"`allowedKubernetesNamespace`\" pulumi-lang-python=\"`allowed_kubernetes_namespace`\" pulumi-lang-yaml=\"`allowedKubernetesNamespace`\" pulumi-lang-java=\"`allowedKubernetesNamespace`\"\u003e`allowed_kubernetes_namespace`\u003c/span\u003e, the conditions are `OR`ed.\n"},"allowedKubernetesNamespaces":{"type":"array","items":{"type":"string"},"description":"The list of Kubernetes namespaces this role \ncan generate credentials for. If set to `*` all namespaces are allowed. If set with\n\u003cspan pulumi-lang-nodejs=\"`allowedKubernetesNamespaceSelector`\" pulumi-lang-dotnet=\"`AllowedKubernetesNamespaceSelector`\" pulumi-lang-go=\"`allowedKubernetesNamespaceSelector`\" pulumi-lang-python=\"`allowed_kubernetes_namespace_selector`\" pulumi-lang-yaml=\"`allowedKubernetesNamespaceSelector`\" pulumi-lang-java=\"`allowedKubernetesNamespaceSelector`\"\u003e`allowed_kubernetes_namespace_selector`\u003c/span\u003e, the conditions are `OR`ed.\n"},"backend":{"type":"string","description":"The path of the Kubernetes Secrets Engine backend mount to create\nthe role in.\n","willReplaceOnChanges":true},"extraAnnotations":{"type":"object","additionalProperties":{"type":"string"},"description":"Additional annotations to apply to all generated \nKubernetes objects.\n"},"extraLabels":{"type":"object","additionalProperties":{"type":"string"},"description":"Additional labels to apply to all generated Kubernetes \nobjects.\n\nThis resource also directly accepts all\u003cspan pulumi-lang-nodejs=\" vault.Mount \" pulumi-lang-dotnet=\" vault.Mount \" pulumi-lang-go=\" Mount \" pulumi-lang-python=\" Mount \" pulumi-lang-yaml=\" vault.Mount \" pulumi-lang-java=\" vault.Mount \"\u003e vault.Mount \u003c/span\u003efields.\n"},"generatedRoleRules":{"type":"string","description":"The Role or ClusterRole rules to use when generating \na role. Accepts either JSON or YAML formatted rules. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`serviceAccountName`\" pulumi-lang-dotnet=\"`ServiceAccountName`\" pulumi-lang-go=\"`serviceAccountName`\" pulumi-lang-python=\"`service_account_name`\" pulumi-lang-yaml=\"`serviceAccountName`\" pulumi-lang-java=\"`serviceAccountName`\"\u003e`service_account_name`\u003c/span\u003e\nand \u003cspan pulumi-lang-nodejs=\"`kubernetesRoleName`\" pulumi-lang-dotnet=\"`KubernetesRoleName`\" pulumi-lang-go=\"`kubernetesRoleName`\" pulumi-lang-python=\"`kubernetes_role_name`\" pulumi-lang-yaml=\"`kubernetesRoleName`\" pulumi-lang-java=\"`kubernetesRoleName`\"\u003e`kubernetes_role_name`\u003c/span\u003e. If set, the entire chain of Kubernetes objects will be generated\nwhen credentials are requested.\n"},"kubernetesRoleName":{"type":"string","description":"The pre-existing Role or ClusterRole to bind a \ngenerated service account to. Mutually exclusive with \u003cspan pulumi-lang-nodejs=\"`serviceAccountName`\" pulumi-lang-dotnet=\"`ServiceAccountName`\" pulumi-lang-go=\"`serviceAccountName`\" pulumi-lang-python=\"`service_account_name`\" pulumi-lang-yaml=\"`serviceAccountName`\" pulumi-lang-java=\"`serviceAccountName`\"\u003e`service_account_name`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`generatedRoleRules`\" pulumi-lang-dotnet=\"`GeneratedRoleRules`\" pulumi-lang-go=\"`generatedRoleRules`\" pulumi-lang-python=\"`generated_role_rules`\" pulumi-lang-yaml=\"`generatedRoleRules`\" pulumi-lang-java=\"`generatedRoleRules`\"\u003e`generated_role_rules`\u003c/span\u003e. If set, Kubernetes token, service account, and role\nbinding objects will be created when credentials are requested.\n"},"kubernetesRoleType":{"type":"string","description":"Specifies whether the Kubernetes role is a Role or \nClusterRole.\n"},"name":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"nameTemplate":{"type":"string","description":"The name template to use when generating service accounts, \nroles and role bindings. If unset, a default template is used.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"serviceAccountName":{"type":"string","description":"The pre-existing service account to generate tokens for.\nMutually exclusive with \u003cspan pulumi-lang-nodejs=\"`kubernetesRoleName`\" pulumi-lang-dotnet=\"`KubernetesRoleName`\" pulumi-lang-go=\"`kubernetesRoleName`\" pulumi-lang-python=\"`kubernetes_role_name`\" pulumi-lang-yaml=\"`kubernetesRoleName`\" pulumi-lang-java=\"`kubernetesRoleName`\"\u003e`kubernetes_role_name`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`generatedRoleRules`\" pulumi-lang-dotnet=\"`GeneratedRoleRules`\" pulumi-lang-go=\"`generatedRoleRules`\" pulumi-lang-python=\"`generated_role_rules`\" pulumi-lang-yaml=\"`generatedRoleRules`\" pulumi-lang-java=\"`generatedRoleRules`\"\u003e`generated_role_rules`\u003c/span\u003e. If set, only a\nKubernetes token will be created when credentials are requested.\n"},"tokenDefaultTtl":{"type":"integer","description":"The default TTL for generated Kubernetes tokens in seconds.\n"},"tokenMaxTtl":{"type":"integer","description":"The maximum TTL for generated Kubernetes tokens in seconds.\n"}},"type":"object"}},"vault:kv/secret:Secret":{"description":"Writes a KV-V1 secret to a given path in Vault.\n\nFor more information on Vault's KV-V1 secret backend\n[see here](https://www.vaultproject.io/docs/secrets/kv/kv-v1).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv1 = new vault.Mount(\"kvv1\", {\n    path: \"kvv1\",\n    type: \"kv\",\n    options: {\n        version: \"1\",\n    },\n    description: \"KV Version 1 secret engine mount\",\n});\nconst secret = new vault.kv.Secret(\"secret\", {\n    path: pulumi.interpolate`${kvv1.path}/secret`,\n    dataJson: JSON.stringify({\n        zip: \"zap\",\n        foo: \"bar\",\n    }),\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv1 = vault.Mount(\"kvv1\",\n    path=\"kvv1\",\n    type=\"kv\",\n    options={\n        \"version\": \"1\",\n    },\n    description=\"KV Version 1 secret engine mount\")\nsecret = vault.kv.Secret(\"secret\",\n    path=kvv1.path.apply(lambda path: f\"{path}/secret\"),\n    data_json=json.dumps({\n        \"zip\": \"zap\",\n        \"foo\": \"bar\",\n    }))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv1 = new Vault.Mount(\"kvv1\", new()\n    {\n        Path = \"kvv1\",\n        Type = \"kv\",\n        Options = \n        {\n            { \"version\", \"1\" },\n        },\n        Description = \"KV Version 1 secret engine mount\",\n    });\n\n    var secret = new Vault.Kv.Secret(\"secret\", new()\n    {\n        Path = kvv1.Path.Apply(path =\u003e $\"{path}/secret\"),\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"zip\"] = \"zap\",\n            [\"foo\"] = \"bar\",\n        }),\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv1, err := vault.NewMount(ctx, \"kvv1\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv1\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"1\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 1 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"zip\": \"zap\",\n\t\t\t\"foo\": \"bar\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\t_, err = kv.NewSecret(ctx, \"secret\", \u0026kv.SecretArgs{\n\t\t\tPath: kvv1.Path.ApplyT(func(path string) (string, error) {\n\t\t\t\treturn fmt.Sprintf(\"%v/secret\", path), nil\n\t\t\t}).(pulumi.StringOutput),\n\t\t\tDataJson: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.Secret;\nimport com.pulumi.vault.kv.SecretArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv1 = new Mount(\"kvv1\", MountArgs.builder()\n            .path(\"kvv1\")\n            .type(\"kv\")\n            .options(Map.of(\"version\", \"1\"))\n            .description(\"KV Version 1 secret engine mount\")\n            .build());\n\n        var secret = new Secret(\"secret\", SecretArgs.builder()\n            .path(kvv1.path().applyValue(_path -\u003e String.format(\"%s/secret\", _path)))\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"zip\", \"zap\"),\n                    jsonProperty(\"foo\", \"bar\")\n                )))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kvv1:\n    type: vault:Mount\n    properties:\n      path: kvv1\n      type: kv\n      options:\n        version: '1'\n      description: KV Version 1 secret engine mount\n  secret:\n    type: vault:kv:Secret\n    properties:\n      path: ${kvv1.path}/secret\n      dataJson:\n        fn::toJSON:\n          zip: zap\n          foo: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`create`\" pulumi-lang-dotnet=\"`Create`\" pulumi-lang-go=\"`create`\" pulumi-lang-python=\"`create`\" pulumi-lang-yaml=\"`create`\" pulumi-lang-java=\"`create`\"\u003e`create`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`update`\" pulumi-lang-dotnet=\"`Update`\" pulumi-lang-go=\"`update`\" pulumi-lang-python=\"`update`\" pulumi-lang-yaml=\"`update`\" pulumi-lang-java=\"`update`\"\u003e`update`\u003c/span\u003e capability\n(depending on whether the resource already exists) on the given path,\nthe \u003cspan pulumi-lang-nodejs=\"`delete`\" pulumi-lang-dotnet=\"`Delete`\" pulumi-lang-go=\"`delete`\" pulumi-lang-python=\"`delete`\" pulumi-lang-yaml=\"`delete`\" pulumi-lang-java=\"`delete`\"\u003e`delete`\u003c/span\u003e capability if the resource is removed from configuration,\nand the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability for drift detection (by default).\n\n## Import\n\nKV-V1 secrets can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:kv/secret:Secret secret kvv1/secret\n```\n","properties":{"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only\nrepresent string data, so any non-string values returned from Vault are\nserialized as JSON.\n","secret":true},"dataJson":{"type":"string","description":"JSON-encoded string that will be\nwritten as the secret data at the given path.\n","secret":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Full path of the KV-V1 secret.\n"}},"required":["data","dataJson","path"],"inputProperties":{"dataJson":{"type":"string","description":"JSON-encoded string that will be\nwritten as the secret data at the given path.\n","secret":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.\n","willReplaceOnChanges":true}},"requiredInputs":["dataJson","path"],"stateInputs":{"description":"Input properties used for looking up and filtering Secret resources.\n","properties":{"data":{"type":"object","additionalProperties":{"type":"string"},"description":"A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only\nrepresent string data, so any non-string values returned from Vault are\nserialized as JSON.\n","secret":true},"dataJson":{"type":"string","description":"JSON-encoded string that will be\nwritten as the secret data at the given path.\n","secret":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:kv/secretBackendV2:SecretBackendV2":{"description":"Configures KV-V2 backend level settings that are applied to\nevery key in the key-value store.\n\nFor more information on Vault's KV-V2 secret backend\n[see here](https://www.vaultproject.io/docs/secrets/kv/kv-v2).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv2 = new vault.Mount(\"kvv2\", {\n    path: \"kvv2\",\n    type: \"kv\",\n    options: {\n        version: \"2\",\n    },\n    description: \"KV Version 2 secret engine mount\",\n});\nconst example = new vault.kv.SecretBackendV2(\"example\", {\n    mount: kvv2.path,\n    maxVersions: 5,\n    deleteVersionAfter: 12600,\n    casRequired: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkvv2 = vault.Mount(\"kvv2\",\n    path=\"kvv2\",\n    type=\"kv\",\n    options={\n        \"version\": \"2\",\n    },\n    description=\"KV Version 2 secret engine mount\")\nexample = vault.kv.SecretBackendV2(\"example\",\n    mount=kvv2.path,\n    max_versions=5,\n    delete_version_after=12600,\n    cas_required=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv2 = new Vault.Mount(\"kvv2\", new()\n    {\n        Path = \"kvv2\",\n        Type = \"kv\",\n        Options = \n        {\n            { \"version\", \"2\" },\n        },\n        Description = \"KV Version 2 secret engine mount\",\n    });\n\n    var example = new Vault.Kv.SecretBackendV2(\"example\", new()\n    {\n        Mount = kvv2.Path,\n        MaxVersions = 5,\n        DeleteVersionAfter = 12600,\n        CasRequired = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv2, err := vault.NewMount(ctx, \"kvv2\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv2\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 2 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = kv.NewSecretBackendV2(ctx, \"example\", \u0026kv.SecretBackendV2Args{\n\t\t\tMount:              kvv2.Path,\n\t\t\tMaxVersions:        pulumi.Int(5),\n\t\t\tDeleteVersionAfter: pulumi.Int(12600),\n\t\t\tCasRequired:        pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.SecretBackendV2;\nimport com.pulumi.vault.kv.SecretBackendV2Args;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv2 = new Mount(\"kvv2\", MountArgs.builder()\n            .path(\"kvv2\")\n            .type(\"kv\")\n            .options(Map.of(\"version\", \"2\"))\n            .description(\"KV Version 2 secret engine mount\")\n            .build());\n\n        var example = new SecretBackendV2(\"example\", SecretBackendV2Args.builder()\n            .mount(kvv2.path())\n            .maxVersions(5)\n            .deleteVersionAfter(12600)\n            .casRequired(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kvv2:\n    type: vault:Mount\n    properties:\n      path: kvv2\n      type: kv\n      options:\n        version: '2'\n      description: KV Version 2 secret engine mount\n  example:\n    type: vault:kv:SecretBackendV2\n    properties:\n      mount: ${kvv2.path}\n      maxVersions: 5\n      deleteVersionAfter: 12600\n      casRequired: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`create`\" pulumi-lang-dotnet=\"`Create`\" pulumi-lang-go=\"`create`\" pulumi-lang-python=\"`create`\" pulumi-lang-yaml=\"`create`\" pulumi-lang-java=\"`create`\"\u003e`create`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`update`\" pulumi-lang-dotnet=\"`Update`\" pulumi-lang-go=\"`update`\" pulumi-lang-python=\"`update`\" pulumi-lang-yaml=\"`update`\" pulumi-lang-java=\"`update`\"\u003e`update`\u003c/span\u003e capability\n(depending on whether the resource already exists) on the given path,\nthe \u003cspan pulumi-lang-nodejs=\"`delete`\" pulumi-lang-dotnet=\"`Delete`\" pulumi-lang-go=\"`delete`\" pulumi-lang-python=\"`delete`\" pulumi-lang-yaml=\"`delete`\" pulumi-lang-java=\"`delete`\"\u003e`delete`\u003c/span\u003e capability if the resource is removed from configuration,\nand the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability for drift detection (by default).\n\n## Import\n\nThe KV-V2 secret backend can be imported using its unique ID,\nthe `${mount}/config`, e.g.\n\n```sh\n$ pulumi import vault:kv/secretBackendV2:SecretBackendV2 example kvv2/config\n```\n","properties":{"casRequired":{"type":"boolean","description":"If true, all keys will require the cas\nparameter to be set on all write requests.\n"},"deleteVersionAfter":{"type":"integer","description":"If set, specifies the length of time before\na version is deleted. Accepts duration in integer seconds.\n"},"maxVersions":{"type":"integer","description":"The number of versions to keep per key.\n"},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["casRequired","maxVersions","mount"],"inputProperties":{"casRequired":{"type":"boolean","description":"If true, all keys will require the cas\nparameter to be set on all write requests.\n"},"deleteVersionAfter":{"type":"integer","description":"If set, specifies the length of time before\na version is deleted. Accepts duration in integer seconds.\n"},"maxVersions":{"type":"integer","description":"The number of versions to keep per key.\n"},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["mount"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendV2 resources.\n","properties":{"casRequired":{"type":"boolean","description":"If true, all keys will require the cas\nparameter to be set on all write requests.\n"},"deleteVersionAfter":{"type":"integer","description":"If set, specifies the length of time before\na version is deleted. Accepts duration in integer seconds.\n"},"maxVersions":{"type":"integer","description":"The number of versions to keep per key.\n"},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:kv/secretV2:SecretV2":{"description":"Writes a KV-V2 secret to a given path in Vault.\n\nFor more information on Vault's KV-V2 secret backend\n[see here](https://www.vaultproject.io/docs/secrets/kv/kv-v2).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv2 = new vault.Mount(\"kvv2\", {\n    path: \"kvv2\",\n    type: \"kv\",\n    options: {\n        version: \"2\",\n    },\n    description: \"KV Version 2 secret engine mount\",\n});\nconst example = new vault.kv.SecretV2(\"example\", {\n    mount: kvv2.path,\n    name: \"secret\",\n    cas: 1,\n    deleteAllVersions: true,\n    dataJsonWo: JSON.stringify({\n        zip: \"zap\",\n        foo: \"bar\",\n    }),\n    dataJsonWoVersion: 1,\n    customMetadata: {\n        maxVersions: 5,\n        data: {\n            foo: \"vault@example.com\",\n            bar: \"12345\",\n        },\n    },\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv2 = vault.Mount(\"kvv2\",\n    path=\"kvv2\",\n    type=\"kv\",\n    options={\n        \"version\": \"2\",\n    },\n    description=\"KV Version 2 secret engine mount\")\nexample = vault.kv.SecretV2(\"example\",\n    mount=kvv2.path,\n    name=\"secret\",\n    cas=1,\n    delete_all_versions=True,\n    data_json_wo=json.dumps({\n        \"zip\": \"zap\",\n        \"foo\": \"bar\",\n    }),\n    data_json_wo_version=1,\n    custom_metadata={\n        \"max_versions\": 5,\n        \"data\": {\n            \"foo\": \"vault@example.com\",\n            \"bar\": \"12345\",\n        },\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv2 = new Vault.Mount(\"kvv2\", new()\n    {\n        Path = \"kvv2\",\n        Type = \"kv\",\n        Options = \n        {\n            { \"version\", \"2\" },\n        },\n        Description = \"KV Version 2 secret engine mount\",\n    });\n\n    var example = new Vault.Kv.SecretV2(\"example\", new()\n    {\n        Mount = kvv2.Path,\n        Name = \"secret\",\n        Cas = 1,\n        DeleteAllVersions = true,\n        DataJsonWo = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"zip\"] = \"zap\",\n            [\"foo\"] = \"bar\",\n        }),\n        DataJsonWoVersion = 1,\n        CustomMetadata = new Vault.kv.Inputs.SecretV2CustomMetadataArgs\n        {\n            MaxVersions = 5,\n            Data = \n            {\n                { \"foo\", \"vault@example.com\" },\n                { \"bar\", \"12345\" },\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv2, err := vault.NewMount(ctx, \"kvv2\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv2\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 2 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"zip\": \"zap\",\n\t\t\t\"foo\": \"bar\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\t_, err = kv.NewSecretV2(ctx, \"example\", \u0026kv.SecretV2Args{\n\t\t\tMount:             kvv2.Path,\n\t\t\tName:              pulumi.String(\"secret\"),\n\t\t\tCas:               pulumi.Int(1),\n\t\t\tDeleteAllVersions: pulumi.Bool(true),\n\t\t\tDataJsonWo:        pulumi.String(json0),\n\t\t\tDataJsonWoVersion: pulumi.Int(1),\n\t\t\tCustomMetadata: \u0026kv.SecretV2CustomMetadataArgs{\n\t\t\t\tMaxVersions: pulumi.Int(5),\n\t\t\t\tData: pulumi.StringMap{\n\t\t\t\t\t\"foo\": pulumi.String(\"vault@example.com\"),\n\t\t\t\t\t\"bar\": pulumi.String(\"12345\"),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.SecretV2;\nimport com.pulumi.vault.kv.SecretV2Args;\nimport com.pulumi.vault.kv.inputs.SecretV2CustomMetadataArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv2 = new Mount(\"kvv2\", MountArgs.builder()\n            .path(\"kvv2\")\n            .type(\"kv\")\n            .options(Map.of(\"version\", \"2\"))\n            .description(\"KV Version 2 secret engine mount\")\n            .build());\n\n        var example = new SecretV2(\"example\", SecretV2Args.builder()\n            .mount(kvv2.path())\n            .name(\"secret\")\n            .cas(1)\n            .deleteAllVersions(true)\n            .dataJsonWo(serializeJson(\n                jsonObject(\n                    jsonProperty(\"zip\", \"zap\"),\n                    jsonProperty(\"foo\", \"bar\")\n                )))\n            .dataJsonWoVersion(1)\n            .customMetadata(SecretV2CustomMetadataArgs.builder()\n                .maxVersions(5)\n                .data(Map.ofEntries(\n                    Map.entry(\"foo\", \"vault@example.com\"),\n                    Map.entry(\"bar\", \"12345\")\n                ))\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kvv2:\n    type: vault:Mount\n    properties:\n      path: kvv2\n      type: kv\n      options:\n        version: '2'\n      description: KV Version 2 secret engine mount\n  example:\n    type: vault:kv:SecretV2\n    properties:\n      mount: ${kvv2.path}\n      name: secret\n      cas: 1\n      deleteAllVersions: true\n      dataJsonWo:\n        fn::toJSON:\n          zip: zap\n          foo: bar\n      dataJsonWoVersion: 1\n      customMetadata:\n        maxVersions: 5\n        data:\n          foo: vault@example.com\n          bar: '12345'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`create`\" pulumi-lang-dotnet=\"`Create`\" pulumi-lang-go=\"`create`\" pulumi-lang-python=\"`create`\" pulumi-lang-yaml=\"`create`\" pulumi-lang-java=\"`create`\"\u003e`create`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`update`\" pulumi-lang-dotnet=\"`Update`\" pulumi-lang-go=\"`update`\" pulumi-lang-python=\"`update`\" pulumi-lang-yaml=\"`update`\" pulumi-lang-java=\"`update`\"\u003e`update`\u003c/span\u003e capability\n(depending on whether the resource already exists) on the given path,\nthe \u003cspan pulumi-lang-nodejs=\"`delete`\" pulumi-lang-dotnet=\"`Delete`\" pulumi-lang-go=\"`delete`\" pulumi-lang-python=\"`delete`\" pulumi-lang-yaml=\"`delete`\" pulumi-lang-java=\"`delete`\"\u003e`delete`\u003c/span\u003e capability if the resource is removed from configuration,\nand the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability for drift detection (by default).\n\n### Custom Metadata Configuration Options\n\n* \u003cspan pulumi-lang-nodejs=\"`maxVersions`\" pulumi-lang-dotnet=\"`MaxVersions`\" pulumi-lang-go=\"`maxVersions`\" pulumi-lang-python=\"`max_versions`\" pulumi-lang-yaml=\"`maxVersions`\" pulumi-lang-java=\"`maxVersions`\"\u003e`max_versions`\u003c/span\u003e - (Optional) The number of versions to keep per key.\n\n* \u003cspan pulumi-lang-nodejs=\"`casRequired`\" pulumi-lang-dotnet=\"`CasRequired`\" pulumi-lang-go=\"`casRequired`\" pulumi-lang-python=\"`cas_required`\" pulumi-lang-yaml=\"`casRequired`\" pulumi-lang-java=\"`casRequired`\"\u003e`cas_required`\u003c/span\u003e - (Optional) If true, all keys will require the cas\n  parameter to be set on all write requests.\n\n* \u003cspan pulumi-lang-nodejs=\"`deleteVersionAfter`\" pulumi-lang-dotnet=\"`DeleteVersionAfter`\" pulumi-lang-go=\"`deleteVersionAfter`\" pulumi-lang-python=\"`delete_version_after`\" pulumi-lang-yaml=\"`deleteVersionAfter`\" pulumi-lang-java=\"`deleteVersionAfter`\"\u003e`delete_version_after`\u003c/span\u003e - (Optional) If set, specifies the length of time before\n  a version is deleted. Accepts duration in integer seconds.\n\n* \u003cspan pulumi-lang-nodejs=\"`data`\" pulumi-lang-dotnet=\"`Data`\" pulumi-lang-go=\"`data`\" pulumi-lang-python=\"`data`\" pulumi-lang-yaml=\"`data`\" pulumi-lang-java=\"`data`\"\u003e`data`\u003c/span\u003e - (Optional) A string to string map describing the secret.\n\n## Import\n\nKV-V2 secrets can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:kv/secretV2:SecretV2 example kvv2/data/secret\n```\n","properties":{"cas":{"type":"integer","description":"This flag is required if \u003cspan pulumi-lang-nodejs=\"`casRequired`\" pulumi-lang-dotnet=\"`CasRequired`\" pulumi-lang-go=\"`casRequired`\" pulumi-lang-python=\"`cas_required`\" pulumi-lang-yaml=\"`casRequired`\" pulumi-lang-java=\"`casRequired`\"\u003e`cas_required`\u003c/span\u003e is set to true\non either the secret or the engine's config. In order for a\nwrite operation to be successful, cas must be set to the current version\nof the secret.\n"},"customMetadata":{"$ref":"#/types/vault:kv/SecretV2CustomMetadata:SecretV2CustomMetadata","description":"A nested block that allows configuring metadata for the\nKV secret. Refer to the\nConfiguration Options for more info.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"**Deprecated. Please use new ephemeral resource \u003cspan pulumi-lang-nodejs=\"`vault.kv.SecretV2`\" pulumi-lang-dotnet=\"`vault.kv.SecretV2`\" pulumi-lang-go=\"`kv.SecretV2`\" pulumi-lang-python=\"`kv.SecretV2`\" pulumi-lang-yaml=\"`vault.kv.SecretV2`\" pulumi-lang-java=\"`vault.kv.SecretV2`\"\u003e`vault.kv.SecretV2`\u003c/span\u003e to read back\nsecret data from Vault**. A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only represent string data,\nso any non-string values returned from Vault are serialized as JSON.\n","deprecationMessage":"Deprecated. Will no longer be set on a read.","secret":true},"dataJson":{"type":"string","description":"JSON-encoded string that will be\nwritten as the secret data at the given path. This is required if \u003cspan pulumi-lang-nodejs=\"`dataJsonWo`\" pulumi-lang-dotnet=\"`DataJsonWo`\" pulumi-lang-go=\"`dataJsonWo`\" pulumi-lang-python=\"`data_json_wo`\" pulumi-lang-yaml=\"`dataJsonWo`\" pulumi-lang-java=\"`dataJsonWo`\"\u003e`data_json_wo`\u003c/span\u003e is not set.\n","secret":true},"dataJsonWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nJSON-encoded string that will be\nwritten as the secret data at the given path. This is required if \u003cspan pulumi-lang-nodejs=\"`dataJson`\" pulumi-lang-dotnet=\"`DataJson`\" pulumi-lang-go=\"`dataJson`\" pulumi-lang-python=\"`data_json`\" pulumi-lang-yaml=\"`dataJson`\" pulumi-lang-java=\"`dataJson`\"\u003e`data_json`\u003c/span\u003e is not set. **Note**: This property is write-only and will not be read from the API.\n","secret":true},"dataJsonWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`dataJsonWo`\" pulumi-lang-dotnet=\"`DataJsonWo`\" pulumi-lang-go=\"`dataJsonWo`\" pulumi-lang-python=\"`data_json_wo`\" pulumi-lang-yaml=\"`dataJsonWo`\" pulumi-lang-java=\"`dataJsonWo`\"\u003e`data_json_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"},"deleteAllVersions":{"type":"boolean","description":"If set to true, permanently deletes all\nversions for the specified key.\n"},"disableRead":{"type":"boolean","description":"If set to true, disables reading secret from Vault;\nnote: drift won't be detected.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Metadata associated with this secret read from Vault.\n"},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.\n"},"name":{"type":"string","description":"Full name of the secret. For a nested secret\nthe name is the nested path excluding the mount and data\nprefix. For example, for a secret at `kvv2/data/foo/bar/baz`\nthe name is `foo/bar/baz`.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"An object that holds option settings.\n"},"path":{"type":"string","description":"Full path where the KV-V2 secret will be written.\n"}},"required":["customMetadata","data","metadata","mount","name","path"],"inputProperties":{"cas":{"type":"integer","description":"This flag is required if \u003cspan pulumi-lang-nodejs=\"`casRequired`\" pulumi-lang-dotnet=\"`CasRequired`\" pulumi-lang-go=\"`casRequired`\" pulumi-lang-python=\"`cas_required`\" pulumi-lang-yaml=\"`casRequired`\" pulumi-lang-java=\"`casRequired`\"\u003e`cas_required`\u003c/span\u003e is set to true\non either the secret or the engine's config. In order for a\nwrite operation to be successful, cas must be set to the current version\nof the secret.\n"},"customMetadata":{"$ref":"#/types/vault:kv/SecretV2CustomMetadata:SecretV2CustomMetadata","description":"A nested block that allows configuring metadata for the\nKV secret. Refer to the\nConfiguration Options for more info.\n"},"dataJson":{"type":"string","description":"JSON-encoded string that will be\nwritten as the secret data at the given path. This is required if \u003cspan pulumi-lang-nodejs=\"`dataJsonWo`\" pulumi-lang-dotnet=\"`DataJsonWo`\" pulumi-lang-go=\"`dataJsonWo`\" pulumi-lang-python=\"`data_json_wo`\" pulumi-lang-yaml=\"`dataJsonWo`\" pulumi-lang-java=\"`dataJsonWo`\"\u003e`data_json_wo`\u003c/span\u003e is not set.\n","secret":true},"dataJsonWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nJSON-encoded string that will be\nwritten as the secret data at the given path. This is required if \u003cspan pulumi-lang-nodejs=\"`dataJson`\" pulumi-lang-dotnet=\"`DataJson`\" pulumi-lang-go=\"`dataJson`\" pulumi-lang-python=\"`data_json`\" pulumi-lang-yaml=\"`dataJson`\" pulumi-lang-java=\"`dataJson`\"\u003e`data_json`\u003c/span\u003e is not set. **Note**: This property is write-only and will not be read from the API.\n","secret":true},"dataJsonWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`dataJsonWo`\" pulumi-lang-dotnet=\"`DataJsonWo`\" pulumi-lang-go=\"`dataJsonWo`\" pulumi-lang-python=\"`data_json_wo`\" pulumi-lang-yaml=\"`dataJsonWo`\" pulumi-lang-java=\"`dataJsonWo`\"\u003e`data_json_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"},"deleteAllVersions":{"type":"boolean","description":"If set to true, permanently deletes all\nversions for the specified key.\n"},"disableRead":{"type":"boolean","description":"If set to true, disables reading secret from Vault;\nnote: drift won't be detected.\n"},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret\nthe name is the nested path excluding the mount and data\nprefix. For example, for a secret at `kvv2/data/foo/bar/baz`\nthe name is `foo/bar/baz`.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"An object that holds option settings.\n"}},"requiredInputs":["mount"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretV2 resources.\n","properties":{"cas":{"type":"integer","description":"This flag is required if \u003cspan pulumi-lang-nodejs=\"`casRequired`\" pulumi-lang-dotnet=\"`CasRequired`\" pulumi-lang-go=\"`casRequired`\" pulumi-lang-python=\"`cas_required`\" pulumi-lang-yaml=\"`casRequired`\" pulumi-lang-java=\"`casRequired`\"\u003e`cas_required`\u003c/span\u003e is set to true\non either the secret or the engine's config. In order for a\nwrite operation to be successful, cas must be set to the current version\nof the secret.\n"},"customMetadata":{"$ref":"#/types/vault:kv/SecretV2CustomMetadata:SecretV2CustomMetadata","description":"A nested block that allows configuring metadata for the\nKV secret. Refer to the\nConfiguration Options for more info.\n"},"data":{"type":"object","additionalProperties":{"type":"string"},"description":"**Deprecated. Please use new ephemeral resource \u003cspan pulumi-lang-nodejs=\"`vault.kv.SecretV2`\" pulumi-lang-dotnet=\"`vault.kv.SecretV2`\" pulumi-lang-go=\"`kv.SecretV2`\" pulumi-lang-python=\"`kv.SecretV2`\" pulumi-lang-yaml=\"`vault.kv.SecretV2`\" pulumi-lang-java=\"`vault.kv.SecretV2`\"\u003e`vault.kv.SecretV2`\u003c/span\u003e to read back\nsecret data from Vault**. A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only represent string data,\nso any non-string values returned from Vault are serialized as JSON.\n","deprecationMessage":"Deprecated. Will no longer be set on a read.","secret":true},"dataJson":{"type":"string","description":"JSON-encoded string that will be\nwritten as the secret data at the given path. This is required if \u003cspan pulumi-lang-nodejs=\"`dataJsonWo`\" pulumi-lang-dotnet=\"`DataJsonWo`\" pulumi-lang-go=\"`dataJsonWo`\" pulumi-lang-python=\"`data_json_wo`\" pulumi-lang-yaml=\"`dataJsonWo`\" pulumi-lang-java=\"`dataJsonWo`\"\u003e`data_json_wo`\u003c/span\u003e is not set.\n","secret":true},"dataJsonWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nJSON-encoded string that will be\nwritten as the secret data at the given path. This is required if \u003cspan pulumi-lang-nodejs=\"`dataJson`\" pulumi-lang-dotnet=\"`DataJson`\" pulumi-lang-go=\"`dataJson`\" pulumi-lang-python=\"`data_json`\" pulumi-lang-yaml=\"`dataJson`\" pulumi-lang-java=\"`dataJson`\"\u003e`data_json`\u003c/span\u003e is not set. **Note**: This property is write-only and will not be read from the API.\n","secret":true},"dataJsonWoVersion":{"type":"integer","description":"The version of the \u003cspan pulumi-lang-nodejs=\"`dataJsonWo`\" pulumi-lang-dotnet=\"`DataJsonWo`\" pulumi-lang-go=\"`dataJsonWo`\" pulumi-lang-python=\"`data_json_wo`\" pulumi-lang-yaml=\"`dataJsonWo`\" pulumi-lang-java=\"`dataJsonWo`\"\u003e`data_json_wo`\u003c/span\u003e. For more info see updating write-only attributes.\n"},"deleteAllVersions":{"type":"boolean","description":"If set to true, permanently deletes all\nversions for the specified key.\n"},"disableRead":{"type":"boolean","description":"If set to true, disables reading secret from Vault;\nnote: drift won't be detected.\n"},"metadata":{"type":"object","additionalProperties":{"type":"string"},"description":"Metadata associated with this secret read from Vault.\n"},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"Full name of the secret. For a nested secret\nthe name is the nested path excluding the mount and data\nprefix. For example, for a secret at `kvv2/data/foo/bar/baz`\nthe name is `foo/bar/baz`.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"An object that holds option settings.\n"},"path":{"type":"string","description":"Full path where the KV-V2 secret will be written.\n"}},"type":"object"}},"vault:ldap/authBackend:AuthBackend":{"description":"Provides a resource for managing an [LDAP auth backend within Vault](https://www.vaultproject.io/docs/auth/ldap.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst ldap = new vault.ldap.AuthBackend(\"ldap\", {\n    path: \"ldap\",\n    url: \"ldaps://dc-01.example.org\",\n    userdn: \"OU=Users,OU=Accounts,DC=example,DC=org\",\n    userattr: \"sAMAccountName\",\n    upndomain: \"EXAMPLE.ORG\",\n    discoverdn: false,\n    groupdn: \"OU=Groups,DC=example,DC=org\",\n    groupfilter: \"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\",\n    rotationSchedule: \"0 * * * SAT\",\n    rotationWindow: 3600,\n    requestTimeout: 30,\n    dereferenceAliases: \"always\",\n    enableSamaccountnameLogin: false,\n    anonymousGroupSearch: false,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nldap = vault.ldap.AuthBackend(\"ldap\",\n    path=\"ldap\",\n    url=\"ldaps://dc-01.example.org\",\n    userdn=\"OU=Users,OU=Accounts,DC=example,DC=org\",\n    userattr=\"sAMAccountName\",\n    upndomain=\"EXAMPLE.ORG\",\n    discoverdn=False,\n    groupdn=\"OU=Groups,DC=example,DC=org\",\n    groupfilter=\"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\",\n    rotation_schedule=\"0 * * * SAT\",\n    rotation_window=3600,\n    request_timeout=30,\n    dereference_aliases=\"always\",\n    enable_samaccountname_login=False,\n    anonymous_group_search=False)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var ldap = new Vault.Ldap.AuthBackend(\"ldap\", new()\n    {\n        Path = \"ldap\",\n        Url = \"ldaps://dc-01.example.org\",\n        Userdn = \"OU=Users,OU=Accounts,DC=example,DC=org\",\n        Userattr = \"sAMAccountName\",\n        Upndomain = \"EXAMPLE.ORG\",\n        Discoverdn = false,\n        Groupdn = \"OU=Groups,DC=example,DC=org\",\n        Groupfilter = \"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\",\n        RotationSchedule = \"0 * * * SAT\",\n        RotationWindow = 3600,\n        RequestTimeout = 30,\n        DereferenceAliases = \"always\",\n        EnableSamaccountnameLogin = false,\n        AnonymousGroupSearch = false,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ldap.NewAuthBackend(ctx, \"ldap\", \u0026ldap.AuthBackendArgs{\n\t\t\tPath:                      pulumi.String(\"ldap\"),\n\t\t\tUrl:                       pulumi.String(\"ldaps://dc-01.example.org\"),\n\t\t\tUserdn:                    pulumi.String(\"OU=Users,OU=Accounts,DC=example,DC=org\"),\n\t\t\tUserattr:                  pulumi.String(\"sAMAccountName\"),\n\t\t\tUpndomain:                 pulumi.String(\"EXAMPLE.ORG\"),\n\t\t\tDiscoverdn:                pulumi.Bool(false),\n\t\t\tGroupdn:                   pulumi.String(\"OU=Groups,DC=example,DC=org\"),\n\t\t\tGroupfilter:               pulumi.String(\"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\"),\n\t\t\tRotationSchedule:          pulumi.String(\"0 * * * SAT\"),\n\t\t\tRotationWindow:            pulumi.Int(3600),\n\t\t\tRequestTimeout:            pulumi.Int(30),\n\t\t\tDereferenceAliases:        pulumi.String(\"always\"),\n\t\t\tEnableSamaccountnameLogin: pulumi.Bool(false),\n\t\t\tAnonymousGroupSearch:      pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ldap.AuthBackend;\nimport com.pulumi.vault.ldap.AuthBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var ldap = new AuthBackend(\"ldap\", AuthBackendArgs.builder()\n            .path(\"ldap\")\n            .url(\"ldaps://dc-01.example.org\")\n            .userdn(\"OU=Users,OU=Accounts,DC=example,DC=org\")\n            .userattr(\"sAMAccountName\")\n            .upndomain(\"EXAMPLE.ORG\")\n            .discoverdn(false)\n            .groupdn(\"OU=Groups,DC=example,DC=org\")\n            .groupfilter(\"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\")\n            .rotationSchedule(\"0 * * * SAT\")\n            .rotationWindow(3600)\n            .requestTimeout(30)\n            .dereferenceAliases(\"always\")\n            .enableSamaccountnameLogin(false)\n            .anonymousGroupSearch(false)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  ldap:\n    type: vault:ldap:AuthBackend\n    properties:\n      path: ldap\n      url: ldaps://dc-01.example.org\n      userdn: OU=Users,OU=Accounts,DC=example,DC=org\n      userattr: sAMAccountName\n      upndomain: EXAMPLE.ORG\n      discoverdn: false\n      groupdn: OU=Groups,DC=example,DC=org\n      groupfilter: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\n      rotationSchedule: 0 * * * SAT\n      rotationWindow: 3600\n      requestTimeout: 30\n      dereferenceAliases: always\n      enableSamaccountnameLogin: false\n      anonymousGroupSearch: false\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Ephemeral Attributes Reference\n\nThe following write-only attributes are supported:\n\n* \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e - (Optional) Write-only bind password to use for LDAP authentication. Can be updated. Conflicts with \u003cspan pulumi-lang-nodejs=\"`bindpass`\" pulumi-lang-dotnet=\"`Bindpass`\" pulumi-lang-go=\"`bindpass`\" pulumi-lang-python=\"`bindpass`\" pulumi-lang-yaml=\"`bindpass`\" pulumi-lang-java=\"`bindpass`\"\u003e`bindpass`\u003c/span\u003e.\n  **Note**: This property is write-only and will not be read from the API.\n\n## Import\n\nLDAP authentication backends can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:ldap/authBackend:AuthBackend ldap ldap\n```\n","properties":{"accessor":{"type":"string","description":"The accessor for this auth mount.\n"},"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"anonymousGroupSearch":{"type":"boolean","description":"Allows anonymous group searches."},"binddn":{"type":"string","description":"DN of object to bind when performing user search\n"},"bindpass":{"type":"string","description":"Password to use with \u003cspan pulumi-lang-nodejs=\"`binddn`\" pulumi-lang-dotnet=\"`Binddn`\" pulumi-lang-go=\"`binddn`\" pulumi-lang-python=\"`binddn`\" pulumi-lang-yaml=\"`binddn`\" pulumi-lang-java=\"`binddn`\"\u003e`binddn`\u003c/span\u003e when performing user search. Conflicts with \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e.\n","secret":true},"bindpassWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only bind password to use for LDAP authentication.","secret":true},"bindpassWoVersion":{"type":"integer","description":"Version counter for write-only bind password.\nRequired when using \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e. For more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"},"caseSensitiveNames":{"type":"boolean","description":"Control case senstivity of objects fetched from LDAP, this is used for object matching in vault\n"},"certificate":{"type":"string","description":"Trusted CA to validate TLS certificate\n"},"clientTlsCert":{"type":"string"},"clientTlsKey":{"type":"string","secret":true},"connectionTimeout":{"type":"integer","description":"Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in \u003cspan pulumi-lang-nodejs=\"`url`\" pulumi-lang-dotnet=\"`Url`\" pulumi-lang-go=\"`url`\" pulumi-lang-python=\"`url`\" pulumi-lang-yaml=\"`url`\" pulumi-lang-java=\"`url`\"\u003e`url`\u003c/span\u003e (integer: 30)\n"},"denyNullBind":{"type":"boolean","description":"Prevents users from bypassing authentication when providing an empty password.\n"},"dereferenceAliases":{"type":"string","description":"Specifies how aliases are dereferenced during LDAP searches. Valid values are 'never','searching','finding', and 'always'."},"description":{"type":"string","description":"Description for the LDAP auth backend mount\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"discoverdn":{"type":"boolean","description":"Use anonymous bind to discover the bind DN of a user.\n"},"enableSamaccountnameLogin":{"type":"boolean","description":"Enables login using the sAMAccountName attribute."},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by groupfilter\n"},"groupdn":{"type":"string","description":"Base DN under which to perform group search\n"},"groupfilter":{"type":"string","description":"Go template used to construct group membership query\n"},"insecureTls":{"type":"boolean","description":"Control whether or TLS certificates must be validated\n"},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n"},"maxPageSize":{"type":"integer","description":"Sets the max page size for LDAP lookups, by default it's set to -1.\n*Available only for Vault 1.11.11+, 1.12.7+, and 1.13.3+*.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path to mount the LDAP auth backend under\n"},"requestTimeout":{"type":"integer","description":"The timeout(in sec) for requests to the LDAP server."},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"starttls":{"type":"boolean","description":"Control use of TLS when conecting to LDAP\n"},"tlsMaxVersion":{"type":"string","description":"Maximum acceptable version of TLS\n"},"tlsMinVersion":{"type":"string","description":"Minimum acceptable version of TLS\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"},"tune":{"$ref":"#/types/vault:ldap/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"upndomain":{"type":"string","description":"The `userPrincipalDomain` used to construct the UPN string for the authenticating user.\n"},"url":{"type":"string","description":"The URL of the LDAP server\n"},"useTokenGroups":{"type":"boolean","description":"Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships\n"},"userattr":{"type":"string","description":"Attribute on user object matching username passed in\n"},"userdn":{"type":"string","description":"Base DN under which to perform user search\n"},"userfilter":{"type":"string","description":"LDAP user search filter\n"},"usernameAsAlias":{"type":"boolean","description":"Force the auth method to use the username passed by the user as the alias name.\n"}},"required":["accessor","anonymousGroupSearch","binddn","bindpass","caseSensitiveNames","certificate","clientTlsCert","clientTlsKey","connectionTimeout","denyNullBind","dereferenceAliases","description","discoverdn","enableSamaccountnameLogin","groupattr","groupdn","groupfilter","insecureTls","requestTimeout","starttls","tlsMaxVersion","tlsMinVersion","tune","upndomain","url","useTokenGroups","userattr","userdn","userfilter","usernameAsAlias"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"anonymousGroupSearch":{"type":"boolean","description":"Allows anonymous group searches."},"binddn":{"type":"string","description":"DN of object to bind when performing user search\n"},"bindpass":{"type":"string","description":"Password to use with \u003cspan pulumi-lang-nodejs=\"`binddn`\" pulumi-lang-dotnet=\"`Binddn`\" pulumi-lang-go=\"`binddn`\" pulumi-lang-python=\"`binddn`\" pulumi-lang-yaml=\"`binddn`\" pulumi-lang-java=\"`binddn`\"\u003e`binddn`\u003c/span\u003e when performing user search. Conflicts with \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e.\n","secret":true},"bindpassWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only bind password to use for LDAP authentication.","secret":true},"bindpassWoVersion":{"type":"integer","description":"Version counter for write-only bind password.\nRequired when using \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e. For more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"},"caseSensitiveNames":{"type":"boolean","description":"Control case senstivity of objects fetched from LDAP, this is used for object matching in vault\n"},"certificate":{"type":"string","description":"Trusted CA to validate TLS certificate\n"},"clientTlsCert":{"type":"string"},"clientTlsKey":{"type":"string","secret":true},"connectionTimeout":{"type":"integer","description":"Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in \u003cspan pulumi-lang-nodejs=\"`url`\" pulumi-lang-dotnet=\"`Url`\" pulumi-lang-go=\"`url`\" pulumi-lang-python=\"`url`\" pulumi-lang-yaml=\"`url`\" pulumi-lang-java=\"`url`\"\u003e`url`\u003c/span\u003e (integer: 30)\n"},"denyNullBind":{"type":"boolean","description":"Prevents users from bypassing authentication when providing an empty password.\n"},"dereferenceAliases":{"type":"string","description":"Specifies how aliases are dereferenced during LDAP searches. Valid values are 'never','searching','finding', and 'always'."},"description":{"type":"string","description":"Description for the LDAP auth backend mount\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"discoverdn":{"type":"boolean","description":"Use anonymous bind to discover the bind DN of a user.\n"},"enableSamaccountnameLogin":{"type":"boolean","description":"Enables login using the sAMAccountName attribute."},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by groupfilter\n"},"groupdn":{"type":"string","description":"Base DN under which to perform group search\n"},"groupfilter":{"type":"string","description":"Go template used to construct group membership query\n"},"insecureTls":{"type":"boolean","description":"Control whether or TLS certificates must be validated\n"},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n","willReplaceOnChanges":true},"maxPageSize":{"type":"integer","description":"Sets the max page size for LDAP lookups, by default it's set to -1.\n*Available only for Vault 1.11.11+, 1.12.7+, and 1.13.3+*.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to mount the LDAP auth backend under\n"},"requestTimeout":{"type":"integer","description":"The timeout(in sec) for requests to the LDAP server."},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"starttls":{"type":"boolean","description":"Control use of TLS when conecting to LDAP\n"},"tlsMaxVersion":{"type":"string","description":"Maximum acceptable version of TLS\n"},"tlsMinVersion":{"type":"string","description":"Minimum acceptable version of TLS\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"},"tune":{"$ref":"#/types/vault:ldap/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"upndomain":{"type":"string","description":"The `userPrincipalDomain` used to construct the UPN string for the authenticating user.\n"},"url":{"type":"string","description":"The URL of the LDAP server\n"},"useTokenGroups":{"type":"boolean","description":"Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships\n"},"userattr":{"type":"string","description":"Attribute on user object matching username passed in\n"},"userdn":{"type":"string","description":"Base DN under which to perform user search\n"},"userfilter":{"type":"string","description":"LDAP user search filter\n"},"usernameAsAlias":{"type":"boolean","description":"Force the auth method to use the username passed by the user as the alias name.\n"}},"requiredInputs":["url"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackend resources.\n","properties":{"accessor":{"type":"string","description":"The accessor for this auth mount.\n"},"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"anonymousGroupSearch":{"type":"boolean","description":"Allows anonymous group searches."},"binddn":{"type":"string","description":"DN of object to bind when performing user search\n"},"bindpass":{"type":"string","description":"Password to use with \u003cspan pulumi-lang-nodejs=\"`binddn`\" pulumi-lang-dotnet=\"`Binddn`\" pulumi-lang-go=\"`binddn`\" pulumi-lang-python=\"`binddn`\" pulumi-lang-yaml=\"`binddn`\" pulumi-lang-java=\"`binddn`\"\u003e`binddn`\u003c/span\u003e when performing user search. Conflicts with \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e.\n","secret":true},"bindpassWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only bind password to use for LDAP authentication.","secret":true},"bindpassWoVersion":{"type":"integer","description":"Version counter for write-only bind password.\nRequired when using \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e. For more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"},"caseSensitiveNames":{"type":"boolean","description":"Control case senstivity of objects fetched from LDAP, this is used for object matching in vault\n"},"certificate":{"type":"string","description":"Trusted CA to validate TLS certificate\n"},"clientTlsCert":{"type":"string"},"clientTlsKey":{"type":"string","secret":true},"connectionTimeout":{"type":"integer","description":"Timeout in seconds when connecting to LDAP before attempting to connect to the next server in the URL provided in \u003cspan pulumi-lang-nodejs=\"`url`\" pulumi-lang-dotnet=\"`Url`\" pulumi-lang-go=\"`url`\" pulumi-lang-python=\"`url`\" pulumi-lang-yaml=\"`url`\" pulumi-lang-java=\"`url`\"\u003e`url`\u003c/span\u003e (integer: 30)\n"},"denyNullBind":{"type":"boolean","description":"Prevents users from bypassing authentication when providing an empty password.\n"},"dereferenceAliases":{"type":"string","description":"Specifies how aliases are dereferenced during LDAP searches. Valid values are 'never','searching','finding', and 'always'."},"description":{"type":"string","description":"Description for the LDAP auth backend mount\n"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"discoverdn":{"type":"boolean","description":"Use anonymous bind to discover the bind DN of a user.\n"},"enableSamaccountnameLogin":{"type":"boolean","description":"Enables login using the sAMAccountName attribute."},"groupattr":{"type":"string","description":"LDAP attribute to follow on objects returned by groupfilter\n"},"groupdn":{"type":"string","description":"Base DN under which to perform group search\n"},"groupfilter":{"type":"string","description":"Go template used to construct group membership query\n"},"insecureTls":{"type":"boolean","description":"Control whether or TLS certificates must be validated\n"},"local":{"type":"boolean","description":"Specifies if the auth method is local only.\n","willReplaceOnChanges":true},"maxPageSize":{"type":"integer","description":"Sets the max page size for LDAP lookups, by default it's set to -1.\n*Available only for Vault 1.11.11+, 1.12.7+, and 1.13.3+*.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to mount the LDAP auth backend under\n"},"requestTimeout":{"type":"integer","description":"The timeout(in sec) for requests to the LDAP server."},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"starttls":{"type":"boolean","description":"Control use of TLS when conecting to LDAP\n"},"tlsMaxVersion":{"type":"string","description":"Maximum acceptable version of TLS\n"},"tlsMinVersion":{"type":"string","description":"Minimum acceptable version of TLS\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"Specifies the type of tokens that should be returned by\nthe mount. Valid values are \"default-service\", \"default-batch\", \"service\", \"batch\".\n"},"tune":{"$ref":"#/types/vault:ldap/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"upndomain":{"type":"string","description":"The `userPrincipalDomain` used to construct the UPN string for the authenticating user.\n"},"url":{"type":"string","description":"The URL of the LDAP server\n"},"useTokenGroups":{"type":"boolean","description":"Use the Active Directory tokenGroups constructed attribute of the user to find the group memberships\n"},"userattr":{"type":"string","description":"Attribute on user object matching username passed in\n"},"userdn":{"type":"string","description":"Base DN under which to perform user search\n"},"userfilter":{"type":"string","description":"LDAP user search filter\n"},"usernameAsAlias":{"type":"boolean","description":"Force the auth method to use the username passed by the user as the alias name.\n"}},"type":"object"}},"vault:ldap/authBackendGroup:AuthBackendGroup":{"description":"Provides a resource to create a group in an [LDAP auth backend within Vault](https://www.vaultproject.io/docs/auth/ldap.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst ldap = new vault.ldap.AuthBackend(\"ldap\", {\n    path: \"ldap\",\n    url: \"ldaps://dc-01.example.org\",\n    userdn: \"OU=Users,OU=Accounts,DC=example,DC=org\",\n    userattr: \"sAMAccountName\",\n    upndomain: \"EXAMPLE.ORG\",\n    discoverdn: false,\n    groupdn: \"OU=Groups,DC=example,DC=org\",\n    groupfilter: \"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\",\n});\nconst group = new vault.ldap.AuthBackendGroup(\"group\", {\n    groupname: \"dba\",\n    policies: [\"dba\"],\n    backend: ldap.path,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nldap = vault.ldap.AuthBackend(\"ldap\",\n    path=\"ldap\",\n    url=\"ldaps://dc-01.example.org\",\n    userdn=\"OU=Users,OU=Accounts,DC=example,DC=org\",\n    userattr=\"sAMAccountName\",\n    upndomain=\"EXAMPLE.ORG\",\n    discoverdn=False,\n    groupdn=\"OU=Groups,DC=example,DC=org\",\n    groupfilter=\"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\")\ngroup = vault.ldap.AuthBackendGroup(\"group\",\n    groupname=\"dba\",\n    policies=[\"dba\"],\n    backend=ldap.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var ldap = new Vault.Ldap.AuthBackend(\"ldap\", new()\n    {\n        Path = \"ldap\",\n        Url = \"ldaps://dc-01.example.org\",\n        Userdn = \"OU=Users,OU=Accounts,DC=example,DC=org\",\n        Userattr = \"sAMAccountName\",\n        Upndomain = \"EXAMPLE.ORG\",\n        Discoverdn = false,\n        Groupdn = \"OU=Groups,DC=example,DC=org\",\n        Groupfilter = \"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\",\n    });\n\n    var @group = new Vault.Ldap.AuthBackendGroup(\"group\", new()\n    {\n        Groupname = \"dba\",\n        Policies = new[]\n        {\n            \"dba\",\n        },\n        Backend = ldap.Path,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tldap, err := ldap.NewAuthBackend(ctx, \"ldap\", \u0026ldap.AuthBackendArgs{\n\t\t\tPath:        pulumi.String(\"ldap\"),\n\t\t\tUrl:         pulumi.String(\"ldaps://dc-01.example.org\"),\n\t\t\tUserdn:      pulumi.String(\"OU=Users,OU=Accounts,DC=example,DC=org\"),\n\t\t\tUserattr:    pulumi.String(\"sAMAccountName\"),\n\t\t\tUpndomain:   pulumi.String(\"EXAMPLE.ORG\"),\n\t\t\tDiscoverdn:  pulumi.Bool(false),\n\t\t\tGroupdn:     pulumi.String(\"OU=Groups,DC=example,DC=org\"),\n\t\t\tGroupfilter: pulumi.String(\"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewAuthBackendGroup(ctx, \"group\", \u0026ldap.AuthBackendGroupArgs{\n\t\t\tGroupname: pulumi.String(\"dba\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"dba\"),\n\t\t\t},\n\t\t\tBackend: ldap.Path,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ldap.AuthBackend;\nimport com.pulumi.vault.ldap.AuthBackendArgs;\nimport com.pulumi.vault.ldap.AuthBackendGroup;\nimport com.pulumi.vault.ldap.AuthBackendGroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var ldap = new AuthBackend(\"ldap\", AuthBackendArgs.builder()\n            .path(\"ldap\")\n            .url(\"ldaps://dc-01.example.org\")\n            .userdn(\"OU=Users,OU=Accounts,DC=example,DC=org\")\n            .userattr(\"sAMAccountName\")\n            .upndomain(\"EXAMPLE.ORG\")\n            .discoverdn(false)\n            .groupdn(\"OU=Groups,DC=example,DC=org\")\n            .groupfilter(\"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\")\n            .build());\n\n        var group = new AuthBackendGroup(\"group\", AuthBackendGroupArgs.builder()\n            .groupname(\"dba\")\n            .policies(\"dba\")\n            .backend(ldap.path())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  ldap:\n    type: vault:ldap:AuthBackend\n    properties:\n      path: ldap\n      url: ldaps://dc-01.example.org\n      userdn: OU=Users,OU=Accounts,DC=example,DC=org\n      userattr: sAMAccountName\n      upndomain: EXAMPLE.ORG\n      discoverdn: false\n      groupdn: OU=Groups,DC=example,DC=org\n      groupfilter: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\n  group:\n    type: vault:ldap:AuthBackendGroup\n    properties:\n      groupname: dba\n      policies:\n        - dba\n      backend: ${ldap.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP authentication backend groups can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:ldap/authBackendGroup:AuthBackendGroup foo auth/ldap/groups/foo\n```\n","properties":{"backend":{"type":"string","description":"Path to the authentication backend\n\nFor more details on the usage of each argument consult the [Vault LDAP API documentation](https://www.vaultproject.io/api-docs/auth/ldap).\n"},"groupname":{"type":"string","description":"The LDAP groupname\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"Policies which should be granted to members of the group\n"}},"required":["groupname","policies"],"inputProperties":{"backend":{"type":"string","description":"Path to the authentication backend\n\nFor more details on the usage of each argument consult the [Vault LDAP API documentation](https://www.vaultproject.io/api-docs/auth/ldap).\n","willReplaceOnChanges":true},"groupname":{"type":"string","description":"The LDAP groupname\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"Policies which should be granted to members of the group\n"}},"requiredInputs":["groupname"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendGroup resources.\n","properties":{"backend":{"type":"string","description":"Path to the authentication backend\n\nFor more details on the usage of each argument consult the [Vault LDAP API documentation](https://www.vaultproject.io/api-docs/auth/ldap).\n","willReplaceOnChanges":true},"groupname":{"type":"string","description":"The LDAP groupname\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"Policies which should be granted to members of the group\n"}},"type":"object"}},"vault:ldap/authBackendUser:AuthBackendUser":{"description":"Provides a resource to create a user in an [LDAP auth backend within Vault](https://www.vaultproject.io/docs/auth/ldap.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst ldap = new vault.ldap.AuthBackend(\"ldap\", {\n    path: \"ldap\",\n    url: \"ldaps://dc-01.example.org\",\n    userdn: \"OU=Users,OU=Accounts,DC=example,DC=org\",\n    userattr: \"sAMAccountName\",\n    upndomain: \"EXAMPLE.ORG\",\n    discoverdn: false,\n    groupdn: \"OU=Groups,DC=example,DC=org\",\n    groupfilter: \"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\",\n});\nconst user = new vault.ldap.AuthBackendUser(\"user\", {\n    username: \"test-user\",\n    policies: [\n        \"dba\",\n        \"sysops\",\n    ],\n    backend: ldap.path,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nldap = vault.ldap.AuthBackend(\"ldap\",\n    path=\"ldap\",\n    url=\"ldaps://dc-01.example.org\",\n    userdn=\"OU=Users,OU=Accounts,DC=example,DC=org\",\n    userattr=\"sAMAccountName\",\n    upndomain=\"EXAMPLE.ORG\",\n    discoverdn=False,\n    groupdn=\"OU=Groups,DC=example,DC=org\",\n    groupfilter=\"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\")\nuser = vault.ldap.AuthBackendUser(\"user\",\n    username=\"test-user\",\n    policies=[\n        \"dba\",\n        \"sysops\",\n    ],\n    backend=ldap.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var ldap = new Vault.Ldap.AuthBackend(\"ldap\", new()\n    {\n        Path = \"ldap\",\n        Url = \"ldaps://dc-01.example.org\",\n        Userdn = \"OU=Users,OU=Accounts,DC=example,DC=org\",\n        Userattr = \"sAMAccountName\",\n        Upndomain = \"EXAMPLE.ORG\",\n        Discoverdn = false,\n        Groupdn = \"OU=Groups,DC=example,DC=org\",\n        Groupfilter = \"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\",\n    });\n\n    var user = new Vault.Ldap.AuthBackendUser(\"user\", new()\n    {\n        Username = \"test-user\",\n        Policies = new[]\n        {\n            \"dba\",\n            \"sysops\",\n        },\n        Backend = ldap.Path,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tldap, err := ldap.NewAuthBackend(ctx, \"ldap\", \u0026ldap.AuthBackendArgs{\n\t\t\tPath:        pulumi.String(\"ldap\"),\n\t\t\tUrl:         pulumi.String(\"ldaps://dc-01.example.org\"),\n\t\t\tUserdn:      pulumi.String(\"OU=Users,OU=Accounts,DC=example,DC=org\"),\n\t\t\tUserattr:    pulumi.String(\"sAMAccountName\"),\n\t\t\tUpndomain:   pulumi.String(\"EXAMPLE.ORG\"),\n\t\t\tDiscoverdn:  pulumi.Bool(false),\n\t\t\tGroupdn:     pulumi.String(\"OU=Groups,DC=example,DC=org\"),\n\t\t\tGroupfilter: pulumi.String(\"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewAuthBackendUser(ctx, \"user\", \u0026ldap.AuthBackendUserArgs{\n\t\t\tUsername: pulumi.String(\"test-user\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"dba\"),\n\t\t\t\tpulumi.String(\"sysops\"),\n\t\t\t},\n\t\t\tBackend: ldap.Path,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ldap.AuthBackend;\nimport com.pulumi.vault.ldap.AuthBackendArgs;\nimport com.pulumi.vault.ldap.AuthBackendUser;\nimport com.pulumi.vault.ldap.AuthBackendUserArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var ldap = new AuthBackend(\"ldap\", AuthBackendArgs.builder()\n            .path(\"ldap\")\n            .url(\"ldaps://dc-01.example.org\")\n            .userdn(\"OU=Users,OU=Accounts,DC=example,DC=org\")\n            .userattr(\"sAMAccountName\")\n            .upndomain(\"EXAMPLE.ORG\")\n            .discoverdn(false)\n            .groupdn(\"OU=Groups,DC=example,DC=org\")\n            .groupfilter(\"(\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\")\n            .build());\n\n        var user = new AuthBackendUser(\"user\", AuthBackendUserArgs.builder()\n            .username(\"test-user\")\n            .policies(            \n                \"dba\",\n                \"sysops\")\n            .backend(ldap.path())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  ldap:\n    type: vault:ldap:AuthBackend\n    properties:\n      path: ldap\n      url: ldaps://dc-01.example.org\n      userdn: OU=Users,OU=Accounts,DC=example,DC=org\n      userattr: sAMAccountName\n      upndomain: EXAMPLE.ORG\n      discoverdn: false\n      groupdn: OU=Groups,DC=example,DC=org\n      groupfilter: (\u0026(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))\n  user:\n    type: vault:ldap:AuthBackendUser\n    properties:\n      username: test-user\n      policies:\n        - dba\n        - sysops\n      backend: ${ldap.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP authentication backend users can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:ldap/authBackendUser:AuthBackendUser foo auth/ldap/users/foo\n```\n","properties":{"backend":{"type":"string","description":"Path to the authentication backend\n\nFor more details on the usage of each argument consult the [Vault LDAP API documentation](https://www.vaultproject.io/api-docs/auth/ldap).\n"},"groups":{"type":"array","items":{"type":"string"},"description":"Override LDAP groups which should be granted to user\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"policies":{"type":"array","items":{"type":"string"},"description":"Policies which should be granted to user\n"},"username":{"type":"string","description":"The LDAP username\n"}},"required":["groups","policies","username"],"inputProperties":{"backend":{"type":"string","description":"Path to the authentication backend\n\nFor more details on the usage of each argument consult the [Vault LDAP API documentation](https://www.vaultproject.io/api-docs/auth/ldap).\n","willReplaceOnChanges":true},"groups":{"type":"array","items":{"type":"string"},"description":"Override LDAP groups which should be granted to user\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"Policies which should be granted to user\n"},"username":{"type":"string","description":"The LDAP username\n"}},"requiredInputs":["username"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendUser resources.\n","properties":{"backend":{"type":"string","description":"Path to the authentication backend\n\nFor more details on the usage of each argument consult the [Vault LDAP API documentation](https://www.vaultproject.io/api-docs/auth/ldap).\n","willReplaceOnChanges":true},"groups":{"type":"array","items":{"type":"string"},"description":"Override LDAP groups which should be granted to user\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"Policies which should be granted to user\n"},"username":{"type":"string","description":"The LDAP username\n"}},"type":"object"}},"vault:ldap/secretBackend:SecretBackend":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.ldap.SecretBackend(\"config\", {\n    path: \"my-custom-ldap\",\n    binddn: \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass: \"SuperSecretPassw0rd\",\n    url: \"ldaps://localhost\",\n    insecureTls: true,\n    userdn: \"CN=Users,DC=corp,DC=example,DC=net\",\n    rotationSchedule: \"0 * * * SAT\",\n    rotationWindow: 3600,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.ldap.SecretBackend(\"config\",\n    path=\"my-custom-ldap\",\n    binddn=\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass=\"SuperSecretPassw0rd\",\n    url=\"ldaps://localhost\",\n    insecure_tls=True,\n    userdn=\"CN=Users,DC=corp,DC=example,DC=net\",\n    rotation_schedule=\"0 * * * SAT\",\n    rotation_window=3600)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.Ldap.SecretBackend(\"config\", new()\n    {\n        Path = \"my-custom-ldap\",\n        Binddn = \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n        Bindpass = \"SuperSecretPassw0rd\",\n        Url = \"ldaps://localhost\",\n        InsecureTls = true,\n        Userdn = \"CN=Users,DC=corp,DC=example,DC=net\",\n        RotationSchedule = \"0 * * * SAT\",\n        RotationWindow = 3600,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ldap.NewSecretBackend(ctx, \"config\", \u0026ldap.SecretBackendArgs{\n\t\t\tPath:             pulumi.String(\"my-custom-ldap\"),\n\t\t\tBinddn:           pulumi.String(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t\tBindpass:         pulumi.String(\"SuperSecretPassw0rd\"),\n\t\t\tUrl:              pulumi.String(\"ldaps://localhost\"),\n\t\t\tInsecureTls:      pulumi.Bool(true),\n\t\t\tUserdn:           pulumi.String(\"CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t\tRotationSchedule: pulumi.String(\"0 * * * SAT\"),\n\t\t\tRotationWindow:   pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ldap.SecretBackend;\nimport com.pulumi.vault.ldap.SecretBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .path(\"my-custom-ldap\")\n            .binddn(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\")\n            .bindpass(\"SuperSecretPassw0rd\")\n            .url(\"ldaps://localhost\")\n            .insecureTls(true)\n            .userdn(\"CN=Users,DC=corp,DC=example,DC=net\")\n            .rotationSchedule(\"0 * * * SAT\")\n            .rotationWindow(3600)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:ldap:SecretBackend\n    properties:\n      path: my-custom-ldap\n      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\n      bindpass: SuperSecretPassw0rd\n      url: ldaps://localhost\n      insecureTls: 'true'\n      userdn: CN=Users,DC=corp,DC=example,DC=net\n      rotationSchedule: 0 * * * SAT\n      rotationWindow: 3600\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Ephemeral Attributes Reference\n\nThe following write-only attributes are supported:\n\n* \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e - (Optional) Write-only password to use along with binddn when performing user search. Can be updated. Conflicts with \u003cspan pulumi-lang-nodejs=\"`bindpass`\" pulumi-lang-dotnet=\"`Bindpass`\" pulumi-lang-go=\"`bindpass`\" pulumi-lang-python=\"`bindpass`\" pulumi-lang-yaml=\"`bindpass`\" pulumi-lang-java=\"`bindpass`\"\u003e`bindpass`\u003c/span\u003e.\n  Exactly one of \u003cspan pulumi-lang-nodejs=\"`bindpass`\" pulumi-lang-dotnet=\"`Bindpass`\" pulumi-lang-go=\"`bindpass`\" pulumi-lang-python=\"`bindpass`\" pulumi-lang-yaml=\"`bindpass`\" pulumi-lang-java=\"`bindpass`\"\u003e`bindpass`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e must be provided.\n  **Note**: This property is write-only and will not be read from the API.\n\n## Import\n\nLDAP secret backend can be imported using the `${mount}/config`, e.g.\n\n```sh\n$ pulumi import vault:ldap/secretBackend:SecretBackend config ldap/config\n```\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.\n"},"bindpass":{"type":"string","description":"Password to use along with binddn when performing user search. Conflicts with \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e.\nExactly one of \u003cspan pulumi-lang-nodejs=\"`bindpass`\" pulumi-lang-dotnet=\"`Bindpass`\" pulumi-lang-go=\"`bindpass`\" pulumi-lang-python=\"`bindpass`\" pulumi-lang-yaml=\"`bindpass`\" pulumi-lang-java=\"`bindpass`\"\u003e`bindpass`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e must be provided.\n","secret":true},"bindpassWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only LDAP password for searching for the user DN.","secret":true},"bindpassWoVersion":{"type":"integer","description":"Version counter for write-only bind password.\nRequired when using \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e. For more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be\nx509 PEM encoded.\n"},"clientTlsCert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"clientTlsKey":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"connectionTimeout":{"type":"integer","description":"Timeout, in seconds, when attempting to connect to the LDAP server before trying\nthe next URL in the configuration.\n"},"credentialType":{"type":"string","description":"The type of credential to generate. Valid values include \u003cspan pulumi-lang-nodejs=\"`password`\" pulumi-lang-dotnet=\"`Password`\" pulumi-lang-go=\"`password`\" pulumi-lang-python=\"`password`\" pulumi-lang-yaml=\"`password`\" pulumi-lang-java=\"`password`\"\u003e`password`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`phrase`\" pulumi-lang-dotnet=\"`Phrase`\" pulumi-lang-go=\"`phrase`\" pulumi-lang-python=\"`phrase`\" pulumi-lang-yaml=\"`phrase`\" pulumi-lang-java=\"`phrase`\"\u003e`phrase`\u003c/span\u003e. Default is \u003cspan pulumi-lang-nodejs=\"`password`\" pulumi-lang-dotnet=\"`Password`\" pulumi-lang-go=\"`password`\" pulumi-lang-python=\"`password`\" pulumi-lang-yaml=\"`password`\" pulumi-lang-java=\"`password`\"\u003e`password`\u003c/span\u003e.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates."},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"insecureTls":{"type":"boolean","description":"Skip LDAP server SSL Certificate verification. This is not recommended for production.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"passwordPolicy":{"type":"string","description":"Name of the password policy to use to generate passwords.\n"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ldap`\" pulumi-lang-dotnet=\"`Ldap`\" pulumi-lang-go=\"`ldap`\" pulumi-lang-python=\"`ldap`\" pulumi-lang-yaml=\"`ldap`\" pulumi-lang-java=\"`ldap`\"\u003e`ldap`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"requestTimeout":{"type":"integer","description":"Timeout, in seconds, for the connection when making requests against the server\nbefore returning back an error.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"schema":{"type":"string","description":"The LDAP schema to use when storing entry passwords. Valid schemas include \u003cspan pulumi-lang-nodejs=\"`openldap`\" pulumi-lang-dotnet=\"`Openldap`\" pulumi-lang-go=\"`openldap`\" pulumi-lang-python=\"`openldap`\" pulumi-lang-yaml=\"`openldap`\" pulumi-lang-java=\"`openldap`\"\u003e`openldap`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ad`\" pulumi-lang-dotnet=\"`Ad`\" pulumi-lang-go=\"`ad`\" pulumi-lang-python=\"`ad`\" pulumi-lang-yaml=\"`ad`\" pulumi-lang-java=\"`ad`\"\u003e`ad`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`racf`\" pulumi-lang-dotnet=\"`Racf`\" pulumi-lang-go=\"`racf`\" pulumi-lang-python=\"`racf`\" pulumi-lang-yaml=\"`racf`\" pulumi-lang-java=\"`racf`\"\u003e`racf`\u003c/span\u003e. Default is \u003cspan pulumi-lang-nodejs=\"`openldap`\" pulumi-lang-dotnet=\"`Openldap`\" pulumi-lang-go=\"`openldap`\" pulumi-lang-python=\"`openldap`\" pulumi-lang-yaml=\"`openldap`\" pulumi-lang-java=\"`openldap`\"\u003e`openldap`\u003c/span\u003e.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"skipStaticRoleImportRotation":{"type":"boolean","description":"If set to true, static roles will not be rotated during import.\nDefaults to false. Requires Vault 1.16 or above.\n"},"starttls":{"type":"boolean","description":"Issue a StartTLS command after establishing unencrypted connection.\n"},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.\n"},"url":{"type":"string","description":"LDAP URL to connect to. Multiple URLs can be specified by concatenating\nthem with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.\n"},"userattr":{"type":"string","description":"Attribute used when searching users. Defaults to \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e.\n"},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.\n"}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","binddn","credentialType","defaultLeaseTtlSeconds","forceNoCache","maxLeaseTtlSeconds","requestTimeout","schema","sealWrap","starttls","upndomain","url","userattr"],"inputProperties":{"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.\n"},"bindpass":{"type":"string","description":"Password to use along with binddn when performing user search. Conflicts with \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e.\nExactly one of \u003cspan pulumi-lang-nodejs=\"`bindpass`\" pulumi-lang-dotnet=\"`Bindpass`\" pulumi-lang-go=\"`bindpass`\" pulumi-lang-python=\"`bindpass`\" pulumi-lang-yaml=\"`bindpass`\" pulumi-lang-java=\"`bindpass`\"\u003e`bindpass`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e must be provided.\n","secret":true},"bindpassWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only LDAP password for searching for the user DN.","secret":true},"bindpassWoVersion":{"type":"integer","description":"Version counter for write-only bind password.\nRequired when using \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e. For more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be\nx509 PEM encoded.\n"},"clientTlsCert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"clientTlsKey":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"connectionTimeout":{"type":"integer","description":"Timeout, in seconds, when attempting to connect to the LDAP server before trying\nthe next URL in the configuration.\n"},"credentialType":{"type":"string","description":"The type of credential to generate. Valid values include \u003cspan pulumi-lang-nodejs=\"`password`\" pulumi-lang-dotnet=\"`Password`\" pulumi-lang-go=\"`password`\" pulumi-lang-python=\"`password`\" pulumi-lang-yaml=\"`password`\" pulumi-lang-java=\"`password`\"\u003e`password`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`phrase`\" pulumi-lang-dotnet=\"`Phrase`\" pulumi-lang-go=\"`phrase`\" pulumi-lang-python=\"`phrase`\" pulumi-lang-yaml=\"`phrase`\" pulumi-lang-java=\"`phrase`\"\u003e`phrase`\u003c/span\u003e. Default is \u003cspan pulumi-lang-nodejs=\"`password`\" pulumi-lang-dotnet=\"`Password`\" pulumi-lang-go=\"`password`\" pulumi-lang-python=\"`password`\" pulumi-lang-yaml=\"`password`\" pulumi-lang-java=\"`password`\"\u003e`password`\u003c/span\u003e.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates."},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"insecureTls":{"type":"boolean","description":"Skip LDAP server SSL Certificate verification. This is not recommended for production.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"passwordPolicy":{"type":"string","description":"Name of the password policy to use to generate passwords.\n"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ldap`\" pulumi-lang-dotnet=\"`Ldap`\" pulumi-lang-go=\"`ldap`\" pulumi-lang-python=\"`ldap`\" pulumi-lang-yaml=\"`ldap`\" pulumi-lang-java=\"`ldap`\"\u003e`ldap`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"requestTimeout":{"type":"integer","description":"Timeout, in seconds, for the connection when making requests against the server\nbefore returning back an error.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"schema":{"type":"string","description":"The LDAP schema to use when storing entry passwords. Valid schemas include \u003cspan pulumi-lang-nodejs=\"`openldap`\" pulumi-lang-dotnet=\"`Openldap`\" pulumi-lang-go=\"`openldap`\" pulumi-lang-python=\"`openldap`\" pulumi-lang-yaml=\"`openldap`\" pulumi-lang-java=\"`openldap`\"\u003e`openldap`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ad`\" pulumi-lang-dotnet=\"`Ad`\" pulumi-lang-go=\"`ad`\" pulumi-lang-python=\"`ad`\" pulumi-lang-yaml=\"`ad`\" pulumi-lang-java=\"`ad`\"\u003e`ad`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`racf`\" pulumi-lang-dotnet=\"`Racf`\" pulumi-lang-go=\"`racf`\" pulumi-lang-python=\"`racf`\" pulumi-lang-yaml=\"`racf`\" pulumi-lang-java=\"`racf`\"\u003e`racf`\u003c/span\u003e. Default is \u003cspan pulumi-lang-nodejs=\"`openldap`\" pulumi-lang-dotnet=\"`Openldap`\" pulumi-lang-go=\"`openldap`\" pulumi-lang-python=\"`openldap`\" pulumi-lang-yaml=\"`openldap`\" pulumi-lang-java=\"`openldap`\"\u003e`openldap`\u003c/span\u003e.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"skipStaticRoleImportRotation":{"type":"boolean","description":"If set to true, static roles will not be rotated during import.\nDefaults to false. Requires Vault 1.16 or above.\n"},"starttls":{"type":"boolean","description":"Issue a StartTLS command after establishing unencrypted connection.\n"},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.\n"},"url":{"type":"string","description":"LDAP URL to connect to. Multiple URLs can be specified by concatenating\nthem with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.\n"},"userattr":{"type":"string","description":"Attribute used when searching users. Defaults to \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e.\n"},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.\n"}},"requiredInputs":["binddn"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"binddn":{"type":"string","description":"Distinguished name of object to bind when performing user and group search.\n"},"bindpass":{"type":"string","description":"Password to use along with binddn when performing user search. Conflicts with \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e.\nExactly one of \u003cspan pulumi-lang-nodejs=\"`bindpass`\" pulumi-lang-dotnet=\"`Bindpass`\" pulumi-lang-go=\"`bindpass`\" pulumi-lang-python=\"`bindpass`\" pulumi-lang-yaml=\"`bindpass`\" pulumi-lang-java=\"`bindpass`\"\u003e`bindpass`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e must be provided.\n","secret":true},"bindpassWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nWrite-only LDAP password for searching for the user DN.","secret":true},"bindpassWoVersion":{"type":"integer","description":"Version counter for write-only bind password.\nRequired when using \u003cspan pulumi-lang-nodejs=\"`bindpassWo`\" pulumi-lang-dotnet=\"`BindpassWo`\" pulumi-lang-go=\"`bindpassWo`\" pulumi-lang-python=\"`bindpass_wo`\" pulumi-lang-yaml=\"`bindpassWo`\" pulumi-lang-java=\"`bindpassWo`\"\u003e`bindpass_wo`\u003c/span\u003e. For more information about write-only attributes, see\n[using write-only attributes](https://www.terraform.io/docs/providers/vault/guides/using_write_only_attributes).\n"},"certificate":{"type":"string","description":"CA certificate to use when verifying LDAP server certificate, must be\nx509 PEM encoded.\n"},"clientTlsCert":{"type":"string","description":"Client certificate to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"clientTlsKey":{"type":"string","description":"Client certificate key to provide to the LDAP server, must be x509 PEM encoded.\n","secret":true},"connectionTimeout":{"type":"integer","description":"Timeout, in seconds, when attempting to connect to the LDAP server before trying\nthe next URL in the configuration.\n"},"credentialType":{"type":"string","description":"The type of credential to generate. Valid values include \u003cspan pulumi-lang-nodejs=\"`password`\" pulumi-lang-dotnet=\"`Password`\" pulumi-lang-go=\"`password`\" pulumi-lang-python=\"`password`\" pulumi-lang-yaml=\"`password`\" pulumi-lang-java=\"`password`\"\u003e`password`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`phrase`\" pulumi-lang-dotnet=\"`Phrase`\" pulumi-lang-go=\"`phrase`\" pulumi-lang-python=\"`phrase`\" pulumi-lang-yaml=\"`phrase`\" pulumi-lang-java=\"`phrase`\"\u003e`phrase`\u003c/span\u003e. Default is \u003cspan pulumi-lang-nodejs=\"`password`\" pulumi-lang-dotnet=\"`Password`\" pulumi-lang-go=\"`password`\" pulumi-lang-python=\"`password`\" pulumi-lang-yaml=\"`password`\" pulumi-lang-java=\"`password`\"\u003e`password`\u003c/span\u003e.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for tokens and secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount"},"disableAutomatedRotation":{"type":"boolean","description":"Cancels all upcoming rotations of the root credential until unset. Requires Vault Enterprise 1.19+.\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates."},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"insecureTls":{"type":"boolean","description":"Skip LDAP server SSL Certificate verification. This is not recommended for production.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for tokens and secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"passwordPolicy":{"type":"string","description":"Name of the password policy to use to generate passwords.\n"},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ldap`\" pulumi-lang-dotnet=\"`Ldap`\" pulumi-lang-go=\"`ldap`\" pulumi-lang-python=\"`ldap`\" pulumi-lang-yaml=\"`ldap`\" pulumi-lang-java=\"`ldap`\"\u003e`ldap`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"requestTimeout":{"type":"integer","description":"Timeout, in seconds, for the connection when making requests against the server\nbefore returning back an error.\n"},"rotationPeriod":{"type":"integer","description":"The amount of time in seconds Vault should wait before rotating the root credential.\nA zero value tells Vault not to rotate the root credential. The minimum rotation period is 10 seconds. Requires Vault Enterprise 1.19+.\n"},"rotationSchedule":{"type":"string","description":"The schedule, in [cron-style time format](https://en.wikipedia.org/wiki/Cron),\ndefining the schedule on which Vault should rotate the root token. Requires Vault Enterprise 1.19+.\n"},"rotationWindow":{"type":"integer","description":"The maximum amount of time in seconds allowed to complete\na rotation when a scheduled token rotation occurs. The default rotation window is\nunbound and the minimum allowable window is \u003cspan pulumi-lang-nodejs=\"`3600`\" pulumi-lang-dotnet=\"`3600`\" pulumi-lang-go=\"`3600`\" pulumi-lang-python=\"`3600`\" pulumi-lang-yaml=\"`3600`\" pulumi-lang-java=\"`3600`\"\u003e`3600`\u003c/span\u003e. Requires Vault Enterprise 1.19+.\n"},"schema":{"type":"string","description":"The LDAP schema to use when storing entry passwords. Valid schemas include \u003cspan pulumi-lang-nodejs=\"`openldap`\" pulumi-lang-dotnet=\"`Openldap`\" pulumi-lang-go=\"`openldap`\" pulumi-lang-python=\"`openldap`\" pulumi-lang-yaml=\"`openldap`\" pulumi-lang-java=\"`openldap`\"\u003e`openldap`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ad`\" pulumi-lang-dotnet=\"`Ad`\" pulumi-lang-go=\"`ad`\" pulumi-lang-python=\"`ad`\" pulumi-lang-yaml=\"`ad`\" pulumi-lang-java=\"`ad`\"\u003e`ad`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`racf`\" pulumi-lang-dotnet=\"`Racf`\" pulumi-lang-go=\"`racf`\" pulumi-lang-python=\"`racf`\" pulumi-lang-yaml=\"`racf`\" pulumi-lang-java=\"`racf`\"\u003e`racf`\u003c/span\u003e. Default is \u003cspan pulumi-lang-nodejs=\"`openldap`\" pulumi-lang-dotnet=\"`Openldap`\" pulumi-lang-go=\"`openldap`\" pulumi-lang-python=\"`openldap`\" pulumi-lang-yaml=\"`openldap`\" pulumi-lang-java=\"`openldap`\"\u003e`openldap`\u003c/span\u003e.\n"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"skipStaticRoleImportRotation":{"type":"boolean","description":"If set to true, static roles will not be rotated during import.\nDefaults to false. Requires Vault 1.16 or above.\n"},"starttls":{"type":"boolean","description":"Issue a StartTLS command after establishing unencrypted connection.\n"},"upndomain":{"type":"string","description":"Enables userPrincipalDomain login with [username]@UPNDomain.\n"},"url":{"type":"string","description":"LDAP URL to connect to. Multiple URLs can be specified by concatenating\nthem with commas; they will be tried in-order. Defaults to `ldap://127.0.0.1`.\n"},"userattr":{"type":"string","description":"Attribute used when searching users. Defaults to \u003cspan pulumi-lang-nodejs=\"`cn`\" pulumi-lang-dotnet=\"`Cn`\" pulumi-lang-go=\"`cn`\" pulumi-lang-python=\"`cn`\" pulumi-lang-yaml=\"`cn`\" pulumi-lang-java=\"`cn`\"\u003e`cn`\u003c/span\u003e.\n"},"userdn":{"type":"string","description":"LDAP domain to use for users (eg: ou=People,dc=example,dc=org)`.\n"}},"type":"object"}},"vault:ldap/secretBackendDynamicRole:SecretBackendDynamicRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.ldap.SecretBackend(\"config\", {\n    path: \"my-custom-ldap\",\n    binddn: \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass: \"SuperSecretPassw0rd\",\n    url: \"ldaps://localhost\",\n    userdn: \"CN=Users,DC=corp,DC=example,DC=net\",\n});\nconst role = new vault.ldap.SecretBackendDynamicRole(\"role\", {\n    mount: config.path,\n    roleName: \"alice\",\n    creationLdif: `dn: cn={{.Username}},ou=users,dc=learn,dc=example\nobjectClass: person\nobjectClass: top\ncn: learn\nsn: {{ random 20 }}\nmemberOf: cn=dev,ou=groups,dc=learn,dc=example\nuserPassword: {{.Password}}\n`,\n    deletionLdif: `dn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n`,\n    rollbackLdif: `dn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n`,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.ldap.SecretBackend(\"config\",\n    path=\"my-custom-ldap\",\n    binddn=\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass=\"SuperSecretPassw0rd\",\n    url=\"ldaps://localhost\",\n    userdn=\"CN=Users,DC=corp,DC=example,DC=net\")\nrole = vault.ldap.SecretBackendDynamicRole(\"role\",\n    mount=config.path,\n    role_name=\"alice\",\n    creation_ldif=\"\"\"dn: cn={{.Username}},ou=users,dc=learn,dc=example\nobjectClass: person\nobjectClass: top\ncn: learn\nsn: {{ random 20 }}\nmemberOf: cn=dev,ou=groups,dc=learn,dc=example\nuserPassword: {{.Password}}\n\"\"\",\n    deletion_ldif=\"\"\"dn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n\"\"\",\n    rollback_ldif=\"\"\"dn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n\"\"\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.Ldap.SecretBackend(\"config\", new()\n    {\n        Path = \"my-custom-ldap\",\n        Binddn = \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n        Bindpass = \"SuperSecretPassw0rd\",\n        Url = \"ldaps://localhost\",\n        Userdn = \"CN=Users,DC=corp,DC=example,DC=net\",\n    });\n\n    var role = new Vault.Ldap.SecretBackendDynamicRole(\"role\", new()\n    {\n        Mount = config.Path,\n        RoleName = \"alice\",\n        CreationLdif = @\"dn: cn={{.Username}},ou=users,dc=learn,dc=example\nobjectClass: person\nobjectClass: top\ncn: learn\nsn: {{ random 20 }}\nmemberOf: cn=dev,ou=groups,dc=learn,dc=example\nuserPassword: {{.Password}}\n\",\n        DeletionLdif = @\"dn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n\",\n        RollbackLdif = @\"dn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tconfig, err := ldap.NewSecretBackend(ctx, \"config\", \u0026ldap.SecretBackendArgs{\n\t\t\tPath:     pulumi.String(\"my-custom-ldap\"),\n\t\t\tBinddn:   pulumi.String(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t\tBindpass: pulumi.String(\"SuperSecretPassw0rd\"),\n\t\t\tUrl:      pulumi.String(\"ldaps://localhost\"),\n\t\t\tUserdn:   pulumi.String(\"CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewSecretBackendDynamicRole(ctx, \"role\", \u0026ldap.SecretBackendDynamicRoleArgs{\n\t\t\tMount:    config.Path,\n\t\t\tRoleName: pulumi.String(\"alice\"),\n\t\t\tCreationLdif: pulumi.String(`dn: cn={{.Username}},ou=users,dc=learn,dc=example\nobjectClass: person\nobjectClass: top\ncn: learn\nsn: {{ random 20 }}\nmemberOf: cn=dev,ou=groups,dc=learn,dc=example\nuserPassword: {{.Password}}\n`),\n\t\t\tDeletionLdif: pulumi.String(\"dn: cn={{.Username}},ou=users,dc=learn,dc=example\\nchangetype: delete\\n\"),\n\t\t\tRollbackLdif: pulumi.String(\"dn: cn={{.Username}},ou=users,dc=learn,dc=example\\nchangetype: delete\\n\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ldap.SecretBackend;\nimport com.pulumi.vault.ldap.SecretBackendArgs;\nimport com.pulumi.vault.ldap.SecretBackendDynamicRole;\nimport com.pulumi.vault.ldap.SecretBackendDynamicRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .path(\"my-custom-ldap\")\n            .binddn(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\")\n            .bindpass(\"SuperSecretPassw0rd\")\n            .url(\"ldaps://localhost\")\n            .userdn(\"CN=Users,DC=corp,DC=example,DC=net\")\n            .build());\n\n        var role = new SecretBackendDynamicRole(\"role\", SecretBackendDynamicRoleArgs.builder()\n            .mount(config.path())\n            .roleName(\"alice\")\n            .creationLdif(\"\"\"\ndn: cn={{.Username}},ou=users,dc=learn,dc=example\nobjectClass: person\nobjectClass: top\ncn: learn\nsn: {{ random 20 }}\nmemberOf: cn=dev,ou=groups,dc=learn,dc=example\nuserPassword: {{.Password}}\n            \"\"\")\n            .deletionLdif(\"\"\"\ndn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n            \"\"\")\n            .rollbackLdif(\"\"\"\ndn: cn={{.Username}},ou=users,dc=learn,dc=example\nchangetype: delete\n            \"\"\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:ldap:SecretBackend\n    properties:\n      path: my-custom-ldap\n      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\n      bindpass: SuperSecretPassw0rd\n      url: ldaps://localhost\n      userdn: CN=Users,DC=corp,DC=example,DC=net\n  role:\n    type: vault:ldap:SecretBackendDynamicRole\n    properties:\n      mount: ${config.path}\n      roleName: alice\n      creationLdif: |\n        dn: cn={{.Username}},ou=users,dc=learn,dc=example\n        objectClass: person\n        objectClass: top\n        cn: learn\n        sn: {{ random 20 }}\n        memberOf: cn=dev,ou=groups,dc=learn,dc=example\n        userPassword: {{.Password}}\n      deletionLdif: |\n        dn: cn={{.Username}},ou=users,dc=learn,dc=example\n        changetype: delete\n      rollbackLdif: |\n        dn: cn={{.Username}},ou=users,dc=learn,dc=example\n        changetype: delete\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP secret backend dynamic role can be imported using the full path to the role\nof the form: `\u003cmount_path\u003e/dynamic-role/\u003crole_name\u003e` e.g.\n\n```sh\n$ pulumi import vault:ldap/secretBackendDynamicRole:SecretBackendDynamicRole role ldap/role/dynamic-role\n```\n","properties":{"creationLdif":{"type":"string","description":"A templatized LDIF string used to create a user\naccount. This may contain multiple LDIF entries. The \u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e can also\nbe used to add the user account to an existing group. All LDIF entries are\nperformed in order. If Vault encounters an error while executing the\n\u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e it will stop at the first error and not execute any remaining\nLDIF entries. If an error occurs and \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e is specified, the LDIF\nentries in \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e will be executed. See \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e for more\ndetails. This field may optionally be provided as a base64 encoded string.\n"},"defaultTtl":{"type":"integer","description":"Specifies the TTL for the leases associated with this role.\n"},"deletionLdif":{"type":"string","description":"A templatized LDIF string used to delete the\nuser account once its TTL has expired. This may contain multiple LDIF\nentries. All LDIF entries are performed in order. If Vault encounters an\nerror while executing an entry in the \u003cspan pulumi-lang-nodejs=\"`deletionLdif`\" pulumi-lang-dotnet=\"`DeletionLdif`\" pulumi-lang-go=\"`deletionLdif`\" pulumi-lang-python=\"`deletion_ldif`\" pulumi-lang-yaml=\"`deletionLdif`\" pulumi-lang-java=\"`deletionLdif`\"\u003e`deletion_ldif`\u003c/span\u003e it will attempt to\ncontinue executing any remaining entries. This field may optionally be\nprovided as a base64 encoded string.\n"},"maxTtl":{"type":"integer","description":"Specifies the maximum TTL for the leases associated with this role.\n"},"mount":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ldap`\" pulumi-lang-dotnet=\"`Ldap`\" pulumi-lang-go=\"`ldap`\" pulumi-lang-python=\"`ldap`\" pulumi-lang-yaml=\"`ldap`\" pulumi-lang-java=\"`ldap`\"\u003e`ldap`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"roleName":{"type":"string","description":"Name of the role.\n"},"rollbackLdif":{"type":"string","description":"A templatized LDIF string used to attempt to\nrollback any changes in the event that execution of the \u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e results\nin an error. This may contain multiple LDIF entries. All LDIF entries are\nperformed in order. If Vault encounters an error while executing an entry in\nthe \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e it will attempt to continue executing any remaining\nentries. This field may optionally be provided as a base64 encoded string.\n"},"usernameTemplate":{"type":"string","description":"A template used to generate a dynamic\nusername. This will be used to fill in the `.Username` field within the\n\u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e string.\n"}},"required":["creationLdif","deletionLdif","roleName"],"inputProperties":{"creationLdif":{"type":"string","description":"A templatized LDIF string used to create a user\naccount. This may contain multiple LDIF entries. The \u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e can also\nbe used to add the user account to an existing group. All LDIF entries are\nperformed in order. If Vault encounters an error while executing the\n\u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e it will stop at the first error and not execute any remaining\nLDIF entries. If an error occurs and \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e is specified, the LDIF\nentries in \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e will be executed. See \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e for more\ndetails. This field may optionally be provided as a base64 encoded string.\n"},"defaultTtl":{"type":"integer","description":"Specifies the TTL for the leases associated with this role.\n"},"deletionLdif":{"type":"string","description":"A templatized LDIF string used to delete the\nuser account once its TTL has expired. This may contain multiple LDIF\nentries. All LDIF entries are performed in order. If Vault encounters an\nerror while executing an entry in the \u003cspan pulumi-lang-nodejs=\"`deletionLdif`\" pulumi-lang-dotnet=\"`DeletionLdif`\" pulumi-lang-go=\"`deletionLdif`\" pulumi-lang-python=\"`deletion_ldif`\" pulumi-lang-yaml=\"`deletionLdif`\" pulumi-lang-java=\"`deletionLdif`\"\u003e`deletion_ldif`\u003c/span\u003e it will attempt to\ncontinue executing any remaining entries. This field may optionally be\nprovided as a base64 encoded string.\n"},"maxTtl":{"type":"integer","description":"Specifies the maximum TTL for the leases associated with this role.\n"},"mount":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ldap`\" pulumi-lang-dotnet=\"`Ldap`\" pulumi-lang-go=\"`ldap`\" pulumi-lang-python=\"`ldap`\" pulumi-lang-yaml=\"`ldap`\" pulumi-lang-java=\"`ldap`\"\u003e`ldap`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"rollbackLdif":{"type":"string","description":"A templatized LDIF string used to attempt to\nrollback any changes in the event that execution of the \u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e results\nin an error. This may contain multiple LDIF entries. All LDIF entries are\nperformed in order. If Vault encounters an error while executing an entry in\nthe \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e it will attempt to continue executing any remaining\nentries. This field may optionally be provided as a base64 encoded string.\n"},"usernameTemplate":{"type":"string","description":"A template used to generate a dynamic\nusername. This will be used to fill in the `.Username` field within the\n\u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e string.\n"}},"requiredInputs":["creationLdif","deletionLdif","roleName"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendDynamicRole resources.\n","properties":{"creationLdif":{"type":"string","description":"A templatized LDIF string used to create a user\naccount. This may contain multiple LDIF entries. The \u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e can also\nbe used to add the user account to an existing group. All LDIF entries are\nperformed in order. If Vault encounters an error while executing the\n\u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e it will stop at the first error and not execute any remaining\nLDIF entries. If an error occurs and \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e is specified, the LDIF\nentries in \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e will be executed. See \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e for more\ndetails. This field may optionally be provided as a base64 encoded string.\n"},"defaultTtl":{"type":"integer","description":"Specifies the TTL for the leases associated with this role.\n"},"deletionLdif":{"type":"string","description":"A templatized LDIF string used to delete the\nuser account once its TTL has expired. This may contain multiple LDIF\nentries. All LDIF entries are performed in order. If Vault encounters an\nerror while executing an entry in the \u003cspan pulumi-lang-nodejs=\"`deletionLdif`\" pulumi-lang-dotnet=\"`DeletionLdif`\" pulumi-lang-go=\"`deletionLdif`\" pulumi-lang-python=\"`deletion_ldif`\" pulumi-lang-yaml=\"`deletionLdif`\" pulumi-lang-java=\"`deletionLdif`\"\u003e`deletion_ldif`\u003c/span\u003e it will attempt to\ncontinue executing any remaining entries. This field may optionally be\nprovided as a base64 encoded string.\n"},"maxTtl":{"type":"integer","description":"Specifies the maximum TTL for the leases associated with this role.\n"},"mount":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ldap`\" pulumi-lang-dotnet=\"`Ldap`\" pulumi-lang-go=\"`ldap`\" pulumi-lang-python=\"`ldap`\" pulumi-lang-yaml=\"`ldap`\" pulumi-lang-java=\"`ldap`\"\u003e`ldap`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"rollbackLdif":{"type":"string","description":"A templatized LDIF string used to attempt to\nrollback any changes in the event that execution of the \u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e results\nin an error. This may contain multiple LDIF entries. All LDIF entries are\nperformed in order. If Vault encounters an error while executing an entry in\nthe \u003cspan pulumi-lang-nodejs=\"`rollbackLdif`\" pulumi-lang-dotnet=\"`RollbackLdif`\" pulumi-lang-go=\"`rollbackLdif`\" pulumi-lang-python=\"`rollback_ldif`\" pulumi-lang-yaml=\"`rollbackLdif`\" pulumi-lang-java=\"`rollbackLdif`\"\u003e`rollback_ldif`\u003c/span\u003e it will attempt to continue executing any remaining\nentries. This field may optionally be provided as a base64 encoded string.\n"},"usernameTemplate":{"type":"string","description":"A template used to generate a dynamic\nusername. This will be used to fill in the `.Username` field within the\n\u003cspan pulumi-lang-nodejs=\"`creationLdif`\" pulumi-lang-dotnet=\"`CreationLdif`\" pulumi-lang-go=\"`creationLdif`\" pulumi-lang-python=\"`creation_ldif`\" pulumi-lang-yaml=\"`creationLdif`\" pulumi-lang-java=\"`creationLdif`\"\u003e`creation_ldif`\u003c/span\u003e string.\n"}},"type":"object"}},"vault:ldap/secretBackendLibrarySet:SecretBackendLibrarySet":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.ldap.SecretBackend(\"config\", {\n    path: \"ldap\",\n    binddn: \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass: \"SuperSecretPassw0rd\",\n    url: \"ldaps://localhost\",\n    insecureTls: true,\n    userdn: \"CN=Users,DC=corp,DC=example,DC=net\",\n});\nconst qa = new vault.ldap.SecretBackendLibrarySet(\"qa\", {\n    mount: config.path,\n    name: \"qa\",\n    serviceAccountNames: [\n        \"Bob\",\n        \"Mary\",\n    ],\n    ttl: 60,\n    disableCheckInEnforcement: true,\n    maxTtl: 120,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.ldap.SecretBackend(\"config\",\n    path=\"ldap\",\n    binddn=\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass=\"SuperSecretPassw0rd\",\n    url=\"ldaps://localhost\",\n    insecure_tls=True,\n    userdn=\"CN=Users,DC=corp,DC=example,DC=net\")\nqa = vault.ldap.SecretBackendLibrarySet(\"qa\",\n    mount=config.path,\n    name=\"qa\",\n    service_account_names=[\n        \"Bob\",\n        \"Mary\",\n    ],\n    ttl=60,\n    disable_check_in_enforcement=True,\n    max_ttl=120)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.Ldap.SecretBackend(\"config\", new()\n    {\n        Path = \"ldap\",\n        Binddn = \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n        Bindpass = \"SuperSecretPassw0rd\",\n        Url = \"ldaps://localhost\",\n        InsecureTls = true,\n        Userdn = \"CN=Users,DC=corp,DC=example,DC=net\",\n    });\n\n    var qa = new Vault.Ldap.SecretBackendLibrarySet(\"qa\", new()\n    {\n        Mount = config.Path,\n        Name = \"qa\",\n        ServiceAccountNames = new[]\n        {\n            \"Bob\",\n            \"Mary\",\n        },\n        Ttl = 60,\n        DisableCheckInEnforcement = true,\n        MaxTtl = 120,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tconfig, err := ldap.NewSecretBackend(ctx, \"config\", \u0026ldap.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"ldap\"),\n\t\t\tBinddn:      pulumi.String(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t\tBindpass:    pulumi.String(\"SuperSecretPassw0rd\"),\n\t\t\tUrl:         pulumi.String(\"ldaps://localhost\"),\n\t\t\tInsecureTls: pulumi.Bool(true),\n\t\t\tUserdn:      pulumi.String(\"CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewSecretBackendLibrarySet(ctx, \"qa\", \u0026ldap.SecretBackendLibrarySetArgs{\n\t\t\tMount: config.Path,\n\t\t\tName:  pulumi.String(\"qa\"),\n\t\t\tServiceAccountNames: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"Bob\"),\n\t\t\t\tpulumi.String(\"Mary\"),\n\t\t\t},\n\t\t\tTtl:                       pulumi.Int(60),\n\t\t\tDisableCheckInEnforcement: pulumi.Bool(true),\n\t\t\tMaxTtl:                    pulumi.Int(120),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ldap.SecretBackend;\nimport com.pulumi.vault.ldap.SecretBackendArgs;\nimport com.pulumi.vault.ldap.SecretBackendLibrarySet;\nimport com.pulumi.vault.ldap.SecretBackendLibrarySetArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .path(\"ldap\")\n            .binddn(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\")\n            .bindpass(\"SuperSecretPassw0rd\")\n            .url(\"ldaps://localhost\")\n            .insecureTls(true)\n            .userdn(\"CN=Users,DC=corp,DC=example,DC=net\")\n            .build());\n\n        var qa = new SecretBackendLibrarySet(\"qa\", SecretBackendLibrarySetArgs.builder()\n            .mount(config.path())\n            .name(\"qa\")\n            .serviceAccountNames(            \n                \"Bob\",\n                \"Mary\")\n            .ttl(60)\n            .disableCheckInEnforcement(true)\n            .maxTtl(120)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:ldap:SecretBackend\n    properties:\n      path: ldap\n      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\n      bindpass: SuperSecretPassw0rd\n      url: ldaps://localhost\n      insecureTls: 'true'\n      userdn: CN=Users,DC=corp,DC=example,DC=net\n  qa:\n    type: vault:ldap:SecretBackendLibrarySet\n    properties:\n      mount: ${config.path}\n      name: qa\n      serviceAccountNames:\n        - Bob\n        - Mary\n      ttl: 60\n      disableCheckInEnforcement: true\n      maxTtl: 120\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP secret backend libraries can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:ldap/secretBackendLibrarySet:SecretBackendLibrarySet qa ldap/library/bob\n```\n","properties":{"disableCheckInEnforcement":{"type":"boolean","description":"Disable enforcing that service\naccounts must be checked in by the entity or client token that checked them\nout. Defaults to false.\n"},"maxTtl":{"type":"integer","description":"The maximum password time-to-live in seconds. Defaults\nto the configuration\u003cspan pulumi-lang-nodejs=\" maxTtl \" pulumi-lang-dotnet=\" MaxTtl \" pulumi-lang-go=\" maxTtl \" pulumi-lang-python=\" max_ttl \" pulumi-lang-yaml=\" maxTtl \" pulumi-lang-java=\" maxTtl \"\u003e max_ttl \u003c/span\u003eif not provided.\n"},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted."},"name":{"type":"string","description":"The name to identify this set of service accounts.\nMust be unique within the backend.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"serviceAccountNames":{"type":"array","items":{"type":"string"},"description":"Specifies the slice of service accounts mapped to this set.\n"},"ttl":{"type":"integer","description":"The password time-to-live in seconds. Defaults to the configuration\nttl if not provided.\n"}},"required":["maxTtl","name","serviceAccountNames","ttl"],"inputProperties":{"disableCheckInEnforcement":{"type":"boolean","description":"Disable enforcing that service\naccounts must be checked in by the entity or client token that checked them\nout. Defaults to false.\n"},"maxTtl":{"type":"integer","description":"The maximum password time-to-live in seconds. Defaults\nto the configuration\u003cspan pulumi-lang-nodejs=\" maxTtl \" pulumi-lang-dotnet=\" MaxTtl \" pulumi-lang-go=\" maxTtl \" pulumi-lang-python=\" max_ttl \" pulumi-lang-yaml=\" maxTtl \" pulumi-lang-java=\" maxTtl \"\u003e max_ttl \u003c/span\u003eif not provided.\n"},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted."},"name":{"type":"string","description":"The name to identify this set of service accounts.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"serviceAccountNames":{"type":"array","items":{"type":"string"},"description":"Specifies the slice of service accounts mapped to this set.\n","willReplaceOnChanges":true},"ttl":{"type":"integer","description":"The password time-to-live in seconds. Defaults to the configuration\nttl if not provided.\n"}},"requiredInputs":["serviceAccountNames"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendLibrarySet resources.\n","properties":{"disableCheckInEnforcement":{"type":"boolean","description":"Disable enforcing that service\naccounts must be checked in by the entity or client token that checked them\nout. Defaults to false.\n"},"maxTtl":{"type":"integer","description":"The maximum password time-to-live in seconds. Defaults\nto the configuration\u003cspan pulumi-lang-nodejs=\" maxTtl \" pulumi-lang-dotnet=\" MaxTtl \" pulumi-lang-go=\" maxTtl \" pulumi-lang-python=\" max_ttl \" pulumi-lang-yaml=\" maxTtl \" pulumi-lang-java=\" maxTtl \"\u003e max_ttl \u003c/span\u003eif not provided.\n"},"mount":{"type":"string","description":"The path where the LDAP secrets backend is mounted."},"name":{"type":"string","description":"The name to identify this set of service accounts.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"serviceAccountNames":{"type":"array","items":{"type":"string"},"description":"Specifies the slice of service accounts mapped to this set.\n","willReplaceOnChanges":true},"ttl":{"type":"integer","description":"The password time-to-live in seconds. Defaults to the configuration\nttl if not provided.\n"}},"type":"object"}},"vault:ldap/secretBackendStaticRole:SecretBackendStaticRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.ldap.SecretBackend(\"config\", {\n    path: \"my-custom-ldap\",\n    binddn: \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass: \"SuperSecretPassw0rd\",\n    url: \"ldaps://localhost\",\n    insecureTls: true,\n    userdn: \"CN=Users,DC=corp,DC=example,DC=net\",\n});\nconst role = new vault.ldap.SecretBackendStaticRole(\"role\", {\n    mount: config.path,\n    username: \"alice\",\n    dn: \"cn=alice,ou=Users,DC=corp,DC=example,DC=net\",\n    roleName: \"alice\",\n    rotationPeriod: 60,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.ldap.SecretBackend(\"config\",\n    path=\"my-custom-ldap\",\n    binddn=\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n    bindpass=\"SuperSecretPassw0rd\",\n    url=\"ldaps://localhost\",\n    insecure_tls=True,\n    userdn=\"CN=Users,DC=corp,DC=example,DC=net\")\nrole = vault.ldap.SecretBackendStaticRole(\"role\",\n    mount=config.path,\n    username=\"alice\",\n    dn=\"cn=alice,ou=Users,DC=corp,DC=example,DC=net\",\n    role_name=\"alice\",\n    rotation_period=60)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.Ldap.SecretBackend(\"config\", new()\n    {\n        Path = \"my-custom-ldap\",\n        Binddn = \"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\",\n        Bindpass = \"SuperSecretPassw0rd\",\n        Url = \"ldaps://localhost\",\n        InsecureTls = true,\n        Userdn = \"CN=Users,DC=corp,DC=example,DC=net\",\n    });\n\n    var role = new Vault.Ldap.SecretBackendStaticRole(\"role\", new()\n    {\n        Mount = config.Path,\n        Username = \"alice\",\n        Dn = \"cn=alice,ou=Users,DC=corp,DC=example,DC=net\",\n        RoleName = \"alice\",\n        RotationPeriod = 60,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ldap\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tconfig, err := ldap.NewSecretBackend(ctx, \"config\", \u0026ldap.SecretBackendArgs{\n\t\t\tPath:        pulumi.String(\"my-custom-ldap\"),\n\t\t\tBinddn:      pulumi.String(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t\tBindpass:    pulumi.String(\"SuperSecretPassw0rd\"),\n\t\t\tUrl:         pulumi.String(\"ldaps://localhost\"),\n\t\t\tInsecureTls: pulumi.Bool(true),\n\t\t\tUserdn:      pulumi.String(\"CN=Users,DC=corp,DC=example,DC=net\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ldap.NewSecretBackendStaticRole(ctx, \"role\", \u0026ldap.SecretBackendStaticRoleArgs{\n\t\t\tMount:          config.Path,\n\t\t\tUsername:       pulumi.String(\"alice\"),\n\t\t\tDn:             pulumi.String(\"cn=alice,ou=Users,DC=corp,DC=example,DC=net\"),\n\t\t\tRoleName:       pulumi.String(\"alice\"),\n\t\t\tRotationPeriod: pulumi.Int(60),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ldap.SecretBackend;\nimport com.pulumi.vault.ldap.SecretBackendArgs;\nimport com.pulumi.vault.ldap.SecretBackendStaticRole;\nimport com.pulumi.vault.ldap.SecretBackendStaticRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .path(\"my-custom-ldap\")\n            .binddn(\"CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\")\n            .bindpass(\"SuperSecretPassw0rd\")\n            .url(\"ldaps://localhost\")\n            .insecureTls(true)\n            .userdn(\"CN=Users,DC=corp,DC=example,DC=net\")\n            .build());\n\n        var role = new SecretBackendStaticRole(\"role\", SecretBackendStaticRoleArgs.builder()\n            .mount(config.path())\n            .username(\"alice\")\n            .dn(\"cn=alice,ou=Users,DC=corp,DC=example,DC=net\")\n            .roleName(\"alice\")\n            .rotationPeriod(60)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:ldap:SecretBackend\n    properties:\n      path: my-custom-ldap\n      binddn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=net\n      bindpass: SuperSecretPassw0rd\n      url: ldaps://localhost\n      insecureTls: 'true'\n      userdn: CN=Users,DC=corp,DC=example,DC=net\n  role:\n    type: vault:ldap:SecretBackendStaticRole\n    properties:\n      mount: ${config.path}\n      username: alice\n      dn: cn=alice,ou=Users,DC=corp,DC=example,DC=net\n      roleName: alice\n      rotationPeriod: 60\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nLDAP secret backend static role can be imported using the full path to the role\nof the form: `\u003cmount_path\u003e/static-role/\u003crole_name\u003e` e.g.\n\n```sh\n$ pulumi import vault:ldap/secretBackendStaticRole:SecretBackendStaticRole role ldap/static-role/example-role\n```\n","properties":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage\npassword rotation for. If given, it will take precedence over \u003cspan pulumi-lang-nodejs=\"`username`\" pulumi-lang-dotnet=\"`Username`\" pulumi-lang-go=\"`username`\" pulumi-lang-python=\"`username`\" pulumi-lang-yaml=\"`username`\" pulumi-lang-java=\"`username`\"\u003e`username`\u003c/span\u003e for the LDAP\nsearch performed during password rotation. Cannot be modified after creation.\n"},"mount":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ldap`\" pulumi-lang-dotnet=\"`Ldap`\" pulumi-lang-go=\"`ldap`\" pulumi-lang-python=\"`ldap`\" pulumi-lang-yaml=\"`ldap`\" pulumi-lang-java=\"`ldap`\"\u003e`ldap`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"roleName":{"type":"string","description":"Name of the role.\n"},"rotationPeriod":{"type":"integer","description":"How often Vault should rotate the password of the user entry.\n"},"skipImportRotation":{"type":"boolean","description":"Causes vault to skip the initial secret rotation on import. Not applicable to updates.\nRequires Vault 1.16 or above.\n"},"username":{"type":"string","description":"The username of the existing LDAP entry to manage password rotation for.\n"}},"required":["roleName","rotationPeriod","username"],"inputProperties":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage\npassword rotation for. If given, it will take precedence over \u003cspan pulumi-lang-nodejs=\"`username`\" pulumi-lang-dotnet=\"`Username`\" pulumi-lang-go=\"`username`\" pulumi-lang-python=\"`username`\" pulumi-lang-yaml=\"`username`\" pulumi-lang-java=\"`username`\"\u003e`username`\u003c/span\u003e for the LDAP\nsearch performed during password rotation. Cannot be modified after creation.\n"},"mount":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ldap`\" pulumi-lang-dotnet=\"`Ldap`\" pulumi-lang-go=\"`ldap`\" pulumi-lang-python=\"`ldap`\" pulumi-lang-yaml=\"`ldap`\" pulumi-lang-java=\"`ldap`\"\u003e`ldap`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"rotationPeriod":{"type":"integer","description":"How often Vault should rotate the password of the user entry.\n"},"skipImportRotation":{"type":"boolean","description":"Causes vault to skip the initial secret rotation on import. Not applicable to updates.\nRequires Vault 1.16 or above.\n"},"username":{"type":"string","description":"The username of the existing LDAP entry to manage password rotation for.\n","willReplaceOnChanges":true}},"requiredInputs":["roleName","rotationPeriod","username"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendStaticRole resources.\n","properties":{"dn":{"type":"string","description":"Distinguished name (DN) of the existing LDAP entry to manage\npassword rotation for. If given, it will take precedence over \u003cspan pulumi-lang-nodejs=\"`username`\" pulumi-lang-dotnet=\"`Username`\" pulumi-lang-go=\"`username`\" pulumi-lang-python=\"`username`\" pulumi-lang-yaml=\"`username`\" pulumi-lang-java=\"`username`\"\u003e`username`\u003c/span\u003e for the LDAP\nsearch performed during password rotation. Cannot be modified after creation.\n"},"mount":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`ldap`\" pulumi-lang-dotnet=\"`Ldap`\" pulumi-lang-go=\"`ldap`\" pulumi-lang-python=\"`ldap`\" pulumi-lang-yaml=\"`ldap`\" pulumi-lang-java=\"`ldap`\"\u003e`ldap`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"Name of the role.\n","willReplaceOnChanges":true},"rotationPeriod":{"type":"integer","description":"How often Vault should rotate the password of the user entry.\n"},"skipImportRotation":{"type":"boolean","description":"Causes vault to skip the initial secret rotation on import. Not applicable to updates.\nRequires Vault 1.16 or above.\n"},"username":{"type":"string","description":"The username of the existing LDAP entry to manage password rotation for.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:managed/keys:Keys":{"description":"A resource that manages the lifecycle of all [Managed Keys](https://www.vaultproject.io/docs/enterprise/managed-keys) in Vault.\n\n**Note** this feature is available only with Vault Enterprise.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst keys = new vault.managed.Keys(\"keys\", {aws: [\n    {\n        name: \"aws-key-1\",\n        accessKey: awsAccessKey,\n        secretKey: awsSecretKey,\n        keyBits: \"2048\",\n        keyType: \"RSA\",\n        kmsKey: \"alias/vault_aws_key_1\",\n    },\n    {\n        name: \"aws-key-2\",\n        accessKey: awsAccessKey,\n        secretKey: awsSecretKey,\n        keyBits: \"4096\",\n        keyType: \"RSA\",\n        kmsKey: \"alias/vault_aws_key_2\",\n    },\n]});\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"Example mount for managed keys\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 36000,\n    allowedManagedKeys: [\n        keys.aws.apply(aws =\u003e aws?.[0]?.name),\n        keys.aws.apply(aws =\u003e aws?.[1]?.name),\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkeys = vault.managed.Keys(\"keys\", aws=[\n    {\n        \"name\": \"aws-key-1\",\n        \"access_key\": aws_access_key,\n        \"secret_key\": aws_secret_key,\n        \"key_bits\": \"2048\",\n        \"key_type\": \"RSA\",\n        \"kms_key\": \"alias/vault_aws_key_1\",\n    },\n    {\n        \"name\": \"aws-key-2\",\n        \"access_key\": aws_access_key,\n        \"secret_key\": aws_secret_key,\n        \"key_bits\": \"4096\",\n        \"key_type\": \"RSA\",\n        \"kms_key\": \"alias/vault_aws_key_2\",\n    },\n])\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"Example mount for managed keys\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=36000,\n    allowed_managed_keys=[\n        keys.aws[0].name,\n        keys.aws[1].name,\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var keys = new Vault.Managed.Keys(\"keys\", new()\n    {\n        Aws = new[]\n        {\n            new Vault.Managed.Inputs.KeysAwArgs\n            {\n                Name = \"aws-key-1\",\n                AccessKey = awsAccessKey,\n                SecretKey = awsSecretKey,\n                KeyBits = \"2048\",\n                KeyType = \"RSA\",\n                KmsKey = \"alias/vault_aws_key_1\",\n            },\n            new Vault.Managed.Inputs.KeysAwArgs\n            {\n                Name = \"aws-key-2\",\n                AccessKey = awsAccessKey,\n                SecretKey = awsSecretKey,\n                KeyBits = \"4096\",\n                KeyType = \"RSA\",\n                KmsKey = \"alias/vault_aws_key_2\",\n            },\n        },\n    });\n\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"Example mount for managed keys\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 36000,\n        AllowedManagedKeys = new[]\n        {\n            keys.Aws.Apply(aws =\u003e aws[0]?.Name),\n            keys.Aws.Apply(aws =\u003e aws[1]?.Name),\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/managed\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkeys, err := managed.NewKeys(ctx, \"keys\", \u0026managed.KeysArgs{\n\t\t\tAws: managed.KeysAwArray{\n\t\t\t\t\u0026managed.KeysAwArgs{\n\t\t\t\t\tName:      pulumi.String(\"aws-key-1\"),\n\t\t\t\t\tAccessKey: pulumi.Any(awsAccessKey),\n\t\t\t\t\tSecretKey: pulumi.Any(awsSecretKey),\n\t\t\t\t\tKeyBits:   pulumi.String(\"2048\"),\n\t\t\t\t\tKeyType:   pulumi.String(\"RSA\"),\n\t\t\t\t\tKmsKey:    pulumi.String(\"alias/vault_aws_key_1\"),\n\t\t\t\t},\n\t\t\t\t\u0026managed.KeysAwArgs{\n\t\t\t\t\tName:      pulumi.String(\"aws-key-2\"),\n\t\t\t\t\tAccessKey: pulumi.Any(awsAccessKey),\n\t\t\t\t\tSecretKey: pulumi.Any(awsSecretKey),\n\t\t\t\t\tKeyBits:   pulumi.String(\"4096\"),\n\t\t\t\t\tKeyType:   pulumi.String(\"RSA\"),\n\t\t\t\t\tKmsKey:    pulumi.String(\"alias/vault_aws_key_2\"),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDescription:            pulumi.String(\"Example mount for managed keys\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(36000),\n\t\t\tAllowedManagedKeys: pulumi.StringArray{\n\t\t\t\tpulumi.String(keys.Aws.ApplyT(func(aws []managed.KeysAw) (*string, error) {\n\t\t\t\t\treturn \u0026aws[0].Name, nil\n\t\t\t\t}).(pulumi.StringPtrOutput)),\n\t\t\t\tpulumi.String(keys.Aws.ApplyT(func(aws []managed.KeysAw) (*string, error) {\n\t\t\t\t\treturn \u0026aws[1].Name, nil\n\t\t\t\t}).(pulumi.StringPtrOutput)),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.managed.Keys;\nimport com.pulumi.vault.managed.KeysArgs;\nimport com.pulumi.vault.managed.inputs.KeysAwArgs;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var keys = new Keys(\"keys\", KeysArgs.builder()\n            .aws(            \n                KeysAwArgs.builder()\n                    .name(\"aws-key-1\")\n                    .accessKey(awsAccessKey)\n                    .secretKey(awsSecretKey)\n                    .keyBits(\"2048\")\n                    .keyType(\"RSA\")\n                    .kmsKey(\"alias/vault_aws_key_1\")\n                    .build(),\n                KeysAwArgs.builder()\n                    .name(\"aws-key-2\")\n                    .accessKey(awsAccessKey)\n                    .secretKey(awsSecretKey)\n                    .keyBits(\"4096\")\n                    .keyType(\"RSA\")\n                    .kmsKey(\"alias/vault_aws_key_2\")\n                    .build())\n            .build());\n\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"Example mount for managed keys\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(36000)\n            .allowedManagedKeys(            \n                keys.aws().applyValue(_aws -\u003e _aws[0].name()),\n                keys.aws().applyValue(_aws -\u003e _aws[1].name()))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  keys:\n    type: vault:managed:Keys\n    properties:\n      aws:\n        - name: aws-key-1\n          accessKey: ${awsAccessKey}\n          secretKey: ${awsSecretKey}\n          keyBits: '2048'\n          keyType: RSA\n          kmsKey: alias/vault_aws_key_1\n        - name: aws-key-2\n          accessKey: ${awsAccessKey}\n          secretKey: ${awsSecretKey}\n          keyBits: '4096'\n          keyType: RSA\n          kmsKey: alias/vault_aws_key_2\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: Example mount for managed keys\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 36000\n      allowedManagedKeys:\n        - ${keys.aws[0].name}\n        - ${keys.aws[1].name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\n## Caveats\n\nThis single resource handles the lifecycle of _all_ the managed keys that must be created in Vault.\nThere can only be one such resource in the TF state, and if there are already provisioned managed\nkeys in Vault, we recommend using `pulumi import` instead.\n\n## Import\n\nMounts can be imported using the `id` of `default`, e.g.\n\n```sh\n$ pulumi import vault:managed/keys:Keys keys default\n```\n","properties":{"aws":{"type":"array","items":{"$ref":"#/types/vault:managed/KeysAw:KeysAw"},"description":"Configuration block for AWS Managed Keys"},"azures":{"type":"array","items":{"$ref":"#/types/vault:managed/KeysAzure:KeysAzure"},"description":"Configuration block for Azure Managed Keys"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)"},"pkcs":{"type":"array","items":{"$ref":"#/types/vault:managed/KeysPkc:KeysPkc"},"description":"Configuration block for PKCS Managed Keys"}},"inputProperties":{"aws":{"type":"array","items":{"$ref":"#/types/vault:managed/KeysAw:KeysAw"},"description":"Configuration block for AWS Managed Keys"},"azures":{"type":"array","items":{"$ref":"#/types/vault:managed/KeysAzure:KeysAzure"},"description":"Configuration block for Azure Managed Keys"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true},"pkcs":{"type":"array","items":{"$ref":"#/types/vault:managed/KeysPkc:KeysPkc"},"description":"Configuration block for PKCS Managed Keys"}},"stateInputs":{"description":"Input properties used for looking up and filtering Keys resources.\n","properties":{"aws":{"type":"array","items":{"$ref":"#/types/vault:managed/KeysAw:KeysAw"},"description":"Configuration block for AWS Managed Keys"},"azures":{"type":"array","items":{"$ref":"#/types/vault:managed/KeysAzure:KeysAzure"},"description":"Configuration block for Azure Managed Keys"},"namespace":{"type":"string","description":"Target namespace. (requires Enterprise)","willReplaceOnChanges":true},"pkcs":{"type":"array","items":{"$ref":"#/types/vault:managed/KeysPkc:KeysPkc"},"description":"Configuration block for PKCS Managed Keys"}},"type":"object"}},"vault:mongodbatlas/secretBackend:SecretBackend":{"description":"\n\n## Import\n\nMongoDB Atlas secret backends can be imported using the `${mount}/config`, e.g.\n\n```sh\n$ pulumi import vault:mongodbatlas/secretBackend:SecretBackend config mongodbatlas/config\n```\n","properties":{"mount":{"type":"string","description":"Path where the MongoDB Atlas Secrets Engine is mounted.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path where MongoDB Atlas configuration is located"},"privateKey":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API","secret":true},"privateKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe Private Programmatic API Key used to connect with MongoDB Atlas API. This is a write-only field that is not stored in state.","secret":true},"privateKeyWoVersion":{"type":"integer","description":"An incrementing version counter. Increment this value to force an update \nto the private key. Required when using \u003cspan pulumi-lang-nodejs=\"`privateKeyWo`\" pulumi-lang-dotnet=\"`PrivateKeyWo`\" pulumi-lang-go=\"`privateKeyWo`\" pulumi-lang-python=\"`private_key_wo`\" pulumi-lang-yaml=\"`privateKeyWo`\" pulumi-lang-java=\"`privateKeyWo`\"\u003e`private_key_wo`\u003c/span\u003e.\n"},"publicKey":{"type":"string","description":"Specifies the Public API Key used to authenticate with the MongoDB Atlas API.\n"}},"required":["mount","path","publicKey"],"inputProperties":{"mount":{"type":"string","description":"Path where the MongoDB Atlas Secrets Engine is mounted.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"privateKey":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API","secret":true},"privateKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe Private Programmatic API Key used to connect with MongoDB Atlas API. This is a write-only field that is not stored in state.","secret":true},"privateKeyWoVersion":{"type":"integer","description":"An incrementing version counter. Increment this value to force an update \nto the private key. Required when using \u003cspan pulumi-lang-nodejs=\"`privateKeyWo`\" pulumi-lang-dotnet=\"`PrivateKeyWo`\" pulumi-lang-go=\"`privateKeyWo`\" pulumi-lang-python=\"`private_key_wo`\" pulumi-lang-yaml=\"`privateKeyWo`\" pulumi-lang-java=\"`privateKeyWo`\"\u003e`private_key_wo`\u003c/span\u003e.\n"},"publicKey":{"type":"string","description":"Specifies the Public API Key used to authenticate with the MongoDB Atlas API.\n"}},"requiredInputs":["mount","publicKey"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"mount":{"type":"string","description":"Path where the MongoDB Atlas Secrets Engine is mounted.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path where MongoDB Atlas configuration is located"},"privateKey":{"type":"string","description":"The Private Programmatic API Key used to connect with MongoDB Atlas API","secret":true},"privateKeyWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nThe Private Programmatic API Key used to connect with MongoDB Atlas API. This is a write-only field that is not stored in state.","secret":true},"privateKeyWoVersion":{"type":"integer","description":"An incrementing version counter. Increment this value to force an update \nto the private key. Required when using \u003cspan pulumi-lang-nodejs=\"`privateKeyWo`\" pulumi-lang-dotnet=\"`PrivateKeyWo`\" pulumi-lang-go=\"`privateKeyWo`\" pulumi-lang-python=\"`private_key_wo`\" pulumi-lang-yaml=\"`privateKeyWo`\" pulumi-lang-java=\"`privateKeyWo`\"\u003e`private_key_wo`\u003c/span\u003e.\n"},"publicKey":{"type":"string","description":"Specifies the Public API Key used to authenticate with the MongoDB Atlas API.\n"}},"type":"object"}},"vault:mongodbatlas/secretRole:SecretRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst mongo = new vault.Mount(\"mongo\", {\n    path: \"%s\",\n    type: \"mongodbatlas\",\n    description: \"MongoDB Atlas secret engine mount\",\n});\nconst config = new vault.mongodbatlas.SecretBackend(\"config\", {\n    mount: mongo.path,\n    privateKey: \"privateKey\",\n    publicKey: \"publicKey\",\n});\nconst role = new vault.mongodbatlas.SecretRole(\"role\", {\n    mount: mongo.path,\n    name: \"tf-test-role\",\n    organizationId: \"7cf5a45a9ccf6400e60981b7\",\n    projectId: \"5cf5a45a9ccf6400e60981b6\",\n    roles: [\"ORG_READ_ONLY\"],\n    ipAddresses: \"192.168.1.5, 192.168.1.6\",\n    cidrBlocks: \"192.168.1.3/35\",\n    projectRoles: [\"GROUP_READ_ONLY\"],\n    ttl: \"60\",\n    maxTtl: \"120\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nmongo = vault.Mount(\"mongo\",\n    path=\"%s\",\n    type=\"mongodbatlas\",\n    description=\"MongoDB Atlas secret engine mount\")\nconfig = vault.mongodbatlas.SecretBackend(\"config\",\n    mount=mongo.path,\n    private_key=\"privateKey\",\n    public_key=\"publicKey\")\nrole = vault.mongodbatlas.SecretRole(\"role\",\n    mount=mongo.path,\n    name=\"tf-test-role\",\n    organization_id=\"7cf5a45a9ccf6400e60981b7\",\n    project_id=\"5cf5a45a9ccf6400e60981b6\",\n    roles=[\"ORG_READ_ONLY\"],\n    ip_addresses=\"192.168.1.5, 192.168.1.6\",\n    cidr_blocks=\"192.168.1.3/35\",\n    project_roles=[\"GROUP_READ_ONLY\"],\n    ttl=\"60\",\n    max_ttl=\"120\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var mongo = new Vault.Mount(\"mongo\", new()\n    {\n        Path = \"%s\",\n        Type = \"mongodbatlas\",\n        Description = \"MongoDB Atlas secret engine mount\",\n    });\n\n    var config = new Vault.MongoDBAtlas.SecretBackend(\"config\", new()\n    {\n        Mount = mongo.Path,\n        PrivateKey = \"privateKey\",\n        PublicKey = \"publicKey\",\n    });\n\n    var role = new Vault.MongoDBAtlas.SecretRole(\"role\", new()\n    {\n        Mount = mongo.Path,\n        Name = \"tf-test-role\",\n        OrganizationId = \"7cf5a45a9ccf6400e60981b7\",\n        ProjectId = \"5cf5a45a9ccf6400e60981b6\",\n        Roles = new[]\n        {\n            \"ORG_READ_ONLY\",\n        },\n        IpAddresses = \"192.168.1.5, 192.168.1.6\",\n        CidrBlocks = \"192.168.1.3/35\",\n        ProjectRoles = new[]\n        {\n            \"GROUP_READ_ONLY\",\n        },\n        Ttl = \"60\",\n        MaxTtl = \"120\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/mongodbatlas\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tmongo, err := vault.NewMount(ctx, \"mongo\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"%s\"),\n\t\t\tType:        pulumi.String(\"mongodbatlas\"),\n\t\t\tDescription: pulumi.String(\"MongoDB Atlas secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = mongodbatlas.NewSecretBackend(ctx, \"config\", \u0026mongodbatlas.SecretBackendArgs{\n\t\t\tMount:      mongo.Path,\n\t\t\tPrivateKey: pulumi.String(\"privateKey\"),\n\t\t\tPublicKey:  pulumi.String(\"publicKey\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = mongodbatlas.NewSecretRole(ctx, \"role\", \u0026mongodbatlas.SecretRoleArgs{\n\t\t\tMount:          mongo.Path,\n\t\t\tName:           pulumi.String(\"tf-test-role\"),\n\t\t\tOrganizationId: pulumi.String(\"7cf5a45a9ccf6400e60981b7\"),\n\t\t\tProjectId:      pulumi.String(\"5cf5a45a9ccf6400e60981b6\"),\n\t\t\tRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ORG_READ_ONLY\"),\n\t\t\t},\n\t\t\tIpAddresses: pulumi.StringArray(\"192.168.1.5, 192.168.1.6\"),\n\t\t\tCidrBlocks:  pulumi.StringArray(\"192.168.1.3/35\"),\n\t\t\tProjectRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"GROUP_READ_ONLY\"),\n\t\t\t},\n\t\t\tTtl:    pulumi.String(\"60\"),\n\t\t\tMaxTtl: pulumi.String(\"120\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.mongodbatlas.SecretBackend;\nimport com.pulumi.vault.mongodbatlas.SecretBackendArgs;\nimport com.pulumi.vault.mongodbatlas.SecretRole;\nimport com.pulumi.vault.mongodbatlas.SecretRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var mongo = new Mount(\"mongo\", MountArgs.builder()\n            .path(\"%s\")\n            .type(\"mongodbatlas\")\n            .description(\"MongoDB Atlas secret engine mount\")\n            .build());\n\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .mount(mongo.path())\n            .privateKey(\"privateKey\")\n            .publicKey(\"publicKey\")\n            .build());\n\n        var role = new SecretRole(\"role\", SecretRoleArgs.builder()\n            .mount(mongo.path())\n            .name(\"tf-test-role\")\n            .organizationId(\"7cf5a45a9ccf6400e60981b7\")\n            .projectId(\"5cf5a45a9ccf6400e60981b6\")\n            .roles(\"ORG_READ_ONLY\")\n            .ipAddresses(\"192.168.1.5, 192.168.1.6\")\n            .cidrBlocks(\"192.168.1.3/35\")\n            .projectRoles(\"GROUP_READ_ONLY\")\n            .ttl(\"60\")\n            .maxTtl(\"120\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  mongo:\n    type: vault:Mount\n    properties:\n      path: '%s'\n      type: mongodbatlas\n      description: MongoDB Atlas secret engine mount\n  config:\n    type: vault:mongodbatlas:SecretBackend\n    properties:\n      mount: ${mongo.path}\n      privateKey: privateKey\n      publicKey: publicKey\n  role:\n    type: vault:mongodbatlas:SecretRole\n    properties:\n      mount: ${mongo.path}\n      name: tf-test-role\n      organizationId: 7cf5a45a9ccf6400e60981b7\n      projectId: 5cf5a45a9ccf6400e60981b6\n      roles:\n        - ORG_READ_ONLY\n      ipAddresses: 192.168.1.5, 192.168.1.6\n      cidrBlocks: 192.168.1.3/35\n      projectRoles:\n        - GROUP_READ_ONLY\n      ttl: '60'\n      maxTtl: '120'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe MongoDB Atlas secret role can be imported using the full path to the role\nof the form: `\u003cmount_path\u003e/roles/\u003crole_name\u003e` e.g.\n\n```sh\n$ pulumi import vault:mongodbatlas/secretRole:SecretRole example mongodbatlas/roles/example-role\n```\n","properties":{"cidrBlocks":{"type":"array","items":{"type":"string"},"description":"Whitelist entry in CIDR notation to be added for the API key.\n"},"ipAddresses":{"type":"array","items":{"type":"string"},"description":"IP address to be added to the whitelist for the API key.\n"},"maxTtl":{"type":"string","description":"The maximum allowed lifetime of credentials issued using this role.\n"},"mount":{"type":"string","description":"Path where the MongoDB Atlas Secrets Engine is mounted.\n"},"name":{"type":"string","description":"The name of the role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"organizationId":{"type":"string","description":"Unique identifier for the organization to which the target API Key belongs. \nRequired if \u003cspan pulumi-lang-nodejs=\"`projectId`\" pulumi-lang-dotnet=\"`ProjectId`\" pulumi-lang-go=\"`projectId`\" pulumi-lang-python=\"`project_id`\" pulumi-lang-yaml=\"`projectId`\" pulumi-lang-java=\"`projectId`\"\u003e`project_id`\u003c/span\u003e is not set.\n"},"projectId":{"type":"string","description":"Unique identifier for the project to which the target API Key belongs.\nRequired if \u003cspan pulumi-lang-nodejs=\"`organizationId`\" pulumi-lang-dotnet=\"`OrganizationId`\" pulumi-lang-go=\"`organizationId`\" pulumi-lang-python=\"`organization_id`\" pulumi-lang-yaml=\"`organizationId`\" pulumi-lang-java=\"`organizationId`\"\u003e`organization_id`\u003c/span\u003e is not set.\n"},"projectRoles":{"type":"array","items":{"type":"string"},"description":"Roles assigned when an org API key is assigned to a project API key. Possible values are `GROUP_CLUSTER_MANAGER`, `GROUP_DATA_ACCESS_ADMIN`, `GROUP_DATA_ACCESS_READ_ONLY`, `GROUP_DATA_ACCESS_READ_WRITE`, `GROUP_OWNER` and `GROUP_READ_ONLY`.\n"},"roles":{"type":"array","items":{"type":"string"},"description":"List of roles that the API Key needs to have. Possible values are `ORG_OWNER`, `ORG_MEMBER`, `ORG_GROUP_CREATOR`, `ORG_BILLING_ADMIN` and `ORG_READ_ONLY`.\n"},"ttl":{"type":"string","description":"Duration in seconds after which the issued credential should expire.\n"}},"required":["mount","name","roles"],"inputProperties":{"cidrBlocks":{"type":"array","items":{"type":"string"},"description":"Whitelist entry in CIDR notation to be added for the API key.\n"},"ipAddresses":{"type":"array","items":{"type":"string"},"description":"IP address to be added to the whitelist for the API key.\n"},"maxTtl":{"type":"string","description":"The maximum allowed lifetime of credentials issued using this role.\n"},"mount":{"type":"string","description":"Path where the MongoDB Atlas Secrets Engine is mounted.\n"},"name":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organizationId":{"type":"string","description":"Unique identifier for the organization to which the target API Key belongs. \nRequired if \u003cspan pulumi-lang-nodejs=\"`projectId`\" pulumi-lang-dotnet=\"`ProjectId`\" pulumi-lang-go=\"`projectId`\" pulumi-lang-python=\"`project_id`\" pulumi-lang-yaml=\"`projectId`\" pulumi-lang-java=\"`projectId`\"\u003e`project_id`\u003c/span\u003e is not set.\n"},"projectId":{"type":"string","description":"Unique identifier for the project to which the target API Key belongs.\nRequired if \u003cspan pulumi-lang-nodejs=\"`organizationId`\" pulumi-lang-dotnet=\"`OrganizationId`\" pulumi-lang-go=\"`organizationId`\" pulumi-lang-python=\"`organization_id`\" pulumi-lang-yaml=\"`organizationId`\" pulumi-lang-java=\"`organizationId`\"\u003e`organization_id`\u003c/span\u003e is not set.\n"},"projectRoles":{"type":"array","items":{"type":"string"},"description":"Roles assigned when an org API key is assigned to a project API key. Possible values are `GROUP_CLUSTER_MANAGER`, `GROUP_DATA_ACCESS_ADMIN`, `GROUP_DATA_ACCESS_READ_ONLY`, `GROUP_DATA_ACCESS_READ_WRITE`, `GROUP_OWNER` and `GROUP_READ_ONLY`.\n"},"roles":{"type":"array","items":{"type":"string"},"description":"List of roles that the API Key needs to have. Possible values are `ORG_OWNER`, `ORG_MEMBER`, `ORG_GROUP_CREATOR`, `ORG_BILLING_ADMIN` and `ORG_READ_ONLY`.\n"},"ttl":{"type":"string","description":"Duration in seconds after which the issued credential should expire.\n"}},"requiredInputs":["mount","roles"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretRole resources.\n","properties":{"cidrBlocks":{"type":"array","items":{"type":"string"},"description":"Whitelist entry in CIDR notation to be added for the API key.\n"},"ipAddresses":{"type":"array","items":{"type":"string"},"description":"IP address to be added to the whitelist for the API key.\n"},"maxTtl":{"type":"string","description":"The maximum allowed lifetime of credentials issued using this role.\n"},"mount":{"type":"string","description":"Path where the MongoDB Atlas Secrets Engine is mounted.\n"},"name":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organizationId":{"type":"string","description":"Unique identifier for the organization to which the target API Key belongs. \nRequired if \u003cspan pulumi-lang-nodejs=\"`projectId`\" pulumi-lang-dotnet=\"`ProjectId`\" pulumi-lang-go=\"`projectId`\" pulumi-lang-python=\"`project_id`\" pulumi-lang-yaml=\"`projectId`\" pulumi-lang-java=\"`projectId`\"\u003e`project_id`\u003c/span\u003e is not set.\n"},"projectId":{"type":"string","description":"Unique identifier for the project to which the target API Key belongs.\nRequired if \u003cspan pulumi-lang-nodejs=\"`organizationId`\" pulumi-lang-dotnet=\"`OrganizationId`\" pulumi-lang-go=\"`organizationId`\" pulumi-lang-python=\"`organization_id`\" pulumi-lang-yaml=\"`organizationId`\" pulumi-lang-java=\"`organizationId`\"\u003e`organization_id`\u003c/span\u003e is not set.\n"},"projectRoles":{"type":"array","items":{"type":"string"},"description":"Roles assigned when an org API key is assigned to a project API key. Possible values are `GROUP_CLUSTER_MANAGER`, `GROUP_DATA_ACCESS_ADMIN`, `GROUP_DATA_ACCESS_READ_ONLY`, `GROUP_DATA_ACCESS_READ_WRITE`, `GROUP_OWNER` and `GROUP_READ_ONLY`.\n"},"roles":{"type":"array","items":{"type":"string"},"description":"List of roles that the API Key needs to have. Possible values are `ORG_OWNER`, `ORG_MEMBER`, `ORG_GROUP_CREATOR`, `ORG_BILLING_ADMIN` and `ORG_READ_ONLY`.\n"},"ttl":{"type":"string","description":"Duration in seconds after which the issued credential should expire.\n"}},"type":"object"}},"vault:okta/authBackend:AuthBackend":{"description":"Provides a resource for managing an\n[Okta auth backend within Vault](https://www.vaultproject.io/docs/auth/okta.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.okta.AuthBackend(\"example\", {\n    description: \"Demonstration of the Terraform Okta auth backend\",\n    organization: \"example\",\n    token: \"something that should be kept secret\",\n    groups: [{\n        groupName: \"foo\",\n        policies: [\n            \"one\",\n            \"two\",\n        ],\n    }],\n    users: [{\n        username: \"bar\",\n        groups: [\"foo\"],\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.okta.AuthBackend(\"example\",\n    description=\"Demonstration of the Terraform Okta auth backend\",\n    organization=\"example\",\n    token=\"something that should be kept secret\",\n    groups=[{\n        \"group_name\": \"foo\",\n        \"policies\": [\n            \"one\",\n            \"two\",\n        ],\n    }],\n    users=[{\n        \"username\": \"bar\",\n        \"groups\": [\"foo\"],\n    }])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Okta.AuthBackend(\"example\", new()\n    {\n        Description = \"Demonstration of the Terraform Okta auth backend\",\n        Organization = \"example\",\n        Token = \"something that should be kept secret\",\n        Groups = new[]\n        {\n            new Vault.Okta.Inputs.AuthBackendGroupArgs\n            {\n                GroupName = \"foo\",\n                Policies = new[]\n                {\n                    \"one\",\n                    \"two\",\n                },\n            },\n        },\n        Users = new[]\n        {\n            new Vault.Okta.Inputs.AuthBackendUserArgs\n            {\n                Username = \"bar\",\n                Groups = new[]\n                {\n                    \"foo\",\n                },\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/okta\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := okta.NewAuthBackend(ctx, \"example\", \u0026okta.AuthBackendArgs{\n\t\t\tDescription:  pulumi.String(\"Demonstration of the Terraform Okta auth backend\"),\n\t\t\tOrganization: pulumi.String(\"example\"),\n\t\t\tToken:        pulumi.String(\"something that should be kept secret\"),\n\t\t\tGroups: okta.AuthBackendGroupTypeArray{\n\t\t\t\t\u0026okta.AuthBackendGroupTypeArgs{\n\t\t\t\t\tGroupName: pulumi.String(\"foo\"),\n\t\t\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"one\"),\n\t\t\t\t\t\tpulumi.String(\"two\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tUsers: okta.AuthBackendUserTypeArray{\n\t\t\t\t\u0026okta.AuthBackendUserTypeArgs{\n\t\t\t\t\tUsername: pulumi.String(\"bar\"),\n\t\t\t\t\tGroups: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"foo\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.okta.AuthBackend;\nimport com.pulumi.vault.okta.AuthBackendArgs;\nimport com.pulumi.vault.okta.inputs.AuthBackendGroupArgs;\nimport com.pulumi.vault.okta.inputs.AuthBackendUserArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackend(\"example\", AuthBackendArgs.builder()\n            .description(\"Demonstration of the Terraform Okta auth backend\")\n            .organization(\"example\")\n            .token(\"something that should be kept secret\")\n            .groups(AuthBackendGroupArgs.builder()\n                .groupName(\"foo\")\n                .policies(                \n                    \"one\",\n                    \"two\")\n                .build())\n            .users(AuthBackendUserArgs.builder()\n                .username(\"bar\")\n                .groups(\"foo\")\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:okta:AuthBackend\n    properties:\n      description: Demonstration of the Terraform Okta auth backend\n      organization: example\n      token: something that should be kept secret\n      groups:\n        - groupName: foo\n          policies:\n            - one\n            - two\n      users:\n        - username: bar\n          groups:\n            - foo\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nOkta authentication backends can be imported using its `path`, e.g.\n\n```sh\n$ pulumi import vault:okta/authBackend:AuthBackend example okta\n```\n","properties":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).\n"},"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"baseUrl":{"type":"string","description":"The Okta url. Examples: oktapreview.com, okta.com\n"},"bypassOktaMfa":{"type":"boolean","description":"When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.\n"},"description":{"type":"string","description":"The description of the auth backend\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"groups":{"type":"array","items":{"$ref":"#/types/vault:okta/AuthBackendGroup:AuthBackendGroup"},"description":"Associate Okta groups with policies within Vault.\nSee below for more details.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"organization":{"type":"string","description":"The Okta organization. This will be the first part of the url `https://XXX.okta.com`\n"},"path":{"type":"string","description":"Path to mount the Okta auth backend. Default to path \u003cspan pulumi-lang-nodejs=\"`okta`\" pulumi-lang-dotnet=\"`Okta`\" pulumi-lang-go=\"`okta`\" pulumi-lang-python=\"`okta`\" pulumi-lang-yaml=\"`okta`\" pulumi-lang-java=\"`okta`\"\u003e`okta`\u003c/span\u003e.\n"},"token":{"type":"string","description":"The Okta API token. This is required to query Okta for user group membership.\nIf this is not supplied only locally configured groups will be enabled.\n","secret":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"},"tune":{"$ref":"#/types/vault:okta/AuthBackendTune:AuthBackendTune"},"users":{"type":"array","items":{"$ref":"#/types/vault:okta/AuthBackendUser:AuthBackendUser"},"description":"Associate Okta users with groups or policies within Vault.\nSee below for more details.\n"}},"required":["accessor","groups","organization","tune","users"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"baseUrl":{"type":"string","description":"The Okta url. Examples: oktapreview.com, okta.com\n"},"bypassOktaMfa":{"type":"boolean","description":"When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.\n"},"description":{"type":"string","description":"The description of the auth backend\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"groups":{"type":"array","items":{"$ref":"#/types/vault:okta/AuthBackendGroup:AuthBackendGroup"},"description":"Associate Okta groups with policies within Vault.\nSee below for more details.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organization":{"type":"string","description":"The Okta organization. This will be the first part of the url `https://XXX.okta.com`\n"},"path":{"type":"string","description":"Path to mount the Okta auth backend. Default to path \u003cspan pulumi-lang-nodejs=\"`okta`\" pulumi-lang-dotnet=\"`Okta`\" pulumi-lang-go=\"`okta`\" pulumi-lang-python=\"`okta`\" pulumi-lang-yaml=\"`okta`\" pulumi-lang-java=\"`okta`\"\u003e`okta`\u003c/span\u003e.\n"},"token":{"type":"string","description":"The Okta API token. This is required to query Okta for user group membership.\nIf this is not supplied only locally configured groups will be enabled.\n","secret":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"},"tune":{"$ref":"#/types/vault:okta/AuthBackendTune:AuthBackendTune"},"users":{"type":"array","items":{"$ref":"#/types/vault:okta/AuthBackendUser:AuthBackendUser"},"description":"Associate Okta users with groups or policies within Vault.\nSee below for more details.\n"}},"requiredInputs":["organization"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackend resources.\n","properties":{"accessor":{"type":"string","description":"The mount accessor related to the auth mount. It is useful for integration with [Identity Secrets Engine](https://www.vaultproject.io/docs/secrets/identity/index.html).\n"},"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"baseUrl":{"type":"string","description":"The Okta url. Examples: oktapreview.com, okta.com\n"},"bypassOktaMfa":{"type":"boolean","description":"When true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.\n"},"description":{"type":"string","description":"The description of the auth backend\n"},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"groups":{"type":"array","items":{"$ref":"#/types/vault:okta/AuthBackendGroup:AuthBackendGroup"},"description":"Associate Okta groups with policies within Vault.\nSee below for more details.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organization":{"type":"string","description":"The Okta organization. This will be the first part of the url `https://XXX.okta.com`\n"},"path":{"type":"string","description":"Path to mount the Okta auth backend. Default to path \u003cspan pulumi-lang-nodejs=\"`okta`\" pulumi-lang-dotnet=\"`Okta`\" pulumi-lang-go=\"`okta`\" pulumi-lang-python=\"`okta`\" pulumi-lang-yaml=\"`okta`\" pulumi-lang-java=\"`okta`\"\u003e`okta`\u003c/span\u003e.\n"},"token":{"type":"string","description":"The Okta API token. This is required to query Okta for user group membership.\nIf this is not supplied only locally configured groups will be enabled.\n","secret":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"},"tune":{"$ref":"#/types/vault:okta/AuthBackendTune:AuthBackendTune"},"users":{"type":"array","items":{"$ref":"#/types/vault:okta/AuthBackendUser:AuthBackendUser"},"description":"Associate Okta users with groups or policies within Vault.\nSee below for more details.\n"}},"type":"object"}},"vault:okta/authBackendGroup:AuthBackendGroup":{"description":"Provides a resource to create a group in an\n[Okta auth backend within Vault](https://www.vaultproject.io/docs/auth/okta.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.okta.AuthBackend(\"example\", {\n    path: \"group_okta\",\n    organization: \"dummy\",\n});\nconst foo = new vault.okta.AuthBackendGroup(\"foo\", {\n    path: example.path,\n    groupName: \"foo\",\n    policies: [\n        \"one\",\n        \"two\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.okta.AuthBackend(\"example\",\n    path=\"group_okta\",\n    organization=\"dummy\")\nfoo = vault.okta.AuthBackendGroup(\"foo\",\n    path=example.path,\n    group_name=\"foo\",\n    policies=[\n        \"one\",\n        \"two\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Okta.AuthBackend(\"example\", new()\n    {\n        Path = \"group_okta\",\n        Organization = \"dummy\",\n    });\n\n    var foo = new Vault.Okta.AuthBackendGroup(\"foo\", new()\n    {\n        Path = example.Path,\n        GroupName = \"foo\",\n        Policies = new[]\n        {\n            \"one\",\n            \"two\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/okta\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := okta.NewAuthBackend(ctx, \"example\", \u0026okta.AuthBackendArgs{\n\t\t\tPath:         pulumi.String(\"group_okta\"),\n\t\t\tOrganization: pulumi.String(\"dummy\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = okta.NewAuthBackendGroup(ctx, \"foo\", \u0026okta.AuthBackendGroupArgs{\n\t\t\tPath:      example.Path,\n\t\t\tGroupName: pulumi.String(\"foo\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"one\"),\n\t\t\t\tpulumi.String(\"two\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.okta.AuthBackend;\nimport com.pulumi.vault.okta.AuthBackendArgs;\nimport com.pulumi.vault.okta.AuthBackendGroup;\nimport com.pulumi.vault.okta.AuthBackendGroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackend(\"example\", AuthBackendArgs.builder()\n            .path(\"group_okta\")\n            .organization(\"dummy\")\n            .build());\n\n        var foo = new AuthBackendGroup(\"foo\", AuthBackendGroupArgs.builder()\n            .path(example.path())\n            .groupName(\"foo\")\n            .policies(            \n                \"one\",\n                \"two\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:okta:AuthBackend\n    properties:\n      path: group_okta\n      organization: dummy\n  foo:\n    type: vault:okta:AuthBackendGroup\n    properties:\n      path: ${example.path}\n      groupName: foo\n      policies:\n        - one\n        - two\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nOkta authentication backend groups can be imported using the format `backend/groupName` e.g.\n\n```sh\n$ pulumi import vault:okta/authBackendGroup:AuthBackendGroup foo okta/foo\n```\n","properties":{"groupName":{"type":"string","description":"Name of the group within the Okta\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"The path where the Okta auth backend is mounted\n"},"policies":{"type":"array","items":{"type":"string"},"description":"Vault policies to associate with this group\n"}},"required":["groupName","path"],"inputProperties":{"groupName":{"type":"string","description":"Name of the group within the Okta\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path where the Okta auth backend is mounted\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"Vault policies to associate with this group\n"}},"requiredInputs":["groupName","path"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendGroup resources.\n","properties":{"groupName":{"type":"string","description":"Name of the group within the Okta\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path where the Okta auth backend is mounted\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"Vault policies to associate with this group\n"}},"type":"object"}},"vault:okta/authBackendUser:AuthBackendUser":{"description":"Provides a resource to create a user in an\n[Okta auth backend within Vault](https://www.vaultproject.io/docs/auth/okta.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.okta.AuthBackend(\"example\", {\n    path: \"user_okta\",\n    organization: \"dummy\",\n});\nconst foo = new vault.okta.AuthBackendUser(\"foo\", {\n    path: example.path,\n    username: \"foo\",\n    groups: [\n        \"one\",\n        \"two\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.okta.AuthBackend(\"example\",\n    path=\"user_okta\",\n    organization=\"dummy\")\nfoo = vault.okta.AuthBackendUser(\"foo\",\n    path=example.path,\n    username=\"foo\",\n    groups=[\n        \"one\",\n        \"two\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Okta.AuthBackend(\"example\", new()\n    {\n        Path = \"user_okta\",\n        Organization = \"dummy\",\n    });\n\n    var foo = new Vault.Okta.AuthBackendUser(\"foo\", new()\n    {\n        Path = example.Path,\n        Username = \"foo\",\n        Groups = new[]\n        {\n            \"one\",\n            \"two\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/okta\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := okta.NewAuthBackend(ctx, \"example\", \u0026okta.AuthBackendArgs{\n\t\t\tPath:         pulumi.String(\"user_okta\"),\n\t\t\tOrganization: pulumi.String(\"dummy\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = okta.NewAuthBackendUser(ctx, \"foo\", \u0026okta.AuthBackendUserArgs{\n\t\t\tPath:     example.Path,\n\t\t\tUsername: pulumi.String(\"foo\"),\n\t\t\tGroups: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"one\"),\n\t\t\t\tpulumi.String(\"two\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.okta.AuthBackend;\nimport com.pulumi.vault.okta.AuthBackendArgs;\nimport com.pulumi.vault.okta.AuthBackendUser;\nimport com.pulumi.vault.okta.AuthBackendUserArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackend(\"example\", AuthBackendArgs.builder()\n            .path(\"user_okta\")\n            .organization(\"dummy\")\n            .build());\n\n        var foo = new AuthBackendUser(\"foo\", AuthBackendUserArgs.builder()\n            .path(example.path())\n            .username(\"foo\")\n            .groups(            \n                \"one\",\n                \"two\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:okta:AuthBackend\n    properties:\n      path: user_okta\n      organization: dummy\n  foo:\n    type: vault:okta:AuthBackendUser\n    properties:\n      path: ${example.path}\n      username: foo\n      groups:\n        - one\n        - two\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nOkta authentication backend users can be imported using its `path/user` ID format, e.g.\n\n```sh\n$ pulumi import vault:okta/authBackendUser:AuthBackendUser example okta/foo\n```\n","properties":{"groups":{"type":"array","items":{"type":"string"},"description":"List of Okta groups to associate with this user\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"The path where the Okta auth backend is mounted\n"},"policies":{"type":"array","items":{"type":"string"},"description":"List of Vault policies to associate with this user\n"},"username":{"type":"string","description":"Name of the user within Okta\n"}},"required":["path","username"],"inputProperties":{"groups":{"type":"array","items":{"type":"string"},"description":"List of Okta groups to associate with this user\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path where the Okta auth backend is mounted\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of Vault policies to associate with this user\n"},"username":{"type":"string","description":"Name of the user within Okta\n","willReplaceOnChanges":true}},"requiredInputs":["path","username"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendUser resources.\n","properties":{"groups":{"type":"array","items":{"type":"string"},"description":"List of Okta groups to associate with this user\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path where the Okta auth backend is mounted\n","willReplaceOnChanges":true},"policies":{"type":"array","items":{"type":"string"},"description":"List of Vault policies to associate with this user\n"},"username":{"type":"string","description":"Name of the user within Okta\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/backendAcmeEab:BackendAcmeEab":{"description":"Allows creating ACME EAB (External Account Binding) tokens and deleting unused ones.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.Mount(\"test\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst testBackendAcmeEab = new vault.pkisecret.BackendAcmeEab(\"test\", {backend: test.path});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.Mount(\"test\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\ntest_backend_acme_eab = vault.pkisecret.BackendAcmeEab(\"test\", backend=test.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.Mount(\"test\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var testBackendAcmeEab = new Vault.PkiSecret.BackendAcmeEab(\"test\", new()\n    {\n        Backend = test.Path,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttest, err := vault.NewMount(ctx, \"test\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendAcmeEab(ctx, \"test\", \u0026pkisecret.BackendAcmeEabArgs{\n\t\t\tBackend: test.Path,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.BackendAcmeEab;\nimport com.pulumi.vault.pkiSecret.BackendAcmeEabArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new Mount(\"test\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        var testBackendAcmeEab = new BackendAcmeEab(\"testBackendAcmeEab\", BackendAcmeEabArgs.builder()\n            .backend(test.path())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: PKI secret engine mount\n  testBackendAcmeEab:\n    type: vault:pkiSecret:BackendAcmeEab\n    name: test\n    properties:\n      backend: ${test.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAs EAB tokens are only available on initial creation there is no possibility to \n\nimport or update this resource.\n\n","properties":{"acmeDirectory":{"type":"string","description":"The ACME directory to which the key belongs\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\ncreate the EAB token within, with no leading or trailing `/`s.\n"},"createdOn":{"type":"string","description":"An RFC3339 formatted date time when the EAB token was created\n"},"eabId":{"type":"string","description":"The identifier of a specific ACME EAB token\n"},"issuer":{"type":"string","description":"Create an EAB token that is specific to an issuer's ACME directory.\n"},"key":{"type":"string","description":"The EAB token\n","secret":true},"keyType":{"type":"string","description":"The key type of the EAB key\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"role":{"type":"string","description":"Create an EAB token that is specific to a role's ACME directory.\n\n**NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with;\n\n1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters.\n2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter\n3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter\n4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters\n"}},"required":["acmeDirectory","backend","createdOn","eabId","key","keyType"],"inputProperties":{"backend":{"type":"string","description":"The path to the PKI secret backend to\ncreate the EAB token within, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"issuer":{"type":"string","description":"Create an EAB token that is specific to an issuer's ACME directory.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"Create an EAB token that is specific to a role's ACME directory.\n\n**NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with;\n\n1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters.\n2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter\n3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter\n4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters\n","willReplaceOnChanges":true}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering BackendAcmeEab resources.\n","properties":{"acmeDirectory":{"type":"string","description":"The ACME directory to which the key belongs\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\ncreate the EAB token within, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"createdOn":{"type":"string","description":"An RFC3339 formatted date time when the EAB token was created\n"},"eabId":{"type":"string","description":"The identifier of a specific ACME EAB token\n"},"issuer":{"type":"string","description":"Create an EAB token that is specific to an issuer's ACME directory.\n","willReplaceOnChanges":true},"key":{"type":"string","description":"The EAB token\n","secret":true},"keyType":{"type":"string","description":"The key type of the EAB key\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"Create an EAB token that is specific to a role's ACME directory.\n\n**NOTE**: Within Vault ACME there are different ACME directories which an EAB token is associated with;\n\n1. Default directory (`pki/acme/`) - Do not specify a value for issuer nor role parameters.\n2. Issuer specific (`pki/issuer/:issuer_ref/acme/`) - Specify a value for the issuer parameter\n3. Role specific (`pki/roles/:role/acme/`) - Specify a value for the role parameter\n4. Issuer and Role specific (`pki/issuer/:issuer_ref/roles/:role/acme/`) - Specify a value for both the issuer and role parameters\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/backendConfigAcme:BackendConfigAcme":{"description":"Allows setting the ACME server configuration used by specified mount.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\nconst pkiConfigCluster = new vault.pkisecret.BackendConfigCluster(\"pki_config_cluster\", {\n    backend: pki.path,\n    path: \"http://127.0.0.1:8200/v1/pki\",\n    aiaPath: \"http://127.0.0.1:8200/v1/pki\",\n});\nconst example = new vault.pkisecret.BackendConfigAcme(\"example\", {\n    backend: pki.path,\n    enabled: true,\n    allowedIssuers: [\"*\"],\n    allowedRoles: [\"*\"],\n    allowRoleExtKeyUsage: false,\n    defaultDirectoryPolicy: \"sign-verbatim\",\n    dnsResolver: \"\",\n    eabPolicy: \"not-required\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\npki_config_cluster = vault.pkisecret.BackendConfigCluster(\"pki_config_cluster\",\n    backend=pki.path,\n    path=\"http://127.0.0.1:8200/v1/pki\",\n    aia_path=\"http://127.0.0.1:8200/v1/pki\")\nexample = vault.pkisecret.BackendConfigAcme(\"example\",\n    backend=pki.path,\n    enabled=True,\n    allowed_issuers=[\"*\"],\n    allowed_roles=[\"*\"],\n    allow_role_ext_key_usage=False,\n    default_directory_policy=\"sign-verbatim\",\n    dns_resolver=\"\",\n    eab_policy=\"not-required\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var pkiConfigCluster = new Vault.PkiSecret.BackendConfigCluster(\"pki_config_cluster\", new()\n    {\n        Backend = pki.Path,\n        Path = \"http://127.0.0.1:8200/v1/pki\",\n        AiaPath = \"http://127.0.0.1:8200/v1/pki\",\n    });\n\n    var example = new Vault.PkiSecret.BackendConfigAcme(\"example\", new()\n    {\n        Backend = pki.Path,\n        Enabled = true,\n        AllowedIssuers = new[]\n        {\n            \"*\",\n        },\n        AllowedRoles = new[]\n        {\n            \"*\",\n        },\n        AllowRoleExtKeyUsage = false,\n        DefaultDirectoryPolicy = \"sign-verbatim\",\n        DnsResolver = \"\",\n        EabPolicy = \"not-required\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigCluster(ctx, \"pki_config_cluster\", \u0026pkisecret.BackendConfigClusterArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tPath:    pulumi.String(\"http://127.0.0.1:8200/v1/pki\"),\n\t\t\tAiaPath: pulumi.String(\"http://127.0.0.1:8200/v1/pki\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigAcme(ctx, \"example\", \u0026pkisecret.BackendConfigAcmeArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tAllowedIssuers: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tAllowRoleExtKeyUsage:   pulumi.Bool(false),\n\t\t\tDefaultDirectoryPolicy: pulumi.String(\"sign-verbatim\"),\n\t\t\tDnsResolver:            pulumi.String(\"\"),\n\t\t\tEabPolicy:              pulumi.String(\"not-required\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigCluster;\nimport com.pulumi.vault.pkiSecret.BackendConfigClusterArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigAcme;\nimport com.pulumi.vault.pkiSecret.BackendConfigAcmeArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var pkiConfigCluster = new BackendConfigCluster(\"pkiConfigCluster\", BackendConfigClusterArgs.builder()\n            .backend(pki.path())\n            .path(\"http://127.0.0.1:8200/v1/pki\")\n            .aiaPath(\"http://127.0.0.1:8200/v1/pki\")\n            .build());\n\n        var example = new BackendConfigAcme(\"example\", BackendConfigAcmeArgs.builder()\n            .backend(pki.path())\n            .enabled(true)\n            .allowedIssuers(\"*\")\n            .allowedRoles(\"*\")\n            .allowRoleExtKeyUsage(false)\n            .defaultDirectoryPolicy(\"sign-verbatim\")\n            .dnsResolver(\"\")\n            .eabPolicy(\"not-required\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  pkiConfigCluster:\n    type: vault:pkiSecret:BackendConfigCluster\n    name: pki_config_cluster\n    properties:\n      backend: ${pki.path}\n      path: http://127.0.0.1:8200/v1/pki\n      aiaPath: http://127.0.0.1:8200/v1/pki\n  example:\n    type: vault:pkiSecret:BackendConfigAcme\n    properties:\n      backend: ${pki.path}\n      enabled: true\n      allowedIssuers:\n        - '*'\n      allowedRoles:\n        - '*'\n      allowRoleExtKeyUsage: false\n      defaultDirectoryPolicy: sign-verbatim\n      dnsResolver: \"\"\n      eabPolicy: not-required\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe ACME configuration can be imported using the resource's `id`.\nIn the case of the example above the `id` would be `pki/config/acme`,\nwhere the `pki` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/backendConfigAcme:BackendConfigAcme example pki/config/acme\n```\n","properties":{"allowRoleExtKeyUsage":{"type":"boolean","description":"Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+**\n"},"allowedIssuers":{"type":"array","items":{"type":"string"},"description":"Specifies which issuers are allowed for use with ACME.\n"},"allowedRoles":{"type":"array","items":{"type":"string"},"description":"Specifies which roles are allowed for use with ACME.\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n"},"defaultDirectoryPolicy":{"type":"string","description":"Specifies the policy to be used for non-role-qualified ACME requests.\nAllowed values are \u003cspan pulumi-lang-nodejs=\"`forbid`\" pulumi-lang-dotnet=\"`Forbid`\" pulumi-lang-go=\"`forbid`\" pulumi-lang-python=\"`forbid`\" pulumi-lang-yaml=\"`forbid`\" pulumi-lang-java=\"`forbid`\"\u003e`forbid`\u003c/span\u003e, `sign-verbatim`, `role:\u003crole_name\u003e`, `external-policy` or `external-policy:\u003cpolicy\u003e`.\n"},"dnsResolver":{"type":"string","description":"DNS resolver to use for domain resolution on this mount.\nMust be in the format `\u003chost\u003e:\u003cport\u003e`, with both parts mandatory.\n"},"eabPolicy":{"type":"string","description":"Specifies the policy to use for external account binding behaviour.\nAllowed values are `not-required`, `new-account-required` or `always-required`.\n"},"enabled":{"type":"boolean","description":"Specifies whether ACME is enabled.\n"},"maxTtl":{"type":"integer","description":"The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["allowedIssuers","allowedRoles","backend","defaultDirectoryPolicy","eabPolicy","enabled","maxTtl"],"inputProperties":{"allowRoleExtKeyUsage":{"type":"boolean","description":"Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+**\n"},"allowedIssuers":{"type":"array","items":{"type":"string"},"description":"Specifies which issuers are allowed for use with ACME.\n"},"allowedRoles":{"type":"array","items":{"type":"string"},"description":"Specifies which roles are allowed for use with ACME.\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"defaultDirectoryPolicy":{"type":"string","description":"Specifies the policy to be used for non-role-qualified ACME requests.\nAllowed values are \u003cspan pulumi-lang-nodejs=\"`forbid`\" pulumi-lang-dotnet=\"`Forbid`\" pulumi-lang-go=\"`forbid`\" pulumi-lang-python=\"`forbid`\" pulumi-lang-yaml=\"`forbid`\" pulumi-lang-java=\"`forbid`\"\u003e`forbid`\u003c/span\u003e, `sign-verbatim`, `role:\u003crole_name\u003e`, `external-policy` or `external-policy:\u003cpolicy\u003e`.\n"},"dnsResolver":{"type":"string","description":"DNS resolver to use for domain resolution on this mount.\nMust be in the format `\u003chost\u003e:\u003cport\u003e`, with both parts mandatory.\n"},"eabPolicy":{"type":"string","description":"Specifies the policy to use for external account binding behaviour.\nAllowed values are `not-required`, `new-account-required` or `always-required`.\n"},"enabled":{"type":"boolean","description":"Specifies whether ACME is enabled.\n"},"maxTtl":{"type":"integer","description":"The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["backend","enabled"],"stateInputs":{"description":"Input properties used for looking up and filtering BackendConfigAcme resources.\n","properties":{"allowRoleExtKeyUsage":{"type":"boolean","description":"Specifies whether the ExtKeyUsage field from a role is used. **Vault 1.14.1+**\n"},"allowedIssuers":{"type":"array","items":{"type":"string"},"description":"Specifies which issuers are allowed for use with ACME.\n"},"allowedRoles":{"type":"array","items":{"type":"string"},"description":"Specifies which roles are allowed for use with ACME.\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"defaultDirectoryPolicy":{"type":"string","description":"Specifies the policy to be used for non-role-qualified ACME requests.\nAllowed values are \u003cspan pulumi-lang-nodejs=\"`forbid`\" pulumi-lang-dotnet=\"`Forbid`\" pulumi-lang-go=\"`forbid`\" pulumi-lang-python=\"`forbid`\" pulumi-lang-yaml=\"`forbid`\" pulumi-lang-java=\"`forbid`\"\u003e`forbid`\u003c/span\u003e, `sign-verbatim`, `role:\u003crole_name\u003e`, `external-policy` or `external-policy:\u003cpolicy\u003e`.\n"},"dnsResolver":{"type":"string","description":"DNS resolver to use for domain resolution on this mount.\nMust be in the format `\u003chost\u003e:\u003cport\u003e`, with both parts mandatory.\n"},"eabPolicy":{"type":"string","description":"Specifies the policy to use for external account binding behaviour.\nAllowed values are `not-required`, `new-account-required` or `always-required`.\n"},"enabled":{"type":"boolean","description":"Specifies whether ACME is enabled.\n"},"maxTtl":{"type":"integer","description":"The maximum TTL in seconds for certificates issued by ACME. **Vault 1.17.0+**\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/backendConfigAutoTidy:BackendConfigAutoTidy":{"description":"Allows setting the Auto Tidy configuration on a PKI Secret Backend\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\nconst test = new vault.pkisecret.BackendConfigAutoTidy(\"test\", {\n    backend: pki.path,\n    enabled: true,\n    tidyCertStore: true,\n    intervalDuration: \"1h\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\ntest = vault.pkisecret.BackendConfigAutoTidy(\"test\",\n    backend=pki.path,\n    enabled=True,\n    tidy_cert_store=True,\n    interval_duration=\"1h\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var test = new Vault.PkiSecret.BackendConfigAutoTidy(\"test\", new()\n    {\n        Backend = pki.Path,\n        Enabled = true,\n        TidyCertStore = true,\n        IntervalDuration = \"1h\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigAutoTidy(ctx, \"test\", \u0026pkisecret.BackendConfigAutoTidyArgs{\n\t\t\tBackend:          pki.Path,\n\t\t\tEnabled:          pulumi.Bool(true),\n\t\t\tTidyCertStore:    pulumi.Bool(true),\n\t\t\tIntervalDuration: pulumi.String(\"1h\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigAutoTidy;\nimport com.pulumi.vault.pkiSecret.BackendConfigAutoTidyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var test = new BackendConfigAutoTidy(\"test\", BackendConfigAutoTidyArgs.builder()\n            .backend(pki.path())\n            .enabled(true)\n            .tidyCertStore(true)\n            .intervalDuration(\"1h\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  test:\n    type: vault:pkiSecret:BackendConfigAutoTidy\n    properties:\n      backend: ${pki.path}\n      enabled: true\n      tidyCertStore: true\n      intervalDuration: 1h\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"acmeAccountSafetyBuffer":{"type":"string","description":"The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated."},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the configuration from, with no leading or trailing `/`s.\n"},"enabled":{"type":"boolean","description":"Specifies whether automatic tidy is enabled or not.\n"},"intervalDuration":{"type":"string","description":"Interval at which to run an auto-tidy operation. This is the time\nbetween tidy invocations (after one finishes to the start of the next).\n"},"issuerSafetyBuffer":{"type":"string","description":"The amount of extra time that must have passed beyond issuer's\nexpiration before it is removed from the backend storage.\n"},"maintainStoredCertificateCounts":{"type":"boolean","description":"This configures whether stored certificate are\ncounted upon initialization of the backend, and whether during normal operation, a running count\nof certificates stored is maintained.\n"},"maxStartupBackoffDuration":{"type":"string","description":"The maximum amount of time auto-tidy will be delayed\nafter startup.\n"},"minStartupBackoffDuration":{"type":"string","description":"The minimum amount of time auto-tidy will be delayed\nafter startup.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"pauseDuration":{"type":"string","description":"The amount of time to wait between processing certificates.\n"},"publishStoredCertificateCountMetrics":{"type":"boolean","description":"This configures whether the stored\ncertificate count is published to the metrics consumer.\n"},"revocationQueueSafetyBuffer":{"type":"string","description":"The amount of time that must pass from the\ncross-cluster revocation request being initiated to when it will be slated for removal.\n"},"safetyBuffer":{"type":"string","description":"The amount of extra time that must have passed beyond certificate\nexpiration before it is removed from the backend storage and/or revocation list.\n"},"tidyAcme":{"type":"boolean","description":"Set to true to enable tidying ACME accounts, orders and authorizations.\n"},"tidyCertMetadata":{"type":"boolean","description":"Set to true to enable tidying up certificate metadata.\n"},"tidyCertStore":{"type":"boolean","description":"Set to true to enable tidying up the certificate store\n"},"tidyCmpv2NonceStore":{"type":"boolean","description":"Set to true to enable tidying up the CMPv2 nonce store.\n"},"tidyCrossClusterRevokedCerts":{"type":"boolean","description":"Set to true to enable tidying up the cross-cluster\nrevoked certificate store.\n"},"tidyExpiredIssuers":{"type":"boolean","description":"Set to true to automatically remove expired issuers past the\n\u003cspan pulumi-lang-nodejs=\"`issuerSafetyBuffer`\" pulumi-lang-dotnet=\"`IssuerSafetyBuffer`\" pulumi-lang-go=\"`issuerSafetyBuffer`\" pulumi-lang-python=\"`issuer_safety_buffer`\" pulumi-lang-yaml=\"`issuerSafetyBuffer`\" pulumi-lang-java=\"`issuerSafetyBuffer`\"\u003e`issuer_safety_buffer`\u003c/span\u003e. No keys will be removed as part of this operation.\n"},"tidyMoveLegacyCaBundle":{"type":"boolean","description":"Set to true to move the legacy \u003cspan pulumi-lang-nodejs=\"`caBundle`\" pulumi-lang-dotnet=\"`CaBundle`\" pulumi-lang-go=\"`caBundle`\" pulumi-lang-python=\"`ca_bundle`\" pulumi-lang-yaml=\"`caBundle`\" pulumi-lang-java=\"`caBundle`\"\u003e`ca_bundle`\u003c/span\u003e from\n`/config/ca_bundle` to `/config/ca_bundle.bak`.\n"},"tidyRevocationQueue":{"type":"boolean","description":"Set to true to remove stale revocation queue entries that\nhaven't been confirmed by any active cluster.\n"},"tidyRevokedCertIssuerAssociations":{"type":"boolean","description":"Set to true to validate issuer associations\non revocation entries. This helps increase the performance of CRL building and OCSP responses.\n"},"tidyRevokedCerts":{"type":"boolean","description":"Set to true to remove all invalid and expired certificates from\nstorage. A revoked storage entry is considered invalid if the entry is empty, or the value within\nthe entry is empty. If a certificate is removed due to expiry, the entry will also be removed from\nthe CRL, and the CRL will be rotated.\n"}},"required":["acmeAccountSafetyBuffer","backend","enabled","intervalDuration","issuerSafetyBuffer","maxStartupBackoffDuration","minStartupBackoffDuration","pauseDuration","revocationQueueSafetyBuffer","safetyBuffer"],"inputProperties":{"acmeAccountSafetyBuffer":{"type":"string","description":"The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated."},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the configuration from, with no leading or trailing `/`s.\n"},"enabled":{"type":"boolean","description":"Specifies whether automatic tidy is enabled or not.\n"},"intervalDuration":{"type":"string","description":"Interval at which to run an auto-tidy operation. This is the time\nbetween tidy invocations (after one finishes to the start of the next).\n"},"issuerSafetyBuffer":{"type":"string","description":"The amount of extra time that must have passed beyond issuer's\nexpiration before it is removed from the backend storage.\n"},"maintainStoredCertificateCounts":{"type":"boolean","description":"This configures whether stored certificate are\ncounted upon initialization of the backend, and whether during normal operation, a running count\nof certificates stored is maintained.\n"},"maxStartupBackoffDuration":{"type":"string","description":"The maximum amount of time auto-tidy will be delayed\nafter startup.\n"},"minStartupBackoffDuration":{"type":"string","description":"The minimum amount of time auto-tidy will be delayed\nafter startup.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pauseDuration":{"type":"string","description":"The amount of time to wait between processing certificates.\n"},"publishStoredCertificateCountMetrics":{"type":"boolean","description":"This configures whether the stored\ncertificate count is published to the metrics consumer.\n"},"revocationQueueSafetyBuffer":{"type":"string","description":"The amount of time that must pass from the\ncross-cluster revocation request being initiated to when it will be slated for removal.\n"},"safetyBuffer":{"type":"string","description":"The amount of extra time that must have passed beyond certificate\nexpiration before it is removed from the backend storage and/or revocation list.\n"},"tidyAcme":{"type":"boolean","description":"Set to true to enable tidying ACME accounts, orders and authorizations.\n"},"tidyCertMetadata":{"type":"boolean","description":"Set to true to enable tidying up certificate metadata.\n"},"tidyCertStore":{"type":"boolean","description":"Set to true to enable tidying up the certificate store\n"},"tidyCmpv2NonceStore":{"type":"boolean","description":"Set to true to enable tidying up the CMPv2 nonce store.\n"},"tidyCrossClusterRevokedCerts":{"type":"boolean","description":"Set to true to enable tidying up the cross-cluster\nrevoked certificate store.\n"},"tidyExpiredIssuers":{"type":"boolean","description":"Set to true to automatically remove expired issuers past the\n\u003cspan pulumi-lang-nodejs=\"`issuerSafetyBuffer`\" pulumi-lang-dotnet=\"`IssuerSafetyBuffer`\" pulumi-lang-go=\"`issuerSafetyBuffer`\" pulumi-lang-python=\"`issuer_safety_buffer`\" pulumi-lang-yaml=\"`issuerSafetyBuffer`\" pulumi-lang-java=\"`issuerSafetyBuffer`\"\u003e`issuer_safety_buffer`\u003c/span\u003e. No keys will be removed as part of this operation.\n"},"tidyMoveLegacyCaBundle":{"type":"boolean","description":"Set to true to move the legacy \u003cspan pulumi-lang-nodejs=\"`caBundle`\" pulumi-lang-dotnet=\"`CaBundle`\" pulumi-lang-go=\"`caBundle`\" pulumi-lang-python=\"`ca_bundle`\" pulumi-lang-yaml=\"`caBundle`\" pulumi-lang-java=\"`caBundle`\"\u003e`ca_bundle`\u003c/span\u003e from\n`/config/ca_bundle` to `/config/ca_bundle.bak`.\n"},"tidyRevocationQueue":{"type":"boolean","description":"Set to true to remove stale revocation queue entries that\nhaven't been confirmed by any active cluster.\n"},"tidyRevokedCertIssuerAssociations":{"type":"boolean","description":"Set to true to validate issuer associations\non revocation entries. This helps increase the performance of CRL building and OCSP responses.\n"},"tidyRevokedCerts":{"type":"boolean","description":"Set to true to remove all invalid and expired certificates from\nstorage. A revoked storage entry is considered invalid if the entry is empty, or the value within\nthe entry is empty. If a certificate is removed due to expiry, the entry will also be removed from\nthe CRL, and the CRL will be rotated.\n"}},"requiredInputs":["backend","enabled"],"stateInputs":{"description":"Input properties used for looking up and filtering BackendConfigAutoTidy resources.\n","properties":{"acmeAccountSafetyBuffer":{"type":"string","description":"The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated."},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the configuration from, with no leading or trailing `/`s.\n"},"enabled":{"type":"boolean","description":"Specifies whether automatic tidy is enabled or not.\n"},"intervalDuration":{"type":"string","description":"Interval at which to run an auto-tidy operation. This is the time\nbetween tidy invocations (after one finishes to the start of the next).\n"},"issuerSafetyBuffer":{"type":"string","description":"The amount of extra time that must have passed beyond issuer's\nexpiration before it is removed from the backend storage.\n"},"maintainStoredCertificateCounts":{"type":"boolean","description":"This configures whether stored certificate are\ncounted upon initialization of the backend, and whether during normal operation, a running count\nof certificates stored is maintained.\n"},"maxStartupBackoffDuration":{"type":"string","description":"The maximum amount of time auto-tidy will be delayed\nafter startup.\n"},"minStartupBackoffDuration":{"type":"string","description":"The minimum amount of time auto-tidy will be delayed\nafter startup.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pauseDuration":{"type":"string","description":"The amount of time to wait between processing certificates.\n"},"publishStoredCertificateCountMetrics":{"type":"boolean","description":"This configures whether the stored\ncertificate count is published to the metrics consumer.\n"},"revocationQueueSafetyBuffer":{"type":"string","description":"The amount of time that must pass from the\ncross-cluster revocation request being initiated to when it will be slated for removal.\n"},"safetyBuffer":{"type":"string","description":"The amount of extra time that must have passed beyond certificate\nexpiration before it is removed from the backend storage and/or revocation list.\n"},"tidyAcme":{"type":"boolean","description":"Set to true to enable tidying ACME accounts, orders and authorizations.\n"},"tidyCertMetadata":{"type":"boolean","description":"Set to true to enable tidying up certificate metadata.\n"},"tidyCertStore":{"type":"boolean","description":"Set to true to enable tidying up the certificate store\n"},"tidyCmpv2NonceStore":{"type":"boolean","description":"Set to true to enable tidying up the CMPv2 nonce store.\n"},"tidyCrossClusterRevokedCerts":{"type":"boolean","description":"Set to true to enable tidying up the cross-cluster\nrevoked certificate store.\n"},"tidyExpiredIssuers":{"type":"boolean","description":"Set to true to automatically remove expired issuers past the\n\u003cspan pulumi-lang-nodejs=\"`issuerSafetyBuffer`\" pulumi-lang-dotnet=\"`IssuerSafetyBuffer`\" pulumi-lang-go=\"`issuerSafetyBuffer`\" pulumi-lang-python=\"`issuer_safety_buffer`\" pulumi-lang-yaml=\"`issuerSafetyBuffer`\" pulumi-lang-java=\"`issuerSafetyBuffer`\"\u003e`issuer_safety_buffer`\u003c/span\u003e. No keys will be removed as part of this operation.\n"},"tidyMoveLegacyCaBundle":{"type":"boolean","description":"Set to true to move the legacy \u003cspan pulumi-lang-nodejs=\"`caBundle`\" pulumi-lang-dotnet=\"`CaBundle`\" pulumi-lang-go=\"`caBundle`\" pulumi-lang-python=\"`ca_bundle`\" pulumi-lang-yaml=\"`caBundle`\" pulumi-lang-java=\"`caBundle`\"\u003e`ca_bundle`\u003c/span\u003e from\n`/config/ca_bundle` to `/config/ca_bundle.bak`.\n"},"tidyRevocationQueue":{"type":"boolean","description":"Set to true to remove stale revocation queue entries that\nhaven't been confirmed by any active cluster.\n"},"tidyRevokedCertIssuerAssociations":{"type":"boolean","description":"Set to true to validate issuer associations\non revocation entries. This helps increase the performance of CRL building and OCSP responses.\n"},"tidyRevokedCerts":{"type":"boolean","description":"Set to true to remove all invalid and expired certificates from\nstorage. A revoked storage entry is considered invalid if the entry is empty, or the value within\nthe entry is empty. If a certificate is removed due to expiry, the entry will also be removed from\nthe CRL, and the CRL will be rotated.\n"}},"type":"object"}},"vault:pkiSecret/backendConfigCluster:BackendConfigCluster":{"description":"Allows setting the cluster-local's API mount path and AIA distribution point on a particular performance replication cluster.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst root = new vault.Mount(\"root\", {\n    path: \"pki-root\",\n    type: \"pki\",\n    description: \"root PKI\",\n    defaultLeaseTtlSeconds: 8640000,\n    maxLeaseTtlSeconds: 8640000,\n});\nconst example = new vault.pkisecret.BackendConfigCluster(\"example\", {\n    backend: root.path,\n    path: \"http://127.0.0.1:8200/v1/pki-root\",\n    aiaPath: \"http://127.0.0.1:8200/v1/pki-root\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nroot = vault.Mount(\"root\",\n    path=\"pki-root\",\n    type=\"pki\",\n    description=\"root PKI\",\n    default_lease_ttl_seconds=8640000,\n    max_lease_ttl_seconds=8640000)\nexample = vault.pkisecret.BackendConfigCluster(\"example\",\n    backend=root.path,\n    path=\"http://127.0.0.1:8200/v1/pki-root\",\n    aia_path=\"http://127.0.0.1:8200/v1/pki-root\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var root = new Vault.Mount(\"root\", new()\n    {\n        Path = \"pki-root\",\n        Type = \"pki\",\n        Description = \"root PKI\",\n        DefaultLeaseTtlSeconds = 8640000,\n        MaxLeaseTtlSeconds = 8640000,\n    });\n\n    var example = new Vault.PkiSecret.BackendConfigCluster(\"example\", new()\n    {\n        Backend = root.Path,\n        Path = \"http://127.0.0.1:8200/v1/pki-root\",\n        AiaPath = \"http://127.0.0.1:8200/v1/pki-root\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\troot, err := vault.NewMount(ctx, \"root\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki-root\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDescription:            pulumi.String(\"root PKI\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(8640000),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(8640000),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigCluster(ctx, \"example\", \u0026pkisecret.BackendConfigClusterArgs{\n\t\t\tBackend: root.Path,\n\t\t\tPath:    pulumi.String(\"http://127.0.0.1:8200/v1/pki-root\"),\n\t\t\tAiaPath: pulumi.String(\"http://127.0.0.1:8200/v1/pki-root\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigCluster;\nimport com.pulumi.vault.pkiSecret.BackendConfigClusterArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var root = new Mount(\"root\", MountArgs.builder()\n            .path(\"pki-root\")\n            .type(\"pki\")\n            .description(\"root PKI\")\n            .defaultLeaseTtlSeconds(8640000)\n            .maxLeaseTtlSeconds(8640000)\n            .build());\n\n        var example = new BackendConfigCluster(\"example\", BackendConfigClusterArgs.builder()\n            .backend(root.path())\n            .path(\"http://127.0.0.1:8200/v1/pki-root\")\n            .aiaPath(\"http://127.0.0.1:8200/v1/pki-root\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  root:\n    type: vault:Mount\n    properties:\n      path: pki-root\n      type: pki\n      description: root PKI\n      defaultLeaseTtlSeconds: 8.64e+06\n      maxLeaseTtlSeconds: 8.64e+06\n  example:\n    type: vault:pkiSecret:BackendConfigCluster\n    properties:\n      backend: ${root.path}\n      path: http://127.0.0.1:8200/v1/pki-root\n      aiaPath: http://127.0.0.1:8200/v1/pki-root\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe PKI config cluster can be imported using the resource's `id`.\nIn the case of the example above the `id` would be `pki-root/config/cluster`,\nwhere the `pki-root` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/backendConfigCluster:BackendConfigCluster example pki-root/config/cluster\n```\n","properties":{"aiaPath":{"type":"string","description":"Specifies the path to this performance replication cluster's AIA distribution point.\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Specifies the path to this performance replication cluster's API mount path.\n"}},"required":["backend"],"inputProperties":{"aiaPath":{"type":"string","description":"Specifies the path to this performance replication cluster's AIA distribution point.\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Specifies the path to this performance replication cluster's API mount path.\n"}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering BackendConfigCluster resources.\n","properties":{"aiaPath":{"type":"string","description":"Specifies the path to this performance replication cluster's AIA distribution point.\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Specifies the path to this performance replication cluster's API mount path.\n"}},"type":"object"}},"vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2":{"description":"Allows setting the CMPv2 configuration on a PKI Secret Backend\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki-root\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst cmpv2Role = new vault.pkisecret.SecretBackendRole(\"cmpv2_role\", {\n    backend: pki.path,\n    name: \"cmpv2-role\",\n    ttl: \"3600\",\n    keyType: \"ec\",\n    keyBits: 256,\n});\nconst cmpv2Role2 = new vault.pkisecret.SecretBackendRole(\"cmpv2_role_2\", {\n    backend: pki.path,\n    name: \"cmpv2-role-2\",\n    ttl: \"3600\",\n    keyType: \"ec\",\n    keyBits: 256,\n});\nconst example = new vault.pkisecret.BackendConfigCmpv2(\"example\", {\n    backend: pki.path,\n    enabled: true,\n    defaultPathPolicy: std.format({\n        input: \"role:%s\",\n        args: [cmpv2Role.name],\n    }).then(invoke =\u003e invoke.result),\n    authenticators: {\n        cert: {\n            accessor: \"test\",\n            cert_role: \"cert-auth-role\",\n        },\n    },\n    enableSentinelParsing: true,\n    auditFields: [\n        \"csr\",\n        \"common_name\",\n        \"alt_names\",\n        \"ip_sans\",\n        \"uri_sans\",\n        \"other_sans\",\n        \"signature_bits\",\n        \"exclude_cn_from_sans\",\n        \"ou\",\n        \"organization\",\n        \"country\",\n        \"locality\",\n        \"province\",\n        \"street_address\",\n        \"postal_code\",\n        \"serial_number\",\n        \"use_pss\",\n        \"key_type\",\n        \"key_bits\",\n        \"add_basic_constraints\",\n    ],\n    disabledValidations: [\"DisableMatchingKeyIdValidation\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki-root\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\ncmpv2_role = vault.pkisecret.SecretBackendRole(\"cmpv2_role\",\n    backend=pki.path,\n    name=\"cmpv2-role\",\n    ttl=\"3600\",\n    key_type=\"ec\",\n    key_bits=256)\ncmpv2_role2 = vault.pkisecret.SecretBackendRole(\"cmpv2_role_2\",\n    backend=pki.path,\n    name=\"cmpv2-role-2\",\n    ttl=\"3600\",\n    key_type=\"ec\",\n    key_bits=256)\nexample = vault.pkisecret.BackendConfigCmpv2(\"example\",\n    backend=pki.path,\n    enabled=True,\n    default_path_policy=std.format(input=\"role:%s\",\n        args=[cmpv2_role.name]).result,\n    authenticators={\n        \"cert\": {\n            \"accessor\": \"test\",\n            \"cert_role\": \"cert-auth-role\",\n        },\n    },\n    enable_sentinel_parsing=True,\n    audit_fields=[\n        \"csr\",\n        \"common_name\",\n        \"alt_names\",\n        \"ip_sans\",\n        \"uri_sans\",\n        \"other_sans\",\n        \"signature_bits\",\n        \"exclude_cn_from_sans\",\n        \"ou\",\n        \"organization\",\n        \"country\",\n        \"locality\",\n        \"province\",\n        \"street_address\",\n        \"postal_code\",\n        \"serial_number\",\n        \"use_pss\",\n        \"key_type\",\n        \"key_bits\",\n        \"add_basic_constraints\",\n    ],\n    disabled_validations=[\"DisableMatchingKeyIdValidation\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki-root\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var cmpv2Role = new Vault.PkiSecret.SecretBackendRole(\"cmpv2_role\", new()\n    {\n        Backend = pki.Path,\n        Name = \"cmpv2-role\",\n        Ttl = \"3600\",\n        KeyType = \"ec\",\n        KeyBits = 256,\n    });\n\n    var cmpv2Role2 = new Vault.PkiSecret.SecretBackendRole(\"cmpv2_role_2\", new()\n    {\n        Backend = pki.Path,\n        Name = \"cmpv2-role-2\",\n        Ttl = \"3600\",\n        KeyType = \"ec\",\n        KeyBits = 256,\n    });\n\n    var example = new Vault.PkiSecret.BackendConfigCmpv2(\"example\", new()\n    {\n        Backend = pki.Path,\n        Enabled = true,\n        DefaultPathPolicy = Std.Format.Invoke(new()\n        {\n            Input = \"role:%s\",\n            Args = new[]\n            {\n                cmpv2Role.Name,\n            },\n        }).Apply(invoke =\u003e invoke.Result),\n        Authenticators = new Vault.PkiSecret.Inputs.BackendConfigCmpv2AuthenticatorsArgs\n        {\n            Cert = \n            {\n                { \"accessor\", \"test\" },\n                { \"cert_role\", \"cert-auth-role\" },\n            },\n        },\n        EnableSentinelParsing = true,\n        AuditFields = new[]\n        {\n            \"csr\",\n            \"common_name\",\n            \"alt_names\",\n            \"ip_sans\",\n            \"uri_sans\",\n            \"other_sans\",\n            \"signature_bits\",\n            \"exclude_cn_from_sans\",\n            \"ou\",\n            \"organization\",\n            \"country\",\n            \"locality\",\n            \"province\",\n            \"street_address\",\n            \"postal_code\",\n            \"serial_number\",\n            \"use_pss\",\n            \"key_type\",\n            \"key_bits\",\n            \"add_basic_constraints\",\n        },\n        DisabledValidations = new[]\n        {\n            \"DisableMatchingKeyIdValidation\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki-root\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcmpv2Role, err := pkisecret.NewSecretBackendRole(ctx, \"cmpv2_role\", \u0026pkisecret.SecretBackendRoleArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tName:    pulumi.String(\"cmpv2-role\"),\n\t\t\tTtl:     pulumi.String(\"3600\"),\n\t\t\tKeyType: pulumi.String(\"ec\"),\n\t\t\tKeyBits: pulumi.Int(256),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewSecretBackendRole(ctx, \"cmpv2_role_2\", \u0026pkisecret.SecretBackendRoleArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tName:    pulumi.String(\"cmpv2-role-2\"),\n\t\t\tTtl:     pulumi.String(\"3600\"),\n\t\t\tKeyType: pulumi.String(\"ec\"),\n\t\t\tKeyBits: pulumi.Int(256),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFormat, err := std.Format(ctx, \u0026std.FormatArgs{\n\t\t\tInput: \"role:%s\",\n\t\t\tArgs: pulumi.StringArray{\n\t\t\t\tcmpv2Role.Name,\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigCmpv2(ctx, \"example\", \u0026pkisecret.BackendConfigCmpv2Args{\n\t\t\tBackend:           pki.Path,\n\t\t\tEnabled:           pulumi.Bool(true),\n\t\t\tDefaultPathPolicy: pulumi.String(invokeFormat.Result),\n\t\t\tAuthenticators: \u0026pkisecret.BackendConfigCmpv2AuthenticatorsArgs{\n\t\t\t\tCert: pulumi.StringMap{\n\t\t\t\t\t\"accessor\":  pulumi.String(\"test\"),\n\t\t\t\t\t\"cert_role\": pulumi.String(\"cert-auth-role\"),\n\t\t\t\t},\n\t\t\t},\n\t\t\tEnableSentinelParsing: pulumi.Bool(true),\n\t\t\tAuditFields: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"csr\"),\n\t\t\t\tpulumi.String(\"common_name\"),\n\t\t\t\tpulumi.String(\"alt_names\"),\n\t\t\t\tpulumi.String(\"ip_sans\"),\n\t\t\t\tpulumi.String(\"uri_sans\"),\n\t\t\t\tpulumi.String(\"other_sans\"),\n\t\t\t\tpulumi.String(\"signature_bits\"),\n\t\t\t\tpulumi.String(\"exclude_cn_from_sans\"),\n\t\t\t\tpulumi.String(\"ou\"),\n\t\t\t\tpulumi.String(\"organization\"),\n\t\t\t\tpulumi.String(\"country\"),\n\t\t\t\tpulumi.String(\"locality\"),\n\t\t\t\tpulumi.String(\"province\"),\n\t\t\t\tpulumi.String(\"street_address\"),\n\t\t\t\tpulumi.String(\"postal_code\"),\n\t\t\t\tpulumi.String(\"serial_number\"),\n\t\t\t\tpulumi.String(\"use_pss\"),\n\t\t\t\tpulumi.String(\"key_type\"),\n\t\t\t\tpulumi.String(\"key_bits\"),\n\t\t\t\tpulumi.String(\"add_basic_constraints\"),\n\t\t\t},\n\t\t\tDisabledValidations: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"DisableMatchingKeyIdValidation\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRole;\nimport com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigCmpv2;\nimport com.pulumi.vault.pkiSecret.BackendConfigCmpv2Args;\nimport com.pulumi.vault.pkiSecret.inputs.BackendConfigCmpv2AuthenticatorsArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FormatArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki-root\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        var cmpv2Role = new SecretBackendRole(\"cmpv2Role\", SecretBackendRoleArgs.builder()\n            .backend(pki.path())\n            .name(\"cmpv2-role\")\n            .ttl(\"3600\")\n            .keyType(\"ec\")\n            .keyBits(256)\n            .build());\n\n        var cmpv2Role2 = new SecretBackendRole(\"cmpv2Role2\", SecretBackendRoleArgs.builder()\n            .backend(pki.path())\n            .name(\"cmpv2-role-2\")\n            .ttl(\"3600\")\n            .keyType(\"ec\")\n            .keyBits(256)\n            .build());\n\n        var example = new BackendConfigCmpv2(\"example\", BackendConfigCmpv2Args.builder()\n            .backend(pki.path())\n            .enabled(true)\n            .defaultPathPolicy(StdFunctions.format(FormatArgs.builder()\n                .input(\"role:%s\")\n                .args(cmpv2Role.name())\n                .build()).result())\n            .authenticators(BackendConfigCmpv2AuthenticatorsArgs.builder()\n                .cert(Map.ofEntries(\n                    Map.entry(\"accessor\", \"test\"),\n                    Map.entry(\"cert_role\", \"cert-auth-role\")\n                ))\n                .build())\n            .enableSentinelParsing(true)\n            .auditFields(            \n                \"csr\",\n                \"common_name\",\n                \"alt_names\",\n                \"ip_sans\",\n                \"uri_sans\",\n                \"other_sans\",\n                \"signature_bits\",\n                \"exclude_cn_from_sans\",\n                \"ou\",\n                \"organization\",\n                \"country\",\n                \"locality\",\n                \"province\",\n                \"street_address\",\n                \"postal_code\",\n                \"serial_number\",\n                \"use_pss\",\n                \"key_type\",\n                \"key_bits\",\n                \"add_basic_constraints\")\n            .disabledValidations(\"DisableMatchingKeyIdValidation\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki-root\n      type: pki\n      description: PKI secret engine mount\n  cmpv2Role:\n    type: vault:pkiSecret:SecretBackendRole\n    name: cmpv2_role\n    properties:\n      backend: ${pki.path}\n      name: cmpv2-role\n      ttl: 3600\n      keyType: ec\n      keyBits: '256'\n  cmpv2Role2:\n    type: vault:pkiSecret:SecretBackendRole\n    name: cmpv2_role_2\n    properties:\n      backend: ${pki.path}\n      name: cmpv2-role-2\n      ttl: 3600\n      keyType: ec\n      keyBits: '256'\n  example:\n    type: vault:pkiSecret:BackendConfigCmpv2\n    properties:\n      backend: ${pki.path}\n      enabled: true\n      defaultPathPolicy:\n        fn::invoke:\n          function: std:format\n          arguments:\n            input: role:%s\n            args:\n              - ${cmpv2Role.name}\n          return: result\n      authenticators:\n        cert:\n          accessor: test\n          cert_role: cert-auth-role\n      enableSentinelParsing: true\n      auditFields:\n        - csr\n        - common_name\n        - alt_names\n        - ip_sans\n        - uri_sans\n        - other_sans\n        - signature_bits\n        - exclude_cn_from_sans\n        - ou\n        - organization\n        - country\n        - locality\n        - province\n        - street_address\n        - postal_code\n        - serial_number\n        - use_pss\n        - key_type\n        - key_bits\n        - add_basic_constraints\n      disabledValidations:\n        - DisableMatchingKeyIdValidation\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe PKI config cluster can be imported using the resource's `id`.\nIn the case of the example above the `id` would be `pki-root/config/cmpv2`,\nwhere the `pki-root` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/backendConfigCmpv2:BackendConfigCmpv2 example pki-root/config/cmpv2\n```\n","properties":{"auditFields":{"type":"array","items":{"type":"string"},"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n"},"authenticators":{"$ref":"#/types/vault:pkiSecret/BackendConfigCmpv2Authenticators:BackendConfigCmpv2Authenticators","description":"Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema).\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the CMPv2 configuration from, with no leading or trailing `/`s.\n"},"defaultPathPolicy":{"type":"string","description":"Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n"},"disabledValidations":{"type":"array","items":{"type":"string"},"description":"A comma-separated list of validations not to perform on CMPv2 messages.\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n"},"enableSentinelParsing":{"type":"boolean","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies.\n"},"enabled":{"type":"boolean","description":"Specifies whether CMPv2 is enabled.\n"},"lastUpdated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["auditFields","authenticators","backend","lastUpdated"],"inputProperties":{"auditFields":{"type":"array","items":{"type":"string"},"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n"},"authenticators":{"$ref":"#/types/vault:pkiSecret/BackendConfigCmpv2Authenticators:BackendConfigCmpv2Authenticators","description":"Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema).\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the CMPv2 configuration from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"defaultPathPolicy":{"type":"string","description":"Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n"},"disabledValidations":{"type":"array","items":{"type":"string"},"description":"A comma-separated list of validations not to perform on CMPv2 messages.\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n"},"enableSentinelParsing":{"type":"boolean","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies.\n"},"enabled":{"type":"boolean","description":"Specifies whether CMPv2 is enabled.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering BackendConfigCmpv2 resources.\n","properties":{"auditFields":{"type":"array","items":{"type":"string"},"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n"},"authenticators":{"$ref":"#/types/vault:pkiSecret/BackendConfigCmpv2Authenticators:BackendConfigCmpv2Authenticators","description":"Lists the mount accessors CMPv2 should delegate authentication requests towards (see below for nested schema).\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the CMPv2 configuration from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"defaultPathPolicy":{"type":"string","description":"Specifies the behavior for requests using the non-role-qualified CMPv2 requests. Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n"},"disabledValidations":{"type":"array","items":{"type":"string"},"description":"A comma-separated list of validations not to perform on CMPv2 messages.\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n"},"enableSentinelParsing":{"type":"boolean","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies.\n"},"enabled":{"type":"boolean","description":"Specifies whether CMPv2 is enabled.\n"},"lastUpdated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/backendConfigEst:BackendConfigEst":{"description":"Allows setting the EST configuration on a PKI Secret Backend\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki-root\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst estRole = new vault.pkisecret.SecretBackendRole(\"est_role\", {\n    backend: pki.path,\n    name: \"est-role\",\n    ttl: \"3600\",\n    keyType: \"ec\",\n    keyBits: 256,\n});\nconst estRole2 = new vault.pkisecret.SecretBackendRole(\"est_role_2\", {\n    backend: pki.path,\n    name: \"est-role-2\",\n    ttl: \"3600\",\n    keyType: \"ec\",\n    keyBits: 256,\n});\nconst example = new vault.pkisecret.BackendConfigEst(\"example\", {\n    backend: pki.path,\n    enabled: true,\n    defaultMount: true,\n    defaultPathPolicy: std.format({\n        input: \"role:%s\",\n        args: [estRole.name],\n    }).then(invoke =\u003e invoke.result),\n    labelToPathPolicy: {\n        \"test-label\": \"sign-verbatim\",\n        \"test-label-2\": std.format({\n            input: \"role:%s\",\n            args: [estRole2.name],\n        }).then(invoke =\u003e invoke.result),\n    },\n    authenticators: {\n        cert: {\n            accessor: \"test\",\n            cert_role: \"cert-auth-role\",\n        },\n        userpass: {\n            accessor: \"test2\",\n        },\n    },\n    enableSentinelParsing: true,\n    auditFields: [\n        \"csr\",\n        \"common_name\",\n        \"alt_names\",\n        \"ip_sans\",\n        \"uri_sans\",\n        \"other_sans\",\n        \"signature_bits\",\n        \"exclude_cn_from_sans\",\n        \"ou\",\n        \"organization\",\n        \"country\",\n        \"locality\",\n        \"province\",\n        \"street_address\",\n        \"postal_code\",\n        \"serial_number\",\n        \"use_pss\",\n        \"key_type\",\n        \"key_bits\",\n        \"add_basic_constraints\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki-root\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\nest_role = vault.pkisecret.SecretBackendRole(\"est_role\",\n    backend=pki.path,\n    name=\"est-role\",\n    ttl=\"3600\",\n    key_type=\"ec\",\n    key_bits=256)\nest_role2 = vault.pkisecret.SecretBackendRole(\"est_role_2\",\n    backend=pki.path,\n    name=\"est-role-2\",\n    ttl=\"3600\",\n    key_type=\"ec\",\n    key_bits=256)\nexample = vault.pkisecret.BackendConfigEst(\"example\",\n    backend=pki.path,\n    enabled=True,\n    default_mount=True,\n    default_path_policy=std.format(input=\"role:%s\",\n        args=[est_role.name]).result,\n    label_to_path_policy={\n        \"test-label\": \"sign-verbatim\",\n        \"test-label-2\": std.format(input=\"role:%s\",\n            args=[est_role2.name]).result,\n    },\n    authenticators={\n        \"cert\": {\n            \"accessor\": \"test\",\n            \"cert_role\": \"cert-auth-role\",\n        },\n        \"userpass\": {\n            \"accessor\": \"test2\",\n        },\n    },\n    enable_sentinel_parsing=True,\n    audit_fields=[\n        \"csr\",\n        \"common_name\",\n        \"alt_names\",\n        \"ip_sans\",\n        \"uri_sans\",\n        \"other_sans\",\n        \"signature_bits\",\n        \"exclude_cn_from_sans\",\n        \"ou\",\n        \"organization\",\n        \"country\",\n        \"locality\",\n        \"province\",\n        \"street_address\",\n        \"postal_code\",\n        \"serial_number\",\n        \"use_pss\",\n        \"key_type\",\n        \"key_bits\",\n        \"add_basic_constraints\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki-root\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var estRole = new Vault.PkiSecret.SecretBackendRole(\"est_role\", new()\n    {\n        Backend = pki.Path,\n        Name = \"est-role\",\n        Ttl = \"3600\",\n        KeyType = \"ec\",\n        KeyBits = 256,\n    });\n\n    var estRole2 = new Vault.PkiSecret.SecretBackendRole(\"est_role_2\", new()\n    {\n        Backend = pki.Path,\n        Name = \"est-role-2\",\n        Ttl = \"3600\",\n        KeyType = \"ec\",\n        KeyBits = 256,\n    });\n\n    var example = new Vault.PkiSecret.BackendConfigEst(\"example\", new()\n    {\n        Backend = pki.Path,\n        Enabled = true,\n        DefaultMount = true,\n        DefaultPathPolicy = Std.Format.Invoke(new()\n        {\n            Input = \"role:%s\",\n            Args = new[]\n            {\n                estRole.Name,\n            },\n        }).Apply(invoke =\u003e invoke.Result),\n        LabelToPathPolicy = \n        {\n            { \"test-label\", \"sign-verbatim\" },\n            { \"test-label-2\", Std.Format.Invoke(new()\n            {\n                Input = \"role:%s\",\n                Args = new[]\n                {\n                    estRole2.Name,\n                },\n            }).Apply(invoke =\u003e invoke.Result) },\n        },\n        Authenticators = new Vault.PkiSecret.Inputs.BackendConfigEstAuthenticatorsArgs\n        {\n            Cert = \n            {\n                { \"accessor\", \"test\" },\n                { \"cert_role\", \"cert-auth-role\" },\n            },\n            Userpass = \n            {\n                { \"accessor\", \"test2\" },\n            },\n        },\n        EnableSentinelParsing = true,\n        AuditFields = new[]\n        {\n            \"csr\",\n            \"common_name\",\n            \"alt_names\",\n            \"ip_sans\",\n            \"uri_sans\",\n            \"other_sans\",\n            \"signature_bits\",\n            \"exclude_cn_from_sans\",\n            \"ou\",\n            \"organization\",\n            \"country\",\n            \"locality\",\n            \"province\",\n            \"street_address\",\n            \"postal_code\",\n            \"serial_number\",\n            \"use_pss\",\n            \"key_type\",\n            \"key_bits\",\n            \"add_basic_constraints\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki-root\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\testRole, err := pkisecret.NewSecretBackendRole(ctx, \"est_role\", \u0026pkisecret.SecretBackendRoleArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tName:    pulumi.String(\"est-role\"),\n\t\t\tTtl:     pulumi.String(\"3600\"),\n\t\t\tKeyType: pulumi.String(\"ec\"),\n\t\t\tKeyBits: pulumi.Int(256),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\testRole2, err := pkisecret.NewSecretBackendRole(ctx, \"est_role_2\", \u0026pkisecret.SecretBackendRoleArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tName:    pulumi.String(\"est-role-2\"),\n\t\t\tTtl:     pulumi.String(\"3600\"),\n\t\t\tKeyType: pulumi.String(\"ec\"),\n\t\t\tKeyBits: pulumi.Int(256),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFormat, err := std.Format(ctx, \u0026std.FormatArgs{\n\t\t\tInput: \"role:%s\",\n\t\t\tArgs: pulumi.StringArray{\n\t\t\t\testRole.Name,\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFormat1, err := std.Format(ctx, \u0026std.FormatArgs{\n\t\t\tInput: \"role:%s\",\n\t\t\tArgs: pulumi.StringArray{\n\t\t\t\testRole2.Name,\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigEst(ctx, \"example\", \u0026pkisecret.BackendConfigEstArgs{\n\t\t\tBackend:           pki.Path,\n\t\t\tEnabled:           pulumi.Bool(true),\n\t\t\tDefaultMount:      pulumi.Bool(true),\n\t\t\tDefaultPathPolicy: pulumi.String(invokeFormat.Result),\n\t\t\tLabelToPathPolicy: pulumi.StringMap{\n\t\t\t\t\"test-label\":   pulumi.String(\"sign-verbatim\"),\n\t\t\t\t\"test-label-2\": pulumi.String(invokeFormat1.Result),\n\t\t\t},\n\t\t\tAuthenticators: \u0026pkisecret.BackendConfigEstAuthenticatorsArgs{\n\t\t\t\tCert: pulumi.StringMap{\n\t\t\t\t\t\"accessor\":  pulumi.String(\"test\"),\n\t\t\t\t\t\"cert_role\": pulumi.String(\"cert-auth-role\"),\n\t\t\t\t},\n\t\t\t\tUserpass: pulumi.StringMap{\n\t\t\t\t\t\"accessor\": pulumi.String(\"test2\"),\n\t\t\t\t},\n\t\t\t},\n\t\t\tEnableSentinelParsing: pulumi.Bool(true),\n\t\t\tAuditFields: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"csr\"),\n\t\t\t\tpulumi.String(\"common_name\"),\n\t\t\t\tpulumi.String(\"alt_names\"),\n\t\t\t\tpulumi.String(\"ip_sans\"),\n\t\t\t\tpulumi.String(\"uri_sans\"),\n\t\t\t\tpulumi.String(\"other_sans\"),\n\t\t\t\tpulumi.String(\"signature_bits\"),\n\t\t\t\tpulumi.String(\"exclude_cn_from_sans\"),\n\t\t\t\tpulumi.String(\"ou\"),\n\t\t\t\tpulumi.String(\"organization\"),\n\t\t\t\tpulumi.String(\"country\"),\n\t\t\t\tpulumi.String(\"locality\"),\n\t\t\t\tpulumi.String(\"province\"),\n\t\t\t\tpulumi.String(\"street_address\"),\n\t\t\t\tpulumi.String(\"postal_code\"),\n\t\t\t\tpulumi.String(\"serial_number\"),\n\t\t\t\tpulumi.String(\"use_pss\"),\n\t\t\t\tpulumi.String(\"key_type\"),\n\t\t\t\tpulumi.String(\"key_bits\"),\n\t\t\t\tpulumi.String(\"add_basic_constraints\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRole;\nimport com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigEst;\nimport com.pulumi.vault.pkiSecret.BackendConfigEstArgs;\nimport com.pulumi.vault.pkiSecret.inputs.BackendConfigEstAuthenticatorsArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FormatArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki-root\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        var estRole = new SecretBackendRole(\"estRole\", SecretBackendRoleArgs.builder()\n            .backend(pki.path())\n            .name(\"est-role\")\n            .ttl(\"3600\")\n            .keyType(\"ec\")\n            .keyBits(256)\n            .build());\n\n        var estRole2 = new SecretBackendRole(\"estRole2\", SecretBackendRoleArgs.builder()\n            .backend(pki.path())\n            .name(\"est-role-2\")\n            .ttl(\"3600\")\n            .keyType(\"ec\")\n            .keyBits(256)\n            .build());\n\n        var example = new BackendConfigEst(\"example\", BackendConfigEstArgs.builder()\n            .backend(pki.path())\n            .enabled(true)\n            .defaultMount(true)\n            .defaultPathPolicy(StdFunctions.format(FormatArgs.builder()\n                .input(\"role:%s\")\n                .args(estRole.name())\n                .build()).result())\n            .labelToPathPolicy(Map.ofEntries(\n                Map.entry(\"test-label\", \"sign-verbatim\"),\n                Map.entry(\"test-label-2\", StdFunctions.format(FormatArgs.builder()\n                    .input(\"role:%s\")\n                    .args(estRole2.name())\n                    .build()).result())\n            ))\n            .authenticators(BackendConfigEstAuthenticatorsArgs.builder()\n                .cert(Map.ofEntries(\n                    Map.entry(\"accessor\", \"test\"),\n                    Map.entry(\"cert_role\", \"cert-auth-role\")\n                ))\n                .userpass(Map.of(\"accessor\", \"test2\"))\n                .build())\n            .enableSentinelParsing(true)\n            .auditFields(            \n                \"csr\",\n                \"common_name\",\n                \"alt_names\",\n                \"ip_sans\",\n                \"uri_sans\",\n                \"other_sans\",\n                \"signature_bits\",\n                \"exclude_cn_from_sans\",\n                \"ou\",\n                \"organization\",\n                \"country\",\n                \"locality\",\n                \"province\",\n                \"street_address\",\n                \"postal_code\",\n                \"serial_number\",\n                \"use_pss\",\n                \"key_type\",\n                \"key_bits\",\n                \"add_basic_constraints\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki-root\n      type: pki\n      description: PKI secret engine mount\n  estRole:\n    type: vault:pkiSecret:SecretBackendRole\n    name: est_role\n    properties:\n      backend: ${pki.path}\n      name: est-role\n      ttl: 3600\n      keyType: ec\n      keyBits: '256'\n  estRole2:\n    type: vault:pkiSecret:SecretBackendRole\n    name: est_role_2\n    properties:\n      backend: ${pki.path}\n      name: est-role-2\n      ttl: 3600\n      keyType: ec\n      keyBits: '256'\n  example:\n    type: vault:pkiSecret:BackendConfigEst\n    properties:\n      backend: ${pki.path}\n      enabled: true\n      defaultMount: true\n      defaultPathPolicy:\n        fn::invoke:\n          function: std:format\n          arguments:\n            input: role:%s\n            args:\n              - ${estRole.name}\n          return: result\n      labelToPathPolicy:\n        test-label: sign-verbatim\n        test-label-2:\n          fn::invoke:\n            function: std:format\n            arguments:\n              input: role:%s\n              args:\n                - ${estRole2.name}\n            return: result\n      authenticators:\n        cert:\n          accessor: test\n          cert_role: cert-auth-role\n        userpass:\n          accessor: test2\n      enableSentinelParsing: true\n      auditFields:\n        - csr\n        - common_name\n        - alt_names\n        - ip_sans\n        - uri_sans\n        - other_sans\n        - signature_bits\n        - exclude_cn_from_sans\n        - ou\n        - organization\n        - country\n        - locality\n        - province\n        - street_address\n        - postal_code\n        - serial_number\n        - use_pss\n        - key_type\n        - key_bits\n        - add_basic_constraints\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe PKI config cluster can be imported using the resource's `id`.\nIn the case of the example above the `id` would be `pki-root/config/est`,\nwhere the `pki-root` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/backendConfigEst:BackendConfigEst example pki-root/config/est\n```\n","properties":{"auditFields":{"type":"array","items":{"type":"string"},"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n"},"authenticators":{"$ref":"#/types/vault:pkiSecret/BackendConfigEstAuthenticators:BackendConfigEstAuthenticators","description":"Lists the mount accessors EST should delegate authentication requests towards (see below for nested schema).\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the EST configuration from, with no leading or trailing `/`s.\n"},"defaultMount":{"type":"boolean","description":"If set, this mount will register the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster.\n"},"defaultPathPolicy":{"type":"string","description":"Required to be set if\u003cspan pulumi-lang-nodejs=\" defaultMount \" pulumi-lang-dotnet=\" DefaultMount \" pulumi-lang-go=\" defaultMount \" pulumi-lang-python=\" default_mount \" pulumi-lang-yaml=\" defaultMount \" pulumi-lang-java=\" defaultMount \"\u003e default_mount \u003c/span\u003eis enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n"},"enableSentinelParsing":{"type":"boolean","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies.\n"},"enabled":{"type":"boolean","description":"Specifies whether EST is enabled.\n"},"labelToPathPolicy":{"type":"object","additionalProperties":{"type":"string"},"description":"Configures a pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:\u003crole_name\u003e. Labels must be unique across Vault cluster, and will register .well-known/est/\u003clabel\u003e URL paths.\n"},"lastUpdated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["auditFields","authenticators","backend","lastUpdated"],"inputProperties":{"auditFields":{"type":"array","items":{"type":"string"},"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n"},"authenticators":{"$ref":"#/types/vault:pkiSecret/BackendConfigEstAuthenticators:BackendConfigEstAuthenticators","description":"Lists the mount accessors EST should delegate authentication requests towards (see below for nested schema).\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the EST configuration from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"defaultMount":{"type":"boolean","description":"If set, this mount will register the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster.\n"},"defaultPathPolicy":{"type":"string","description":"Required to be set if\u003cspan pulumi-lang-nodejs=\" defaultMount \" pulumi-lang-dotnet=\" DefaultMount \" pulumi-lang-go=\" defaultMount \" pulumi-lang-python=\" default_mount \" pulumi-lang-yaml=\" defaultMount \" pulumi-lang-java=\" defaultMount \"\u003e default_mount \u003c/span\u003eis enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n"},"enableSentinelParsing":{"type":"boolean","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies.\n"},"enabled":{"type":"boolean","description":"Specifies whether EST is enabled.\n"},"labelToPathPolicy":{"type":"object","additionalProperties":{"type":"string"},"description":"Configures a pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:\u003crole_name\u003e. Labels must be unique across Vault cluster, and will register .well-known/est/\u003clabel\u003e URL paths.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering BackendConfigEst resources.\n","properties":{"auditFields":{"type":"array","items":{"type":"string"},"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n"},"authenticators":{"$ref":"#/types/vault:pkiSecret/BackendConfigEstAuthenticators:BackendConfigEstAuthenticators","description":"Lists the mount accessors EST should delegate authentication requests towards (see below for nested schema).\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the EST configuration from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"defaultMount":{"type":"boolean","description":"If set, this mount will register the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster.\n"},"defaultPathPolicy":{"type":"string","description":"Required to be set if\u003cspan pulumi-lang-nodejs=\" defaultMount \" pulumi-lang-dotnet=\" DefaultMount \" pulumi-lang-go=\" defaultMount \" pulumi-lang-python=\" default_mount \" pulumi-lang-yaml=\" defaultMount \" pulumi-lang-java=\" defaultMount \"\u003e default_mount \u003c/span\u003eis enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n"},"enableSentinelParsing":{"type":"boolean","description":"If set, parse out fields from the provided CSR making them available for Sentinel policies.\n"},"enabled":{"type":"boolean","description":"Specifies whether EST is enabled.\n"},"labelToPathPolicy":{"type":"object","additionalProperties":{"type":"string"},"description":"Configures a pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:\u003crole_name\u003e. Labels must be unique across Vault cluster, and will register .well-known/est/\u003clabel\u003e URL paths.\n"},"lastUpdated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/backendConfigScep:BackendConfigScep":{"description":"Allows setting the SCEP configuration on a PKI Secret Backend.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst scep = new vault.AuthBackend(\"scep\", {\n    path: \"scep-auth\",\n    type: \"scep\",\n});\nconst scepChallenge = new vault.ScepAuthBackendRole(\"scep_challenge\", {\n    backend: scep.id,\n    name: \"scep-auth\",\n    displayName: \"Static challenge for SCEP clients\",\n    authType: \"static-challenge\",\n    challenge: \"ac7e4ada-c8ef-4393-9098-d69d08736833\",\n});\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki_scep\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst test = new vault.pkisecret.BackendConfigScep(\"test\", {\n    backend: pki.path,\n    enabled: true,\n    defaultPathPolicy: \"sign-verbatim\",\n    restrictCaChainToIssuer: true,\n    authenticators: {\n        scep: {\n            accessor: scep.accessor,\n            scep_role: scepChallenge.name,\n        },\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nscep = vault.AuthBackend(\"scep\",\n    path=\"scep-auth\",\n    type=\"scep\")\nscep_challenge = vault.ScepAuthBackendRole(\"scep_challenge\",\n    backend=scep.id,\n    name=\"scep-auth\",\n    display_name=\"Static challenge for SCEP clients\",\n    auth_type=\"static-challenge\",\n    challenge=\"ac7e4ada-c8ef-4393-9098-d69d08736833\")\npki = vault.Mount(\"pki\",\n    path=\"pki_scep\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\ntest = vault.pkisecret.BackendConfigScep(\"test\",\n    backend=pki.path,\n    enabled=True,\n    default_path_policy=\"sign-verbatim\",\n    restrict_ca_chain_to_issuer=True,\n    authenticators={\n        \"scep\": {\n            \"accessor\": scep.accessor,\n            \"scep_role\": scep_challenge.name,\n        },\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var scep = new Vault.AuthBackend(\"scep\", new()\n    {\n        Path = \"scep-auth\",\n        Type = \"scep\",\n    });\n\n    var scepChallenge = new Vault.ScepAuthBackendRole(\"scep_challenge\", new()\n    {\n        Backend = scep.Id,\n        Name = \"scep-auth\",\n        DisplayName = \"Static challenge for SCEP clients\",\n        AuthType = \"static-challenge\",\n        Challenge = \"ac7e4ada-c8ef-4393-9098-d69d08736833\",\n    });\n\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki_scep\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var test = new Vault.PkiSecret.BackendConfigScep(\"test\", new()\n    {\n        Backend = pki.Path,\n        Enabled = true,\n        DefaultPathPolicy = \"sign-verbatim\",\n        RestrictCaChainToIssuer = true,\n        Authenticators = new Vault.PkiSecret.Inputs.BackendConfigScepAuthenticatorsArgs\n        {\n            Scep = \n            {\n                { \"accessor\", scep.Accessor },\n                { \"scep_role\", scepChallenge.Name },\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tscep, err := vault.NewAuthBackend(ctx, \"scep\", \u0026vault.AuthBackendArgs{\n\t\t\tPath: pulumi.String(\"scep-auth\"),\n\t\t\tType: pulumi.String(\"scep\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tscepChallenge, err := vault.NewScepAuthBackendRole(ctx, \"scep_challenge\", \u0026vault.ScepAuthBackendRoleArgs{\n\t\t\tBackend:     scep.ID(),\n\t\t\tName:        pulumi.String(\"scep-auth\"),\n\t\t\tDisplayName: pulumi.String(\"Static challenge for SCEP clients\"),\n\t\t\tAuthType:    pulumi.String(\"static-challenge\"),\n\t\t\tChallenge:   pulumi.String(\"ac7e4ada-c8ef-4393-9098-d69d08736833\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki_scep\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewBackendConfigScep(ctx, \"test\", \u0026pkisecret.BackendConfigScepArgs{\n\t\t\tBackend:                 pki.Path,\n\t\t\tEnabled:                 pulumi.Bool(true),\n\t\t\tDefaultPathPolicy:       pulumi.String(\"sign-verbatim\"),\n\t\t\tRestrictCaChainToIssuer: pulumi.Bool(true),\n\t\t\tAuthenticators: \u0026pkisecret.BackendConfigScepAuthenticatorsArgs{\n\t\t\t\tScep: pulumi.StringMap{\n\t\t\t\t\t\"accessor\":  scep.Accessor,\n\t\t\t\t\t\"scep_role\": scepChallenge.Name,\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.AuthBackend;\nimport com.pulumi.vault.AuthBackendArgs;\nimport com.pulumi.vault.ScepAuthBackendRole;\nimport com.pulumi.vault.ScepAuthBackendRoleArgs;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.BackendConfigScep;\nimport com.pulumi.vault.pkiSecret.BackendConfigScepArgs;\nimport com.pulumi.vault.pkiSecret.inputs.BackendConfigScepAuthenticatorsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var scep = new AuthBackend(\"scep\", AuthBackendArgs.builder()\n            .path(\"scep-auth\")\n            .type(\"scep\")\n            .build());\n\n        var scepChallenge = new ScepAuthBackendRole(\"scepChallenge\", ScepAuthBackendRoleArgs.builder()\n            .backend(scep.id())\n            .name(\"scep-auth\")\n            .displayName(\"Static challenge for SCEP clients\")\n            .authType(\"static-challenge\")\n            .challenge(\"ac7e4ada-c8ef-4393-9098-d69d08736833\")\n            .build());\n\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki_scep\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        var test = new BackendConfigScep(\"test\", BackendConfigScepArgs.builder()\n            .backend(pki.path())\n            .enabled(true)\n            .defaultPathPolicy(\"sign-verbatim\")\n            .restrictCaChainToIssuer(true)\n            .authenticators(BackendConfigScepAuthenticatorsArgs.builder()\n                .scep(Map.ofEntries(\n                    Map.entry(\"accessor\", scep.accessor()),\n                    Map.entry(\"scep_role\", scepChallenge.name())\n                ))\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  scep:\n    type: vault:AuthBackend\n    properties:\n      path: scep-auth\n      type: scep\n  scepChallenge:\n    type: vault:ScepAuthBackendRole\n    name: scep_challenge\n    properties:\n      backend: ${scep.id}\n      name: scep-auth\n      displayName: Static challenge for SCEP clients\n      authType: static-challenge\n      challenge: ac7e4ada-c8ef-4393-9098-d69d08736833\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki_scep\n      type: pki\n      description: PKI secret engine mount\n  test:\n    type: vault:pkiSecret:BackendConfigScep\n    properties:\n      backend: ${pki.path}\n      enabled: true\n      defaultPathPolicy: sign-verbatim\n      restrictCaChainToIssuer: true\n      authenticators:\n        scep:\n          accessor: ${scep.accessor}\n          scep_role: ${scepChallenge.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe PKI config cluster can be imported using the resource's `id`.\nIn the case of the example above the `id` would be `pki-root/config/scep`,\nwhere the `pki-root` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/backendConfigScep:BackendConfigScep example pki-root/config/scep\n```\n","properties":{"allowedDigestAlgorithms":{"type":"array","items":{"type":"string"},"description":"List of allowed digest algorithms for SCEP requests.\n"},"allowedEncryptionAlgorithms":{"type":"array","items":{"type":"string"},"description":"List of allowed encryption algorithms for SCEP requests.\n"},"authenticators":{"$ref":"#/types/vault:pkiSecret/BackendConfigScepAuthenticators:BackendConfigScepAuthenticators","description":"Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the SCEP configuration from, with no leading or trailing `/`s.\n"},"defaultPathPolicy":{"type":"string","description":"Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or \"role:\u003crole_name\u003e\" to specify a role to use as this policy.\n"},"enabled":{"type":"boolean","description":"Specifies whether SCEP is enabled.\n"},"externalValidations":{"type":"array","items":{"$ref":"#/types/vault:pkiSecret/BackendConfigScepExternalValidation:BackendConfigScepExternalValidation"},"description":"Lists the 3rd party validation of SCEP requests (see below for nested schema).\n"},"lastUpdated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated.\n"},"logLevel":{"type":"string","description":"The level of logging verbosity, affects only SCEP logs on this mount.\n\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"restrictCaChainToIssuer":{"type":"boolean","description":"If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.\n"}},"required":["allowedDigestAlgorithms","allowedEncryptionAlgorithms","authenticators","backend","externalValidations","lastUpdated","logLevel"],"inputProperties":{"allowedDigestAlgorithms":{"type":"array","items":{"type":"string"},"description":"List of allowed digest algorithms for SCEP requests.\n"},"allowedEncryptionAlgorithms":{"type":"array","items":{"type":"string"},"description":"List of allowed encryption algorithms for SCEP requests.\n"},"authenticators":{"$ref":"#/types/vault:pkiSecret/BackendConfigScepAuthenticators:BackendConfigScepAuthenticators","description":"Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the SCEP configuration from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"defaultPathPolicy":{"type":"string","description":"Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or \"role:\u003crole_name\u003e\" to specify a role to use as this policy.\n"},"enabled":{"type":"boolean","description":"Specifies whether SCEP is enabled.\n"},"externalValidations":{"type":"array","items":{"$ref":"#/types/vault:pkiSecret/BackendConfigScepExternalValidation:BackendConfigScepExternalValidation"},"description":"Lists the 3rd party validation of SCEP requests (see below for nested schema).\n"},"logLevel":{"type":"string","description":"The level of logging verbosity, affects only SCEP logs on this mount.\n\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"restrictCaChainToIssuer":{"type":"boolean","description":"If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.\n"}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering BackendConfigScep resources.\n","properties":{"allowedDigestAlgorithms":{"type":"array","items":{"type":"string"},"description":"List of allowed digest algorithms for SCEP requests.\n"},"allowedEncryptionAlgorithms":{"type":"array","items":{"type":"string"},"description":"List of allowed encryption algorithms for SCEP requests.\n"},"authenticators":{"$ref":"#/types/vault:pkiSecret/BackendConfigScepAuthenticators:BackendConfigScepAuthenticators","description":"Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).\n"},"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the SCEP configuration from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"defaultPathPolicy":{"type":"string","description":"Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or \"role:\u003crole_name\u003e\" to specify a role to use as this policy.\n"},"enabled":{"type":"boolean","description":"Specifies whether SCEP is enabled.\n"},"externalValidations":{"type":"array","items":{"$ref":"#/types/vault:pkiSecret/BackendConfigScepExternalValidation:BackendConfigScepExternalValidation"},"description":"Lists the 3rd party validation of SCEP requests (see below for nested schema).\n"},"lastUpdated":{"type":"string","description":"A read-only timestamp representing the last time the configuration was updated.\n"},"logLevel":{"type":"string","description":"The level of logging verbosity, affects only SCEP logs on this mount.\n\n\n\u003ca id=\"nestedatt--authenticators\"\u003e\u003c/a\u003e\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"restrictCaChainToIssuer":{"type":"boolean","description":"If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.\n"}},"type":"object"}},"vault:pkiSecret/secretBackendCert:SecretBackendCert":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst app = new vault.pkisecret.SecretBackendCert(\"app\", {\n    backend: intermediate.path,\n    name: test.name,\n    commonName: \"app.my.domain\",\n}, {\n    dependsOn: [admin],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\napp = vault.pkisecret.SecretBackendCert(\"app\",\n    backend=intermediate[\"path\"],\n    name=test[\"name\"],\n    common_name=\"app.my.domain\",\n    opts = pulumi.ResourceOptions(depends_on=[admin]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var app = new Vault.PkiSecret.SecretBackendCert(\"app\", new()\n    {\n        Backend = intermediate.Path,\n        Name = test.Name,\n        CommonName = \"app.my.domain\",\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            admin,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := pkisecret.NewSecretBackendCert(ctx, \"app\", \u0026pkisecret.SecretBackendCertArgs{\n\t\t\tBackend:    pulumi.Any(intermediate.Path),\n\t\t\tName:       pulumi.Any(test.Name),\n\t\t\tCommonName: pulumi.String(\"app.my.domain\"),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tadmin,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.pkiSecret.SecretBackendCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendCertArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var app = new SecretBackendCert(\"app\", SecretBackendCertArgs.builder()\n            .backend(intermediate.path())\n            .name(test.name())\n            .commonName(\"app.my.domain\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(admin)\n                .build());\n\n    }\n}\n```\n```yaml\nresources:\n  app:\n    type: vault:pkiSecret:SecretBackendCert\n    properties:\n      backend: ${intermediate.path}\n      name: ${test.name}\n      commonName: app.my.domain\n    options:\n      dependsOn:\n        - ${admin}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n"},"autoRenew":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, certs will be renewed if the expiration is within \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n"},"caChain":{"type":"string","description":"The CA chain\n"},"certMetadata":{"type":"string","description":"A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's\u003cspan pulumi-lang-nodejs=\" noStoreMetadata \" pulumi-lang-dotnet=\" NoStoreMetadata \" pulumi-lang-go=\" noStoreMetadata \" pulumi-lang-python=\" no_store_metadata \" pulumi-lang-yaml=\" noStoreMetadata \" pulumi-lang-java=\" noStoreMetadata \"\u003e no_store_metadata \u003c/span\u003emust be set to false, otherwise an error is returned when specified.\n"},"certificate":{"type":"string","description":"The certificate\n"},"commonName":{"type":"string","description":"CN of certificate to create\n"},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n"},"expiration":{"type":"integer","description":"The expiration date of the certificate in unix epoch format\n"},"format":{"type":"string","description":"The format of data\n"},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n"},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request."},"issuingCa":{"type":"string","description":"The issuing CA\n"},"minSecondsRemaining":{"type":"integer","description":"Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days)\n"},"name":{"type":"string","description":"Name of the role to create the certificate against\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n"},"privateKey":{"type":"string","description":"The private key\n","secret":true},"privateKeyFormat":{"type":"string","description":"The private key format\n"},"privateKeyType":{"type":"string","description":"The private key type\n"},"renewPending":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the current time (during refresh) is after the start of the early renewal window declared by \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e otherwise; if \u003cspan pulumi-lang-nodejs=\"`autoRenew`\" pulumi-lang-dotnet=\"`AutoRenew`\" pulumi-lang-go=\"`autoRenew`\" pulumi-lang-python=\"`auto_renew`\" pulumi-lang-yaml=\"`autoRenew`\" pulumi-lang-java=\"`autoRenew`\"\u003e`auto_renew`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e then the provider will plan to replace the certificate once renewal is pending.\n"},"revoke":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the certificate will be revoked on resource destruction using the \u003cspan pulumi-lang-nodejs=\"`revoke`\" pulumi-lang-dotnet=\"`Revoke`\" pulumi-lang-go=\"`revoke`\" pulumi-lang-python=\"`revoke`\" pulumi-lang-yaml=\"`revoke`\" pulumi-lang-java=\"`revoke`\"\u003e`revoke`\u003c/span\u003e PKI API. Conflicts with \u003cspan pulumi-lang-nodejs=\"`revokeWithKey`\" pulumi-lang-dotnet=\"`RevokeWithKey`\" pulumi-lang-go=\"`revokeWithKey`\" pulumi-lang-python=\"`revoke_with_key`\" pulumi-lang-yaml=\"`revokeWithKey`\" pulumi-lang-java=\"`revokeWithKey`\"\u003e`revoke_with_key`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"revokeWithKey":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the certificate will be revoked on resource destruction using the `revoke-with-key` PKI API. Conflicts with \u003cspan pulumi-lang-nodejs=\"`revoke`\" pulumi-lang-dotnet=\"`Revoke`\" pulumi-lang-go=\"`revoke`\" pulumi-lang-python=\"`revoke`\" pulumi-lang-yaml=\"`revoke`\" pulumi-lang-java=\"`revoke`\"\u003e`revoke`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"serialNumber":{"type":"string","description":"The serial number\n"},"ttl":{"type":"string","description":"Time to live\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n"},"userIds":{"type":"array","items":{"type":"string"},"description":"List of Subject User IDs\n"}},"required":["backend","caChain","certificate","commonName","expiration","issuingCa","name","privateKey","privateKeyType","renewPending","serialNumber"],"inputProperties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"autoRenew":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, certs will be renewed if the expiration is within \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"certMetadata":{"type":"string","description":"A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's\u003cspan pulumi-lang-nodejs=\" noStoreMetadata \" pulumi-lang-dotnet=\" NoStoreMetadata \" pulumi-lang-go=\" noStoreMetadata \" pulumi-lang-python=\" no_store_metadata \" pulumi-lang-yaml=\" noStoreMetadata \" pulumi-lang-java=\" noStoreMetadata \"\u003e no_store_metadata \u003c/span\u003emust be set to false, otherwise an error is returned when specified.\n"},"commonName":{"type":"string","description":"CN of certificate to create\n","willReplaceOnChanges":true},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request."},"minSecondsRemaining":{"type":"integer","description":"Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days)\n"},"name":{"type":"string","description":"Name of the role to create the certificate against\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"privateKeyFormat":{"type":"string","description":"The private key format\n","willReplaceOnChanges":true},"revoke":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the certificate will be revoked on resource destruction using the \u003cspan pulumi-lang-nodejs=\"`revoke`\" pulumi-lang-dotnet=\"`Revoke`\" pulumi-lang-go=\"`revoke`\" pulumi-lang-python=\"`revoke`\" pulumi-lang-yaml=\"`revoke`\" pulumi-lang-java=\"`revoke`\"\u003e`revoke`\u003c/span\u003e PKI API. Conflicts with \u003cspan pulumi-lang-nodejs=\"`revokeWithKey`\" pulumi-lang-dotnet=\"`RevokeWithKey`\" pulumi-lang-go=\"`revokeWithKey`\" pulumi-lang-python=\"`revoke_with_key`\" pulumi-lang-yaml=\"`revokeWithKey`\" pulumi-lang-java=\"`revokeWithKey`\"\u003e`revoke_with_key`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"revokeWithKey":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the certificate will be revoked on resource destruction using the `revoke-with-key` PKI API. Conflicts with \u003cspan pulumi-lang-nodejs=\"`revoke`\" pulumi-lang-dotnet=\"`Revoke`\" pulumi-lang-go=\"`revoke`\" pulumi-lang-python=\"`revoke`\" pulumi-lang-yaml=\"`revoke`\" pulumi-lang-java=\"`revoke`\"\u003e`revoke`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"ttl":{"type":"string","description":"Time to live\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true},"userIds":{"type":"array","items":{"type":"string"},"description":"List of Subject User IDs\n","willReplaceOnChanges":true}},"requiredInputs":["backend","commonName"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendCert resources.\n","properties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"autoRenew":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, certs will be renewed if the expiration is within \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"caChain":{"type":"string","description":"The CA chain\n"},"certMetadata":{"type":"string","description":"A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's\u003cspan pulumi-lang-nodejs=\" noStoreMetadata \" pulumi-lang-dotnet=\" NoStoreMetadata \" pulumi-lang-go=\" noStoreMetadata \" pulumi-lang-python=\" no_store_metadata \" pulumi-lang-yaml=\" noStoreMetadata \" pulumi-lang-java=\" noStoreMetadata \"\u003e no_store_metadata \u003c/span\u003emust be set to false, otherwise an error is returned when specified.\n"},"certificate":{"type":"string","description":"The certificate\n"},"commonName":{"type":"string","description":"CN of certificate to create\n","willReplaceOnChanges":true},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"expiration":{"type":"integer","description":"The expiration date of the certificate in unix epoch format\n"},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request."},"issuingCa":{"type":"string","description":"The issuing CA\n"},"minSecondsRemaining":{"type":"integer","description":"Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days)\n"},"name":{"type":"string","description":"Name of the role to create the certificate against\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"privateKey":{"type":"string","description":"The private key\n","secret":true},"privateKeyFormat":{"type":"string","description":"The private key format\n","willReplaceOnChanges":true},"privateKeyType":{"type":"string","description":"The private key type\n"},"renewPending":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the current time (during refresh) is after the start of the early renewal window declared by \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e otherwise; if \u003cspan pulumi-lang-nodejs=\"`autoRenew`\" pulumi-lang-dotnet=\"`AutoRenew`\" pulumi-lang-go=\"`autoRenew`\" pulumi-lang-python=\"`auto_renew`\" pulumi-lang-yaml=\"`autoRenew`\" pulumi-lang-java=\"`autoRenew`\"\u003e`auto_renew`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e then the provider will plan to replace the certificate once renewal is pending.\n"},"revoke":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the certificate will be revoked on resource destruction using the \u003cspan pulumi-lang-nodejs=\"`revoke`\" pulumi-lang-dotnet=\"`Revoke`\" pulumi-lang-go=\"`revoke`\" pulumi-lang-python=\"`revoke`\" pulumi-lang-yaml=\"`revoke`\" pulumi-lang-java=\"`revoke`\"\u003e`revoke`\u003c/span\u003e PKI API. Conflicts with \u003cspan pulumi-lang-nodejs=\"`revokeWithKey`\" pulumi-lang-dotnet=\"`RevokeWithKey`\" pulumi-lang-go=\"`revokeWithKey`\" pulumi-lang-python=\"`revoke_with_key`\" pulumi-lang-yaml=\"`revokeWithKey`\" pulumi-lang-java=\"`revokeWithKey`\"\u003e`revoke_with_key`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"revokeWithKey":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the certificate will be revoked on resource destruction using the `revoke-with-key` PKI API. Conflicts with \u003cspan pulumi-lang-nodejs=\"`revoke`\" pulumi-lang-dotnet=\"`Revoke`\" pulumi-lang-go=\"`revoke`\" pulumi-lang-python=\"`revoke`\" pulumi-lang-yaml=\"`revoke`\" pulumi-lang-java=\"`revoke`\"\u003e`revoke`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"serialNumber":{"type":"string","description":"The serial number\n"},"ttl":{"type":"string","description":"Time to live\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true},"userIds":{"type":"array","items":{"type":"string"},"description":"List of Subject User IDs\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/secretBackendConfigCa:SecretBackendConfigCa":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst intermediate = new vault.pkisecret.SecretBackendConfigCa(\"intermediate\", {\n    backend: intermediateVaultMount.path,\n    pemBundle: `-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwvEHeJCXnFgi88rE1dTX6FHdBPK0wSjedh0ywVnCZxLWbBv/\n5PytjTcCPdrfW7g2sfbPwOge/WF3X2KeYSP8SxZA0czmz6QDspeG921JkZWtyp5o\n++N0leLTIUAhq339p3O1onAOUO1k4sHfmCwfrDpTn2hcx4URa5Pzzb1fHigusjIH\n1mcGdncaA6Z2CzO1w4E8kPOUukIDrcZT4faOZrWUIQZKQw2JzTyKJ+ZMDCZq2TFz\nWwpL3eG48wB7J7mibFQ/9nFvxpIflBjDAZ8QiqkwYr5N0DNsTxcfTCSeubfJDCUf\nIWwFZhLitzwOxazazUQKXX/SPMQ1l/L9o3nnHwIDAQABAoIBAAQidJQcDPsl62fc\nTxxx7TpiMhvewfKu2TkMGX18V+EzxxR364+BxHSQTB3fvIkHeTGBGJrw0WdyX8PI\nJa/NwZYeHLXWcLbKtcFd8WDiEoNh91Oq1HMzOc/MBcpYv94RSAX7MEkHs2YIAvHE\nRufFV86hVhC1d/JLYjkz5CHi+Fd9XTYjBK78tHhJd4IJPu5LYvwlmzC1zeS7s1Tg\nQW1FQuVDV8tWa4PMTrQHwfaGqn95AKc+tbg+ubpCiWl5bBNI3Ghuh4sAC9dMdAkd\nw27i29O9/Y3XJSSGUZlZqDBP4YU388RgHpzLDUxgRcaQt9vdeEz6frULPW67e9D2\nmPPDzjECgYEA4aPOwvnSwGoOKsS6vANGy4Ajsq09PR+1ltMJUR5kDlXGuZWI72eX\n3/GAnovDuCp0tbYt0r7Fmkfel0Ore7SYM18TH5QGpPddcZLvKUf7AchCIOYY0Te3\npS9+7S1lEGrLXyuox4N26Ov6wHVrmZTcQoZsDWbjYxNNsNACsiQNjGMCgYEA3SvQ\nJets9e9SgNVvao2TijX+/vcNKRfcWB71T9Xc4BuSNEu5+ZLtptlwaSnVCVu1Xilk\nsWDh+3EhByl4EteENPvE/7A2s1sfcDOprvg0r52aBZKeTp0AukrT8+Ad4hap7g1x\n2Lz11MFDkhRqt2KqQaIL+5Mq5WfptbBJ0YI7ARUCgYAD6iSfK1hlsDFYupsGwgPL\nagi0g97pHZC38idaOe3AdeqBs79xb9mpr/XsSj52Bn6J3IRFALxK5e5Nr4XdGo/9\nbCvXw2iuGgCMBOGTVMVdDY1gJr3Ne2r7Oay5Dq2PMFsg5pACDhzVA6sRBbh9LKD5\non1jaiKNyHrzk1hIoOl/QwKBgA+Ov2uLbfS2yvTpDpdOMiyss603r6NOXF+Ofe8J\nuinBhr1K/mAB59muveuH18Z6vv1KqByaFgtb39jjH+Eja9dWRns95/sh08pOuAbo\nyrv3uBfgQmaBQMXZ8aLcBv4aXgWyyGlYkWpP1fL2oLMZq6RGQ9WEeqX8c0ImjmrA\nYGopAoGBAJZPFlZi2Rfq4MfFZp/X1/zM09hphZwkxkSI+RnsjDUjTgB8CuQul5ep\nKWE98yLw4C25Cqw5fKKQ2addizLnZCAIfJKVNRjYLWlWyGQydDEUzqwXlSLS9LVX\nLxLkWDajIyjeFn21Ttb42L9pBo3TAQIxUenom/lP2SQTvCKBiPai\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUahce2sCO7Bom/Rznd5HsNAlr1NgwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODEyMDIwMTAxNDRaFw00NjEy\nMTUwMTAxNDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDC8Qd4kJecWCLzysTV1NfoUd0E8rTBKN52HTLBWcJn\nEtZsG//k/K2NNwI92t9buDax9s/A6B79YXdfYp5hI/xLFkDRzObPpAOyl4b3bUmR\nla3Knmj743SV4tMhQCGrff2nc7WicA5Q7WTiwd+YLB+sOlOfaFzHhRFrk/PNvV8e\nKC6yMgfWZwZ2dxoDpnYLM7XDgTyQ85S6QgOtxlPh9o5mtZQhBkpDDYnNPIon5kwM\nJmrZMXNbCkvd4bjzAHsnuaJsVD/2cW/Gkh+UGMMBnxCKqTBivk3QM2xPFx9MJJ65\nt8kMJR8hbAVmEuK3PA7FrNrNRApdf9I8xDWX8v2jeecfAgMBAAGjUzBRMB0GA1Ud\nDgQWBBQXGfrns8OqxTGKsXG5pDZS/WyyYDAfBgNVHSMEGDAWgBQXGfrns8OqxTGK\nsXG5pDZS/WyyYDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCt\n8aUX26cl2PgdIEByZSHAX5G+2b0IEtTclPkl4uDyyKRY4dVq6gK3ueVSU5eUmBip\nJbV5aRetovGOcV//8vbxkZm/ntQ8Oo+2sfGR5lIzd0UdlOr5pkD6g3bFy/zJ+4DR\nDAe8fklUacfz6CFmD+H8GyHm+fKmF+mjr4oOGQW6OegRDJHuiipUk2lJyuXdlPSa\nFpNRO2sGbjn000ANinFgnFiVzGDnx0/G1Kii/6GWrI6rrdVmXioQzF+8AloWckeB\n+hbmbwkwQa/JrLb5SWcBDOXSgtn1Li3XF5AQQBBjA3pOlyBXqnI94Irw89Lv9uPT\nMUR4qFxeUOW/GJGccMUd\n-----END CERTIFICATE-----\n`,\n}, {\n    dependsOn: [intermediateVaultMount],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nintermediate = vault.pkisecret.SecretBackendConfigCa(\"intermediate\",\n    backend=intermediate_vault_mount[\"path\"],\n    pem_bundle=\"\"\"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwvEHeJCXnFgi88rE1dTX6FHdBPK0wSjedh0ywVnCZxLWbBv/\n5PytjTcCPdrfW7g2sfbPwOge/WF3X2KeYSP8SxZA0czmz6QDspeG921JkZWtyp5o\n++N0leLTIUAhq339p3O1onAOUO1k4sHfmCwfrDpTn2hcx4URa5Pzzb1fHigusjIH\n1mcGdncaA6Z2CzO1w4E8kPOUukIDrcZT4faOZrWUIQZKQw2JzTyKJ+ZMDCZq2TFz\nWwpL3eG48wB7J7mibFQ/9nFvxpIflBjDAZ8QiqkwYr5N0DNsTxcfTCSeubfJDCUf\nIWwFZhLitzwOxazazUQKXX/SPMQ1l/L9o3nnHwIDAQABAoIBAAQidJQcDPsl62fc\nTxxx7TpiMhvewfKu2TkMGX18V+EzxxR364+BxHSQTB3fvIkHeTGBGJrw0WdyX8PI\nJa/NwZYeHLXWcLbKtcFd8WDiEoNh91Oq1HMzOc/MBcpYv94RSAX7MEkHs2YIAvHE\nRufFV86hVhC1d/JLYjkz5CHi+Fd9XTYjBK78tHhJd4IJPu5LYvwlmzC1zeS7s1Tg\nQW1FQuVDV8tWa4PMTrQHwfaGqn95AKc+tbg+ubpCiWl5bBNI3Ghuh4sAC9dMdAkd\nw27i29O9/Y3XJSSGUZlZqDBP4YU388RgHpzLDUxgRcaQt9vdeEz6frULPW67e9D2\nmPPDzjECgYEA4aPOwvnSwGoOKsS6vANGy4Ajsq09PR+1ltMJUR5kDlXGuZWI72eX\n3/GAnovDuCp0tbYt0r7Fmkfel0Ore7SYM18TH5QGpPddcZLvKUf7AchCIOYY0Te3\npS9+7S1lEGrLXyuox4N26Ov6wHVrmZTcQoZsDWbjYxNNsNACsiQNjGMCgYEA3SvQ\nJets9e9SgNVvao2TijX+/vcNKRfcWB71T9Xc4BuSNEu5+ZLtptlwaSnVCVu1Xilk\nsWDh+3EhByl4EteENPvE/7A2s1sfcDOprvg0r52aBZKeTp0AukrT8+Ad4hap7g1x\n2Lz11MFDkhRqt2KqQaIL+5Mq5WfptbBJ0YI7ARUCgYAD6iSfK1hlsDFYupsGwgPL\nagi0g97pHZC38idaOe3AdeqBs79xb9mpr/XsSj52Bn6J3IRFALxK5e5Nr4XdGo/9\nbCvXw2iuGgCMBOGTVMVdDY1gJr3Ne2r7Oay5Dq2PMFsg5pACDhzVA6sRBbh9LKD5\non1jaiKNyHrzk1hIoOl/QwKBgA+Ov2uLbfS2yvTpDpdOMiyss603r6NOXF+Ofe8J\nuinBhr1K/mAB59muveuH18Z6vv1KqByaFgtb39jjH+Eja9dWRns95/sh08pOuAbo\nyrv3uBfgQmaBQMXZ8aLcBv4aXgWyyGlYkWpP1fL2oLMZq6RGQ9WEeqX8c0ImjmrA\nYGopAoGBAJZPFlZi2Rfq4MfFZp/X1/zM09hphZwkxkSI+RnsjDUjTgB8CuQul5ep\nKWE98yLw4C25Cqw5fKKQ2addizLnZCAIfJKVNRjYLWlWyGQydDEUzqwXlSLS9LVX\nLxLkWDajIyjeFn21Ttb42L9pBo3TAQIxUenom/lP2SQTvCKBiPai\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUahce2sCO7Bom/Rznd5HsNAlr1NgwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODEyMDIwMTAxNDRaFw00NjEy\nMTUwMTAxNDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDC8Qd4kJecWCLzysTV1NfoUd0E8rTBKN52HTLBWcJn\nEtZsG//k/K2NNwI92t9buDax9s/A6B79YXdfYp5hI/xLFkDRzObPpAOyl4b3bUmR\nla3Knmj743SV4tMhQCGrff2nc7WicA5Q7WTiwd+YLB+sOlOfaFzHhRFrk/PNvV8e\nKC6yMgfWZwZ2dxoDpnYLM7XDgTyQ85S6QgOtxlPh9o5mtZQhBkpDDYnNPIon5kwM\nJmrZMXNbCkvd4bjzAHsnuaJsVD/2cW/Gkh+UGMMBnxCKqTBivk3QM2xPFx9MJJ65\nt8kMJR8hbAVmEuK3PA7FrNrNRApdf9I8xDWX8v2jeecfAgMBAAGjUzBRMB0GA1Ud\nDgQWBBQXGfrns8OqxTGKsXG5pDZS/WyyYDAfBgNVHSMEGDAWgBQXGfrns8OqxTGK\nsXG5pDZS/WyyYDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCt\n8aUX26cl2PgdIEByZSHAX5G+2b0IEtTclPkl4uDyyKRY4dVq6gK3ueVSU5eUmBip\nJbV5aRetovGOcV//8vbxkZm/ntQ8Oo+2sfGR5lIzd0UdlOr5pkD6g3bFy/zJ+4DR\nDAe8fklUacfz6CFmD+H8GyHm+fKmF+mjr4oOGQW6OegRDJHuiipUk2lJyuXdlPSa\nFpNRO2sGbjn000ANinFgnFiVzGDnx0/G1Kii/6GWrI6rrdVmXioQzF+8AloWckeB\n+hbmbwkwQa/JrLb5SWcBDOXSgtn1Li3XF5AQQBBjA3pOlyBXqnI94Irw89Lv9uPT\nMUR4qFxeUOW/GJGccMUd\n-----END CERTIFICATE-----\n\"\"\",\n    opts = pulumi.ResourceOptions(depends_on=[intermediate_vault_mount]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var intermediate = new Vault.PkiSecret.SecretBackendConfigCa(\"intermediate\", new()\n    {\n        Backend = intermediateVaultMount.Path,\n        PemBundle = @\"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwvEHeJCXnFgi88rE1dTX6FHdBPK0wSjedh0ywVnCZxLWbBv/\n5PytjTcCPdrfW7g2sfbPwOge/WF3X2KeYSP8SxZA0czmz6QDspeG921JkZWtyp5o\n++N0leLTIUAhq339p3O1onAOUO1k4sHfmCwfrDpTn2hcx4URa5Pzzb1fHigusjIH\n1mcGdncaA6Z2CzO1w4E8kPOUukIDrcZT4faOZrWUIQZKQw2JzTyKJ+ZMDCZq2TFz\nWwpL3eG48wB7J7mibFQ/9nFvxpIflBjDAZ8QiqkwYr5N0DNsTxcfTCSeubfJDCUf\nIWwFZhLitzwOxazazUQKXX/SPMQ1l/L9o3nnHwIDAQABAoIBAAQidJQcDPsl62fc\nTxxx7TpiMhvewfKu2TkMGX18V+EzxxR364+BxHSQTB3fvIkHeTGBGJrw0WdyX8PI\nJa/NwZYeHLXWcLbKtcFd8WDiEoNh91Oq1HMzOc/MBcpYv94RSAX7MEkHs2YIAvHE\nRufFV86hVhC1d/JLYjkz5CHi+Fd9XTYjBK78tHhJd4IJPu5LYvwlmzC1zeS7s1Tg\nQW1FQuVDV8tWa4PMTrQHwfaGqn95AKc+tbg+ubpCiWl5bBNI3Ghuh4sAC9dMdAkd\nw27i29O9/Y3XJSSGUZlZqDBP4YU388RgHpzLDUxgRcaQt9vdeEz6frULPW67e9D2\nmPPDzjECgYEA4aPOwvnSwGoOKsS6vANGy4Ajsq09PR+1ltMJUR5kDlXGuZWI72eX\n3/GAnovDuCp0tbYt0r7Fmkfel0Ore7SYM18TH5QGpPddcZLvKUf7AchCIOYY0Te3\npS9+7S1lEGrLXyuox4N26Ov6wHVrmZTcQoZsDWbjYxNNsNACsiQNjGMCgYEA3SvQ\nJets9e9SgNVvao2TijX+/vcNKRfcWB71T9Xc4BuSNEu5+ZLtptlwaSnVCVu1Xilk\nsWDh+3EhByl4EteENPvE/7A2s1sfcDOprvg0r52aBZKeTp0AukrT8+Ad4hap7g1x\n2Lz11MFDkhRqt2KqQaIL+5Mq5WfptbBJ0YI7ARUCgYAD6iSfK1hlsDFYupsGwgPL\nagi0g97pHZC38idaOe3AdeqBs79xb9mpr/XsSj52Bn6J3IRFALxK5e5Nr4XdGo/9\nbCvXw2iuGgCMBOGTVMVdDY1gJr3Ne2r7Oay5Dq2PMFsg5pACDhzVA6sRBbh9LKD5\non1jaiKNyHrzk1hIoOl/QwKBgA+Ov2uLbfS2yvTpDpdOMiyss603r6NOXF+Ofe8J\nuinBhr1K/mAB59muveuH18Z6vv1KqByaFgtb39jjH+Eja9dWRns95/sh08pOuAbo\nyrv3uBfgQmaBQMXZ8aLcBv4aXgWyyGlYkWpP1fL2oLMZq6RGQ9WEeqX8c0ImjmrA\nYGopAoGBAJZPFlZi2Rfq4MfFZp/X1/zM09hphZwkxkSI+RnsjDUjTgB8CuQul5ep\nKWE98yLw4C25Cqw5fKKQ2addizLnZCAIfJKVNRjYLWlWyGQydDEUzqwXlSLS9LVX\nLxLkWDajIyjeFn21Ttb42L9pBo3TAQIxUenom/lP2SQTvCKBiPai\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUahce2sCO7Bom/Rznd5HsNAlr1NgwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODEyMDIwMTAxNDRaFw00NjEy\nMTUwMTAxNDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDC8Qd4kJecWCLzysTV1NfoUd0E8rTBKN52HTLBWcJn\nEtZsG//k/K2NNwI92t9buDax9s/A6B79YXdfYp5hI/xLFkDRzObPpAOyl4b3bUmR\nla3Knmj743SV4tMhQCGrff2nc7WicA5Q7WTiwd+YLB+sOlOfaFzHhRFrk/PNvV8e\nKC6yMgfWZwZ2dxoDpnYLM7XDgTyQ85S6QgOtxlPh9o5mtZQhBkpDDYnNPIon5kwM\nJmrZMXNbCkvd4bjzAHsnuaJsVD/2cW/Gkh+UGMMBnxCKqTBivk3QM2xPFx9MJJ65\nt8kMJR8hbAVmEuK3PA7FrNrNRApdf9I8xDWX8v2jeecfAgMBAAGjUzBRMB0GA1Ud\nDgQWBBQXGfrns8OqxTGKsXG5pDZS/WyyYDAfBgNVHSMEGDAWgBQXGfrns8OqxTGK\nsXG5pDZS/WyyYDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCt\n8aUX26cl2PgdIEByZSHAX5G+2b0IEtTclPkl4uDyyKRY4dVq6gK3ueVSU5eUmBip\nJbV5aRetovGOcV//8vbxkZm/ntQ8Oo+2sfGR5lIzd0UdlOr5pkD6g3bFy/zJ+4DR\nDAe8fklUacfz6CFmD+H8GyHm+fKmF+mjr4oOGQW6OegRDJHuiipUk2lJyuXdlPSa\nFpNRO2sGbjn000ANinFgnFiVzGDnx0/G1Kii/6GWrI6rrdVmXioQzF+8AloWckeB\n+hbmbwkwQa/JrLb5SWcBDOXSgtn1Li3XF5AQQBBjA3pOlyBXqnI94Irw89Lv9uPT\nMUR4qFxeUOW/GJGccMUd\n-----END CERTIFICATE-----\n\",\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            intermediateVaultMount,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := pkisecret.NewSecretBackendConfigCa(ctx, \"intermediate\", \u0026pkisecret.SecretBackendConfigCaArgs{\n\t\t\tBackend: pulumi.Any(intermediateVaultMount.Path),\n\t\t\tPemBundle: pulumi.String(`-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwvEHeJCXnFgi88rE1dTX6FHdBPK0wSjedh0ywVnCZxLWbBv/\n5PytjTcCPdrfW7g2sfbPwOge/WF3X2KeYSP8SxZA0czmz6QDspeG921JkZWtyp5o\n++N0leLTIUAhq339p3O1onAOUO1k4sHfmCwfrDpTn2hcx4URa5Pzzb1fHigusjIH\n1mcGdncaA6Z2CzO1w4E8kPOUukIDrcZT4faOZrWUIQZKQw2JzTyKJ+ZMDCZq2TFz\nWwpL3eG48wB7J7mibFQ/9nFvxpIflBjDAZ8QiqkwYr5N0DNsTxcfTCSeubfJDCUf\nIWwFZhLitzwOxazazUQKXX/SPMQ1l/L9o3nnHwIDAQABAoIBAAQidJQcDPsl62fc\nTxxx7TpiMhvewfKu2TkMGX18V+EzxxR364+BxHSQTB3fvIkHeTGBGJrw0WdyX8PI\nJa/NwZYeHLXWcLbKtcFd8WDiEoNh91Oq1HMzOc/MBcpYv94RSAX7MEkHs2YIAvHE\nRufFV86hVhC1d/JLYjkz5CHi+Fd9XTYjBK78tHhJd4IJPu5LYvwlmzC1zeS7s1Tg\nQW1FQuVDV8tWa4PMTrQHwfaGqn95AKc+tbg+ubpCiWl5bBNI3Ghuh4sAC9dMdAkd\nw27i29O9/Y3XJSSGUZlZqDBP4YU388RgHpzLDUxgRcaQt9vdeEz6frULPW67e9D2\nmPPDzjECgYEA4aPOwvnSwGoOKsS6vANGy4Ajsq09PR+1ltMJUR5kDlXGuZWI72eX\n3/GAnovDuCp0tbYt0r7Fmkfel0Ore7SYM18TH5QGpPddcZLvKUf7AchCIOYY0Te3\npS9+7S1lEGrLXyuox4N26Ov6wHVrmZTcQoZsDWbjYxNNsNACsiQNjGMCgYEA3SvQ\nJets9e9SgNVvao2TijX+/vcNKRfcWB71T9Xc4BuSNEu5+ZLtptlwaSnVCVu1Xilk\nsWDh+3EhByl4EteENPvE/7A2s1sfcDOprvg0r52aBZKeTp0AukrT8+Ad4hap7g1x\n2Lz11MFDkhRqt2KqQaIL+5Mq5WfptbBJ0YI7ARUCgYAD6iSfK1hlsDFYupsGwgPL\nagi0g97pHZC38idaOe3AdeqBs79xb9mpr/XsSj52Bn6J3IRFALxK5e5Nr4XdGo/9\nbCvXw2iuGgCMBOGTVMVdDY1gJr3Ne2r7Oay5Dq2PMFsg5pACDhzVA6sRBbh9LKD5\non1jaiKNyHrzk1hIoOl/QwKBgA+Ov2uLbfS2yvTpDpdOMiyss603r6NOXF+Ofe8J\nuinBhr1K/mAB59muveuH18Z6vv1KqByaFgtb39jjH+Eja9dWRns95/sh08pOuAbo\nyrv3uBfgQmaBQMXZ8aLcBv4aXgWyyGlYkWpP1fL2oLMZq6RGQ9WEeqX8c0ImjmrA\nYGopAoGBAJZPFlZi2Rfq4MfFZp/X1/zM09hphZwkxkSI+RnsjDUjTgB8CuQul5ep\nKWE98yLw4C25Cqw5fKKQ2addizLnZCAIfJKVNRjYLWlWyGQydDEUzqwXlSLS9LVX\nLxLkWDajIyjeFn21Ttb42L9pBo3TAQIxUenom/lP2SQTvCKBiPai\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUahce2sCO7Bom/Rznd5HsNAlr1NgwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODEyMDIwMTAxNDRaFw00NjEy\nMTUwMTAxNDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDC8Qd4kJecWCLzysTV1NfoUd0E8rTBKN52HTLBWcJn\nEtZsG//k/K2NNwI92t9buDax9s/A6B79YXdfYp5hI/xLFkDRzObPpAOyl4b3bUmR\nla3Knmj743SV4tMhQCGrff2nc7WicA5Q7WTiwd+YLB+sOlOfaFzHhRFrk/PNvV8e\nKC6yMgfWZwZ2dxoDpnYLM7XDgTyQ85S6QgOtxlPh9o5mtZQhBkpDDYnNPIon5kwM\nJmrZMXNbCkvd4bjzAHsnuaJsVD/2cW/Gkh+UGMMBnxCKqTBivk3QM2xPFx9MJJ65\nt8kMJR8hbAVmEuK3PA7FrNrNRApdf9I8xDWX8v2jeecfAgMBAAGjUzBRMB0GA1Ud\nDgQWBBQXGfrns8OqxTGKsXG5pDZS/WyyYDAfBgNVHSMEGDAWgBQXGfrns8OqxTGK\nsXG5pDZS/WyyYDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCt\n8aUX26cl2PgdIEByZSHAX5G+2b0IEtTclPkl4uDyyKRY4dVq6gK3ueVSU5eUmBip\nJbV5aRetovGOcV//8vbxkZm/ntQ8Oo+2sfGR5lIzd0UdlOr5pkD6g3bFy/zJ+4DR\nDAe8fklUacfz6CFmD+H8GyHm+fKmF+mjr4oOGQW6OegRDJHuiipUk2lJyuXdlPSa\nFpNRO2sGbjn000ANinFgnFiVzGDnx0/G1Kii/6GWrI6rrdVmXioQzF+8AloWckeB\n+hbmbwkwQa/JrLb5SWcBDOXSgtn1Li3XF5AQQBBjA3pOlyBXqnI94Irw89Lv9uPT\nMUR4qFxeUOW/GJGccMUd\n-----END CERTIFICATE-----\n`),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tintermediateVaultMount,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.pkiSecret.SecretBackendConfigCa;\nimport com.pulumi.vault.pkiSecret.SecretBackendConfigCaArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var intermediate = new SecretBackendConfigCa(\"intermediate\", SecretBackendConfigCaArgs.builder()\n            .backend(intermediateVaultMount.path())\n            .pemBundle(\"\"\"\n-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwvEHeJCXnFgi88rE1dTX6FHdBPK0wSjedh0ywVnCZxLWbBv/\n5PytjTcCPdrfW7g2sfbPwOge/WF3X2KeYSP8SxZA0czmz6QDspeG921JkZWtyp5o\n++N0leLTIUAhq339p3O1onAOUO1k4sHfmCwfrDpTn2hcx4URa5Pzzb1fHigusjIH\n1mcGdncaA6Z2CzO1w4E8kPOUukIDrcZT4faOZrWUIQZKQw2JzTyKJ+ZMDCZq2TFz\nWwpL3eG48wB7J7mibFQ/9nFvxpIflBjDAZ8QiqkwYr5N0DNsTxcfTCSeubfJDCUf\nIWwFZhLitzwOxazazUQKXX/SPMQ1l/L9o3nnHwIDAQABAoIBAAQidJQcDPsl62fc\nTxxx7TpiMhvewfKu2TkMGX18V+EzxxR364+BxHSQTB3fvIkHeTGBGJrw0WdyX8PI\nJa/NwZYeHLXWcLbKtcFd8WDiEoNh91Oq1HMzOc/MBcpYv94RSAX7MEkHs2YIAvHE\nRufFV86hVhC1d/JLYjkz5CHi+Fd9XTYjBK78tHhJd4IJPu5LYvwlmzC1zeS7s1Tg\nQW1FQuVDV8tWa4PMTrQHwfaGqn95AKc+tbg+ubpCiWl5bBNI3Ghuh4sAC9dMdAkd\nw27i29O9/Y3XJSSGUZlZqDBP4YU388RgHpzLDUxgRcaQt9vdeEz6frULPW67e9D2\nmPPDzjECgYEA4aPOwvnSwGoOKsS6vANGy4Ajsq09PR+1ltMJUR5kDlXGuZWI72eX\n3/GAnovDuCp0tbYt0r7Fmkfel0Ore7SYM18TH5QGpPddcZLvKUf7AchCIOYY0Te3\npS9+7S1lEGrLXyuox4N26Ov6wHVrmZTcQoZsDWbjYxNNsNACsiQNjGMCgYEA3SvQ\nJets9e9SgNVvao2TijX+/vcNKRfcWB71T9Xc4BuSNEu5+ZLtptlwaSnVCVu1Xilk\nsWDh+3EhByl4EteENPvE/7A2s1sfcDOprvg0r52aBZKeTp0AukrT8+Ad4hap7g1x\n2Lz11MFDkhRqt2KqQaIL+5Mq5WfptbBJ0YI7ARUCgYAD6iSfK1hlsDFYupsGwgPL\nagi0g97pHZC38idaOe3AdeqBs79xb9mpr/XsSj52Bn6J3IRFALxK5e5Nr4XdGo/9\nbCvXw2iuGgCMBOGTVMVdDY1gJr3Ne2r7Oay5Dq2PMFsg5pACDhzVA6sRBbh9LKD5\non1jaiKNyHrzk1hIoOl/QwKBgA+Ov2uLbfS2yvTpDpdOMiyss603r6NOXF+Ofe8J\nuinBhr1K/mAB59muveuH18Z6vv1KqByaFgtb39jjH+Eja9dWRns95/sh08pOuAbo\nyrv3uBfgQmaBQMXZ8aLcBv4aXgWyyGlYkWpP1fL2oLMZq6RGQ9WEeqX8c0ImjmrA\nYGopAoGBAJZPFlZi2Rfq4MfFZp/X1/zM09hphZwkxkSI+RnsjDUjTgB8CuQul5ep\nKWE98yLw4C25Cqw5fKKQ2addizLnZCAIfJKVNRjYLWlWyGQydDEUzqwXlSLS9LVX\nLxLkWDajIyjeFn21Ttb42L9pBo3TAQIxUenom/lP2SQTvCKBiPai\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUahce2sCO7Bom/Rznd5HsNAlr1NgwDQYJKoZIhvcNAQEL\nBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\nGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODEyMDIwMTAxNDRaFw00NjEy\nMTUwMTAxNDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\nHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDC8Qd4kJecWCLzysTV1NfoUd0E8rTBKN52HTLBWcJn\nEtZsG//k/K2NNwI92t9buDax9s/A6B79YXdfYp5hI/xLFkDRzObPpAOyl4b3bUmR\nla3Knmj743SV4tMhQCGrff2nc7WicA5Q7WTiwd+YLB+sOlOfaFzHhRFrk/PNvV8e\nKC6yMgfWZwZ2dxoDpnYLM7XDgTyQ85S6QgOtxlPh9o5mtZQhBkpDDYnNPIon5kwM\nJmrZMXNbCkvd4bjzAHsnuaJsVD/2cW/Gkh+UGMMBnxCKqTBivk3QM2xPFx9MJJ65\nt8kMJR8hbAVmEuK3PA7FrNrNRApdf9I8xDWX8v2jeecfAgMBAAGjUzBRMB0GA1Ud\nDgQWBBQXGfrns8OqxTGKsXG5pDZS/WyyYDAfBgNVHSMEGDAWgBQXGfrns8OqxTGK\nsXG5pDZS/WyyYDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCt\n8aUX26cl2PgdIEByZSHAX5G+2b0IEtTclPkl4uDyyKRY4dVq6gK3ueVSU5eUmBip\nJbV5aRetovGOcV//8vbxkZm/ntQ8Oo+2sfGR5lIzd0UdlOr5pkD6g3bFy/zJ+4DR\nDAe8fklUacfz6CFmD+H8GyHm+fKmF+mjr4oOGQW6OegRDJHuiipUk2lJyuXdlPSa\nFpNRO2sGbjn000ANinFgnFiVzGDnx0/G1Kii/6GWrI6rrdVmXioQzF+8AloWckeB\n+hbmbwkwQa/JrLb5SWcBDOXSgtn1Li3XF5AQQBBjA3pOlyBXqnI94Irw89Lv9uPT\nMUR4qFxeUOW/GJGccMUd\n-----END CERTIFICATE-----\n            \"\"\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(intermediateVaultMount)\n                .build());\n\n    }\n}\n```\n```yaml\nresources:\n  intermediate:\n    type: vault:pkiSecret:SecretBackendConfigCa\n    properties:\n      backend: ${intermediateVaultMount.path}\n      pemBundle: |\n        -----BEGIN RSA PRIVATE KEY-----\n        MIIEowIBAAKCAQEAwvEHeJCXnFgi88rE1dTX6FHdBPK0wSjedh0ywVnCZxLWbBv/\n        5PytjTcCPdrfW7g2sfbPwOge/WF3X2KeYSP8SxZA0czmz6QDspeG921JkZWtyp5o\n        ++N0leLTIUAhq339p3O1onAOUO1k4sHfmCwfrDpTn2hcx4URa5Pzzb1fHigusjIH\n        1mcGdncaA6Z2CzO1w4E8kPOUukIDrcZT4faOZrWUIQZKQw2JzTyKJ+ZMDCZq2TFz\n        WwpL3eG48wB7J7mibFQ/9nFvxpIflBjDAZ8QiqkwYr5N0DNsTxcfTCSeubfJDCUf\n        IWwFZhLitzwOxazazUQKXX/SPMQ1l/L9o3nnHwIDAQABAoIBAAQidJQcDPsl62fc\n        Txxx7TpiMhvewfKu2TkMGX18V+EzxxR364+BxHSQTB3fvIkHeTGBGJrw0WdyX8PI\n        Ja/NwZYeHLXWcLbKtcFd8WDiEoNh91Oq1HMzOc/MBcpYv94RSAX7MEkHs2YIAvHE\n        RufFV86hVhC1d/JLYjkz5CHi+Fd9XTYjBK78tHhJd4IJPu5LYvwlmzC1zeS7s1Tg\n        QW1FQuVDV8tWa4PMTrQHwfaGqn95AKc+tbg+ubpCiWl5bBNI3Ghuh4sAC9dMdAkd\n        w27i29O9/Y3XJSSGUZlZqDBP4YU388RgHpzLDUxgRcaQt9vdeEz6frULPW67e9D2\n        mPPDzjECgYEA4aPOwvnSwGoOKsS6vANGy4Ajsq09PR+1ltMJUR5kDlXGuZWI72eX\n        3/GAnovDuCp0tbYt0r7Fmkfel0Ore7SYM18TH5QGpPddcZLvKUf7AchCIOYY0Te3\n        pS9+7S1lEGrLXyuox4N26Ov6wHVrmZTcQoZsDWbjYxNNsNACsiQNjGMCgYEA3SvQ\n        Jets9e9SgNVvao2TijX+/vcNKRfcWB71T9Xc4BuSNEu5+ZLtptlwaSnVCVu1Xilk\n        sWDh+3EhByl4EteENPvE/7A2s1sfcDOprvg0r52aBZKeTp0AukrT8+Ad4hap7g1x\n        2Lz11MFDkhRqt2KqQaIL+5Mq5WfptbBJ0YI7ARUCgYAD6iSfK1hlsDFYupsGwgPL\n        agi0g97pHZC38idaOe3AdeqBs79xb9mpr/XsSj52Bn6J3IRFALxK5e5Nr4XdGo/9\n        bCvXw2iuGgCMBOGTVMVdDY1gJr3Ne2r7Oay5Dq2PMFsg5pACDhzVA6sRBbh9LKD5\n        on1jaiKNyHrzk1hIoOl/QwKBgA+Ov2uLbfS2yvTpDpdOMiyss603r6NOXF+Ofe8J\n        uinBhr1K/mAB59muveuH18Z6vv1KqByaFgtb39jjH+Eja9dWRns95/sh08pOuAbo\n        yrv3uBfgQmaBQMXZ8aLcBv4aXgWyyGlYkWpP1fL2oLMZq6RGQ9WEeqX8c0ImjmrA\n        YGopAoGBAJZPFlZi2Rfq4MfFZp/X1/zM09hphZwkxkSI+RnsjDUjTgB8CuQul5ep\n        KWE98yLw4C25Cqw5fKKQ2addizLnZCAIfJKVNRjYLWlWyGQydDEUzqwXlSLS9LVX\n        LxLkWDajIyjeFn21Ttb42L9pBo3TAQIxUenom/lP2SQTvCKBiPai\n        -----END RSA PRIVATE KEY-----\n        -----BEGIN CERTIFICATE-----\n        MIIDazCCAlOgAwIBAgIUahce2sCO7Bom/Rznd5HsNAlr1NgwDQYJKoZIhvcNAQEL\n        BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\n        GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODEyMDIwMTAxNDRaFw00NjEy\n        MTUwMTAxNDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\n        HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB\n        AQUAA4IBDwAwggEKAoIBAQDC8Qd4kJecWCLzysTV1NfoUd0E8rTBKN52HTLBWcJn\n        EtZsG//k/K2NNwI92t9buDax9s/A6B79YXdfYp5hI/xLFkDRzObPpAOyl4b3bUmR\n        la3Knmj743SV4tMhQCGrff2nc7WicA5Q7WTiwd+YLB+sOlOfaFzHhRFrk/PNvV8e\n        KC6yMgfWZwZ2dxoDpnYLM7XDgTyQ85S6QgOtxlPh9o5mtZQhBkpDDYnNPIon5kwM\n        JmrZMXNbCkvd4bjzAHsnuaJsVD/2cW/Gkh+UGMMBnxCKqTBivk3QM2xPFx9MJJ65\n        t8kMJR8hbAVmEuK3PA7FrNrNRApdf9I8xDWX8v2jeecfAgMBAAGjUzBRMB0GA1Ud\n        DgQWBBQXGfrns8OqxTGKsXG5pDZS/WyyYDAfBgNVHSMEGDAWgBQXGfrns8OqxTGK\n        sXG5pDZS/WyyYDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCt\n        8aUX26cl2PgdIEByZSHAX5G+2b0IEtTclPkl4uDyyKRY4dVq6gK3ueVSU5eUmBip\n        JbV5aRetovGOcV//8vbxkZm/ntQ8Oo+2sfGR5lIzd0UdlOr5pkD6g3bFy/zJ+4DR\n        DAe8fklUacfz6CFmD+H8GyHm+fKmF+mjr4oOGQW6OegRDJHuiipUk2lJyuXdlPSa\n        FpNRO2sGbjn000ANinFgnFiVzGDnx0/G1Kii/6GWrI6rrdVmXioQzF+8AloWckeB\n        +hbmbwkwQa/JrLb5SWcBDOXSgtn1Li3XF5AQQBBjA3pOlyBXqnI94Irw89Lv9uPT\n        MUR4qFxeUOW/GJGccMUd\n        -----END CERTIFICATE-----\n    options:\n      dependsOn:\n        - ${intermediateVaultMount}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"pemBundle":{"type":"string","description":"The key and certificate PEM bundle\n","secret":true}},"required":["backend","pemBundle"],"inputProperties":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pemBundle":{"type":"string","description":"The key and certificate PEM bundle\n","secret":true,"willReplaceOnChanges":true}},"requiredInputs":["backend","pemBundle"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendConfigCa resources.\n","properties":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pemBundle":{"type":"string","description":"The key and certificate PEM bundle\n","secret":true,"willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/secretBackendConfigIssuers:SecretBackendConfigIssuers":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\nconst root = new vault.pkisecret.SecretBackendRootCert(\"root\", {\n    backend: pki.path,\n    type: \"internal\",\n    commonName: \"test\",\n    ttl: \"86400\",\n});\nconst example = new vault.pkisecret.SecretBackendIssuer(\"example\", {\n    backend: root.backend,\n    issuerRef: root.issuerId,\n    issuerName: \"example-issuer\",\n});\nconst config = new vault.pkisecret.SecretBackendConfigIssuers(\"config\", {\n    backend: pki.path,\n    \"default\": example.issuerId,\n    defaultFollowsLatestIssuer: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\nroot = vault.pkisecret.SecretBackendRootCert(\"root\",\n    backend=pki.path,\n    type=\"internal\",\n    common_name=\"test\",\n    ttl=\"86400\")\nexample = vault.pkisecret.SecretBackendIssuer(\"example\",\n    backend=root.backend,\n    issuer_ref=root.issuer_id,\n    issuer_name=\"example-issuer\")\nconfig = vault.pkisecret.SecretBackendConfigIssuers(\"config\",\n    backend=pki.path,\n    default=example.issuer_id,\n    default_follows_latest_issuer=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var root = new Vault.PkiSecret.SecretBackendRootCert(\"root\", new()\n    {\n        Backend = pki.Path,\n        Type = \"internal\",\n        CommonName = \"test\",\n        Ttl = \"86400\",\n    });\n\n    var example = new Vault.PkiSecret.SecretBackendIssuer(\"example\", new()\n    {\n        Backend = root.Backend,\n        IssuerRef = root.IssuerId,\n        IssuerName = \"example-issuer\",\n    });\n\n    var config = new Vault.PkiSecret.SecretBackendConfigIssuers(\"config\", new()\n    {\n        Backend = pki.Path,\n        Default = example.IssuerId,\n        DefaultFollowsLatestIssuer = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\troot, err := pkisecret.NewSecretBackendRootCert(ctx, \"root\", \u0026pkisecret.SecretBackendRootCertArgs{\n\t\t\tBackend:    pki.Path,\n\t\t\tType:       pulumi.String(\"internal\"),\n\t\t\tCommonName: pulumi.String(\"test\"),\n\t\t\tTtl:        pulumi.String(\"86400\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texample, err := pkisecret.NewSecretBackendIssuer(ctx, \"example\", \u0026pkisecret.SecretBackendIssuerArgs{\n\t\t\tBackend:    root.Backend,\n\t\t\tIssuerRef:  root.IssuerId,\n\t\t\tIssuerName: pulumi.String(\"example-issuer\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewSecretBackendConfigIssuers(ctx, \"config\", \u0026pkisecret.SecretBackendConfigIssuersArgs{\n\t\t\tBackend:                    pki.Path,\n\t\t\tDefault:                    example.IssuerId,\n\t\t\tDefaultFollowsLatestIssuer: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendIssuer;\nimport com.pulumi.vault.pkiSecret.SecretBackendIssuerArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendConfigIssuers;\nimport com.pulumi.vault.pkiSecret.SecretBackendConfigIssuersArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var root = new SecretBackendRootCert(\"root\", SecretBackendRootCertArgs.builder()\n            .backend(pki.path())\n            .type(\"internal\")\n            .commonName(\"test\")\n            .ttl(\"86400\")\n            .build());\n\n        var example = new SecretBackendIssuer(\"example\", SecretBackendIssuerArgs.builder()\n            .backend(root.backend())\n            .issuerRef(root.issuerId())\n            .issuerName(\"example-issuer\")\n            .build());\n\n        var config = new SecretBackendConfigIssuers(\"config\", SecretBackendConfigIssuersArgs.builder()\n            .backend(pki.path())\n            .default_(example.issuerId())\n            .defaultFollowsLatestIssuer(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  root:\n    type: vault:pkiSecret:SecretBackendRootCert\n    properties:\n      backend: ${pki.path}\n      type: internal\n      commonName: test\n      ttl: '86400'\n  example:\n    type: vault:pkiSecret:SecretBackendIssuer\n    properties:\n      backend: ${root.backend}\n      issuerRef: ${root.issuerId}\n      issuerName: example-issuer\n  config:\n    type: vault:pkiSecret:SecretBackendConfigIssuers\n    properties:\n      backend: ${pki.path}\n      default: ${example.issuerId}\n      defaultFollowsLatestIssuer: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nPKI secret backend config issuers can be imported using the path, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/secretBackendConfigIssuers:SecretBackendConfigIssuers config pki/config/issuers\n```\n","properties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no\nleading or trailing `/`s.\n"},"default":{"type":"string","description":"Specifies the default issuer by ID."},"defaultFollowsLatestIssuer":{"type":"boolean","description":"Specifies whether a root creation\nor an issuer import operation updates the default issuer to the newly added issuer.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["backend","defaultFollowsLatestIssuer"],"inputProperties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no\nleading or trailing `/`s.\n"},"default":{"type":"string","description":"Specifies the default issuer by ID."},"defaultFollowsLatestIssuer":{"type":"boolean","description":"Specifies whether a root creation\nor an issuer import operation updates the default issuer to the newly added issuer.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendConfigIssuers resources.\n","properties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no\nleading or trailing `/`s.\n"},"default":{"type":"string","description":"Specifies the default issuer by ID."},"defaultFollowsLatestIssuer":{"type":"boolean","description":"Specifies whether a root creation\nor an issuer import operation updates the default issuer to the newly added issuer.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/secretBackendConfigUrls:SecretBackendConfigUrls":{"description":"Allows setting the issuing certificate endpoints, CRL distribution points, and OCSP server endpoints that will be encoded into issued certificates.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst root = new vault.Mount(\"root\", {\n    path: \"pki-root\",\n    type: \"pki\",\n    description: \"root PKI\",\n    defaultLeaseTtlSeconds: 8640000,\n    maxLeaseTtlSeconds: 8640000,\n});\nconst example = new vault.pkisecret.SecretBackendConfigUrls(\"example\", {\n    backend: root.path,\n    issuingCertificates: [\"http://127.0.0.1:8200/v1/pki/ca\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nroot = vault.Mount(\"root\",\n    path=\"pki-root\",\n    type=\"pki\",\n    description=\"root PKI\",\n    default_lease_ttl_seconds=8640000,\n    max_lease_ttl_seconds=8640000)\nexample = vault.pkisecret.SecretBackendConfigUrls(\"example\",\n    backend=root.path,\n    issuing_certificates=[\"http://127.0.0.1:8200/v1/pki/ca\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var root = new Vault.Mount(\"root\", new()\n    {\n        Path = \"pki-root\",\n        Type = \"pki\",\n        Description = \"root PKI\",\n        DefaultLeaseTtlSeconds = 8640000,\n        MaxLeaseTtlSeconds = 8640000,\n    });\n\n    var example = new Vault.PkiSecret.SecretBackendConfigUrls(\"example\", new()\n    {\n        Backend = root.Path,\n        IssuingCertificates = new[]\n        {\n            \"http://127.0.0.1:8200/v1/pki/ca\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\troot, err := vault.NewMount(ctx, \"root\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki-root\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDescription:            pulumi.String(\"root PKI\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(8640000),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(8640000),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewSecretBackendConfigUrls(ctx, \"example\", \u0026pkisecret.SecretBackendConfigUrlsArgs{\n\t\t\tBackend: root.Path,\n\t\t\tIssuingCertificates: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8200/v1/pki/ca\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendConfigUrls;\nimport com.pulumi.vault.pkiSecret.SecretBackendConfigUrlsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var root = new Mount(\"root\", MountArgs.builder()\n            .path(\"pki-root\")\n            .type(\"pki\")\n            .description(\"root PKI\")\n            .defaultLeaseTtlSeconds(8640000)\n            .maxLeaseTtlSeconds(8640000)\n            .build());\n\n        var example = new SecretBackendConfigUrls(\"example\", SecretBackendConfigUrlsArgs.builder()\n            .backend(root.path())\n            .issuingCertificates(\"http://127.0.0.1:8200/v1/pki/ca\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  root:\n    type: vault:Mount\n    properties:\n      path: pki-root\n      type: pki\n      description: root PKI\n      defaultLeaseTtlSeconds: 8.64e+06\n      maxLeaseTtlSeconds: 8.64e+06\n  example:\n    type: vault:pkiSecret:SecretBackendConfigUrls\n    properties:\n      backend: ${root.path}\n      issuingCertificates:\n        - http://127.0.0.1:8200/v1/pki/ca\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nThe PKI config URLs can be imported using the resource's `id`.\nIn the case of the example above the `id` would be `pki-root/config/urls`,\nwhere the `pki-root` component is the resource's `backend`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/secretBackendConfigUrls:SecretBackendConfigUrls example pki-root/config/urls\n```\n","properties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n"},"crlDistributionPoints":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the CRL Distribution Points field.\n"},"enableTemplating":{"type":"boolean","description":"Specifies that templating of AIA fields is allowed.\n"},"issuingCertificates":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the Issuing Certificate field.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"ocspServers":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the OCSP Servers field.\n"}},"required":["backend"],"inputProperties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n"},"crlDistributionPoints":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the CRL Distribution Points field.\n"},"enableTemplating":{"type":"boolean","description":"Specifies that templating of AIA fields is allowed.\n"},"issuingCertificates":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the Issuing Certificate field.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocspServers":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the OCSP Servers field.\n"}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendConfigUrls resources.\n","properties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n"},"crlDistributionPoints":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the CRL Distribution Points field.\n"},"enableTemplating":{"type":"boolean","description":"Specifies that templating of AIA fields is allowed.\n"},"issuingCertificates":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the Issuing Certificate field.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocspServers":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the OCSP Servers field.\n"}},"type":"object"}},"vault:pkiSecret/secretBackendCrlConfig:SecretBackendCrlConfig":{"description":"Allows setting the duration for which the generated CRL should be marked valid. If the CRL is disabled, it will return a signed but zero-length CRL for any request. If enabled, it will re-build the CRL.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"%s\",\n    type: \"pki\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\nconst crlConfig = new vault.pkisecret.SecretBackendCrlConfig(\"crl_config\", {\n    backend: pki.path,\n    expiry: \"72h\",\n    disable: false,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"%s\",\n    type=\"pki\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\ncrl_config = vault.pkisecret.SecretBackendCrlConfig(\"crl_config\",\n    backend=pki.path,\n    expiry=\"72h\",\n    disable=False)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"%s\",\n        Type = \"pki\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var crlConfig = new Vault.PkiSecret.SecretBackendCrlConfig(\"crl_config\", new()\n    {\n        Backend = pki.Path,\n        Expiry = \"72h\",\n        Disable = false,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"%s\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewSecretBackendCrlConfig(ctx, \"crl_config\", \u0026pkisecret.SecretBackendCrlConfigArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tExpiry:  pulumi.String(\"72h\"),\n\t\t\tDisable: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendCrlConfig;\nimport com.pulumi.vault.pkiSecret.SecretBackendCrlConfigArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"%s\")\n            .type(\"pki\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var crlConfig = new SecretBackendCrlConfig(\"crlConfig\", SecretBackendCrlConfigArgs.builder()\n            .backend(pki.path())\n            .expiry(\"72h\")\n            .disable(false)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: '%s'\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  crlConfig:\n    type: vault:pkiSecret:SecretBackendCrlConfig\n    name: crl_config\n    properties:\n      backend: ${pki.path}\n      expiry: 72h\n      disable: false\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"autoRebuild":{"type":"boolean","description":"Enables periodic rebuilding of the CRL upon expiry. **Vault 1.12+**\n"},"autoRebuildGracePeriod":{"type":"string","description":"Grace period before CRL expiry to attempt rebuild of CRL. **Vault 1.12+**\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n"},"crossClusterRevocation":{"type":"boolean","description":"Enable cross-cluster revocation request queues. **Vault 1.13+**\n"},"deltaRebuildInterval":{"type":"string","description":"Interval to check for new revocations on, to regenerate the delta CRL.\n"},"disable":{"type":"boolean","description":"Disables or enables CRL building.\n"},"enableDelta":{"type":"boolean","description":"Enables building of delta CRLs with up-to-date revocation information, \naugmenting the last complete CRL.  **Vault 1.12+**\n"},"expiry":{"type":"string","description":"Specifies the time until expiration.\n"},"maxCrlEntries":{"type":"integer","description":"The maximum number of entries a CRL can contain. This option exists to prevent \naccidental runaway issuance/revocation from overloading Vault. If set to -1, the limit is disabled. **Vault 1.19**\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"ocspDisable":{"type":"boolean","description":"Disables the OCSP responder in Vault. **Vault 1.12+**\n"},"ocspExpiry":{"type":"string","description":"The amount of time an OCSP response can be cached for, useful for OCSP stapling \nrefresh durations. **Vault 1.12+**\n"},"unifiedCrl":{"type":"boolean","description":"Enables unified CRL and OCSP building. **Vault 1.13+**\n"},"unifiedCrlOnExistingPaths":{"type":"boolean","description":"Enables serving the unified CRL and OCSP on the existing, previously\ncluster-local paths. **Vault 1.13+**\n"}},"required":["autoRebuildGracePeriod","backend","crossClusterRevocation","deltaRebuildInterval","maxCrlEntries","ocspExpiry","unifiedCrl","unifiedCrlOnExistingPaths"],"inputProperties":{"autoRebuild":{"type":"boolean","description":"Enables periodic rebuilding of the CRL upon expiry. **Vault 1.12+**\n"},"autoRebuildGracePeriod":{"type":"string","description":"Grace period before CRL expiry to attempt rebuild of CRL. **Vault 1.12+**\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"crossClusterRevocation":{"type":"boolean","description":"Enable cross-cluster revocation request queues. **Vault 1.13+**\n"},"deltaRebuildInterval":{"type":"string","description":"Interval to check for new revocations on, to regenerate the delta CRL.\n"},"disable":{"type":"boolean","description":"Disables or enables CRL building.\n"},"enableDelta":{"type":"boolean","description":"Enables building of delta CRLs with up-to-date revocation information, \naugmenting the last complete CRL.  **Vault 1.12+**\n"},"expiry":{"type":"string","description":"Specifies the time until expiration.\n"},"maxCrlEntries":{"type":"integer","description":"The maximum number of entries a CRL can contain. This option exists to prevent \naccidental runaway issuance/revocation from overloading Vault. If set to -1, the limit is disabled. **Vault 1.19**\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocspDisable":{"type":"boolean","description":"Disables the OCSP responder in Vault. **Vault 1.12+**\n"},"ocspExpiry":{"type":"string","description":"The amount of time an OCSP response can be cached for, useful for OCSP stapling \nrefresh durations. **Vault 1.12+**\n"},"unifiedCrl":{"type":"boolean","description":"Enables unified CRL and OCSP building. **Vault 1.13+**\n"},"unifiedCrlOnExistingPaths":{"type":"boolean","description":"Enables serving the unified CRL and OCSP on the existing, previously\ncluster-local paths. **Vault 1.13+**\n"}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendCrlConfig resources.\n","properties":{"autoRebuild":{"type":"boolean","description":"Enables periodic rebuilding of the CRL upon expiry. **Vault 1.12+**\n"},"autoRebuildGracePeriod":{"type":"string","description":"Grace period before CRL expiry to attempt rebuild of CRL. **Vault 1.12+**\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"crossClusterRevocation":{"type":"boolean","description":"Enable cross-cluster revocation request queues. **Vault 1.13+**\n"},"deltaRebuildInterval":{"type":"string","description":"Interval to check for new revocations on, to regenerate the delta CRL.\n"},"disable":{"type":"boolean","description":"Disables or enables CRL building.\n"},"enableDelta":{"type":"boolean","description":"Enables building of delta CRLs with up-to-date revocation information, \naugmenting the last complete CRL.  **Vault 1.12+**\n"},"expiry":{"type":"string","description":"Specifies the time until expiration.\n"},"maxCrlEntries":{"type":"integer","description":"The maximum number of entries a CRL can contain. This option exists to prevent \naccidental runaway issuance/revocation from overloading Vault. If set to -1, the limit is disabled. **Vault 1.19**\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocspDisable":{"type":"boolean","description":"Disables the OCSP responder in Vault. **Vault 1.12+**\n"},"ocspExpiry":{"type":"string","description":"The amount of time an OCSP response can be cached for, useful for OCSP stapling \nrefresh durations. **Vault 1.12+**\n"},"unifiedCrl":{"type":"boolean","description":"Enables unified CRL and OCSP building. **Vault 1.13+**\n"},"unifiedCrlOnExistingPaths":{"type":"boolean","description":"Enables serving the unified CRL and OCSP on the existing, previously\ncluster-local paths. **Vault 1.13+**\n"}},"type":"object"}},"vault:pkiSecret/secretBackendIntermediateCertRequest:SecretBackendIntermediateCertRequest":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.pkisecret.SecretBackendIntermediateCertRequest(\"test\", {\n    backend: pki.path,\n    type: \"internal\",\n    commonName: \"app.my.domain\",\n}, {\n    dependsOn: [pki],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.pkisecret.SecretBackendIntermediateCertRequest(\"test\",\n    backend=pki[\"path\"],\n    type=\"internal\",\n    common_name=\"app.my.domain\",\n    opts = pulumi.ResourceOptions(depends_on=[pki]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.PkiSecret.SecretBackendIntermediateCertRequest(\"test\", new()\n    {\n        Backend = pki.Path,\n        Type = \"internal\",\n        CommonName = \"app.my.domain\",\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            pki,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := pkisecret.NewSecretBackendIntermediateCertRequest(ctx, \"test\", \u0026pkisecret.SecretBackendIntermediateCertRequestArgs{\n\t\t\tBackend:    pulumi.Any(pki.Path),\n\t\t\tType:       pulumi.String(\"internal\"),\n\t\t\tCommonName: pulumi.String(\"app.my.domain\"),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tpki,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.pkiSecret.SecretBackendIntermediateCertRequest;\nimport com.pulumi.vault.pkiSecret.SecretBackendIntermediateCertRequestArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new SecretBackendIntermediateCertRequest(\"test\", SecretBackendIntermediateCertRequestArgs.builder()\n            .backend(pki.path())\n            .type(\"internal\")\n            .commonName(\"app.my.domain\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(pki)\n                .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:pkiSecret:SecretBackendIntermediateCertRequest\n    properties:\n      backend: ${pki.path}\n      type: internal\n      commonName: app.my.domain\n    options:\n      dependsOn:\n        - ${pki}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"addBasicConstraints":{"type":"boolean","description":"Adds a Basic Constraints extension with 'CA: true'.\nOnly needed as a workaround in some compatibility scenarios with Active Directory\nCertificate Services\n"},"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n"},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n"},"commonName":{"type":"string","description":"CN of intermediate to create\n"},"country":{"type":"string","description":"The country\n"},"csr":{"type":"string","description":"The CSR\n"},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n"},"format":{"type":"string","description":"The format of data\n"},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n"},"keyBits":{"type":"integer","description":"The number of bits to use\n"},"keyId":{"type":"string","description":"The ID of the generated key.\n"},"keyName":{"type":"string","description":"When a new key is created with this request, optionally specifies\nthe name for this. The global ref \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e may not be used as a name.\n"},"keyRef":{"type":"string","description":"Specifies the key (either default, by name, or by identifier) to use\nfor generating this request. Only suitable for `type=existing` requests.\n"},"keyType":{"type":"string","description":"The desired key type\n"},"keyUsages":{"type":"array","items":{"type":"string"},"description":"Specifies\u003cspan pulumi-lang-nodejs=\" keyUsage \" pulumi-lang-dotnet=\" KeyUsage \" pulumi-lang-go=\" keyUsage \" pulumi-lang-python=\" key_usage \" pulumi-lang-yaml=\" keyUsage \" pulumi-lang-java=\" keyUsage \"\u003e key_usage \u003c/span\u003eto encode in the generated certificate.\n"},"locality":{"type":"string","description":"The locality\n"},"managedKeyId":{"type":"string","description":"The ID of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e\n"},"managedKeyName":{"type":"string","description":"The name of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e  and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"organization":{"type":"string","description":"The organization\n"},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n"},"ou":{"type":"string","description":"The organization unit\n"},"postalCode":{"type":"string","description":"The postal code\n"},"privateKey":{"type":"string","description":"The private key\n","secret":true},"privateKeyFormat":{"type":"string","description":"The private key format\n"},"privateKeyType":{"type":"string","description":"The private key type\n"},"province":{"type":"string","description":"The province\n"},"serialNumber":{"type":"string","description":"The requested Subject's named Serial Number\n"},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n"},"streetAddress":{"type":"string","description":"The street address\n"},"type":{"type":"string","description":"Type of intermediate to create. Must be either \\\"exported\\\" or \\\"internal\\\"\nor \\\"kms\\\"\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n"}},"required":["backend","commonName","csr","keyId","keyName","keyRef","privateKey","privateKeyType","type"],"inputProperties":{"addBasicConstraints":{"type":"boolean","description":"Adds a Basic Constraints extension with 'CA: true'.\nOnly needed as a workaround in some compatibility scenarios with Active Directory\nCertificate Services\n","willReplaceOnChanges":true},"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"commonName":{"type":"string","description":"CN of intermediate to create\n","willReplaceOnChanges":true},"country":{"type":"string","description":"The country\n","willReplaceOnChanges":true},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"keyBits":{"type":"integer","description":"The number of bits to use\n","willReplaceOnChanges":true},"keyName":{"type":"string","description":"When a new key is created with this request, optionally specifies\nthe name for this. The global ref \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e may not be used as a name.\n","willReplaceOnChanges":true},"keyRef":{"type":"string","description":"Specifies the key (either default, by name, or by identifier) to use\nfor generating this request. Only suitable for `type=existing` requests.\n","willReplaceOnChanges":true},"keyType":{"type":"string","description":"The desired key type\n","willReplaceOnChanges":true},"keyUsages":{"type":"array","items":{"type":"string"},"description":"Specifies\u003cspan pulumi-lang-nodejs=\" keyUsage \" pulumi-lang-dotnet=\" KeyUsage \" pulumi-lang-go=\" keyUsage \" pulumi-lang-python=\" key_usage \" pulumi-lang-yaml=\" keyUsage \" pulumi-lang-java=\" keyUsage \"\u003e key_usage \u003c/span\u003eto encode in the generated certificate.\n","willReplaceOnChanges":true},"locality":{"type":"string","description":"The locality\n","willReplaceOnChanges":true},"managedKeyId":{"type":"string","description":"The ID of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e\n","willReplaceOnChanges":true},"managedKeyName":{"type":"string","description":"The name of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e  and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organization":{"type":"string","description":"The organization\n","willReplaceOnChanges":true},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"ou":{"type":"string","description":"The organization unit\n","willReplaceOnChanges":true},"postalCode":{"type":"string","description":"The postal code\n","willReplaceOnChanges":true},"privateKeyFormat":{"type":"string","description":"The private key format\n","willReplaceOnChanges":true},"province":{"type":"string","description":"The province\n","willReplaceOnChanges":true},"serialNumber":{"type":"string","description":"The requested Subject's named Serial Number\n","willReplaceOnChanges":true},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n","willReplaceOnChanges":true},"streetAddress":{"type":"string","description":"The street address\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Type of intermediate to create. Must be either \\\"exported\\\" or \\\"internal\\\"\nor \\\"kms\\\"\n","willReplaceOnChanges":true},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true}},"requiredInputs":["backend","commonName","type"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendIntermediateCertRequest resources.\n","properties":{"addBasicConstraints":{"type":"boolean","description":"Adds a Basic Constraints extension with 'CA: true'.\nOnly needed as a workaround in some compatibility scenarios with Active Directory\nCertificate Services\n","willReplaceOnChanges":true},"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"commonName":{"type":"string","description":"CN of intermediate to create\n","willReplaceOnChanges":true},"country":{"type":"string","description":"The country\n","willReplaceOnChanges":true},"csr":{"type":"string","description":"The CSR\n"},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"keyBits":{"type":"integer","description":"The number of bits to use\n","willReplaceOnChanges":true},"keyId":{"type":"string","description":"The ID of the generated key.\n","willReplaceOnChanges":true},"keyName":{"type":"string","description":"When a new key is created with this request, optionally specifies\nthe name for this. The global ref \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e may not be used as a name.\n","willReplaceOnChanges":true},"keyRef":{"type":"string","description":"Specifies the key (either default, by name, or by identifier) to use\nfor generating this request. Only suitable for `type=existing` requests.\n","willReplaceOnChanges":true},"keyType":{"type":"string","description":"The desired key type\n","willReplaceOnChanges":true},"keyUsages":{"type":"array","items":{"type":"string"},"description":"Specifies\u003cspan pulumi-lang-nodejs=\" keyUsage \" pulumi-lang-dotnet=\" KeyUsage \" pulumi-lang-go=\" keyUsage \" pulumi-lang-python=\" key_usage \" pulumi-lang-yaml=\" keyUsage \" pulumi-lang-java=\" keyUsage \"\u003e key_usage \u003c/span\u003eto encode in the generated certificate.\n","willReplaceOnChanges":true},"locality":{"type":"string","description":"The locality\n","willReplaceOnChanges":true},"managedKeyId":{"type":"string","description":"The ID of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e\n","willReplaceOnChanges":true},"managedKeyName":{"type":"string","description":"The name of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e  and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organization":{"type":"string","description":"The organization\n","willReplaceOnChanges":true},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"ou":{"type":"string","description":"The organization unit\n","willReplaceOnChanges":true},"postalCode":{"type":"string","description":"The postal code\n","willReplaceOnChanges":true},"privateKey":{"type":"string","description":"The private key\n","secret":true},"privateKeyFormat":{"type":"string","description":"The private key format\n","willReplaceOnChanges":true},"privateKeyType":{"type":"string","description":"The private key type\n"},"province":{"type":"string","description":"The province\n","willReplaceOnChanges":true},"serialNumber":{"type":"string","description":"The requested Subject's named Serial Number\n","willReplaceOnChanges":true},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n","willReplaceOnChanges":true},"streetAddress":{"type":"string","description":"The street address\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Type of intermediate to create. Must be either \\\"exported\\\" or \\\"internal\\\"\nor \\\"kms\\\"\n","willReplaceOnChanges":true},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/secretBackendIntermediateSetSigned:SecretBackendIntermediateSetSigned":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst root = new vault.Mount(\"root\", {\n    path: \"pki-root\",\n    type: \"pki\",\n    description: \"root\",\n    defaultLeaseTtlSeconds: 8640000,\n    maxLeaseTtlSeconds: 8640000,\n});\nconst intermediate = new vault.Mount(\"intermediate\", {\n    path: \"pki-int\",\n    type: root.type,\n    description: \"intermediate\",\n    defaultLeaseTtlSeconds: 86400,\n    maxLeaseTtlSeconds: 86400,\n});\nconst example = new vault.pkisecret.SecretBackendRootCert(\"example\", {\n    backend: root.path,\n    type: \"internal\",\n    commonName: \"RootOrg Root CA\",\n    ttl: \"86400\",\n    format: \"pem\",\n    privateKeyFormat: \"der\",\n    keyType: \"rsa\",\n    keyBits: 4096,\n    excludeCnFromSans: true,\n    ou: \"Organizational Unit\",\n    organization: \"RootOrg\",\n    country: \"US\",\n    locality: \"San Francisco\",\n    province: \"CA\",\n});\nconst exampleSecretBackendIntermediateCertRequest = new vault.pkisecret.SecretBackendIntermediateCertRequest(\"example\", {\n    backend: intermediate.path,\n    type: example.type,\n    commonName: \"SubOrg Intermediate CA\",\n});\nconst exampleSecretBackendRootSignIntermediate = new vault.pkisecret.SecretBackendRootSignIntermediate(\"example\", {\n    backend: root.path,\n    csr: exampleSecretBackendIntermediateCertRequest.csr,\n    commonName: \"SubOrg Intermediate CA\",\n    excludeCnFromSans: true,\n    ou: \"SubUnit\",\n    organization: \"SubOrg\",\n    country: \"US\",\n    locality: \"San Francisco\",\n    province: \"CA\",\n    revoke: true,\n});\nconst exampleSecretBackendIntermediateSetSigned = new vault.pkisecret.SecretBackendIntermediateSetSigned(\"example\", {\n    backend: intermediate.path,\n    certificate: exampleSecretBackendRootSignIntermediate.certificate,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nroot = vault.Mount(\"root\",\n    path=\"pki-root\",\n    type=\"pki\",\n    description=\"root\",\n    default_lease_ttl_seconds=8640000,\n    max_lease_ttl_seconds=8640000)\nintermediate = vault.Mount(\"intermediate\",\n    path=\"pki-int\",\n    type=root.type,\n    description=\"intermediate\",\n    default_lease_ttl_seconds=86400,\n    max_lease_ttl_seconds=86400)\nexample = vault.pkisecret.SecretBackendRootCert(\"example\",\n    backend=root.path,\n    type=\"internal\",\n    common_name=\"RootOrg Root CA\",\n    ttl=\"86400\",\n    format=\"pem\",\n    private_key_format=\"der\",\n    key_type=\"rsa\",\n    key_bits=4096,\n    exclude_cn_from_sans=True,\n    ou=\"Organizational Unit\",\n    organization=\"RootOrg\",\n    country=\"US\",\n    locality=\"San Francisco\",\n    province=\"CA\")\nexample_secret_backend_intermediate_cert_request = vault.pkisecret.SecretBackendIntermediateCertRequest(\"example\",\n    backend=intermediate.path,\n    type=example.type,\n    common_name=\"SubOrg Intermediate CA\")\nexample_secret_backend_root_sign_intermediate = vault.pkisecret.SecretBackendRootSignIntermediate(\"example\",\n    backend=root.path,\n    csr=example_secret_backend_intermediate_cert_request.csr,\n    common_name=\"SubOrg Intermediate CA\",\n    exclude_cn_from_sans=True,\n    ou=\"SubUnit\",\n    organization=\"SubOrg\",\n    country=\"US\",\n    locality=\"San Francisco\",\n    province=\"CA\",\n    revoke=True)\nexample_secret_backend_intermediate_set_signed = vault.pkisecret.SecretBackendIntermediateSetSigned(\"example\",\n    backend=intermediate.path,\n    certificate=example_secret_backend_root_sign_intermediate.certificate)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var root = new Vault.Mount(\"root\", new()\n    {\n        Path = \"pki-root\",\n        Type = \"pki\",\n        Description = \"root\",\n        DefaultLeaseTtlSeconds = 8640000,\n        MaxLeaseTtlSeconds = 8640000,\n    });\n\n    var intermediate = new Vault.Mount(\"intermediate\", new()\n    {\n        Path = \"pki-int\",\n        Type = root.Type,\n        Description = \"intermediate\",\n        DefaultLeaseTtlSeconds = 86400,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var example = new Vault.PkiSecret.SecretBackendRootCert(\"example\", new()\n    {\n        Backend = root.Path,\n        Type = \"internal\",\n        CommonName = \"RootOrg Root CA\",\n        Ttl = \"86400\",\n        Format = \"pem\",\n        PrivateKeyFormat = \"der\",\n        KeyType = \"rsa\",\n        KeyBits = 4096,\n        ExcludeCnFromSans = true,\n        Ou = \"Organizational Unit\",\n        Organization = \"RootOrg\",\n        Country = \"US\",\n        Locality = \"San Francisco\",\n        Province = \"CA\",\n    });\n\n    var exampleSecretBackendIntermediateCertRequest = new Vault.PkiSecret.SecretBackendIntermediateCertRequest(\"example\", new()\n    {\n        Backend = intermediate.Path,\n        Type = example.Type,\n        CommonName = \"SubOrg Intermediate CA\",\n    });\n\n    var exampleSecretBackendRootSignIntermediate = new Vault.PkiSecret.SecretBackendRootSignIntermediate(\"example\", new()\n    {\n        Backend = root.Path,\n        Csr = exampleSecretBackendIntermediateCertRequest.Csr,\n        CommonName = \"SubOrg Intermediate CA\",\n        ExcludeCnFromSans = true,\n        Ou = \"SubUnit\",\n        Organization = \"SubOrg\",\n        Country = \"US\",\n        Locality = \"San Francisco\",\n        Province = \"CA\",\n        Revoke = true,\n    });\n\n    var exampleSecretBackendIntermediateSetSigned = new Vault.PkiSecret.SecretBackendIntermediateSetSigned(\"example\", new()\n    {\n        Backend = intermediate.Path,\n        Certificate = exampleSecretBackendRootSignIntermediate.Certificate,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\troot, err := vault.NewMount(ctx, \"root\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki-root\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDescription:            pulumi.String(\"root\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(8640000),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(8640000),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tintermediate, err := vault.NewMount(ctx, \"intermediate\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki-int\"),\n\t\t\tType:                   root.Type,\n\t\t\tDescription:            pulumi.String(\"intermediate\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(86400),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texample, err := pkisecret.NewSecretBackendRootCert(ctx, \"example\", \u0026pkisecret.SecretBackendRootCertArgs{\n\t\t\tBackend:           root.Path,\n\t\t\tType:              pulumi.String(\"internal\"),\n\t\t\tCommonName:        pulumi.String(\"RootOrg Root CA\"),\n\t\t\tTtl:               pulumi.String(\"86400\"),\n\t\t\tFormat:            pulumi.String(\"pem\"),\n\t\t\tPrivateKeyFormat:  pulumi.String(\"der\"),\n\t\t\tKeyType:           pulumi.String(\"rsa\"),\n\t\t\tKeyBits:           pulumi.Int(4096),\n\t\t\tExcludeCnFromSans: pulumi.Bool(true),\n\t\t\tOu:                pulumi.String(\"Organizational Unit\"),\n\t\t\tOrganization:      pulumi.String(\"RootOrg\"),\n\t\t\tCountry:           pulumi.String(\"US\"),\n\t\t\tLocality:          pulumi.String(\"San Francisco\"),\n\t\t\tProvince:          pulumi.String(\"CA\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleSecretBackendIntermediateCertRequest, err := pkisecret.NewSecretBackendIntermediateCertRequest(ctx, \"example\", \u0026pkisecret.SecretBackendIntermediateCertRequestArgs{\n\t\t\tBackend:    intermediate.Path,\n\t\t\tType:       example.Type,\n\t\t\tCommonName: pulumi.String(\"SubOrg Intermediate CA\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleSecretBackendRootSignIntermediate, err := pkisecret.NewSecretBackendRootSignIntermediate(ctx, \"example\", \u0026pkisecret.SecretBackendRootSignIntermediateArgs{\n\t\t\tBackend:           root.Path,\n\t\t\tCsr:               exampleSecretBackendIntermediateCertRequest.Csr,\n\t\t\tCommonName:        pulumi.String(\"SubOrg Intermediate CA\"),\n\t\t\tExcludeCnFromSans: pulumi.Bool(true),\n\t\t\tOu:                pulumi.String(\"SubUnit\"),\n\t\t\tOrganization:      pulumi.String(\"SubOrg\"),\n\t\t\tCountry:           pulumi.String(\"US\"),\n\t\t\tLocality:          pulumi.String(\"San Francisco\"),\n\t\t\tProvince:          pulumi.String(\"CA\"),\n\t\t\tRevoke:            pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewSecretBackendIntermediateSetSigned(ctx, \"example\", \u0026pkisecret.SecretBackendIntermediateSetSignedArgs{\n\t\t\tBackend:     intermediate.Path,\n\t\t\tCertificate: exampleSecretBackendRootSignIntermediate.Certificate,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendIntermediateCertRequest;\nimport com.pulumi.vault.pkiSecret.SecretBackendIntermediateCertRequestArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootSignIntermediate;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootSignIntermediateArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendIntermediateSetSigned;\nimport com.pulumi.vault.pkiSecret.SecretBackendIntermediateSetSignedArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var root = new Mount(\"root\", MountArgs.builder()\n            .path(\"pki-root\")\n            .type(\"pki\")\n            .description(\"root\")\n            .defaultLeaseTtlSeconds(8640000)\n            .maxLeaseTtlSeconds(8640000)\n            .build());\n\n        var intermediate = new Mount(\"intermediate\", MountArgs.builder()\n            .path(\"pki-int\")\n            .type(root.type())\n            .description(\"intermediate\")\n            .defaultLeaseTtlSeconds(86400)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var example = new SecretBackendRootCert(\"example\", SecretBackendRootCertArgs.builder()\n            .backend(root.path())\n            .type(\"internal\")\n            .commonName(\"RootOrg Root CA\")\n            .ttl(\"86400\")\n            .format(\"pem\")\n            .privateKeyFormat(\"der\")\n            .keyType(\"rsa\")\n            .keyBits(4096)\n            .excludeCnFromSans(true)\n            .ou(\"Organizational Unit\")\n            .organization(\"RootOrg\")\n            .country(\"US\")\n            .locality(\"San Francisco\")\n            .province(\"CA\")\n            .build());\n\n        var exampleSecretBackendIntermediateCertRequest = new SecretBackendIntermediateCertRequest(\"exampleSecretBackendIntermediateCertRequest\", SecretBackendIntermediateCertRequestArgs.builder()\n            .backend(intermediate.path())\n            .type(example.type())\n            .commonName(\"SubOrg Intermediate CA\")\n            .build());\n\n        var exampleSecretBackendRootSignIntermediate = new SecretBackendRootSignIntermediate(\"exampleSecretBackendRootSignIntermediate\", SecretBackendRootSignIntermediateArgs.builder()\n            .backend(root.path())\n            .csr(exampleSecretBackendIntermediateCertRequest.csr())\n            .commonName(\"SubOrg Intermediate CA\")\n            .excludeCnFromSans(true)\n            .ou(\"SubUnit\")\n            .organization(\"SubOrg\")\n            .country(\"US\")\n            .locality(\"San Francisco\")\n            .province(\"CA\")\n            .revoke(true)\n            .build());\n\n        var exampleSecretBackendIntermediateSetSigned = new SecretBackendIntermediateSetSigned(\"exampleSecretBackendIntermediateSetSigned\", SecretBackendIntermediateSetSignedArgs.builder()\n            .backend(intermediate.path())\n            .certificate(exampleSecretBackendRootSignIntermediate.certificate())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  root:\n    type: vault:Mount\n    properties:\n      path: pki-root\n      type: pki\n      description: root\n      defaultLeaseTtlSeconds: 8.64e+06\n      maxLeaseTtlSeconds: 8.64e+06\n  intermediate:\n    type: vault:Mount\n    properties:\n      path: pki-int\n      type: ${root.type}\n      description: intermediate\n      defaultLeaseTtlSeconds: 86400\n      maxLeaseTtlSeconds: 86400\n  example:\n    type: vault:pkiSecret:SecretBackendRootCert\n    properties:\n      backend: ${root.path}\n      type: internal\n      commonName: RootOrg Root CA\n      ttl: 86400\n      format: pem\n      privateKeyFormat: der\n      keyType: rsa\n      keyBits: 4096\n      excludeCnFromSans: true\n      ou: Organizational Unit\n      organization: RootOrg\n      country: US\n      locality: San Francisco\n      province: CA\n  exampleSecretBackendIntermediateCertRequest:\n    type: vault:pkiSecret:SecretBackendIntermediateCertRequest\n    name: example\n    properties:\n      backend: ${intermediate.path}\n      type: ${example.type}\n      commonName: SubOrg Intermediate CA\n  exampleSecretBackendRootSignIntermediate:\n    type: vault:pkiSecret:SecretBackendRootSignIntermediate\n    name: example\n    properties:\n      backend: ${root.path}\n      csr: ${exampleSecretBackendIntermediateCertRequest.csr}\n      commonName: SubOrg Intermediate CA\n      excludeCnFromSans: true\n      ou: SubUnit\n      organization: SubOrg\n      country: US\n      locality: San Francisco\n      province: CA\n      revoke: true\n  exampleSecretBackendIntermediateSetSigned:\n    type: vault:pkiSecret:SecretBackendIntermediateSetSigned\n    name: example\n    properties:\n      backend: ${intermediate.path}\n      certificate: ${exampleSecretBackendRootSignIntermediate.certificate}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n"},"certificate":{"type":"string","description":"Specifies the PEM encoded certificate. May optionally append additional\nCA certificates to populate the whole chain, which will then enable returning the full chain from\nissue and sign operations.\n"},"importedIssuers":{"type":"array","items":{"type":"string"},"description":"The imported issuers indicating which issuers were created as part of\nthis request.\n"},"importedKeys":{"type":"array","items":{"type":"string"},"description":"The imported keys indicating which keys were created as part of this request.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"}},"required":["backend","certificate","importedIssuers","importedKeys"],"inputProperties":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"certificate":{"type":"string","description":"Specifies the PEM encoded certificate. May optionally append additional\nCA certificates to populate the whole chain, which will then enable returning the full chain from\nissue and sign operations.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"requiredInputs":["backend","certificate"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendIntermediateSetSigned resources.\n","properties":{"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"certificate":{"type":"string","description":"Specifies the PEM encoded certificate. May optionally append additional\nCA certificates to populate the whole chain, which will then enable returning the full chain from\nissue and sign operations.\n","willReplaceOnChanges":true},"importedIssuers":{"type":"array","items":{"type":"string"},"description":"The imported issuers indicating which issuers were created as part of\nthis request.\n","willReplaceOnChanges":true},"importedKeys":{"type":"array","items":{"type":"string"},"description":"The imported keys indicating which keys were created as part of this request.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/secretBackendIssuer:SecretBackendIssuer":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\nconst root = new vault.pkisecret.SecretBackendRootCert(\"root\", {\n    backend: pki.path,\n    type: \"internal\",\n    commonName: \"test\",\n    ttl: \"86400\",\n});\nconst example = new vault.pkisecret.SecretBackendIssuer(\"example\", {\n    backend: root.backend,\n    issuerRef: root.issuerId,\n    issuerName: \"example-issuer\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\nroot = vault.pkisecret.SecretBackendRootCert(\"root\",\n    backend=pki.path,\n    type=\"internal\",\n    common_name=\"test\",\n    ttl=\"86400\")\nexample = vault.pkisecret.SecretBackendIssuer(\"example\",\n    backend=root.backend,\n    issuer_ref=root.issuer_id,\n    issuer_name=\"example-issuer\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var root = new Vault.PkiSecret.SecretBackendRootCert(\"root\", new()\n    {\n        Backend = pki.Path,\n        Type = \"internal\",\n        CommonName = \"test\",\n        Ttl = \"86400\",\n    });\n\n    var example = new Vault.PkiSecret.SecretBackendIssuer(\"example\", new()\n    {\n        Backend = root.Backend,\n        IssuerRef = root.IssuerId,\n        IssuerName = \"example-issuer\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\troot, err := pkisecret.NewSecretBackendRootCert(ctx, \"root\", \u0026pkisecret.SecretBackendRootCertArgs{\n\t\t\tBackend:    pki.Path,\n\t\t\tType:       pulumi.String(\"internal\"),\n\t\t\tCommonName: pulumi.String(\"test\"),\n\t\t\tTtl:        pulumi.String(\"86400\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewSecretBackendIssuer(ctx, \"example\", \u0026pkisecret.SecretBackendIssuerArgs{\n\t\t\tBackend:    root.Backend,\n\t\t\tIssuerRef:  root.IssuerId,\n\t\t\tIssuerName: pulumi.String(\"example-issuer\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendIssuer;\nimport com.pulumi.vault.pkiSecret.SecretBackendIssuerArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var root = new SecretBackendRootCert(\"root\", SecretBackendRootCertArgs.builder()\n            .backend(pki.path())\n            .type(\"internal\")\n            .commonName(\"test\")\n            .ttl(\"86400\")\n            .build());\n\n        var example = new SecretBackendIssuer(\"example\", SecretBackendIssuerArgs.builder()\n            .backend(root.backend())\n            .issuerRef(root.issuerId())\n            .issuerName(\"example-issuer\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  root:\n    type: vault:pkiSecret:SecretBackendRootCert\n    properties:\n      backend: ${pki.path}\n      type: internal\n      commonName: test\n      ttl: '86400'\n  example:\n    type: vault:pkiSecret:SecretBackendIssuer\n    properties:\n      backend: ${root.backend}\n      issuerRef: ${root.issuerId}\n      issuerName: example-issuer\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nPKI secret backend issuer can be imported using the `id`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/secretBackendIssuer:SecretBackendIssuer example pki/issuer/bf9b0d48-d0dd-652c-30be-77d04fc7e94d\n```\n","properties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no\nleading or trailing `/`s.\n"},"crlDistributionPoints":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the CRL\nDistribution Points field.\n"},"disableCriticalExtensionChecks":{"type":"boolean","description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nissued certificate) contain critical extensions not processed by Vault.\n"},"disableNameChecks":{"type":"boolean","description":"This determines whether this issuer is able\nto issue certificates where the chain of trust (including the final issued\ncertificate) contains a link in which the subject of the issuing certificate\ndoes not match the named issuer of the certificate it signed.\n"},"disableNameConstraintChecks":{"type":"boolean","description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nfinal issued certificate) violates the name constraints critical extension of\none of the issuer certificates in the chain.\n"},"disablePathLengthChecks":{"type":"boolean","description":"This determines whether this issuer\nis able to issue certificates where the chain of trust (including the final\nissued certificate) is longer than allowed by a certificate authority in that\nchain.\n"},"enableAiaUrlTemplating":{"type":"boolean","description":"Specifies that the AIA URL values should\nbe templated.\n"},"issuerId":{"type":"string","description":"ID of the issuer.\n"},"issuerName":{"type":"string","description":"Name of the issuer.\n"},"issuerRef":{"type":"string","description":"Reference to an existing issuer.\n"},"issuingCertificates":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the Issuing\nCertificate field.\n"},"leafNotAfterBehavior":{"type":"string","description":"Behavior of a leaf's NotAfter field during\nissuance.\n"},"manualChains":{"type":"array","items":{"type":"string"},"description":"Chain of issuer references to build this issuer's\ncomputed CAChain field from, when non-empty.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"ocspServers":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the OCSP Servers field.\n"},"revocationSignatureAlgorithm":{"type":"string","description":"Which signature algorithm to use\nwhen building CRLs.\n"},"usage":{"type":"string","description":"Allowed usages for this issuer.\n"}},"required":["backend","issuerId","issuerRef","leafNotAfterBehavior","revocationSignatureAlgorithm","usage"],"inputProperties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no\nleading or trailing `/`s.\n","willReplaceOnChanges":true},"crlDistributionPoints":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the CRL\nDistribution Points field.\n"},"disableCriticalExtensionChecks":{"type":"boolean","description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nissued certificate) contain critical extensions not processed by Vault.\n"},"disableNameChecks":{"type":"boolean","description":"This determines whether this issuer is able\nto issue certificates where the chain of trust (including the final issued\ncertificate) contains a link in which the subject of the issuing certificate\ndoes not match the named issuer of the certificate it signed.\n"},"disableNameConstraintChecks":{"type":"boolean","description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nfinal issued certificate) violates the name constraints critical extension of\none of the issuer certificates in the chain.\n"},"disablePathLengthChecks":{"type":"boolean","description":"This determines whether this issuer\nis able to issue certificates where the chain of trust (including the final\nissued certificate) is longer than allowed by a certificate authority in that\nchain.\n"},"enableAiaUrlTemplating":{"type":"boolean","description":"Specifies that the AIA URL values should\nbe templated.\n"},"issuerName":{"type":"string","description":"Name of the issuer.\n"},"issuerRef":{"type":"string","description":"Reference to an existing issuer.\n"},"issuingCertificates":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the Issuing\nCertificate field.\n"},"leafNotAfterBehavior":{"type":"string","description":"Behavior of a leaf's NotAfter field during\nissuance.\n"},"manualChains":{"type":"array","items":{"type":"string"},"description":"Chain of issuer references to build this issuer's\ncomputed CAChain field from, when non-empty.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocspServers":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the OCSP Servers field.\n"},"revocationSignatureAlgorithm":{"type":"string","description":"Which signature algorithm to use\nwhen building CRLs.\n"},"usage":{"type":"string","description":"Allowed usages for this issuer.\n"}},"requiredInputs":["backend","issuerRef"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendIssuer resources.\n","properties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no\nleading or trailing `/`s.\n","willReplaceOnChanges":true},"crlDistributionPoints":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the CRL\nDistribution Points field.\n"},"disableCriticalExtensionChecks":{"type":"boolean","description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nissued certificate) contain critical extensions not processed by Vault.\n"},"disableNameChecks":{"type":"boolean","description":"This determines whether this issuer is able\nto issue certificates where the chain of trust (including the final issued\ncertificate) contains a link in which the subject of the issuing certificate\ndoes not match the named issuer of the certificate it signed.\n"},"disableNameConstraintChecks":{"type":"boolean","description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nfinal issued certificate) violates the name constraints critical extension of\none of the issuer certificates in the chain.\n"},"disablePathLengthChecks":{"type":"boolean","description":"This determines whether this issuer\nis able to issue certificates where the chain of trust (including the final\nissued certificate) is longer than allowed by a certificate authority in that\nchain.\n"},"enableAiaUrlTemplating":{"type":"boolean","description":"Specifies that the AIA URL values should\nbe templated.\n"},"issuerId":{"type":"string","description":"ID of the issuer.\n"},"issuerName":{"type":"string","description":"Name of the issuer.\n"},"issuerRef":{"type":"string","description":"Reference to an existing issuer.\n"},"issuingCertificates":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the Issuing\nCertificate field.\n"},"leafNotAfterBehavior":{"type":"string","description":"Behavior of a leaf's NotAfter field during\nissuance.\n"},"manualChains":{"type":"array","items":{"type":"string"},"description":"Chain of issuer references to build this issuer's\ncomputed CAChain field from, when non-empty.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"ocspServers":{"type":"array","items":{"type":"string"},"description":"Specifies the URL values for the OCSP Servers field.\n"},"revocationSignatureAlgorithm":{"type":"string","description":"Which signature algorithm to use\nwhen building CRLs.\n"},"usage":{"type":"string","description":"Allowed usages for this issuer.\n"}},"type":"object"}},"vault:pkiSecret/secretBackendKey:SecretBackendKey":{"description":"Creates a key on a PKI Secret Backend for Vault.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\nconst key = new vault.pkisecret.SecretBackendKey(\"key\", {\n    mount: pki.path,\n    type: \"exported\",\n    keyName: \"example-key\",\n    keyType: \"rsa\",\n    keyBits: 2048,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\nkey = vault.pkisecret.SecretBackendKey(\"key\",\n    mount=pki.path,\n    type=\"exported\",\n    key_name=\"example-key\",\n    key_type=\"rsa\",\n    key_bits=2048)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var key = new Vault.PkiSecret.SecretBackendKey(\"key\", new()\n    {\n        Mount = pki.Path,\n        Type = \"exported\",\n        KeyName = \"example-key\",\n        KeyType = \"rsa\",\n        KeyBits = 2048,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewSecretBackendKey(ctx, \"key\", \u0026pkisecret.SecretBackendKeyArgs{\n\t\t\tMount:   pki.Path,\n\t\t\tType:    pulumi.String(\"exported\"),\n\t\t\tKeyName: pulumi.String(\"example-key\"),\n\t\t\tKeyType: pulumi.String(\"rsa\"),\n\t\t\tKeyBits: pulumi.Int(2048),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendKey;\nimport com.pulumi.vault.pkiSecret.SecretBackendKeyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var key = new SecretBackendKey(\"key\", SecretBackendKeyArgs.builder()\n            .mount(pki.path())\n            .type(\"exported\")\n            .keyName(\"example-key\")\n            .keyType(\"rsa\")\n            .keyBits(2048)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  key:\n    type: vault:pkiSecret:SecretBackendKey\n    properties:\n      mount: ${pki.path}\n      type: exported\n      keyName: example-key\n      keyType: rsa\n      keyBits: '2048'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nPKI secret backend key can be imported using the `id`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/secretBackendKey:SecretBackendKey key pki/key/bf9b0d48-d0dd-652c-30be-77d04fc7e94d\n```\n","properties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n"},"keyBits":{"type":"integer","description":"Specifies the number of bits to use for the generated keys. \nAllowed values are 0 (universal default); with `key_type=rsa`, allowed values are:\n2048 (default), 3072, or 4096; with `key_type=ec`, allowed values are: 224, 256 (default),\n384, or 521; ignored with `key_type=ed25519`.\n"},"keyId":{"type":"string","description":"ID of the generated key.\n"},"keyName":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this. \nThe global ref \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e may not be used as a name.\n"},"keyType":{"type":"string","description":"Specifies the desired key type; must be \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e.\n"},"managedKeyId":{"type":"string","description":"The managed key's UUID.\n"},"managedKeyName":{"type":"string","description":"The managed key's configured name.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"type":{"type":"string","description":"Specifies the type of the key to create. Can be \u003cspan pulumi-lang-nodejs=\"`exported`\" pulumi-lang-dotnet=\"`Exported`\" pulumi-lang-go=\"`exported`\" pulumi-lang-python=\"`exported`\" pulumi-lang-yaml=\"`exported`\" pulumi-lang-java=\"`exported`\"\u003e`exported`\u003c/span\u003e,\u003cspan pulumi-lang-nodejs=\"`internal`\" pulumi-lang-dotnet=\"`Internal`\" pulumi-lang-go=\"`internal`\" pulumi-lang-python=\"`internal`\" pulumi-lang-yaml=\"`internal`\" pulumi-lang-java=\"`internal`\"\u003e`internal`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e.\n"}},"required":["backend","keyBits","keyId","keyType","type"],"inputProperties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"keyBits":{"type":"integer","description":"Specifies the number of bits to use for the generated keys. \nAllowed values are 0 (universal default); with `key_type=rsa`, allowed values are:\n2048 (default), 3072, or 4096; with `key_type=ec`, allowed values are: 224, 256 (default),\n384, or 521; ignored with `key_type=ed25519`.\n","willReplaceOnChanges":true},"keyName":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this. \nThe global ref \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e may not be used as a name.\n"},"keyType":{"type":"string","description":"Specifies the desired key type; must be \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e.\n","willReplaceOnChanges":true},"managedKeyId":{"type":"string","description":"The managed key's UUID.\n"},"managedKeyName":{"type":"string","description":"The managed key's configured name.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Specifies the type of the key to create. Can be \u003cspan pulumi-lang-nodejs=\"`exported`\" pulumi-lang-dotnet=\"`Exported`\" pulumi-lang-go=\"`exported`\" pulumi-lang-python=\"`exported`\" pulumi-lang-yaml=\"`exported`\" pulumi-lang-java=\"`exported`\"\u003e`exported`\u003c/span\u003e,\u003cspan pulumi-lang-nodejs=\"`internal`\" pulumi-lang-dotnet=\"`Internal`\" pulumi-lang-go=\"`internal`\" pulumi-lang-python=\"`internal`\" pulumi-lang-yaml=\"`internal`\" pulumi-lang-java=\"`internal`\"\u003e`internal`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e.\n","willReplaceOnChanges":true}},"requiredInputs":["backend","type"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendKey resources.\n","properties":{"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"keyBits":{"type":"integer","description":"Specifies the number of bits to use for the generated keys. \nAllowed values are 0 (universal default); with `key_type=rsa`, allowed values are:\n2048 (default), 3072, or 4096; with `key_type=ec`, allowed values are: 224, 256 (default),\n384, or 521; ignored with `key_type=ed25519`.\n","willReplaceOnChanges":true},"keyId":{"type":"string","description":"ID of the generated key.\n"},"keyName":{"type":"string","description":"When a new key is created with this request, optionally specifies the name for this. \nThe global ref \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e may not be used as a name.\n"},"keyType":{"type":"string","description":"Specifies the desired key type; must be \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e.\n","willReplaceOnChanges":true},"managedKeyId":{"type":"string","description":"The managed key's UUID.\n"},"managedKeyName":{"type":"string","description":"The managed key's configured name.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Specifies the type of the key to create. Can be \u003cspan pulumi-lang-nodejs=\"`exported`\" pulumi-lang-dotnet=\"`Exported`\" pulumi-lang-go=\"`exported`\" pulumi-lang-python=\"`exported`\" pulumi-lang-yaml=\"`exported`\" pulumi-lang-java=\"`exported`\"\u003e`exported`\u003c/span\u003e,\u003cspan pulumi-lang-nodejs=\"`internal`\" pulumi-lang-dotnet=\"`Internal`\" pulumi-lang-go=\"`internal`\" pulumi-lang-python=\"`internal`\" pulumi-lang-yaml=\"`internal`\" pulumi-lang-java=\"`internal`\"\u003e`internal`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/secretBackendRole:SecretBackendRole":{"description":"Creates a role on an PKI Secret Backend for Vault.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\nconst role = new vault.pkisecret.SecretBackendRole(\"role\", {\n    backend: pki.path,\n    name: \"my_role\",\n    ttl: \"3600\",\n    allowIpSans: true,\n    keyType: \"rsa\",\n    keyBits: 4096,\n    allowedDomains: [\n        \"example.com\",\n        \"my.domain\",\n    ],\n    allowSubdomains: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\nrole = vault.pkisecret.SecretBackendRole(\"role\",\n    backend=pki.path,\n    name=\"my_role\",\n    ttl=\"3600\",\n    allow_ip_sans=True,\n    key_type=\"rsa\",\n    key_bits=4096,\n    allowed_domains=[\n        \"example.com\",\n        \"my.domain\",\n    ],\n    allow_subdomains=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var role = new Vault.PkiSecret.SecretBackendRole(\"role\", new()\n    {\n        Backend = pki.Path,\n        Name = \"my_role\",\n        Ttl = \"3600\",\n        AllowIpSans = true,\n        KeyType = \"rsa\",\n        KeyBits = 4096,\n        AllowedDomains = new[]\n        {\n            \"example.com\",\n            \"my.domain\",\n        },\n        AllowSubdomains = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"pki\"),\n\t\t\tType:                   pulumi.String(\"pki\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewSecretBackendRole(ctx, \"role\", \u0026pkisecret.SecretBackendRoleArgs{\n\t\t\tBackend:     pki.Path,\n\t\t\tName:        pulumi.String(\"my_role\"),\n\t\t\tTtl:         pulumi.String(\"3600\"),\n\t\t\tAllowIpSans: pulumi.Bool(true),\n\t\t\tKeyType:     pulumi.String(\"rsa\"),\n\t\t\tKeyBits:     pulumi.Int(4096),\n\t\t\tAllowedDomains: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"example.com\"),\n\t\t\t\tpulumi.String(\"my.domain\"),\n\t\t\t},\n\t\t\tAllowSubdomains: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRole;\nimport com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var role = new SecretBackendRole(\"role\", SecretBackendRoleArgs.builder()\n            .backend(pki.path())\n            .name(\"my_role\")\n            .ttl(\"3600\")\n            .allowIpSans(true)\n            .keyType(\"rsa\")\n            .keyBits(4096)\n            .allowedDomains(            \n                \"example.com\",\n                \"my.domain\")\n            .allowSubdomains(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  role:\n    type: vault:pkiSecret:SecretBackendRole\n    properties:\n      backend: ${pki.path}\n      name: my_role\n      ttl: 3600\n      allowIpSans: true\n      keyType: rsa\n      keyBits: 4096\n      allowedDomains:\n        - example.com\n        - my.domain\n      allowSubdomains: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nPKI secret backend roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:pkiSecret/secretBackendRole:SecretBackendRole role pki/roles/my_role\n```\n","properties":{"allowAnyName":{"type":"boolean","description":"Flag to allow any name\n"},"allowBareDomains":{"type":"boolean","description":"Flag to allow certificates matching the actual domain\n"},"allowGlobDomains":{"type":"boolean","description":"Flag to allow names containing glob patterns.\n"},"allowIpSans":{"type":"boolean","description":"Flag to allow IP SANs\n"},"allowLocalhost":{"type":"boolean","description":"Flag to allow certificates for localhost\n"},"allowSubdomains":{"type":"boolean","description":"Flag to allow certificates matching subdomains\n"},"allowWildcardCertificates":{"type":"boolean","description":"Flag to allow wildcard certificates.\n"},"allowedDomains":{"type":"array","items":{"type":"string"},"description":"List of allowed domains for certificates\n"},"allowedDomainsTemplate":{"type":"boolean","description":"Flag, if set, \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e can be specified using identity template expressions such as `{{identity.entity.aliases.\u003cmount accessor\u003e.name}}`.\n"},"allowedOtherSans":{"type":"array","items":{"type":"string"},"description":"Defines allowed custom SANs\n"},"allowedSerialNumbers":{"type":"array","items":{"type":"string"},"description":"An array of allowed serial numbers to put in Subject\n"},"allowedUriSans":{"type":"array","items":{"type":"string"},"description":"Defines allowed URI SANs\n"},"allowedUriSansTemplate":{"type":"boolean","description":"Flag, if set, \u003cspan pulumi-lang-nodejs=\"`allowedUriSans`\" pulumi-lang-dotnet=\"`AllowedUriSans`\" pulumi-lang-go=\"`allowedUriSans`\" pulumi-lang-python=\"`allowed_uri_sans`\" pulumi-lang-yaml=\"`allowedUriSans`\" pulumi-lang-java=\"`allowedUriSans`\"\u003e`allowed_uri_sans`\u003c/span\u003e can be specified using identity template expressions such as `{{identity.entity.aliases.\u003cmount accessor\u003e.name}}`.\n"},"allowedUserIds":{"type":"array","items":{"type":"string"},"description":"Defines allowed User IDs\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n"},"basicConstraintsValidForNonCa":{"type":"boolean","description":"Flag to mark basic constraints valid when issuing non-CA certificates\n"},"clientFlag":{"type":"boolean","description":"Flag to specify certificates for client use\n"},"cnValidations":{"type":"array","items":{"type":"string"},"description":"Validations to run on the Common Name field of the certificate, choices: \u003cspan pulumi-lang-nodejs=\"`email`\" pulumi-lang-dotnet=\"`Email`\" pulumi-lang-go=\"`email`\" pulumi-lang-python=\"`email`\" pulumi-lang-yaml=\"`email`\" pulumi-lang-java=\"`email`\"\u003e`email`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`hostname`\" pulumi-lang-dotnet=\"`Hostname`\" pulumi-lang-go=\"`hostname`\" pulumi-lang-python=\"`hostname`\" pulumi-lang-yaml=\"`hostname`\" pulumi-lang-java=\"`hostname`\"\u003e`hostname`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`disabled`\" pulumi-lang-dotnet=\"`Disabled`\" pulumi-lang-go=\"`disabled`\" pulumi-lang-python=\"`disabled`\" pulumi-lang-yaml=\"`disabled`\" pulumi-lang-java=\"`disabled`\"\u003e`disabled`\u003c/span\u003e\n"},"codeSigningFlag":{"type":"boolean","description":"Flag to specify certificates for code signing use\n"},"countries":{"type":"array","items":{"type":"string"},"description":"The country of generated certificates\n"},"emailProtectionFlag":{"type":"boolean","description":"Flag to specify certificates for email protection use\n"},"enforceHostnames":{"type":"boolean","description":"Flag to allow only valid host names\n"},"extKeyUsageOids":{"type":"array","items":{"type":"string"},"description":"Specify the allowed extended key usage OIDs constraint on issued certificates\n"},"extKeyUsages":{"type":"array","items":{"type":"string"},"description":"Specify the allowed extended key usage constraint on issued certificates\n"},"generateLease":{"type":"boolean","description":"Flag to generate leases with certificates\n"},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request. May\nbe the value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e, a name, or an issuer ID. Use ACLs to prevent access to\nthe `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users\noverriding the role's \u003cspan pulumi-lang-nodejs=\"`issuerRef`\" pulumi-lang-dotnet=\"`IssuerRef`\" pulumi-lang-go=\"`issuerRef`\" pulumi-lang-python=\"`issuer_ref`\" pulumi-lang-yaml=\"`issuerRef`\" pulumi-lang-java=\"`issuerRef`\"\u003e`issuer_ref`\u003c/span\u003e value.\n"},"keyBits":{"type":"integer","description":"The number of bits of generated keys\n"},"keyType":{"type":"string","description":"The generated key type, choices: \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`any`\" pulumi-lang-dotnet=\"`Any`\" pulumi-lang-go=\"`any`\" pulumi-lang-python=\"`any`\" pulumi-lang-yaml=\"`any`\" pulumi-lang-java=\"`any`\"\u003e`any`\u003c/span\u003e\nDefaults to \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e\n"},"keyUsages":{"type":"array","items":{"type":"string"},"description":"Specify the allowed key usage constraint on issued\ncertificates. Defaults to `[\"DigitalSignature\", \"KeyAgreement\", \"KeyEncipherment\"])`.\nTo specify no default key usage constraints, set this to an empty list `[]`.\n"},"localities":{"type":"array","items":{"type":"string"},"description":"The locality of generated certificates\n"},"maxTtl":{"type":"string","description":"The maximum lease TTL, in seconds, for the role.\n"},"name":{"type":"string","description":"The name to identify this role within the backend. Must be unique within the backend.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"noStore":{"type":"boolean","description":"Flag to not store certificates in the storage backend\n"},"noStoreMetadata":{"type":"boolean","description":"Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs\n"},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property."},"organizationUnit":{"type":"array","items":{"type":"string"},"description":"The organization unit of generated certificates\n"},"organizations":{"type":"array","items":{"type":"string"},"description":"The organization of generated certificates\n"},"policyIdentifier":{"type":"array","items":{"$ref":"#/types/vault:pkiSecret/SecretBackendRolePolicyIdentifier:SecretBackendRolePolicyIdentifier"},"description":"(Vault 1.11+ only) A block for specifying policy identifers. The \u003cspan pulumi-lang-nodejs=\"`policyIdentifier`\" pulumi-lang-dotnet=\"`PolicyIdentifier`\" pulumi-lang-go=\"`policyIdentifier`\" pulumi-lang-python=\"`policy_identifier`\" pulumi-lang-yaml=\"`policyIdentifier`\" pulumi-lang-java=\"`policyIdentifier`\"\u003e`policy_identifier`\u003c/span\u003e block can be repeated, and supports the following arguments:\n"},"policyIdentifiers":{"type":"array","items":{"type":"string"},"description":"Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use \u003cspan pulumi-lang-nodejs=\"`policyIdentifier`\" pulumi-lang-dotnet=\"`PolicyIdentifier`\" pulumi-lang-go=\"`policyIdentifier`\" pulumi-lang-python=\"`policy_identifier`\" pulumi-lang-yaml=\"`policyIdentifier`\" pulumi-lang-java=\"`policyIdentifier`\"\u003e`policy_identifier`\u003c/span\u003e blocks instead\n"},"postalCodes":{"type":"array","items":{"type":"string"},"description":"The postal code of generated certificates\n"},"provinces":{"type":"array","items":{"type":"string"},"description":"The province of generated certificates\n"},"requireCn":{"type":"boolean","description":"Flag to force CN usage\n"},"serialNumberSource":{"type":"string","description":"Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the\u003cspan pulumi-lang-nodejs=\" serialNumber \" pulumi-lang-dotnet=\" SerialNumber \" pulumi-lang-go=\" serialNumber \" pulumi-lang-python=\" serial_number \" pulumi-lang-yaml=\" serialNumber \" pulumi-lang-java=\" serialNumber \"\u003e serial_number \u003c/span\u003eparameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the\u003cspan pulumi-lang-nodejs=\" serialNumber \" pulumi-lang-dotnet=\" SerialNumber \" pulumi-lang-go=\" serialNumber \" pulumi-lang-python=\" serial_number \" pulumi-lang-yaml=\" serialNumber \" pulumi-lang-java=\" serialNumber \"\u003e serial_number \u003c/span\u003eparameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.\n\nExample usage:\n\u003c!--Start PulumiCodeChooser --\u003e\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  role:\n    type: vault:pkiSecret:SecretBackendRole\n    properties:\n      backend: ${pki.path}\n      name: my_role\n      ttl: 3600\n      allowIpSans: true\n      keyType: rsa\n      keyBits: 4096\n      allowedDomains:\n        - example.com\n        - my.domain\n      allowSubdomains: true\n      policyIdentifiers:\n        - oid: 1.3.6.1.4.1.7.8\n          notice: I am a user Notice\n        - oid: 1.3.6.1.4.1.32473.1.2.4\n          cps: https://example.com\n```\n\u003c!--End PulumiCodeChooser --\u003e\n"},"serverFlag":{"type":"boolean","description":"Flag to specify certificates for server use\n"},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n"},"streetAddresses":{"type":"array","items":{"type":"string"},"description":"The street address of generated certificates\n"},"ttl":{"type":"string","description":"The TTL, in seconds, for any certificate issued against this role.\n"},"useCsrCommonName":{"type":"boolean","description":"Flag to use the CN in the CSR\n"},"useCsrSans":{"type":"boolean","description":"Flag to use the SANs in the CSR\n"},"usePss":{"type":"boolean","description":"Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.\n"}},"required":["allowedUriSansTemplate","backend","cnValidations","issuerRef","keyUsages","maxTtl","name","notBeforeDuration","serialNumberSource","signatureBits","ttl"],"inputProperties":{"allowAnyName":{"type":"boolean","description":"Flag to allow any name\n"},"allowBareDomains":{"type":"boolean","description":"Flag to allow certificates matching the actual domain\n"},"allowGlobDomains":{"type":"boolean","description":"Flag to allow names containing glob patterns.\n"},"allowIpSans":{"type":"boolean","description":"Flag to allow IP SANs\n"},"allowLocalhost":{"type":"boolean","description":"Flag to allow certificates for localhost\n"},"allowSubdomains":{"type":"boolean","description":"Flag to allow certificates matching subdomains\n"},"allowWildcardCertificates":{"type":"boolean","description":"Flag to allow wildcard certificates.\n"},"allowedDomains":{"type":"array","items":{"type":"string"},"description":"List of allowed domains for certificates\n"},"allowedDomainsTemplate":{"type":"boolean","description":"Flag, if set, \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e can be specified using identity template expressions such as `{{identity.entity.aliases.\u003cmount accessor\u003e.name}}`.\n"},"allowedOtherSans":{"type":"array","items":{"type":"string"},"description":"Defines allowed custom SANs\n"},"allowedSerialNumbers":{"type":"array","items":{"type":"string"},"description":"An array of allowed serial numbers to put in Subject\n"},"allowedUriSans":{"type":"array","items":{"type":"string"},"description":"Defines allowed URI SANs\n"},"allowedUriSansTemplate":{"type":"boolean","description":"Flag, if set, \u003cspan pulumi-lang-nodejs=\"`allowedUriSans`\" pulumi-lang-dotnet=\"`AllowedUriSans`\" pulumi-lang-go=\"`allowedUriSans`\" pulumi-lang-python=\"`allowed_uri_sans`\" pulumi-lang-yaml=\"`allowedUriSans`\" pulumi-lang-java=\"`allowedUriSans`\"\u003e`allowed_uri_sans`\u003c/span\u003e can be specified using identity template expressions such as `{{identity.entity.aliases.\u003cmount accessor\u003e.name}}`.\n"},"allowedUserIds":{"type":"array","items":{"type":"string"},"description":"Defines allowed User IDs\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"basicConstraintsValidForNonCa":{"type":"boolean","description":"Flag to mark basic constraints valid when issuing non-CA certificates\n"},"clientFlag":{"type":"boolean","description":"Flag to specify certificates for client use\n"},"cnValidations":{"type":"array","items":{"type":"string"},"description":"Validations to run on the Common Name field of the certificate, choices: \u003cspan pulumi-lang-nodejs=\"`email`\" pulumi-lang-dotnet=\"`Email`\" pulumi-lang-go=\"`email`\" pulumi-lang-python=\"`email`\" pulumi-lang-yaml=\"`email`\" pulumi-lang-java=\"`email`\"\u003e`email`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`hostname`\" pulumi-lang-dotnet=\"`Hostname`\" pulumi-lang-go=\"`hostname`\" pulumi-lang-python=\"`hostname`\" pulumi-lang-yaml=\"`hostname`\" pulumi-lang-java=\"`hostname`\"\u003e`hostname`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`disabled`\" pulumi-lang-dotnet=\"`Disabled`\" pulumi-lang-go=\"`disabled`\" pulumi-lang-python=\"`disabled`\" pulumi-lang-yaml=\"`disabled`\" pulumi-lang-java=\"`disabled`\"\u003e`disabled`\u003c/span\u003e\n"},"codeSigningFlag":{"type":"boolean","description":"Flag to specify certificates for code signing use\n"},"countries":{"type":"array","items":{"type":"string"},"description":"The country of generated certificates\n"},"emailProtectionFlag":{"type":"boolean","description":"Flag to specify certificates for email protection use\n"},"enforceHostnames":{"type":"boolean","description":"Flag to allow only valid host names\n"},"extKeyUsageOids":{"type":"array","items":{"type":"string"},"description":"Specify the allowed extended key usage OIDs constraint on issued certificates\n"},"extKeyUsages":{"type":"array","items":{"type":"string"},"description":"Specify the allowed extended key usage constraint on issued certificates\n"},"generateLease":{"type":"boolean","description":"Flag to generate leases with certificates\n"},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request. May\nbe the value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e, a name, or an issuer ID. Use ACLs to prevent access to\nthe `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users\noverriding the role's \u003cspan pulumi-lang-nodejs=\"`issuerRef`\" pulumi-lang-dotnet=\"`IssuerRef`\" pulumi-lang-go=\"`issuerRef`\" pulumi-lang-python=\"`issuer_ref`\" pulumi-lang-yaml=\"`issuerRef`\" pulumi-lang-java=\"`issuerRef`\"\u003e`issuer_ref`\u003c/span\u003e value.\n"},"keyBits":{"type":"integer","description":"The number of bits of generated keys\n"},"keyType":{"type":"string","description":"The generated key type, choices: \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`any`\" pulumi-lang-dotnet=\"`Any`\" pulumi-lang-go=\"`any`\" pulumi-lang-python=\"`any`\" pulumi-lang-yaml=\"`any`\" pulumi-lang-java=\"`any`\"\u003e`any`\u003c/span\u003e\nDefaults to \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e\n"},"keyUsages":{"type":"array","items":{"type":"string"},"description":"Specify the allowed key usage constraint on issued\ncertificates. Defaults to `[\"DigitalSignature\", \"KeyAgreement\", \"KeyEncipherment\"])`.\nTo specify no default key usage constraints, set this to an empty list `[]`.\n"},"localities":{"type":"array","items":{"type":"string"},"description":"The locality of generated certificates\n"},"maxTtl":{"type":"string","description":"The maximum lease TTL, in seconds, for the role.\n"},"name":{"type":"string","description":"The name to identify this role within the backend. Must be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"noStore":{"type":"boolean","description":"Flag to not store certificates in the storage backend\n"},"noStoreMetadata":{"type":"boolean","description":"Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs\n"},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property."},"organizationUnit":{"type":"array","items":{"type":"string"},"description":"The organization unit of generated certificates\n"},"organizations":{"type":"array","items":{"type":"string"},"description":"The organization of generated certificates\n"},"policyIdentifier":{"type":"array","items":{"$ref":"#/types/vault:pkiSecret/SecretBackendRolePolicyIdentifier:SecretBackendRolePolicyIdentifier"},"description":"(Vault 1.11+ only) A block for specifying policy identifers. The \u003cspan pulumi-lang-nodejs=\"`policyIdentifier`\" pulumi-lang-dotnet=\"`PolicyIdentifier`\" pulumi-lang-go=\"`policyIdentifier`\" pulumi-lang-python=\"`policy_identifier`\" pulumi-lang-yaml=\"`policyIdentifier`\" pulumi-lang-java=\"`policyIdentifier`\"\u003e`policy_identifier`\u003c/span\u003e block can be repeated, and supports the following arguments:\n"},"policyIdentifiers":{"type":"array","items":{"type":"string"},"description":"Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use \u003cspan pulumi-lang-nodejs=\"`policyIdentifier`\" pulumi-lang-dotnet=\"`PolicyIdentifier`\" pulumi-lang-go=\"`policyIdentifier`\" pulumi-lang-python=\"`policy_identifier`\" pulumi-lang-yaml=\"`policyIdentifier`\" pulumi-lang-java=\"`policyIdentifier`\"\u003e`policy_identifier`\u003c/span\u003e blocks instead\n"},"postalCodes":{"type":"array","items":{"type":"string"},"description":"The postal code of generated certificates\n"},"provinces":{"type":"array","items":{"type":"string"},"description":"The province of generated certificates\n"},"requireCn":{"type":"boolean","description":"Flag to force CN usage\n"},"serialNumberSource":{"type":"string","description":"Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the\u003cspan pulumi-lang-nodejs=\" serialNumber \" pulumi-lang-dotnet=\" SerialNumber \" pulumi-lang-go=\" serialNumber \" pulumi-lang-python=\" serial_number \" pulumi-lang-yaml=\" serialNumber \" pulumi-lang-java=\" serialNumber \"\u003e serial_number \u003c/span\u003eparameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the\u003cspan pulumi-lang-nodejs=\" serialNumber \" pulumi-lang-dotnet=\" SerialNumber \" pulumi-lang-go=\" serialNumber \" pulumi-lang-python=\" serial_number \" pulumi-lang-yaml=\" serialNumber \" pulumi-lang-java=\" serialNumber \"\u003e serial_number \u003c/span\u003eparameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.\n\nExample usage:\n\u003c!--Start PulumiCodeChooser --\u003e\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  role:\n    type: vault:pkiSecret:SecretBackendRole\n    properties:\n      backend: ${pki.path}\n      name: my_role\n      ttl: 3600\n      allowIpSans: true\n      keyType: rsa\n      keyBits: 4096\n      allowedDomains:\n        - example.com\n        - my.domain\n      allowSubdomains: true\n      policyIdentifiers:\n        - oid: 1.3.6.1.4.1.7.8\n          notice: I am a user Notice\n        - oid: 1.3.6.1.4.1.32473.1.2.4\n          cps: https://example.com\n```\n\u003c!--End PulumiCodeChooser --\u003e\n"},"serverFlag":{"type":"boolean","description":"Flag to specify certificates for server use\n"},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n"},"streetAddresses":{"type":"array","items":{"type":"string"},"description":"The street address of generated certificates\n"},"ttl":{"type":"string","description":"The TTL, in seconds, for any certificate issued against this role.\n"},"useCsrCommonName":{"type":"boolean","description":"Flag to use the CN in the CSR\n"},"useCsrSans":{"type":"boolean","description":"Flag to use the SANs in the CSR\n"},"usePss":{"type":"boolean","description":"Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.\n"}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendRole resources.\n","properties":{"allowAnyName":{"type":"boolean","description":"Flag to allow any name\n"},"allowBareDomains":{"type":"boolean","description":"Flag to allow certificates matching the actual domain\n"},"allowGlobDomains":{"type":"boolean","description":"Flag to allow names containing glob patterns.\n"},"allowIpSans":{"type":"boolean","description":"Flag to allow IP SANs\n"},"allowLocalhost":{"type":"boolean","description":"Flag to allow certificates for localhost\n"},"allowSubdomains":{"type":"boolean","description":"Flag to allow certificates matching subdomains\n"},"allowWildcardCertificates":{"type":"boolean","description":"Flag to allow wildcard certificates.\n"},"allowedDomains":{"type":"array","items":{"type":"string"},"description":"List of allowed domains for certificates\n"},"allowedDomainsTemplate":{"type":"boolean","description":"Flag, if set, \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e can be specified using identity template expressions such as `{{identity.entity.aliases.\u003cmount accessor\u003e.name}}`.\n"},"allowedOtherSans":{"type":"array","items":{"type":"string"},"description":"Defines allowed custom SANs\n"},"allowedSerialNumbers":{"type":"array","items":{"type":"string"},"description":"An array of allowed serial numbers to put in Subject\n"},"allowedUriSans":{"type":"array","items":{"type":"string"},"description":"Defines allowed URI SANs\n"},"allowedUriSansTemplate":{"type":"boolean","description":"Flag, if set, \u003cspan pulumi-lang-nodejs=\"`allowedUriSans`\" pulumi-lang-dotnet=\"`AllowedUriSans`\" pulumi-lang-go=\"`allowedUriSans`\" pulumi-lang-python=\"`allowed_uri_sans`\" pulumi-lang-yaml=\"`allowedUriSans`\" pulumi-lang-java=\"`allowedUriSans`\"\u003e`allowed_uri_sans`\u003c/span\u003e can be specified using identity template expressions such as `{{identity.entity.aliases.\u003cmount accessor\u003e.name}}`.\n"},"allowedUserIds":{"type":"array","items":{"type":"string"},"description":"Defines allowed User IDs\n"},"backend":{"type":"string","description":"The path the PKI secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"basicConstraintsValidForNonCa":{"type":"boolean","description":"Flag to mark basic constraints valid when issuing non-CA certificates\n"},"clientFlag":{"type":"boolean","description":"Flag to specify certificates for client use\n"},"cnValidations":{"type":"array","items":{"type":"string"},"description":"Validations to run on the Common Name field of the certificate, choices: \u003cspan pulumi-lang-nodejs=\"`email`\" pulumi-lang-dotnet=\"`Email`\" pulumi-lang-go=\"`email`\" pulumi-lang-python=\"`email`\" pulumi-lang-yaml=\"`email`\" pulumi-lang-java=\"`email`\"\u003e`email`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`hostname`\" pulumi-lang-dotnet=\"`Hostname`\" pulumi-lang-go=\"`hostname`\" pulumi-lang-python=\"`hostname`\" pulumi-lang-yaml=\"`hostname`\" pulumi-lang-java=\"`hostname`\"\u003e`hostname`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`disabled`\" pulumi-lang-dotnet=\"`Disabled`\" pulumi-lang-go=\"`disabled`\" pulumi-lang-python=\"`disabled`\" pulumi-lang-yaml=\"`disabled`\" pulumi-lang-java=\"`disabled`\"\u003e`disabled`\u003c/span\u003e\n"},"codeSigningFlag":{"type":"boolean","description":"Flag to specify certificates for code signing use\n"},"countries":{"type":"array","items":{"type":"string"},"description":"The country of generated certificates\n"},"emailProtectionFlag":{"type":"boolean","description":"Flag to specify certificates for email protection use\n"},"enforceHostnames":{"type":"boolean","description":"Flag to allow only valid host names\n"},"extKeyUsageOids":{"type":"array","items":{"type":"string"},"description":"Specify the allowed extended key usage OIDs constraint on issued certificates\n"},"extKeyUsages":{"type":"array","items":{"type":"string"},"description":"Specify the allowed extended key usage constraint on issued certificates\n"},"generateLease":{"type":"boolean","description":"Flag to generate leases with certificates\n"},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request. May\nbe the value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e, a name, or an issuer ID. Use ACLs to prevent access to\nthe `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users\noverriding the role's \u003cspan pulumi-lang-nodejs=\"`issuerRef`\" pulumi-lang-dotnet=\"`IssuerRef`\" pulumi-lang-go=\"`issuerRef`\" pulumi-lang-python=\"`issuer_ref`\" pulumi-lang-yaml=\"`issuerRef`\" pulumi-lang-java=\"`issuerRef`\"\u003e`issuer_ref`\u003c/span\u003e value.\n"},"keyBits":{"type":"integer","description":"The number of bits of generated keys\n"},"keyType":{"type":"string","description":"The generated key type, choices: \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ec`\" pulumi-lang-dotnet=\"`Ec`\" pulumi-lang-go=\"`ec`\" pulumi-lang-python=\"`ec`\" pulumi-lang-yaml=\"`ec`\" pulumi-lang-java=\"`ec`\"\u003e`ec`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`any`\" pulumi-lang-dotnet=\"`Any`\" pulumi-lang-go=\"`any`\" pulumi-lang-python=\"`any`\" pulumi-lang-yaml=\"`any`\" pulumi-lang-java=\"`any`\"\u003e`any`\u003c/span\u003e\nDefaults to \u003cspan pulumi-lang-nodejs=\"`rsa`\" pulumi-lang-dotnet=\"`Rsa`\" pulumi-lang-go=\"`rsa`\" pulumi-lang-python=\"`rsa`\" pulumi-lang-yaml=\"`rsa`\" pulumi-lang-java=\"`rsa`\"\u003e`rsa`\u003c/span\u003e\n"},"keyUsages":{"type":"array","items":{"type":"string"},"description":"Specify the allowed key usage constraint on issued\ncertificates. Defaults to `[\"DigitalSignature\", \"KeyAgreement\", \"KeyEncipherment\"])`.\nTo specify no default key usage constraints, set this to an empty list `[]`.\n"},"localities":{"type":"array","items":{"type":"string"},"description":"The locality of generated certificates\n"},"maxTtl":{"type":"string","description":"The maximum lease TTL, in seconds, for the role.\n"},"name":{"type":"string","description":"The name to identify this role within the backend. Must be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"noStore":{"type":"boolean","description":"Flag to not store certificates in the storage backend\n"},"noStoreMetadata":{"type":"boolean","description":"Allows metadata to be stored keyed on the certificate's serial number. The field is independent of no_store, allowing metadata storage regardless of whether certificates are stored. If true, metadata is not stored and an error is returned if the metadata field is specified on issuance APIs\n"},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property."},"organizationUnit":{"type":"array","items":{"type":"string"},"description":"The organization unit of generated certificates\n"},"organizations":{"type":"array","items":{"type":"string"},"description":"The organization of generated certificates\n"},"policyIdentifier":{"type":"array","items":{"$ref":"#/types/vault:pkiSecret/SecretBackendRolePolicyIdentifier:SecretBackendRolePolicyIdentifier"},"description":"(Vault 1.11+ only) A block for specifying policy identifers. The \u003cspan pulumi-lang-nodejs=\"`policyIdentifier`\" pulumi-lang-dotnet=\"`PolicyIdentifier`\" pulumi-lang-go=\"`policyIdentifier`\" pulumi-lang-python=\"`policy_identifier`\" pulumi-lang-yaml=\"`policyIdentifier`\" pulumi-lang-java=\"`policyIdentifier`\"\u003e`policy_identifier`\u003c/span\u003e block can be repeated, and supports the following arguments:\n"},"policyIdentifiers":{"type":"array","items":{"type":"string"},"description":"Specify the list of allowed policies OIDs. Use with Vault 1.10 or before. For Vault 1.11+, use \u003cspan pulumi-lang-nodejs=\"`policyIdentifier`\" pulumi-lang-dotnet=\"`PolicyIdentifier`\" pulumi-lang-go=\"`policyIdentifier`\" pulumi-lang-python=\"`policy_identifier`\" pulumi-lang-yaml=\"`policyIdentifier`\" pulumi-lang-java=\"`policyIdentifier`\"\u003e`policy_identifier`\u003c/span\u003e blocks instead\n"},"postalCodes":{"type":"array","items":{"type":"string"},"description":"The postal code of generated certificates\n"},"provinces":{"type":"array","items":{"type":"string"},"description":"The province of generated certificates\n"},"requireCn":{"type":"boolean","description":"Flag to force CN usage\n"},"serialNumberSource":{"type":"string","description":"Specifies the source of the subject serial number. Valid values are json-csr (default) or json. When set to json-csr, the subject serial number is taken from the\u003cspan pulumi-lang-nodejs=\" serialNumber \" pulumi-lang-dotnet=\" SerialNumber \" pulumi-lang-go=\" serialNumber \" pulumi-lang-python=\" serial_number \" pulumi-lang-yaml=\" serialNumber \" pulumi-lang-java=\" serialNumber \"\u003e serial_number \u003c/span\u003eparameter and falls back to the serial number in the CSR. When set to json, the subject serial number is taken from the\u003cspan pulumi-lang-nodejs=\" serialNumber \" pulumi-lang-dotnet=\" SerialNumber \" pulumi-lang-go=\" serialNumber \" pulumi-lang-python=\" serial_number \" pulumi-lang-yaml=\" serialNumber \" pulumi-lang-java=\" serialNumber \"\u003e serial_number \u003c/span\u003eparameter but will ignore any value in the CSR. For backwards compatibility an empty value for this field will default to the json-csr behavior.\n\nExample usage:\n\u003c!--Start PulumiCodeChooser --\u003e\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  role:\n    type: vault:pkiSecret:SecretBackendRole\n    properties:\n      backend: ${pki.path}\n      name: my_role\n      ttl: 3600\n      allowIpSans: true\n      keyType: rsa\n      keyBits: 4096\n      allowedDomains:\n        - example.com\n        - my.domain\n      allowSubdomains: true\n      policyIdentifiers:\n        - oid: 1.3.6.1.4.1.7.8\n          notice: I am a user Notice\n        - oid: 1.3.6.1.4.1.32473.1.2.4\n          cps: https://example.com\n```\n\u003c!--End PulumiCodeChooser --\u003e\n"},"serverFlag":{"type":"boolean","description":"Flag to specify certificates for server use\n"},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n"},"streetAddresses":{"type":"array","items":{"type":"string"},"description":"The street address of generated certificates\n"},"ttl":{"type":"string","description":"The TTL, in seconds, for any certificate issued against this role.\n"},"useCsrCommonName":{"type":"boolean","description":"Flag to use the CN in the CSR\n"},"useCsrSans":{"type":"boolean","description":"Flag to use the SANs in the CSR\n"},"usePss":{"type":"boolean","description":"Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.\n"}},"type":"object"}},"vault:pkiSecret/secretBackendRootCert:SecretBackendRootCert":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.pkisecret.SecretBackendRootCert(\"test\", {\n    backend: pki.path,\n    type: \"internal\",\n    commonName: \"Root CA\",\n    ttl: \"315360000\",\n    format: \"pem\",\n    privateKeyFormat: \"der\",\n    keyType: \"rsa\",\n    keyBits: 4096,\n    excludeCnFromSans: true,\n    ou: \"My OU\",\n    organization: \"My organization\",\n}, {\n    dependsOn: [pki],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.pkisecret.SecretBackendRootCert(\"test\",\n    backend=pki[\"path\"],\n    type=\"internal\",\n    common_name=\"Root CA\",\n    ttl=\"315360000\",\n    format=\"pem\",\n    private_key_format=\"der\",\n    key_type=\"rsa\",\n    key_bits=4096,\n    exclude_cn_from_sans=True,\n    ou=\"My OU\",\n    organization=\"My organization\",\n    opts = pulumi.ResourceOptions(depends_on=[pki]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.PkiSecret.SecretBackendRootCert(\"test\", new()\n    {\n        Backend = pki.Path,\n        Type = \"internal\",\n        CommonName = \"Root CA\",\n        Ttl = \"315360000\",\n        Format = \"pem\",\n        PrivateKeyFormat = \"der\",\n        KeyType = \"rsa\",\n        KeyBits = 4096,\n        ExcludeCnFromSans = true,\n        Ou = \"My OU\",\n        Organization = \"My organization\",\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            pki,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := pkisecret.NewSecretBackendRootCert(ctx, \"test\", \u0026pkisecret.SecretBackendRootCertArgs{\n\t\t\tBackend:           pulumi.Any(pki.Path),\n\t\t\tType:              pulumi.String(\"internal\"),\n\t\t\tCommonName:        pulumi.String(\"Root CA\"),\n\t\t\tTtl:               pulumi.String(\"315360000\"),\n\t\t\tFormat:            pulumi.String(\"pem\"),\n\t\t\tPrivateKeyFormat:  pulumi.String(\"der\"),\n\t\t\tKeyType:           pulumi.String(\"rsa\"),\n\t\t\tKeyBits:           pulumi.Int(4096),\n\t\t\tExcludeCnFromSans: pulumi.Bool(true),\n\t\t\tOu:                pulumi.String(\"My OU\"),\n\t\t\tOrganization:      pulumi.String(\"My organization\"),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tpki,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new SecretBackendRootCert(\"test\", SecretBackendRootCertArgs.builder()\n            .backend(pki.path())\n            .type(\"internal\")\n            .commonName(\"Root CA\")\n            .ttl(\"315360000\")\n            .format(\"pem\")\n            .privateKeyFormat(\"der\")\n            .keyType(\"rsa\")\n            .keyBits(4096)\n            .excludeCnFromSans(true)\n            .ou(\"My OU\")\n            .organization(\"My organization\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(pki)\n                .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:pkiSecret:SecretBackendRootCert\n    properties:\n      backend: ${pki.path}\n      type: internal\n      commonName: Root CA\n      ttl: '315360000'\n      format: pem\n      privateKeyFormat: der\n      keyType: rsa\n      keyBits: 4096\n      excludeCnFromSans: true\n      ou: My OU\n      organization: My organization\n    options:\n      dependsOn:\n        - ${pki}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n"},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n"},"certificate":{"type":"string","description":"The certificate.\n"},"commonName":{"type":"string","description":"CN of intermediate to create\n"},"country":{"type":"string","description":"The country\n"},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n"},"excludedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n"},"excludedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n"},"excludedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n"},"excludedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n"},"format":{"type":"string","description":"The format of data\n"},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n"},"issuerId":{"type":"string","description":"The ID of the generated issuer.\n"},"issuerName":{"type":"string","description":"Provides a name to the specified issuer. The name must be unique\nacross all issuers and not be the reserved value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e\n"},"issuingCa":{"type":"string","description":"The issuing CA certificate.\n"},"keyBits":{"type":"integer","description":"The number of bits to use\n"},"keyId":{"type":"string","description":"The ID of the generated key.\n"},"keyName":{"type":"string","description":"When a new key is created with this request, optionally specifies\nthe name for this. The global ref \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e may not be used as a name.\n"},"keyRef":{"type":"string","description":"Specifies the key (either default, by name, or by identifier) to use\nfor generating this request. Only suitable for `type=existing` requests.\n"},"keyType":{"type":"string","description":"The desired key type\n"},"locality":{"type":"string","description":"The locality\n"},"managedKeyId":{"type":"string","description":"The ID of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e\n"},"managedKeyName":{"type":"string","description":"The name of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e  and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e\n"},"maxPathLength":{"type":"integer","description":"The maximum path length to encode in the generated certificate\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.\n"},"organization":{"type":"string","description":"The organization\n"},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n"},"ou":{"type":"string","description":"The organization unit\n"},"permittedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are allowed to be issued\n"},"permittedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.\n"},"permittedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.\n"},"permittedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.\n"},"postalCode":{"type":"string","description":"The postal code\n"},"privateKeyFormat":{"type":"string","description":"The private key format\n"},"province":{"type":"string","description":"The province\n"},"serialNumber":{"type":"string","description":"The certificate's serial number, hex formatted.\n"},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n"},"streetAddress":{"type":"string","description":"The street address\n"},"ttl":{"type":"string","description":"Time to live\n"},"type":{"type":"string","description":"Type of intermediate to create. Must be either \\\"exported\\\", \\\"internal\\\"\nor \\\"kms\\\"\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n"}},"required":["backend","certificate","commonName","issuerId","issuerName","issuingCa","keyId","keyName","keyRef","managedKeyId","managedKeyName","serialNumber","signatureBits","type"],"inputProperties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"commonName":{"type":"string","description":"CN of intermediate to create\n","willReplaceOnChanges":true},"country":{"type":"string","description":"The country\n","willReplaceOnChanges":true},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"excludedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"issuerName":{"type":"string","description":"Provides a name to the specified issuer. The name must be unique\nacross all issuers and not be the reserved value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e\n","willReplaceOnChanges":true},"keyBits":{"type":"integer","description":"The number of bits to use\n","willReplaceOnChanges":true},"keyName":{"type":"string","description":"When a new key is created with this request, optionally specifies\nthe name for this. The global ref \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e may not be used as a name.\n","willReplaceOnChanges":true},"keyRef":{"type":"string","description":"Specifies the key (either default, by name, or by identifier) to use\nfor generating this request. Only suitable for `type=existing` requests.\n","willReplaceOnChanges":true},"keyType":{"type":"string","description":"The desired key type\n","willReplaceOnChanges":true},"locality":{"type":"string","description":"The locality\n","willReplaceOnChanges":true},"managedKeyId":{"type":"string","description":"The ID of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e\n","willReplaceOnChanges":true},"managedKeyName":{"type":"string","description":"The name of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e  and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e\n","willReplaceOnChanges":true},"maxPathLength":{"type":"integer","description":"The maximum path length to encode in the generated certificate\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.\n","willReplaceOnChanges":true},"organization":{"type":"string","description":"The organization\n","willReplaceOnChanges":true},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"ou":{"type":"string","description":"The organization unit\n","willReplaceOnChanges":true},"permittedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are allowed to be issued\n","willReplaceOnChanges":true},"permittedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"permittedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"permittedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"postalCode":{"type":"string","description":"The postal code\n","willReplaceOnChanges":true},"privateKeyFormat":{"type":"string","description":"The private key format\n","willReplaceOnChanges":true},"province":{"type":"string","description":"The province\n","willReplaceOnChanges":true},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n"},"streetAddress":{"type":"string","description":"The street address\n","willReplaceOnChanges":true},"ttl":{"type":"string","description":"Time to live\n"},"type":{"type":"string","description":"Type of intermediate to create. Must be either \\\"exported\\\", \\\"internal\\\"\nor \\\"kms\\\"\n","willReplaceOnChanges":true},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true}},"requiredInputs":["backend","commonName","type"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendRootCert resources.\n","properties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"certificate":{"type":"string","description":"The certificate.\n"},"commonName":{"type":"string","description":"CN of intermediate to create\n","willReplaceOnChanges":true},"country":{"type":"string","description":"The country\n","willReplaceOnChanges":true},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"excludedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"issuerId":{"type":"string","description":"The ID of the generated issuer.\n","willReplaceOnChanges":true},"issuerName":{"type":"string","description":"Provides a name to the specified issuer. The name must be unique\nacross all issuers and not be the reserved value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e\n","willReplaceOnChanges":true},"issuingCa":{"type":"string","description":"The issuing CA certificate.\n"},"keyBits":{"type":"integer","description":"The number of bits to use\n","willReplaceOnChanges":true},"keyId":{"type":"string","description":"The ID of the generated key.\n","willReplaceOnChanges":true},"keyName":{"type":"string","description":"When a new key is created with this request, optionally specifies\nthe name for this. The global ref \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e may not be used as a name.\n","willReplaceOnChanges":true},"keyRef":{"type":"string","description":"Specifies the key (either default, by name, or by identifier) to use\nfor generating this request. Only suitable for `type=existing` requests.\n","willReplaceOnChanges":true},"keyType":{"type":"string","description":"The desired key type\n","willReplaceOnChanges":true},"locality":{"type":"string","description":"The locality\n","willReplaceOnChanges":true},"managedKeyId":{"type":"string","description":"The ID of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e\n","willReplaceOnChanges":true},"managedKeyName":{"type":"string","description":"The name of the previously configured managed key. This field is\nrequired if \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`kms`\" pulumi-lang-dotnet=\"`Kms`\" pulumi-lang-go=\"`kms`\" pulumi-lang-python=\"`kms`\" pulumi-lang-yaml=\"`kms`\" pulumi-lang-java=\"`kms`\"\u003e`kms`\u003c/span\u003e  and it conflicts with \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e\n","willReplaceOnChanges":true},"maxPathLength":{"type":"integer","description":"The maximum path length to encode in the generated certificate\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.\n","willReplaceOnChanges":true},"organization":{"type":"string","description":"The organization\n","willReplaceOnChanges":true},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"ou":{"type":"string","description":"The organization unit\n","willReplaceOnChanges":true},"permittedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are allowed to be issued\n","willReplaceOnChanges":true},"permittedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"permittedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"permittedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"postalCode":{"type":"string","description":"The postal code\n","willReplaceOnChanges":true},"privateKeyFormat":{"type":"string","description":"The private key format\n","willReplaceOnChanges":true},"province":{"type":"string","description":"The province\n","willReplaceOnChanges":true},"serialNumber":{"type":"string","description":"The certificate's serial number, hex formatted.\n"},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n"},"streetAddress":{"type":"string","description":"The street address\n","willReplaceOnChanges":true},"ttl":{"type":"string","description":"Time to live\n"},"type":{"type":"string","description":"Type of intermediate to create. Must be either \\\"exported\\\", \\\"internal\\\"\nor \\\"kms\\\"\n","willReplaceOnChanges":true},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/secretBackendRootSignIntermediate:SecretBackendRootSignIntermediate":{"description":"Creates PKI certificate.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst root = new vault.pkisecret.SecretBackendRootSignIntermediate(\"root\", {\n    backend: rootVaultMount.path,\n    csr: intermediate.csr,\n    commonName: \"Intermediate CA\",\n    excludeCnFromSans: true,\n    ou: \"My OU\",\n    organization: \"My organization\",\n}, {\n    dependsOn: [intermediate],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nroot = vault.pkisecret.SecretBackendRootSignIntermediate(\"root\",\n    backend=root_vault_mount[\"path\"],\n    csr=intermediate[\"csr\"],\n    common_name=\"Intermediate CA\",\n    exclude_cn_from_sans=True,\n    ou=\"My OU\",\n    organization=\"My organization\",\n    opts = pulumi.ResourceOptions(depends_on=[intermediate]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var root = new Vault.PkiSecret.SecretBackendRootSignIntermediate(\"root\", new()\n    {\n        Backend = rootVaultMount.Path,\n        Csr = intermediate.Csr,\n        CommonName = \"Intermediate CA\",\n        ExcludeCnFromSans = true,\n        Ou = \"My OU\",\n        Organization = \"My organization\",\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            intermediate,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := pkisecret.NewSecretBackendRootSignIntermediate(ctx, \"root\", \u0026pkisecret.SecretBackendRootSignIntermediateArgs{\n\t\t\tBackend:           pulumi.Any(rootVaultMount.Path),\n\t\t\tCsr:               pulumi.Any(intermediate.Csr),\n\t\t\tCommonName:        pulumi.String(\"Intermediate CA\"),\n\t\t\tExcludeCnFromSans: pulumi.Bool(true),\n\t\t\tOu:                pulumi.String(\"My OU\"),\n\t\t\tOrganization:      pulumi.String(\"My organization\"),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tintermediate,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootSignIntermediate;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootSignIntermediateArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var root = new SecretBackendRootSignIntermediate(\"root\", SecretBackendRootSignIntermediateArgs.builder()\n            .backend(rootVaultMount.path())\n            .csr(intermediate.csr())\n            .commonName(\"Intermediate CA\")\n            .excludeCnFromSans(true)\n            .ou(\"My OU\")\n            .organization(\"My organization\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(intermediate)\n                .build());\n\n    }\n}\n```\n```yaml\nresources:\n  root:\n    type: vault:pkiSecret:SecretBackendRootSignIntermediate\n    properties:\n      backend: ${rootVaultMount.path}\n      csr: ${intermediate.csr}\n      commonName: Intermediate CA\n      excludeCnFromSans: true\n      ou: My OU\n      organization: My organization\n    options:\n      dependsOn:\n        - ${intermediate}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n"},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n"},"caChains":{"type":"array","items":{"type":"string"},"description":"A list of the issuing and intermediate CA certificates in the \u003cspan pulumi-lang-nodejs=\"`format`\" pulumi-lang-dotnet=\"`Format`\" pulumi-lang-go=\"`format`\" pulumi-lang-python=\"`format`\" pulumi-lang-yaml=\"`format`\" pulumi-lang-java=\"`format`\"\u003e`format`\u003c/span\u003e specified.\n"},"certificate":{"type":"string","description":"The intermediate CA certificate in the \u003cspan pulumi-lang-nodejs=\"`format`\" pulumi-lang-dotnet=\"`Format`\" pulumi-lang-go=\"`format`\" pulumi-lang-python=\"`format`\" pulumi-lang-yaml=\"`format`\" pulumi-lang-java=\"`format`\"\u003e`format`\u003c/span\u003e specified.\n"},"certificateBundle":{"type":"string","description":"The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). \nRequires the \u003cspan pulumi-lang-nodejs=\"`format`\" pulumi-lang-dotnet=\"`Format`\" pulumi-lang-go=\"`format`\" pulumi-lang-python=\"`format`\" pulumi-lang-yaml=\"`format`\" pulumi-lang-java=\"`format`\"\u003e`format`\u003c/span\u003e to be set to any of: pem, pem_bundle. The value will be empty for all other formats.\n"},"commonName":{"type":"string","description":"CN of intermediate to create\n"},"country":{"type":"string","description":"The country\n"},"csr":{"type":"string","description":"The CSR\n"},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n"},"excludedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n"},"excludedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n"},"excludedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n"},"excludedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n"},"format":{"type":"string","description":"The format of data\n"},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n"},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request. May\nbe the value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e, a name, or an issuer ID. Use ACLs to prevent access to\nthe `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users\noverriding the role's \u003cspan pulumi-lang-nodejs=\"`issuerRef`\" pulumi-lang-dotnet=\"`IssuerRef`\" pulumi-lang-go=\"`issuerRef`\" pulumi-lang-python=\"`issuer_ref`\" pulumi-lang-yaml=\"`issuerRef`\" pulumi-lang-java=\"`issuerRef`\"\u003e`issuer_ref`\u003c/span\u003e value.\n"},"issuingCa":{"type":"string","description":"The issuing CA certificate in the \u003cspan pulumi-lang-nodejs=\"`format`\" pulumi-lang-dotnet=\"`Format`\" pulumi-lang-go=\"`format`\" pulumi-lang-python=\"`format`\" pulumi-lang-yaml=\"`format`\" pulumi-lang-java=\"`format`\"\u003e`format`\u003c/span\u003e specified.\n"},"keyUsages":{"type":"array","items":{"type":"string"},"description":"Specify the key usages to be added to the existing set of key usages (\"CRL\", \"CertSign\") on the generated certificate.\n"},"locality":{"type":"string","description":"The locality\n"},"maxPathLength":{"type":"integer","description":"The maximum path length to encode in the generated certificate\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. \nThe value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date\nfor IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property."},"organization":{"type":"string","description":"The organization\n"},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n"},"ou":{"type":"string","description":"The organization unit\n"},"permittedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are allowed to be issued\n"},"permittedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.\n"},"permittedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.\n"},"permittedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.\n"},"postalCode":{"type":"string","description":"The postal code\n"},"province":{"type":"string","description":"The province\n"},"revoke":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the certificate will be revoked on resource destruction.\n"},"serialNumber":{"type":"string","description":"The certificate's serial number, hex formatted.\n"},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n"},"skid":{"type":"string","description":"Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.\n"},"streetAddress":{"type":"string","description":"The street address\n"},"ttl":{"type":"string","description":"Time to live\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n"},"useCsrValues":{"type":"boolean","description":"Preserve CSR values\n"},"usePss":{"type":"boolean","description":"Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.\n"}},"required":["backend","caChains","certificate","certificateBundle","commonName","csr","issuingCa","serialNumber"],"inputProperties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"commonName":{"type":"string","description":"CN of intermediate to create\n","willReplaceOnChanges":true},"country":{"type":"string","description":"The country\n","willReplaceOnChanges":true},"csr":{"type":"string","description":"The CSR\n","willReplaceOnChanges":true},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"excludedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request. May\nbe the value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e, a name, or an issuer ID. Use ACLs to prevent access to\nthe `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users\noverriding the role's \u003cspan pulumi-lang-nodejs=\"`issuerRef`\" pulumi-lang-dotnet=\"`IssuerRef`\" pulumi-lang-go=\"`issuerRef`\" pulumi-lang-python=\"`issuer_ref`\" pulumi-lang-yaml=\"`issuerRef`\" pulumi-lang-java=\"`issuerRef`\"\u003e`issuer_ref`\u003c/span\u003e value.\n"},"keyUsages":{"type":"array","items":{"type":"string"},"description":"Specify the key usages to be added to the existing set of key usages (\"CRL\", \"CertSign\") on the generated certificate.\n","willReplaceOnChanges":true},"locality":{"type":"string","description":"The locality\n","willReplaceOnChanges":true},"maxPathLength":{"type":"integer","description":"The maximum path length to encode in the generated certificate\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. \nThe value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date\nfor IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.","willReplaceOnChanges":true},"organization":{"type":"string","description":"The organization\n","willReplaceOnChanges":true},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"ou":{"type":"string","description":"The organization unit\n","willReplaceOnChanges":true},"permittedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are allowed to be issued\n","willReplaceOnChanges":true},"permittedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"permittedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"permittedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"postalCode":{"type":"string","description":"The postal code\n","willReplaceOnChanges":true},"province":{"type":"string","description":"The province\n","willReplaceOnChanges":true},"revoke":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the certificate will be revoked on resource destruction.\n"},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n","willReplaceOnChanges":true},"skid":{"type":"string","description":"Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.\n","willReplaceOnChanges":true},"streetAddress":{"type":"string","description":"The street address\n","willReplaceOnChanges":true},"ttl":{"type":"string","description":"Time to live\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true},"useCsrValues":{"type":"boolean","description":"Preserve CSR values\n","willReplaceOnChanges":true},"usePss":{"type":"boolean","description":"Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.\n","willReplaceOnChanges":true}},"requiredInputs":["backend","commonName","csr"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendRootSignIntermediate resources.\n","properties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"caChains":{"type":"array","items":{"type":"string"},"description":"A list of the issuing and intermediate CA certificates in the \u003cspan pulumi-lang-nodejs=\"`format`\" pulumi-lang-dotnet=\"`Format`\" pulumi-lang-go=\"`format`\" pulumi-lang-python=\"`format`\" pulumi-lang-yaml=\"`format`\" pulumi-lang-java=\"`format`\"\u003e`format`\u003c/span\u003e specified.\n"},"certificate":{"type":"string","description":"The intermediate CA certificate in the \u003cspan pulumi-lang-nodejs=\"`format`\" pulumi-lang-dotnet=\"`Format`\" pulumi-lang-go=\"`format`\" pulumi-lang-python=\"`format`\" pulumi-lang-yaml=\"`format`\" pulumi-lang-java=\"`format`\"\u003e`format`\u003c/span\u003e specified.\n"},"certificateBundle":{"type":"string","description":"The concatenation of the intermediate CA and the issuing CA certificates (PEM encoded). \nRequires the \u003cspan pulumi-lang-nodejs=\"`format`\" pulumi-lang-dotnet=\"`Format`\" pulumi-lang-go=\"`format`\" pulumi-lang-python=\"`format`\" pulumi-lang-yaml=\"`format`\" pulumi-lang-java=\"`format`\"\u003e`format`\u003c/span\u003e to be set to any of: pem, pem_bundle. The value will be empty for all other formats.\n"},"commonName":{"type":"string","description":"CN of intermediate to create\n","willReplaceOnChanges":true},"country":{"type":"string","description":"The country\n","willReplaceOnChanges":true},"csr":{"type":"string","description":"The CSR\n","willReplaceOnChanges":true},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"excludedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"excludedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are not allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request. May\nbe the value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e, a name, or an issuer ID. Use ACLs to prevent access to\nthe `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users\noverriding the role's \u003cspan pulumi-lang-nodejs=\"`issuerRef`\" pulumi-lang-dotnet=\"`IssuerRef`\" pulumi-lang-go=\"`issuerRef`\" pulumi-lang-python=\"`issuer_ref`\" pulumi-lang-yaml=\"`issuerRef`\" pulumi-lang-java=\"`issuerRef`\"\u003e`issuer_ref`\u003c/span\u003e value.\n"},"issuingCa":{"type":"string","description":"The issuing CA certificate in the \u003cspan pulumi-lang-nodejs=\"`format`\" pulumi-lang-dotnet=\"`Format`\" pulumi-lang-go=\"`format`\" pulumi-lang-python=\"`format`\" pulumi-lang-yaml=\"`format`\" pulumi-lang-java=\"`format`\"\u003e`format`\u003c/span\u003e specified.\n"},"keyUsages":{"type":"array","items":{"type":"string"},"description":"Specify the key usages to be added to the existing set of key usages (\"CRL\", \"CertSign\") on the generated certificate.\n","willReplaceOnChanges":true},"locality":{"type":"string","description":"The locality\n","willReplaceOnChanges":true},"maxPathLength":{"type":"integer","description":"The maximum path length to encode in the generated certificate\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. \nThe value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date\nfor IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the NotBefore property.","willReplaceOnChanges":true},"organization":{"type":"string","description":"The organization\n","willReplaceOnChanges":true},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"ou":{"type":"string","description":"The organization unit\n","willReplaceOnChanges":true},"permittedDnsDomains":{"type":"array","items":{"type":"string"},"description":"List of domains for which certificates are allowed to be issued\n","willReplaceOnChanges":true},"permittedEmailAddresses":{"type":"array","items":{"type":"string"},"description":"List of email addresses for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"permittedIpRanges":{"type":"array","items":{"type":"string"},"description":"List of IP ranges for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"permittedUriDomains":{"type":"array","items":{"type":"string"},"description":"List of URI domains for which certificates are allowed to be issued. Requires Vault version 1.19+.\n","willReplaceOnChanges":true},"postalCode":{"type":"string","description":"The postal code\n","willReplaceOnChanges":true},"province":{"type":"string","description":"The province\n","willReplaceOnChanges":true},"revoke":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, the certificate will be revoked on resource destruction.\n"},"serialNumber":{"type":"string","description":"The certificate's serial number, hex formatted.\n"},"signatureBits":{"type":"integer","description":"The number of bits to use in the signature algorithm\n","willReplaceOnChanges":true},"skid":{"type":"string","description":"Value for the Subject Key Identifier field (see https://tools.ietf.org/html/rfc5280#section-4.2.1.2). Specified as a string in hex format.\n","willReplaceOnChanges":true},"streetAddress":{"type":"string","description":"The street address\n","willReplaceOnChanges":true},"ttl":{"type":"string","description":"Time to live\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true},"useCsrValues":{"type":"boolean","description":"Preserve CSR values\n","willReplaceOnChanges":true},"usePss":{"type":"boolean","description":"Specifies whether or not to use PSS signatures over PKCS#1v1.5 signatures when a RSA-type issuer is used. Ignored for ECDSA/Ed25519 issuers.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:pkiSecret/secretBackendSign:SecretBackendSign":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.pkisecret.SecretBackendSign(\"test\", {\n    backend: pki.path,\n    name: admin.name,\n    csr: `-----BEGIN CERTIFICATE REQUEST-----\nMIIEqDCCApACAQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx\nITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTY2Vy\ndC50ZXN0Lm15LmRvbWFpbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAJupYCQ8UVCWII1Zof1c6YcSSaM9hEaDU78cfKP5RoSeH10BvrWRfT+mzCONVpNP\nCW9Iabtvk6hm0ot6ilnndEyVJbc0g7hdDLBX5BM25D+DGZGJRKUz1V+uBrWmXtIt\nVonj7JTDTe7ViH0GDsB7CvqXFGXO2a2cDYBchLkL6vQiFPshxvUsLtwxuy/qdYgy\nX6ya+AUoZcoQGy1XxNjfH6cPtWSWQGEp1oPR6vL9hU3laTZb3C+VV4jZem+he8/0\nV+qV6fLG92WTXm2hmf8nrtUqqJ+C7mW/RJod+TviviBadIX0OHXW7k5HVsZood01\nte8vMRUNJNiZfa9EMIK5oncbQn0LcM3Wo9VrjpL7jREb/4HCS2gswYGv7hzk9cCS\nkVY4rDucchKbApuI3kfzmO7GFOF5eiSkYZpY/czNn7VVM3WCu6dpOX4+3rhgrZQw\nkY14L930DaLVRUgve/zKVP2D2GHdEOs+MbV7s96UgigT9pXly/yHPj+1sSYqmnaD\n5b7jSeJusmzO/nrwXVGLsnezR87VzHl9Ux9g5s6zh+R+PrZuVxYsLvoUpaasH47O\ngIcBzSb/6pSGZKAUizmYsHsR1k88dAvsQ+FsUDaNokdi9VndEB4QPmiFmjyLV+0I\n1TFoXop4sW11NPz1YCq+IxnYrEaIN3PyhY0GvBJDFY1/AgMBAAGgADANBgkqhkiG\n9w0BAQsFAAOCAgEActuqnqS8Y9UF7e08w7tR3FPzGecWreuvxILrlFEZJxiLPFqL\nIt7uJvtypCVQvz6UQzKdBYO7tMpRaWViB8DrWzXNZjLMrg+QHcpveg8C0Ett4scG\nfnvLk6fTDFYrnGvwHTqiHos5i0y3bFLyS1BGwSpdLAykGtvC+VM8mRyw/Y7CPcKN\n77kebY/9xduW1g2uxWLr0x90RuQDv9psPojT+59tRLGSp5Kt0IeD3QtnAZEFE4aN\nvt+Pd69eg3BgZ8ZeDgoqAw3yppvOkpAFiE5pw2qPZaM4SRphl4d2Lek2zNIMyZqv\ndo5zh356HOgXtDaSg0POnRGrN/Ua+LMCRTg6GEPUnx9uQb/zt8Zu0hIexDGyykp1\nOGqtWlv/Nc8UYuS38v0BeB6bMPeoqQUjkqs8nHlAEFn0KlgYdtDC+7SdQx6wS4te\ndBKRNDfC4lS3jYJgs55jHqonZgkpSi3bamlxpfpW0ukGBcmq91wRe4bOw/4uD/vf\nUwqMWOdCYcU3mdYNjTWy22ORW3SGFQxMBwpUEURCSoeqWr6aJeQ7KAYkx1PrB5T8\nOTEc13lWf+B0PU9UJuGTsmpIuImPDVd0EVDayr3mT5dDbqTVDbe8ppf2IswABmf0\no3DybUeUmknYjl109rdSf+76nuREICHatxXgN3xCMFuBaN4WLO+ksd6Y1Ys=\n-----END CERTIFICATE REQUEST-----\n`,\n    commonName: \"test.my.domain\",\n}, {\n    dependsOn: [admin],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.pkisecret.SecretBackendSign(\"test\",\n    backend=pki[\"path\"],\n    name=admin[\"name\"],\n    csr=\"\"\"-----BEGIN CERTIFICATE REQUEST-----\nMIIEqDCCApACAQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx\nITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTY2Vy\ndC50ZXN0Lm15LmRvbWFpbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAJupYCQ8UVCWII1Zof1c6YcSSaM9hEaDU78cfKP5RoSeH10BvrWRfT+mzCONVpNP\nCW9Iabtvk6hm0ot6ilnndEyVJbc0g7hdDLBX5BM25D+DGZGJRKUz1V+uBrWmXtIt\nVonj7JTDTe7ViH0GDsB7CvqXFGXO2a2cDYBchLkL6vQiFPshxvUsLtwxuy/qdYgy\nX6ya+AUoZcoQGy1XxNjfH6cPtWSWQGEp1oPR6vL9hU3laTZb3C+VV4jZem+he8/0\nV+qV6fLG92WTXm2hmf8nrtUqqJ+C7mW/RJod+TviviBadIX0OHXW7k5HVsZood01\nte8vMRUNJNiZfa9EMIK5oncbQn0LcM3Wo9VrjpL7jREb/4HCS2gswYGv7hzk9cCS\nkVY4rDucchKbApuI3kfzmO7GFOF5eiSkYZpY/czNn7VVM3WCu6dpOX4+3rhgrZQw\nkY14L930DaLVRUgve/zKVP2D2GHdEOs+MbV7s96UgigT9pXly/yHPj+1sSYqmnaD\n5b7jSeJusmzO/nrwXVGLsnezR87VzHl9Ux9g5s6zh+R+PrZuVxYsLvoUpaasH47O\ngIcBzSb/6pSGZKAUizmYsHsR1k88dAvsQ+FsUDaNokdi9VndEB4QPmiFmjyLV+0I\n1TFoXop4sW11NPz1YCq+IxnYrEaIN3PyhY0GvBJDFY1/AgMBAAGgADANBgkqhkiG\n9w0BAQsFAAOCAgEActuqnqS8Y9UF7e08w7tR3FPzGecWreuvxILrlFEZJxiLPFqL\nIt7uJvtypCVQvz6UQzKdBYO7tMpRaWViB8DrWzXNZjLMrg+QHcpveg8C0Ett4scG\nfnvLk6fTDFYrnGvwHTqiHos5i0y3bFLyS1BGwSpdLAykGtvC+VM8mRyw/Y7CPcKN\n77kebY/9xduW1g2uxWLr0x90RuQDv9psPojT+59tRLGSp5Kt0IeD3QtnAZEFE4aN\nvt+Pd69eg3BgZ8ZeDgoqAw3yppvOkpAFiE5pw2qPZaM4SRphl4d2Lek2zNIMyZqv\ndo5zh356HOgXtDaSg0POnRGrN/Ua+LMCRTg6GEPUnx9uQb/zt8Zu0hIexDGyykp1\nOGqtWlv/Nc8UYuS38v0BeB6bMPeoqQUjkqs8nHlAEFn0KlgYdtDC+7SdQx6wS4te\ndBKRNDfC4lS3jYJgs55jHqonZgkpSi3bamlxpfpW0ukGBcmq91wRe4bOw/4uD/vf\nUwqMWOdCYcU3mdYNjTWy22ORW3SGFQxMBwpUEURCSoeqWr6aJeQ7KAYkx1PrB5T8\nOTEc13lWf+B0PU9UJuGTsmpIuImPDVd0EVDayr3mT5dDbqTVDbe8ppf2IswABmf0\no3DybUeUmknYjl109rdSf+76nuREICHatxXgN3xCMFuBaN4WLO+ksd6Y1Ys=\n-----END CERTIFICATE REQUEST-----\n\"\"\",\n    common_name=\"test.my.domain\",\n    opts = pulumi.ResourceOptions(depends_on=[admin]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.PkiSecret.SecretBackendSign(\"test\", new()\n    {\n        Backend = pki.Path,\n        Name = admin.Name,\n        Csr = @\"-----BEGIN CERTIFICATE REQUEST-----\nMIIEqDCCApACAQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx\nITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTY2Vy\ndC50ZXN0Lm15LmRvbWFpbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAJupYCQ8UVCWII1Zof1c6YcSSaM9hEaDU78cfKP5RoSeH10BvrWRfT+mzCONVpNP\nCW9Iabtvk6hm0ot6ilnndEyVJbc0g7hdDLBX5BM25D+DGZGJRKUz1V+uBrWmXtIt\nVonj7JTDTe7ViH0GDsB7CvqXFGXO2a2cDYBchLkL6vQiFPshxvUsLtwxuy/qdYgy\nX6ya+AUoZcoQGy1XxNjfH6cPtWSWQGEp1oPR6vL9hU3laTZb3C+VV4jZem+he8/0\nV+qV6fLG92WTXm2hmf8nrtUqqJ+C7mW/RJod+TviviBadIX0OHXW7k5HVsZood01\nte8vMRUNJNiZfa9EMIK5oncbQn0LcM3Wo9VrjpL7jREb/4HCS2gswYGv7hzk9cCS\nkVY4rDucchKbApuI3kfzmO7GFOF5eiSkYZpY/czNn7VVM3WCu6dpOX4+3rhgrZQw\nkY14L930DaLVRUgve/zKVP2D2GHdEOs+MbV7s96UgigT9pXly/yHPj+1sSYqmnaD\n5b7jSeJusmzO/nrwXVGLsnezR87VzHl9Ux9g5s6zh+R+PrZuVxYsLvoUpaasH47O\ngIcBzSb/6pSGZKAUizmYsHsR1k88dAvsQ+FsUDaNokdi9VndEB4QPmiFmjyLV+0I\n1TFoXop4sW11NPz1YCq+IxnYrEaIN3PyhY0GvBJDFY1/AgMBAAGgADANBgkqhkiG\n9w0BAQsFAAOCAgEActuqnqS8Y9UF7e08w7tR3FPzGecWreuvxILrlFEZJxiLPFqL\nIt7uJvtypCVQvz6UQzKdBYO7tMpRaWViB8DrWzXNZjLMrg+QHcpveg8C0Ett4scG\nfnvLk6fTDFYrnGvwHTqiHos5i0y3bFLyS1BGwSpdLAykGtvC+VM8mRyw/Y7CPcKN\n77kebY/9xduW1g2uxWLr0x90RuQDv9psPojT+59tRLGSp5Kt0IeD3QtnAZEFE4aN\nvt+Pd69eg3BgZ8ZeDgoqAw3yppvOkpAFiE5pw2qPZaM4SRphl4d2Lek2zNIMyZqv\ndo5zh356HOgXtDaSg0POnRGrN/Ua+LMCRTg6GEPUnx9uQb/zt8Zu0hIexDGyykp1\nOGqtWlv/Nc8UYuS38v0BeB6bMPeoqQUjkqs8nHlAEFn0KlgYdtDC+7SdQx6wS4te\ndBKRNDfC4lS3jYJgs55jHqonZgkpSi3bamlxpfpW0ukGBcmq91wRe4bOw/4uD/vf\nUwqMWOdCYcU3mdYNjTWy22ORW3SGFQxMBwpUEURCSoeqWr6aJeQ7KAYkx1PrB5T8\nOTEc13lWf+B0PU9UJuGTsmpIuImPDVd0EVDayr3mT5dDbqTVDbe8ppf2IswABmf0\no3DybUeUmknYjl109rdSf+76nuREICHatxXgN3xCMFuBaN4WLO+ksd6Y1Ys=\n-----END CERTIFICATE REQUEST-----\n\",\n        CommonName = \"test.my.domain\",\n    }, new CustomResourceOptions\n    {\n        DependsOn =\n        {\n            admin,\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := pkisecret.NewSecretBackendSign(ctx, \"test\", \u0026pkisecret.SecretBackendSignArgs{\n\t\t\tBackend: pulumi.Any(pki.Path),\n\t\t\tName:    pulumi.Any(admin.Name),\n\t\t\tCsr: pulumi.String(`-----BEGIN CERTIFICATE REQUEST-----\nMIIEqDCCApACAQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx\nITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTY2Vy\ndC50ZXN0Lm15LmRvbWFpbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAJupYCQ8UVCWII1Zof1c6YcSSaM9hEaDU78cfKP5RoSeH10BvrWRfT+mzCONVpNP\nCW9Iabtvk6hm0ot6ilnndEyVJbc0g7hdDLBX5BM25D+DGZGJRKUz1V+uBrWmXtIt\nVonj7JTDTe7ViH0GDsB7CvqXFGXO2a2cDYBchLkL6vQiFPshxvUsLtwxuy/qdYgy\nX6ya+AUoZcoQGy1XxNjfH6cPtWSWQGEp1oPR6vL9hU3laTZb3C+VV4jZem+he8/0\nV+qV6fLG92WTXm2hmf8nrtUqqJ+C7mW/RJod+TviviBadIX0OHXW7k5HVsZood01\nte8vMRUNJNiZfa9EMIK5oncbQn0LcM3Wo9VrjpL7jREb/4HCS2gswYGv7hzk9cCS\nkVY4rDucchKbApuI3kfzmO7GFOF5eiSkYZpY/czNn7VVM3WCu6dpOX4+3rhgrZQw\nkY14L930DaLVRUgve/zKVP2D2GHdEOs+MbV7s96UgigT9pXly/yHPj+1sSYqmnaD\n5b7jSeJusmzO/nrwXVGLsnezR87VzHl9Ux9g5s6zh+R+PrZuVxYsLvoUpaasH47O\ngIcBzSb/6pSGZKAUizmYsHsR1k88dAvsQ+FsUDaNokdi9VndEB4QPmiFmjyLV+0I\n1TFoXop4sW11NPz1YCq+IxnYrEaIN3PyhY0GvBJDFY1/AgMBAAGgADANBgkqhkiG\n9w0BAQsFAAOCAgEActuqnqS8Y9UF7e08w7tR3FPzGecWreuvxILrlFEZJxiLPFqL\nIt7uJvtypCVQvz6UQzKdBYO7tMpRaWViB8DrWzXNZjLMrg+QHcpveg8C0Ett4scG\nfnvLk6fTDFYrnGvwHTqiHos5i0y3bFLyS1BGwSpdLAykGtvC+VM8mRyw/Y7CPcKN\n77kebY/9xduW1g2uxWLr0x90RuQDv9psPojT+59tRLGSp5Kt0IeD3QtnAZEFE4aN\nvt+Pd69eg3BgZ8ZeDgoqAw3yppvOkpAFiE5pw2qPZaM4SRphl4d2Lek2zNIMyZqv\ndo5zh356HOgXtDaSg0POnRGrN/Ua+LMCRTg6GEPUnx9uQb/zt8Zu0hIexDGyykp1\nOGqtWlv/Nc8UYuS38v0BeB6bMPeoqQUjkqs8nHlAEFn0KlgYdtDC+7SdQx6wS4te\ndBKRNDfC4lS3jYJgs55jHqonZgkpSi3bamlxpfpW0ukGBcmq91wRe4bOw/4uD/vf\nUwqMWOdCYcU3mdYNjTWy22ORW3SGFQxMBwpUEURCSoeqWr6aJeQ7KAYkx1PrB5T8\nOTEc13lWf+B0PU9UJuGTsmpIuImPDVd0EVDayr3mT5dDbqTVDbe8ppf2IswABmf0\no3DybUeUmknYjl109rdSf+76nuREICHatxXgN3xCMFuBaN4WLO+ksd6Y1Ys=\n-----END CERTIFICATE REQUEST-----\n`),\n\t\t\tCommonName: pulumi.String(\"test.my.domain\"),\n\t\t}, pulumi.DependsOn([]pulumi.Resource{\n\t\t\tadmin,\n\t\t}))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.pkiSecret.SecretBackendSign;\nimport com.pulumi.vault.pkiSecret.SecretBackendSignArgs;\nimport com.pulumi.resources.CustomResourceOptions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new SecretBackendSign(\"test\", SecretBackendSignArgs.builder()\n            .backend(pki.path())\n            .name(admin.name())\n            .csr(\"\"\"\n-----BEGIN CERTIFICATE REQUEST-----\nMIIEqDCCApACAQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx\nITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTY2Vy\ndC50ZXN0Lm15LmRvbWFpbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\nAJupYCQ8UVCWII1Zof1c6YcSSaM9hEaDU78cfKP5RoSeH10BvrWRfT+mzCONVpNP\nCW9Iabtvk6hm0ot6ilnndEyVJbc0g7hdDLBX5BM25D+DGZGJRKUz1V+uBrWmXtIt\nVonj7JTDTe7ViH0GDsB7CvqXFGXO2a2cDYBchLkL6vQiFPshxvUsLtwxuy/qdYgy\nX6ya+AUoZcoQGy1XxNjfH6cPtWSWQGEp1oPR6vL9hU3laTZb3C+VV4jZem+he8/0\nV+qV6fLG92WTXm2hmf8nrtUqqJ+C7mW/RJod+TviviBadIX0OHXW7k5HVsZood01\nte8vMRUNJNiZfa9EMIK5oncbQn0LcM3Wo9VrjpL7jREb/4HCS2gswYGv7hzk9cCS\nkVY4rDucchKbApuI3kfzmO7GFOF5eiSkYZpY/czNn7VVM3WCu6dpOX4+3rhgrZQw\nkY14L930DaLVRUgve/zKVP2D2GHdEOs+MbV7s96UgigT9pXly/yHPj+1sSYqmnaD\n5b7jSeJusmzO/nrwXVGLsnezR87VzHl9Ux9g5s6zh+R+PrZuVxYsLvoUpaasH47O\ngIcBzSb/6pSGZKAUizmYsHsR1k88dAvsQ+FsUDaNokdi9VndEB4QPmiFmjyLV+0I\n1TFoXop4sW11NPz1YCq+IxnYrEaIN3PyhY0GvBJDFY1/AgMBAAGgADANBgkqhkiG\n9w0BAQsFAAOCAgEActuqnqS8Y9UF7e08w7tR3FPzGecWreuvxILrlFEZJxiLPFqL\nIt7uJvtypCVQvz6UQzKdBYO7tMpRaWViB8DrWzXNZjLMrg+QHcpveg8C0Ett4scG\nfnvLk6fTDFYrnGvwHTqiHos5i0y3bFLyS1BGwSpdLAykGtvC+VM8mRyw/Y7CPcKN\n77kebY/9xduW1g2uxWLr0x90RuQDv9psPojT+59tRLGSp5Kt0IeD3QtnAZEFE4aN\nvt+Pd69eg3BgZ8ZeDgoqAw3yppvOkpAFiE5pw2qPZaM4SRphl4d2Lek2zNIMyZqv\ndo5zh356HOgXtDaSg0POnRGrN/Ua+LMCRTg6GEPUnx9uQb/zt8Zu0hIexDGyykp1\nOGqtWlv/Nc8UYuS38v0BeB6bMPeoqQUjkqs8nHlAEFn0KlgYdtDC+7SdQx6wS4te\ndBKRNDfC4lS3jYJgs55jHqonZgkpSi3bamlxpfpW0ukGBcmq91wRe4bOw/4uD/vf\nUwqMWOdCYcU3mdYNjTWy22ORW3SGFQxMBwpUEURCSoeqWr6aJeQ7KAYkx1PrB5T8\nOTEc13lWf+B0PU9UJuGTsmpIuImPDVd0EVDayr3mT5dDbqTVDbe8ppf2IswABmf0\no3DybUeUmknYjl109rdSf+76nuREICHatxXgN3xCMFuBaN4WLO+ksd6Y1Ys=\n-----END CERTIFICATE REQUEST-----\n            \"\"\")\n            .commonName(\"test.my.domain\")\n            .build(), CustomResourceOptions.builder()\n                .dependsOn(admin)\n                .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:pkiSecret:SecretBackendSign\n    properties:\n      backend: ${pki.path}\n      name: ${admin.name}\n      csr: |\n        -----BEGIN CERTIFICATE REQUEST-----\n        MIIEqDCCApACAQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx\n        ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTY2Vy\n        dC50ZXN0Lm15LmRvbWFpbjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB\n        AJupYCQ8UVCWII1Zof1c6YcSSaM9hEaDU78cfKP5RoSeH10BvrWRfT+mzCONVpNP\n        CW9Iabtvk6hm0ot6ilnndEyVJbc0g7hdDLBX5BM25D+DGZGJRKUz1V+uBrWmXtIt\n        Vonj7JTDTe7ViH0GDsB7CvqXFGXO2a2cDYBchLkL6vQiFPshxvUsLtwxuy/qdYgy\n        X6ya+AUoZcoQGy1XxNjfH6cPtWSWQGEp1oPR6vL9hU3laTZb3C+VV4jZem+he8/0\n        V+qV6fLG92WTXm2hmf8nrtUqqJ+C7mW/RJod+TviviBadIX0OHXW7k5HVsZood01\n        te8vMRUNJNiZfa9EMIK5oncbQn0LcM3Wo9VrjpL7jREb/4HCS2gswYGv7hzk9cCS\n        kVY4rDucchKbApuI3kfzmO7GFOF5eiSkYZpY/czNn7VVM3WCu6dpOX4+3rhgrZQw\n        kY14L930DaLVRUgve/zKVP2D2GHdEOs+MbV7s96UgigT9pXly/yHPj+1sSYqmnaD\n        5b7jSeJusmzO/nrwXVGLsnezR87VzHl9Ux9g5s6zh+R+PrZuVxYsLvoUpaasH47O\n        gIcBzSb/6pSGZKAUizmYsHsR1k88dAvsQ+FsUDaNokdi9VndEB4QPmiFmjyLV+0I\n        1TFoXop4sW11NPz1YCq+IxnYrEaIN3PyhY0GvBJDFY1/AgMBAAGgADANBgkqhkiG\n        9w0BAQsFAAOCAgEActuqnqS8Y9UF7e08w7tR3FPzGecWreuvxILrlFEZJxiLPFqL\n        It7uJvtypCVQvz6UQzKdBYO7tMpRaWViB8DrWzXNZjLMrg+QHcpveg8C0Ett4scG\n        fnvLk6fTDFYrnGvwHTqiHos5i0y3bFLyS1BGwSpdLAykGtvC+VM8mRyw/Y7CPcKN\n        77kebY/9xduW1g2uxWLr0x90RuQDv9psPojT+59tRLGSp5Kt0IeD3QtnAZEFE4aN\n        vt+Pd69eg3BgZ8ZeDgoqAw3yppvOkpAFiE5pw2qPZaM4SRphl4d2Lek2zNIMyZqv\n        do5zh356HOgXtDaSg0POnRGrN/Ua+LMCRTg6GEPUnx9uQb/zt8Zu0hIexDGyykp1\n        OGqtWlv/Nc8UYuS38v0BeB6bMPeoqQUjkqs8nHlAEFn0KlgYdtDC+7SdQx6wS4te\n        dBKRNDfC4lS3jYJgs55jHqonZgkpSi3bamlxpfpW0ukGBcmq91wRe4bOw/4uD/vf\n        UwqMWOdCYcU3mdYNjTWy22ORW3SGFQxMBwpUEURCSoeqWr6aJeQ7KAYkx1PrB5T8\n        OTEc13lWf+B0PU9UJuGTsmpIuImPDVd0EVDayr3mT5dDbqTVDbe8ppf2IswABmf0\n        o3DybUeUmknYjl109rdSf+76nuREICHatxXgN3xCMFuBaN4WLO+ksd6Y1Ys=\n        -----END CERTIFICATE REQUEST-----\n      commonName: test.my.domain\n    options:\n      dependsOn:\n        - ${admin}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n"},"autoRenew":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, certs will be renewed if the expiration is within \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n"},"caChains":{"type":"array","items":{"type":"string"},"description":"The CA chain\n"},"certMetadata":{"type":"string","description":"A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's\u003cspan pulumi-lang-nodejs=\" noStoreMetadata \" pulumi-lang-dotnet=\" NoStoreMetadata \" pulumi-lang-go=\" noStoreMetadata \" pulumi-lang-python=\" no_store_metadata \" pulumi-lang-yaml=\" noStoreMetadata \" pulumi-lang-java=\" noStoreMetadata \"\u003e no_store_metadata \u003c/span\u003emust be set to false, otherwise an error is returned when specified.\n"},"certificate":{"type":"string","description":"The certificate\n"},"commonName":{"type":"string","description":"CN of certificate to create\n"},"csr":{"type":"string","description":"The CSR\n"},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n"},"expiration":{"type":"integer","description":"The expiration date of the certificate in unix epoch format\n"},"format":{"type":"string","description":"The format of data\n"},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n"},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request. Can\nbe the value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e, a name, or an issuer ID. Use ACLs to prevent access to\nthe `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users\noverriding the role's \u003cspan pulumi-lang-nodejs=\"`issuerRef`\" pulumi-lang-dotnet=\"`IssuerRef`\" pulumi-lang-go=\"`issuerRef`\" pulumi-lang-python=\"`issuer_ref`\" pulumi-lang-yaml=\"`issuerRef`\" pulumi-lang-java=\"`issuerRef`\"\u003e`issuer_ref`\u003c/span\u003e value.\n"},"issuingCa":{"type":"string","description":"The issuing CA\n"},"minSecondsRemaining":{"type":"integer","description":"Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days)\n"},"name":{"type":"string","description":"Name of the role to create the certificate against\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n"},"renewPending":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the current time (during refresh) is after the start of the early renewal window declared by \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e otherwise; if \u003cspan pulumi-lang-nodejs=\"`autoRenew`\" pulumi-lang-dotnet=\"`AutoRenew`\" pulumi-lang-go=\"`autoRenew`\" pulumi-lang-python=\"`auto_renew`\" pulumi-lang-yaml=\"`autoRenew`\" pulumi-lang-java=\"`autoRenew`\"\u003e`auto_renew`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e then the provider will plan to replace the certificate once renewal is pending.\n"},"serialNumber":{"type":"string","description":"The certificate's serial number, hex formatted.\n"},"ttl":{"type":"string","description":"Time to live\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n"}},"required":["backend","caChains","certificate","commonName","csr","expiration","issuingCa","name","renewPending","serialNumber"],"inputProperties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"autoRenew":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, certs will be renewed if the expiration is within \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"certMetadata":{"type":"string","description":"A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's\u003cspan pulumi-lang-nodejs=\" noStoreMetadata \" pulumi-lang-dotnet=\" NoStoreMetadata \" pulumi-lang-go=\" noStoreMetadata \" pulumi-lang-python=\" no_store_metadata \" pulumi-lang-yaml=\" noStoreMetadata \" pulumi-lang-java=\" noStoreMetadata \"\u003e no_store_metadata \u003c/span\u003emust be set to false, otherwise an error is returned when specified.\n"},"commonName":{"type":"string","description":"CN of certificate to create\n","willReplaceOnChanges":true},"csr":{"type":"string","description":"The CSR\n","willReplaceOnChanges":true},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request. Can\nbe the value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e, a name, or an issuer ID. Use ACLs to prevent access to\nthe `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users\noverriding the role's \u003cspan pulumi-lang-nodejs=\"`issuerRef`\" pulumi-lang-dotnet=\"`IssuerRef`\" pulumi-lang-go=\"`issuerRef`\" pulumi-lang-python=\"`issuer_ref`\" pulumi-lang-yaml=\"`issuerRef`\" pulumi-lang-java=\"`issuerRef`\"\u003e`issuer_ref`\u003c/span\u003e value.\n"},"minSecondsRemaining":{"type":"integer","description":"Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days)\n"},"name":{"type":"string","description":"Name of the role to create the certificate against\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"ttl":{"type":"string","description":"Time to live\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true}},"requiredInputs":["backend","commonName","csr"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendSign resources.\n","properties":{"altNames":{"type":"array","items":{"type":"string"},"description":"List of alternative names\n","willReplaceOnChanges":true},"autoRenew":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, certs will be renewed if the expiration is within \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e. Default \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n"},"backend":{"type":"string","description":"The PKI secret backend the resource belongs to.\n","willReplaceOnChanges":true},"caChains":{"type":"array","items":{"type":"string"},"description":"The CA chain\n"},"certMetadata":{"type":"string","description":"A base 64 encoded value or an empty string to associate with the certificate's serial number. The role's\u003cspan pulumi-lang-nodejs=\" noStoreMetadata \" pulumi-lang-dotnet=\" NoStoreMetadata \" pulumi-lang-go=\" noStoreMetadata \" pulumi-lang-python=\" no_store_metadata \" pulumi-lang-yaml=\" noStoreMetadata \" pulumi-lang-java=\" noStoreMetadata \"\u003e no_store_metadata \u003c/span\u003emust be set to false, otherwise an error is returned when specified.\n"},"certificate":{"type":"string","description":"The certificate\n"},"commonName":{"type":"string","description":"CN of certificate to create\n","willReplaceOnChanges":true},"csr":{"type":"string","description":"The CSR\n","willReplaceOnChanges":true},"excludeCnFromSans":{"type":"boolean","description":"Flag to exclude CN from SANs\n","willReplaceOnChanges":true},"expiration":{"type":"integer","description":"The expiration date of the certificate in unix epoch format\n"},"format":{"type":"string","description":"The format of data\n","willReplaceOnChanges":true},"ipSans":{"type":"array","items":{"type":"string"},"description":"List of alternative IPs\n","willReplaceOnChanges":true},"issuerRef":{"type":"string","description":"Specifies the default issuer of this request. Can\nbe the value \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e, a name, or an issuer ID. Use ACLs to prevent access to\nthe `/pki/issuer/:issuer_ref/{issue,sign}/:name` paths to prevent users\noverriding the role's \u003cspan pulumi-lang-nodejs=\"`issuerRef`\" pulumi-lang-dotnet=\"`IssuerRef`\" pulumi-lang-go=\"`issuerRef`\" pulumi-lang-python=\"`issuer_ref`\" pulumi-lang-yaml=\"`issuerRef`\" pulumi-lang-java=\"`issuerRef`\"\u003e`issuer_ref`\u003c/span\u003e value.\n"},"issuingCa":{"type":"string","description":"The issuing CA\n"},"minSecondsRemaining":{"type":"integer","description":"Generate a new certificate when the expiration is within this number of seconds, default is 604800 (7 days)\n"},"name":{"type":"string","description":"Name of the role to create the certificate against\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notAfter":{"type":"string","description":"Set the Not After field of the certificate with specified date value. The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ. Supports the Y10K end date for IEEE 802.1AR-2018 standard devices, 9999-12-31T23:59:59Z.\n"},"otherSans":{"type":"array","items":{"type":"string"},"description":"List of other SANs\n","willReplaceOnChanges":true},"renewPending":{"type":"boolean","description":"\u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the current time (during refresh) is after the start of the early renewal window declared by \u003cspan pulumi-lang-nodejs=\"`minSecondsRemaining`\" pulumi-lang-dotnet=\"`MinSecondsRemaining`\" pulumi-lang-go=\"`minSecondsRemaining`\" pulumi-lang-python=\"`min_seconds_remaining`\" pulumi-lang-yaml=\"`minSecondsRemaining`\" pulumi-lang-java=\"`minSecondsRemaining`\"\u003e`min_seconds_remaining`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e otherwise; if \u003cspan pulumi-lang-nodejs=\"`autoRenew`\" pulumi-lang-dotnet=\"`AutoRenew`\" pulumi-lang-go=\"`autoRenew`\" pulumi-lang-python=\"`auto_renew`\" pulumi-lang-yaml=\"`autoRenew`\" pulumi-lang-java=\"`autoRenew`\"\u003e`auto_renew`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e then the provider will plan to replace the certificate once renewal is pending.\n"},"serialNumber":{"type":"string","description":"The certificate's serial number, hex formatted.\n"},"ttl":{"type":"string","description":"Time to live\n"},"uriSans":{"type":"array","items":{"type":"string"},"description":"List of alternative URIs\n","willReplaceOnChanges":true}},"type":"object"}},"vault:rabbitMq/secretBackend:SecretBackend":{"description":"\n\n## Import\n\nRabbitMQ secret backends can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:rabbitMq/secretBackend:SecretBackend rabbitmq rabbitmq\n```\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"connectionUri":{"type":"string","description":"Specifies the RabbitMQ connection URI.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"password":{"type":"string","description":"Specifies the RabbitMQ management administrator password.\nConflicts with \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e.\n","secret":true},"passwordPolicy":{"type":"string","description":"Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.\n"},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nSpecifies the RabbitMQ management administrator password. This is a write-only field and will not be read back from Vault.","secret":true},"passwordWoVersion":{"type":"integer","description":"A version counter for the write-only\u003cspan pulumi-lang-nodejs=\" passwordWo \" pulumi-lang-dotnet=\" PasswordWo \" pulumi-lang-go=\" passwordWo \" pulumi-lang-python=\" password_wo \" pulumi-lang-yaml=\" passwordWo \" pulumi-lang-java=\" passwordWo \"\u003e password_wo \u003c/span\u003efield. Incrementing this value will trigger an update to the password."},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`rabbitmq`\" pulumi-lang-dotnet=\"`Rabbitmq`\" pulumi-lang-go=\"`rabbitmq`\" pulumi-lang-python=\"`rabbitmq`\" pulumi-lang-yaml=\"`rabbitmq`\" pulumi-lang-java=\"`rabbitmq`\"\u003e`rabbitmq`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"username":{"type":"string","description":"Specifies the RabbitMQ management administrator username.\n","secret":true},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated."},"verifyConnection":{"type":"boolean","description":"Specifies whether to verify connection URI, username, and password.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","connectionUri","defaultLeaseTtlSeconds","forceNoCache","maxLeaseTtlSeconds","sealWrap","username"],"inputProperties":{"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"connectionUri":{"type":"string","description":"Specifies the RabbitMQ connection URI.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"password":{"type":"string","description":"Specifies the RabbitMQ management administrator password.\nConflicts with \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e.\n","secret":true},"passwordPolicy":{"type":"string","description":"Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.\n"},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nSpecifies the RabbitMQ management administrator password. This is a write-only field and will not be read back from Vault.","secret":true},"passwordWoVersion":{"type":"integer","description":"A version counter for the write-only\u003cspan pulumi-lang-nodejs=\" passwordWo \" pulumi-lang-dotnet=\" PasswordWo \" pulumi-lang-go=\" passwordWo \" pulumi-lang-python=\" password_wo \" pulumi-lang-yaml=\" passwordWo \" pulumi-lang-java=\" passwordWo \"\u003e password_wo \u003c/span\u003efield. Incrementing this value will trigger an update to the password."},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`rabbitmq`\" pulumi-lang-dotnet=\"`Rabbitmq`\" pulumi-lang-go=\"`rabbitmq`\" pulumi-lang-python=\"`rabbitmq`\" pulumi-lang-yaml=\"`rabbitmq`\" pulumi-lang-java=\"`rabbitmq`\"\u003e`rabbitmq`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"username":{"type":"string","description":"Specifies the RabbitMQ management administrator username.\n","secret":true},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated."},"verifyConnection":{"type":"boolean","description":"Specifies whether to verify connection URI, username, and password.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"}},"requiredInputs":["connectionUri","username"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"connectionUri":{"type":"string","description":"Specifies the RabbitMQ connection URI.\n"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"password":{"type":"string","description":"Specifies the RabbitMQ management administrator password.\nConflicts with \u003cspan pulumi-lang-nodejs=\"`passwordWo`\" pulumi-lang-dotnet=\"`PasswordWo`\" pulumi-lang-go=\"`passwordWo`\" pulumi-lang-python=\"`password_wo`\" pulumi-lang-yaml=\"`passwordWo`\" pulumi-lang-java=\"`passwordWo`\"\u003e`password_wo`\u003c/span\u003e.\n","secret":true},"passwordPolicy":{"type":"string","description":"Specifies a password policy to use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.\n"},"passwordWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\nSpecifies the RabbitMQ management administrator password. This is a write-only field and will not be read back from Vault.","secret":true},"passwordWoVersion":{"type":"integer","description":"A version counter for the write-only\u003cspan pulumi-lang-nodejs=\" passwordWo \" pulumi-lang-dotnet=\" PasswordWo \" pulumi-lang-go=\" passwordWo \" pulumi-lang-python=\" password_wo \" pulumi-lang-yaml=\" passwordWo \" pulumi-lang-java=\" passwordWo \"\u003e password_wo \u003c/span\u003efield. Incrementing this value will trigger an update to the password."},"path":{"type":"string","description":"The unique path this backend should be mounted at. Must\nnot begin or end with a `/`. Defaults to \u003cspan pulumi-lang-nodejs=\"`rabbitmq`\" pulumi-lang-dotnet=\"`Rabbitmq`\" pulumi-lang-go=\"`rabbitmq`\" pulumi-lang-python=\"`rabbitmq`\" pulumi-lang-yaml=\"`rabbitmq`\" pulumi-lang-java=\"`rabbitmq`\"\u003e`rabbitmq`\u003c/span\u003e.\n"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"username":{"type":"string","description":"Specifies the RabbitMQ management administrator username.\n","secret":true},"usernameTemplate":{"type":"string","description":"Template describing how dynamic usernames are generated."},"verifyConnection":{"type":"boolean","description":"Specifies whether to verify connection URI, username, and password.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"}},"type":"object"}},"vault:rabbitMq/secretBackendRole:SecretBackendRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst rabbitmq = new vault.rabbitmq.SecretBackend(\"rabbitmq\", {\n    connectionUri: \"https://.....\",\n    username: \"user\",\n    password: \"password\",\n});\nconst role = new vault.rabbitmq.SecretBackendRole(\"role\", {\n    backend: rabbitmq.path,\n    name: \"deploy\",\n    tags: \"tag1,tag2\",\n    vhosts: [{\n        host: \"/\",\n        configure: \"\",\n        read: \".*\",\n        write: \"\",\n    }],\n    vhostTopics: [{\n        vhosts: [{\n            topic: \"amq.topic\",\n            read: \".*\",\n            write: \"\",\n        }],\n        host: \"/\",\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nrabbitmq = vault.rabbitmq.SecretBackend(\"rabbitmq\",\n    connection_uri=\"https://.....\",\n    username=\"user\",\n    password=\"password\")\nrole = vault.rabbitmq.SecretBackendRole(\"role\",\n    backend=rabbitmq.path,\n    name=\"deploy\",\n    tags=\"tag1,tag2\",\n    vhosts=[{\n        \"host\": \"/\",\n        \"configure\": \"\",\n        \"read\": \".*\",\n        \"write\": \"\",\n    }],\n    vhost_topics=[{\n        \"vhosts\": [{\n            \"topic\": \"amq.topic\",\n            \"read\": \".*\",\n            \"write\": \"\",\n        }],\n        \"host\": \"/\",\n    }])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var rabbitmq = new Vault.RabbitMQ.SecretBackend(\"rabbitmq\", new()\n    {\n        ConnectionUri = \"https://.....\",\n        Username = \"user\",\n        Password = \"password\",\n    });\n\n    var role = new Vault.RabbitMQ.SecretBackendRole(\"role\", new()\n    {\n        Backend = rabbitmq.Path,\n        Name = \"deploy\",\n        Tags = \"tag1,tag2\",\n        Vhosts = new[]\n        {\n            new Vault.RabbitMQ.Inputs.SecretBackendRoleVhostArgs\n            {\n                Host = \"/\",\n                Configure = \"\",\n                Read = \".*\",\n                Write = \"\",\n            },\n        },\n        VhostTopics = new[]\n        {\n            new Vault.RabbitMQ.Inputs.SecretBackendRoleVhostTopicArgs\n            {\n                Vhosts = new[]\n                {\n                    new Vault.RabbitMQ.Inputs.SecretBackendRoleVhostTopicVhostArgs\n                    {\n                        Topic = \"amq.topic\",\n                        Read = \".*\",\n                        Write = \"\",\n                    },\n                },\n                Host = \"/\",\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/rabbitmq\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trabbitmq, err := rabbitmq.NewSecretBackend(ctx, \"rabbitmq\", \u0026rabbitmq.SecretBackendArgs{\n\t\t\tConnectionUri: pulumi.String(\"https://.....\"),\n\t\t\tUsername:      pulumi.String(\"user\"),\n\t\t\tPassword:      pulumi.String(\"password\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = rabbitmq.NewSecretBackendRole(ctx, \"role\", \u0026rabbitmq.SecretBackendRoleArgs{\n\t\t\tBackend: rabbitmq.Path,\n\t\t\tName:    pulumi.String(\"deploy\"),\n\t\t\tTags:    pulumi.String(\"tag1,tag2\"),\n\t\t\tVhosts: rabbitmq.SecretBackendRoleVhostArray{\n\t\t\t\t\u0026rabbitmq.SecretBackendRoleVhostArgs{\n\t\t\t\t\tHost:      pulumi.String(\"/\"),\n\t\t\t\t\tConfigure: pulumi.String(\"\"),\n\t\t\t\t\tRead:      pulumi.String(\".*\"),\n\t\t\t\t\tWrite:     pulumi.String(\"\"),\n\t\t\t\t},\n\t\t\t},\n\t\t\tVhostTopics: rabbitmq.SecretBackendRoleVhostTopicArray{\n\t\t\t\t\u0026rabbitmq.SecretBackendRoleVhostTopicArgs{\n\t\t\t\t\tVhosts: rabbitmq.SecretBackendRoleVhostTopicVhostArray{\n\t\t\t\t\t\t\u0026rabbitmq.SecretBackendRoleVhostTopicVhostArgs{\n\t\t\t\t\t\t\tTopic: pulumi.String(\"amq.topic\"),\n\t\t\t\t\t\t\tRead:  pulumi.String(\".*\"),\n\t\t\t\t\t\t\tWrite: pulumi.String(\"\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tHost: pulumi.String(\"/\"),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.rabbitMq.SecretBackend;\nimport com.pulumi.vault.rabbitMq.SecretBackendArgs;\nimport com.pulumi.vault.rabbitMq.SecretBackendRole;\nimport com.pulumi.vault.rabbitMq.SecretBackendRoleArgs;\nimport com.pulumi.vault.rabbitMq.inputs.SecretBackendRoleVhostArgs;\nimport com.pulumi.vault.rabbitMq.inputs.SecretBackendRoleVhostTopicArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var rabbitmq = new SecretBackend(\"rabbitmq\", SecretBackendArgs.builder()\n            .connectionUri(\"https://.....\")\n            .username(\"user\")\n            .password(\"password\")\n            .build());\n\n        var role = new SecretBackendRole(\"role\", SecretBackendRoleArgs.builder()\n            .backend(rabbitmq.path())\n            .name(\"deploy\")\n            .tags(\"tag1,tag2\")\n            .vhosts(SecretBackendRoleVhostArgs.builder()\n                .host(\"/\")\n                .configure(\"\")\n                .read(\".*\")\n                .write(\"\")\n                .build())\n            .vhostTopics(SecretBackendRoleVhostTopicArgs.builder()\n                .vhosts(SecretBackendRoleVhostTopicVhostArgs.builder()\n                    .topic(\"amq.topic\")\n                    .read(\".*\")\n                    .write(\"\")\n                    .build())\n                .host(\"/\")\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  rabbitmq:\n    type: vault:rabbitMq:SecretBackend\n    properties:\n      connectionUri: https://.....\n      username: user\n      password: password\n  role:\n    type: vault:rabbitMq:SecretBackendRole\n    properties:\n      backend: ${rabbitmq.path}\n      name: deploy\n      tags: tag1,tag2\n      vhosts:\n        - host: /\n          configure: \"\"\n          read: .*\n          write: \"\"\n      vhostTopics:\n        - vhosts:\n            - topic: amq.topic\n              read: .*\n              write: \"\"\n          host: /\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nRabbitMQ secret backend roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:rabbitMq/secretBackendRole:SecretBackendRole role rabbitmq/roles/deploy\n```\n","properties":{"backend":{"type":"string","description":"The path the RabbitMQ secret backend is mounted at,\nwith no leading or trailing `/`s.\n"},"name":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"tags":{"type":"string","description":"Specifies a comma-separated RabbitMQ management tags.\n"},"vhostTopics":{"type":"array","items":{"$ref":"#/types/vault:rabbitMq/SecretBackendRoleVhostTopic:SecretBackendRoleVhostTopic"},"description":"Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.\n"},"vhosts":{"type":"array","items":{"$ref":"#/types/vault:rabbitMq/SecretBackendRoleVhost:SecretBackendRoleVhost"},"description":"Specifies a map of virtual hosts to permissions.\n"}},"required":["backend","name"],"inputProperties":{"backend":{"type":"string","description":"The path the RabbitMQ secret backend is mounted at,\nwith no leading or trailing `/`s.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"tags":{"type":"string","description":"Specifies a comma-separated RabbitMQ management tags.\n"},"vhostTopics":{"type":"array","items":{"$ref":"#/types/vault:rabbitMq/SecretBackendRoleVhostTopic:SecretBackendRoleVhostTopic"},"description":"Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.\n"},"vhosts":{"type":"array","items":{"$ref":"#/types/vault:rabbitMq/SecretBackendRoleVhost:SecretBackendRoleVhost"},"description":"Specifies a map of virtual hosts to permissions.\n"}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendRole resources.\n","properties":{"backend":{"type":"string","description":"The path the RabbitMQ secret backend is mounted at,\nwith no leading or trailing `/`s.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"The name to identify this role within the backend.\nMust be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"tags":{"type":"string","description":"Specifies a comma-separated RabbitMQ management tags.\n"},"vhostTopics":{"type":"array","items":{"$ref":"#/types/vault:rabbitMq/SecretBackendRoleVhostTopic:SecretBackendRoleVhostTopic"},"description":"Specifies a map of virtual hosts and exchanges to topic permissions. This option requires RabbitMQ 3.7.0 or later.\n"},"vhosts":{"type":"array","items":{"$ref":"#/types/vault:rabbitMq/SecretBackendRoleVhost:SecretBackendRoleVhost"},"description":"Specifies a map of virtual hosts to permissions.\n"}},"type":"object"}},"vault:saml/authBackend:AuthBackend":{"description":"Manages a SAML Auth mount in a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/saml/) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.saml.AuthBackend(\"test\", {\n    path: \"saml\",\n    idpMetadataUrl: \"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\",\n    entityId: \"https://my.vault/v1/auth/saml\",\n    acsUrls: [\"https://my.vault.primary/v1/auth/saml/callback\"],\n    defaultRole: \"admin\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.saml.AuthBackend(\"test\",\n    path=\"saml\",\n    idp_metadata_url=\"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\",\n    entity_id=\"https://my.vault/v1/auth/saml\",\n    acs_urls=[\"https://my.vault.primary/v1/auth/saml/callback\"],\n    default_role=\"admin\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.Saml.AuthBackend(\"test\", new()\n    {\n        Path = \"saml\",\n        IdpMetadataUrl = \"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\",\n        EntityId = \"https://my.vault/v1/auth/saml\",\n        AcsUrls = new[]\n        {\n            \"https://my.vault.primary/v1/auth/saml/callback\",\n        },\n        DefaultRole = \"admin\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := saml.NewAuthBackend(ctx, \"test\", \u0026saml.AuthBackendArgs{\n\t\t\tPath:           pulumi.String(\"saml\"),\n\t\t\tIdpMetadataUrl: pulumi.String(\"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\"),\n\t\t\tEntityId:       pulumi.String(\"https://my.vault/v1/auth/saml\"),\n\t\t\tAcsUrls: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"https://my.vault.primary/v1/auth/saml/callback\"),\n\t\t\t},\n\t\t\tDefaultRole: pulumi.String(\"admin\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.saml.AuthBackend;\nimport com.pulumi.vault.saml.AuthBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new AuthBackend(\"test\", AuthBackendArgs.builder()\n            .path(\"saml\")\n            .idpMetadataUrl(\"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\")\n            .entityId(\"https://my.vault/v1/auth/saml\")\n            .acsUrls(\"https://my.vault.primary/v1/auth/saml/callback\")\n            .defaultRole(\"admin\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:saml:AuthBackend\n    properties:\n      path: saml\n      idpMetadataUrl: https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\n      entityId: https://my.vault/v1/auth/saml\n      acsUrls:\n        - https://my.vault.primary/v1/auth/saml/callback\n      defaultRole: admin\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nSAML authentication mounts can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:saml/authBackend:AuthBackend example saml\n```\n","properties":{"acsUrls":{"type":"array","items":{"type":"string"},"description":"The well-formatted URLs of your Assertion Consumer Service (ACS)\nthat should receive a response from the identity provider.\n"},"defaultRole":{"type":"string","description":"The role to use if no role is provided during login.\n"},"disableRemount":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"entityId":{"type":"string","description":"The entity ID of the SAML authentication service provider.\n"},"idpCert":{"type":"string","description":"The PEM encoded certificate of the identity provider. Mutually exclusive\nwith \u003cspan pulumi-lang-nodejs=\"`idpMetadataUrl`\" pulumi-lang-dotnet=\"`IdpMetadataUrl`\" pulumi-lang-go=\"`idpMetadataUrl`\" pulumi-lang-python=\"`idp_metadata_url`\" pulumi-lang-yaml=\"`idpMetadataUrl`\" pulumi-lang-java=\"`idpMetadataUrl`\"\u003e`idp_metadata_url`\u003c/span\u003e.\n"},"idpEntityId":{"type":"string","description":"The entity ID of the identity provider. Mutually exclusive with\n\u003cspan pulumi-lang-nodejs=\"`idpMetadataUrl`\" pulumi-lang-dotnet=\"`IdpMetadataUrl`\" pulumi-lang-go=\"`idpMetadataUrl`\" pulumi-lang-python=\"`idp_metadata_url`\" pulumi-lang-yaml=\"`idpMetadataUrl`\" pulumi-lang-java=\"`idpMetadataUrl`\"\u003e`idp_metadata_url`\u003c/span\u003e.\n"},"idpMetadataUrl":{"type":"string","description":"The metadata URL of the identity provider.\n"},"idpSsoUrl":{"type":"string","description":"The SSO URL of the identity provider. Mutually exclusive with \n\u003cspan pulumi-lang-nodejs=\"`idpMetadataUrl`\" pulumi-lang-dotnet=\"`IdpMetadataUrl`\" pulumi-lang-go=\"`idpMetadataUrl`\" pulumi-lang-python=\"`idp_metadata_url`\" pulumi-lang-yaml=\"`idpMetadataUrl`\" pulumi-lang-java=\"`idpMetadataUrl`\"\u003e`idp_metadata_url`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path where the auth backend will be mounted. Defaults to `auth/saml`\nif not specified.\n"},"tune":{"$ref":"#/types/vault:saml/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"validateAssertionSignature":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, validates the signature of \nthe SAML assertion. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"validateResponseSignature":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, validates the signature of \nthe SAML response. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"verboseLogging":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, logs additional, potentially sensitive\ninformation during the SAML exchange according to the current logging level. Not\nrecommended for production.\n"}},"required":["acsUrls","entityId","tune","validateAssertionSignature","validateResponseSignature","verboseLogging"],"inputProperties":{"acsUrls":{"type":"array","items":{"type":"string"},"description":"The well-formatted URLs of your Assertion Consumer Service (ACS)\nthat should receive a response from the identity provider.\n"},"defaultRole":{"type":"string","description":"The role to use if no role is provided during login.\n"},"disableRemount":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"entityId":{"type":"string","description":"The entity ID of the SAML authentication service provider.\n"},"idpCert":{"type":"string","description":"The PEM encoded certificate of the identity provider. Mutually exclusive\nwith \u003cspan pulumi-lang-nodejs=\"`idpMetadataUrl`\" pulumi-lang-dotnet=\"`IdpMetadataUrl`\" pulumi-lang-go=\"`idpMetadataUrl`\" pulumi-lang-python=\"`idp_metadata_url`\" pulumi-lang-yaml=\"`idpMetadataUrl`\" pulumi-lang-java=\"`idpMetadataUrl`\"\u003e`idp_metadata_url`\u003c/span\u003e.\n"},"idpEntityId":{"type":"string","description":"The entity ID of the identity provider. Mutually exclusive with\n\u003cspan pulumi-lang-nodejs=\"`idpMetadataUrl`\" pulumi-lang-dotnet=\"`IdpMetadataUrl`\" pulumi-lang-go=\"`idpMetadataUrl`\" pulumi-lang-python=\"`idp_metadata_url`\" pulumi-lang-yaml=\"`idpMetadataUrl`\" pulumi-lang-java=\"`idpMetadataUrl`\"\u003e`idp_metadata_url`\u003c/span\u003e.\n"},"idpMetadataUrl":{"type":"string","description":"The metadata URL of the identity provider.\n"},"idpSsoUrl":{"type":"string","description":"The SSO URL of the identity provider. Mutually exclusive with \n\u003cspan pulumi-lang-nodejs=\"`idpMetadataUrl`\" pulumi-lang-dotnet=\"`IdpMetadataUrl`\" pulumi-lang-go=\"`idpMetadataUrl`\" pulumi-lang-python=\"`idp_metadata_url`\" pulumi-lang-yaml=\"`idpMetadataUrl`\" pulumi-lang-java=\"`idpMetadataUrl`\"\u003e`idp_metadata_url`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path where the auth backend will be mounted. Defaults to `auth/saml`\nif not specified.\n","willReplaceOnChanges":true},"tune":{"$ref":"#/types/vault:saml/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"validateAssertionSignature":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, validates the signature of \nthe SAML assertion. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"validateResponseSignature":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, validates the signature of \nthe SAML response. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"verboseLogging":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, logs additional, potentially sensitive\ninformation during the SAML exchange according to the current logging level. Not\nrecommended for production.\n"}},"requiredInputs":["acsUrls","entityId"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackend resources.\n","properties":{"acsUrls":{"type":"array","items":{"type":"string"},"description":"The well-formatted URLs of your Assertion Consumer Service (ACS)\nthat should receive a response from the identity provider.\n"},"defaultRole":{"type":"string","description":"The role to use if no role is provided during login.\n"},"disableRemount":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"entityId":{"type":"string","description":"The entity ID of the SAML authentication service provider.\n"},"idpCert":{"type":"string","description":"The PEM encoded certificate of the identity provider. Mutually exclusive\nwith \u003cspan pulumi-lang-nodejs=\"`idpMetadataUrl`\" pulumi-lang-dotnet=\"`IdpMetadataUrl`\" pulumi-lang-go=\"`idpMetadataUrl`\" pulumi-lang-python=\"`idp_metadata_url`\" pulumi-lang-yaml=\"`idpMetadataUrl`\" pulumi-lang-java=\"`idpMetadataUrl`\"\u003e`idp_metadata_url`\u003c/span\u003e.\n"},"idpEntityId":{"type":"string","description":"The entity ID of the identity provider. Mutually exclusive with\n\u003cspan pulumi-lang-nodejs=\"`idpMetadataUrl`\" pulumi-lang-dotnet=\"`IdpMetadataUrl`\" pulumi-lang-go=\"`idpMetadataUrl`\" pulumi-lang-python=\"`idp_metadata_url`\" pulumi-lang-yaml=\"`idpMetadataUrl`\" pulumi-lang-java=\"`idpMetadataUrl`\"\u003e`idp_metadata_url`\u003c/span\u003e.\n"},"idpMetadataUrl":{"type":"string","description":"The metadata URL of the identity provider.\n"},"idpSsoUrl":{"type":"string","description":"The SSO URL of the identity provider. Mutually exclusive with \n\u003cspan pulumi-lang-nodejs=\"`idpMetadataUrl`\" pulumi-lang-dotnet=\"`IdpMetadataUrl`\" pulumi-lang-go=\"`idpMetadataUrl`\" pulumi-lang-python=\"`idp_metadata_url`\" pulumi-lang-yaml=\"`idpMetadataUrl`\" pulumi-lang-java=\"`idpMetadataUrl`\"\u003e`idp_metadata_url`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path where the auth backend will be mounted. Defaults to `auth/saml`\nif not specified.\n","willReplaceOnChanges":true},"tune":{"$ref":"#/types/vault:saml/AuthBackendTune:AuthBackendTune","description":"Extra configuration block. Structure is documented below.\n\nThe \u003cspan pulumi-lang-nodejs=\"`tune`\" pulumi-lang-dotnet=\"`Tune`\" pulumi-lang-go=\"`tune`\" pulumi-lang-python=\"`tune`\" pulumi-lang-yaml=\"`tune`\" pulumi-lang-java=\"`tune`\"\u003e`tune`\u003c/span\u003e block is used to tune the auth backend:\n"},"validateAssertionSignature":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, validates the signature of \nthe SAML assertion. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"validateResponseSignature":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, validates the signature of \nthe SAML response. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"verboseLogging":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, logs additional, potentially sensitive\ninformation during the SAML exchange according to the current logging level. Not\nrecommended for production.\n"}},"type":"object"}},"vault:saml/authBackendRole:AuthBackendRole":{"description":"Manages an SAML auth backend role in a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/saml.html) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.saml.AuthBackend(\"example\", {\n    path: \"saml\",\n    idpMetadataUrl: \"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\",\n    entityId: \"https://my.vault/v1/auth/saml\",\n    acsUrls: [\"https://my.vault.primary/v1/auth/saml/callback\"],\n    defaultRole: \"default-role\",\n});\nconst exampleAuthBackendRole = new vault.saml.AuthBackendRole(\"example\", {\n    path: example.path,\n    name: \"my-role\",\n    groupsAttribute: \"groups\",\n    boundAttributes: {\n        group: \"admin\",\n    },\n    boundSubjects: [\"*example.com\"],\n    tokenPolicies: [\"writer\"],\n    tokenTtl: 86400,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.saml.AuthBackend(\"example\",\n    path=\"saml\",\n    idp_metadata_url=\"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\",\n    entity_id=\"https://my.vault/v1/auth/saml\",\n    acs_urls=[\"https://my.vault.primary/v1/auth/saml/callback\"],\n    default_role=\"default-role\")\nexample_auth_backend_role = vault.saml.AuthBackendRole(\"example\",\n    path=example.path,\n    name=\"my-role\",\n    groups_attribute=\"groups\",\n    bound_attributes={\n        \"group\": \"admin\",\n    },\n    bound_subjects=[\"*example.com\"],\n    token_policies=[\"writer\"],\n    token_ttl=86400)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Saml.AuthBackend(\"example\", new()\n    {\n        Path = \"saml\",\n        IdpMetadataUrl = \"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\",\n        EntityId = \"https://my.vault/v1/auth/saml\",\n        AcsUrls = new[]\n        {\n            \"https://my.vault.primary/v1/auth/saml/callback\",\n        },\n        DefaultRole = \"default-role\",\n    });\n\n    var exampleAuthBackendRole = new Vault.Saml.AuthBackendRole(\"example\", new()\n    {\n        Path = example.Path,\n        Name = \"my-role\",\n        GroupsAttribute = \"groups\",\n        BoundAttributes = \n        {\n            { \"group\", \"admin\" },\n        },\n        BoundSubjects = new[]\n        {\n            \"*example.com\",\n        },\n        TokenPolicies = new[]\n        {\n            \"writer\",\n        },\n        TokenTtl = 86400,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/saml\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := saml.NewAuthBackend(ctx, \"example\", \u0026saml.AuthBackendArgs{\n\t\t\tPath:           pulumi.String(\"saml\"),\n\t\t\tIdpMetadataUrl: pulumi.String(\"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\"),\n\t\t\tEntityId:       pulumi.String(\"https://my.vault/v1/auth/saml\"),\n\t\t\tAcsUrls: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"https://my.vault.primary/v1/auth/saml/callback\"),\n\t\t\t},\n\t\t\tDefaultRole: pulumi.String(\"default-role\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = saml.NewAuthBackendRole(ctx, \"example\", \u0026saml.AuthBackendRoleArgs{\n\t\t\tPath:            example.Path,\n\t\t\tName:            pulumi.String(\"my-role\"),\n\t\t\tGroupsAttribute: pulumi.String(\"groups\"),\n\t\t\tBoundAttributes: pulumi.StringMap{\n\t\t\t\t\"group\": pulumi.String(\"admin\"),\n\t\t\t},\n\t\t\tBoundSubjects: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*example.com\"),\n\t\t\t},\n\t\t\tTokenPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"writer\"),\n\t\t\t},\n\t\t\tTokenTtl: pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.saml.AuthBackend;\nimport com.pulumi.vault.saml.AuthBackendArgs;\nimport com.pulumi.vault.saml.AuthBackendRole;\nimport com.pulumi.vault.saml.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackend(\"example\", AuthBackendArgs.builder()\n            .path(\"saml\")\n            .idpMetadataUrl(\"https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\")\n            .entityId(\"https://my.vault/v1/auth/saml\")\n            .acsUrls(\"https://my.vault.primary/v1/auth/saml/callback\")\n            .defaultRole(\"default-role\")\n            .build());\n\n        var exampleAuthBackendRole = new AuthBackendRole(\"exampleAuthBackendRole\", AuthBackendRoleArgs.builder()\n            .path(example.path())\n            .name(\"my-role\")\n            .groupsAttribute(\"groups\")\n            .boundAttributes(Map.of(\"group\", \"admin\"))\n            .boundSubjects(\"*example.com\")\n            .tokenPolicies(\"writer\")\n            .tokenTtl(86400)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:saml:AuthBackend\n    properties:\n      path: saml\n      idpMetadataUrl: https://company.okta.com/app/abc123eb9xnIfzlaf697/sso/saml/metadata\n      entityId: https://my.vault/v1/auth/saml\n      acsUrls:\n        - https://my.vault.primary/v1/auth/saml/callback\n      defaultRole: default-role\n  exampleAuthBackendRole:\n    type: vault:saml:AuthBackendRole\n    name: example\n    properties:\n      path: ${example.path}\n      name: my-role\n      groupsAttribute: groups\n      boundAttributes:\n        group: admin\n      boundSubjects:\n        - '*example.com'\n      tokenPolicies:\n        - writer\n      tokenTtl: 86400\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nSAML authentication backend roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:saml/authBackendRole:AuthBackendRole example auth/saml/role/my-role\n```\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"boundAttributes":{"type":"object","additionalProperties":{"type":"string"},"description":"Mapping of attribute names to values that are expected to\nexist in the SAML assertion.\n"},"boundAttributesType":{"type":"string","description":"The type of matching assertion to perform on\n\u003cspan pulumi-lang-nodejs=\"`boundAttributesType`\" pulumi-lang-dotnet=\"`BoundAttributesType`\" pulumi-lang-go=\"`boundAttributesType`\" pulumi-lang-python=\"`bound_attributes_type`\" pulumi-lang-yaml=\"`boundAttributesType`\" pulumi-lang-java=\"`boundAttributesType`\"\u003e`bound_attributes_type`\u003c/span\u003e.\n"},"boundSubjects":{"type":"array","items":{"type":"string"},"description":"List of subjects being asserted for SAML authentication.\n"},"boundSubjectsType":{"type":"string","description":"The type of matching assertion to perform on \u003cspan pulumi-lang-nodejs=\"`boundSubjects`\" pulumi-lang-dotnet=\"`BoundSubjects`\" pulumi-lang-go=\"`boundSubjects`\" pulumi-lang-python=\"`bound_subjects`\" pulumi-lang-yaml=\"`boundSubjects`\" pulumi-lang-java=\"`boundSubjects`\"\u003e`bound_subjects`\u003c/span\u003e.\n"},"groupsAttribute":{"type":"string","description":"The attribute to use to identify the set of groups to which the\nuser belongs.\n"},"name":{"type":"string","description":"Unique name of the role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path where the auth backend is mounted.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["boundAttributesType","boundSubjectsType","name","path"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"boundAttributes":{"type":"object","additionalProperties":{"type":"string"},"description":"Mapping of attribute names to values that are expected to\nexist in the SAML assertion.\n"},"boundAttributesType":{"type":"string","description":"The type of matching assertion to perform on\n\u003cspan pulumi-lang-nodejs=\"`boundAttributesType`\" pulumi-lang-dotnet=\"`BoundAttributesType`\" pulumi-lang-go=\"`boundAttributesType`\" pulumi-lang-python=\"`bound_attributes_type`\" pulumi-lang-yaml=\"`boundAttributesType`\" pulumi-lang-java=\"`boundAttributesType`\"\u003e`bound_attributes_type`\u003c/span\u003e.\n"},"boundSubjects":{"type":"array","items":{"type":"string"},"description":"List of subjects being asserted for SAML authentication.\n"},"boundSubjectsType":{"type":"string","description":"The type of matching assertion to perform on \u003cspan pulumi-lang-nodejs=\"`boundSubjects`\" pulumi-lang-dotnet=\"`BoundSubjects`\" pulumi-lang-go=\"`boundSubjects`\" pulumi-lang-python=\"`bound_subjects`\" pulumi-lang-yaml=\"`boundSubjects`\" pulumi-lang-java=\"`boundSubjects`\"\u003e`bound_subjects`\u003c/span\u003e.\n"},"groupsAttribute":{"type":"string","description":"The attribute to use to identify the set of groups to which the\nuser belongs.\n"},"name":{"type":"string","description":"Unique name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path where the auth backend is mounted.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"requiredInputs":["path"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"boundAttributes":{"type":"object","additionalProperties":{"type":"string"},"description":"Mapping of attribute names to values that are expected to\nexist in the SAML assertion.\n"},"boundAttributesType":{"type":"string","description":"The type of matching assertion to perform on\n\u003cspan pulumi-lang-nodejs=\"`boundAttributesType`\" pulumi-lang-dotnet=\"`BoundAttributesType`\" pulumi-lang-go=\"`boundAttributesType`\" pulumi-lang-python=\"`bound_attributes_type`\" pulumi-lang-yaml=\"`boundAttributesType`\" pulumi-lang-java=\"`boundAttributesType`\"\u003e`bound_attributes_type`\u003c/span\u003e.\n"},"boundSubjects":{"type":"array","items":{"type":"string"},"description":"List of subjects being asserted for SAML authentication.\n"},"boundSubjectsType":{"type":"string","description":"The type of matching assertion to perform on \u003cspan pulumi-lang-nodejs=\"`boundSubjects`\" pulumi-lang-dotnet=\"`BoundSubjects`\" pulumi-lang-go=\"`boundSubjects`\" pulumi-lang-python=\"`bound_subjects`\" pulumi-lang-yaml=\"`boundSubjects`\" pulumi-lang-java=\"`boundSubjects`\"\u003e`bound_subjects`\u003c/span\u003e.\n"},"groupsAttribute":{"type":"string","description":"The attribute to use to identify the set of groups to which the\nuser belongs.\n"},"name":{"type":"string","description":"Unique name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path where the auth backend is mounted.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:secrets/syncAssociation:SyncAssociation":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv2 = new vault.Mount(\"kvv2\", {\n    path: \"kvv2\",\n    type: \"kv\",\n    options: {\n        version: \"2\",\n    },\n    description: \"KV Version 2 secret engine mount\",\n});\nconst token = new vault.kv.SecretV2(\"token\", {\n    mount: kvv2.path,\n    name: \"token\",\n    dataJson: JSON.stringify({\n        dev: \"B!gS3cr3t\",\n        prod: \"S3cureP4$$\",\n    }),\n});\nconst gh = new vault.secrets.SyncGhDestination(\"gh\", {\n    name: \"gh-dest\",\n    accessToken: accessToken,\n    repositoryOwner: repoOwner,\n    repositoryName: \"repo-name-example\",\n    secretNameTemplate: \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n});\nconst ghToken = new vault.secrets.SyncAssociation(\"gh_token\", {\n    name: gh.name,\n    type: gh.type,\n    mount: kvv2.path,\n    secretName: token.name,\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv2 = vault.Mount(\"kvv2\",\n    path=\"kvv2\",\n    type=\"kv\",\n    options={\n        \"version\": \"2\",\n    },\n    description=\"KV Version 2 secret engine mount\")\ntoken = vault.kv.SecretV2(\"token\",\n    mount=kvv2.path,\n    name=\"token\",\n    data_json=json.dumps({\n        \"dev\": \"B!gS3cr3t\",\n        \"prod\": \"S3cureP4$$\",\n    }))\ngh = vault.secrets.SyncGhDestination(\"gh\",\n    name=\"gh-dest\",\n    access_token=access_token,\n    repository_owner=repo_owner,\n    repository_name=\"repo-name-example\",\n    secret_name_template=\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\")\ngh_token = vault.secrets.SyncAssociation(\"gh_token\",\n    name=gh.name,\n    type=gh.type,\n    mount=kvv2.path,\n    secret_name=token.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv2 = new Vault.Mount(\"kvv2\", new()\n    {\n        Path = \"kvv2\",\n        Type = \"kv\",\n        Options = \n        {\n            { \"version\", \"2\" },\n        },\n        Description = \"KV Version 2 secret engine mount\",\n    });\n\n    var token = new Vault.Kv.SecretV2(\"token\", new()\n    {\n        Mount = kvv2.Path,\n        Name = \"token\",\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"dev\"] = \"B!gS3cr3t\",\n            [\"prod\"] = \"S3cureP4$$\",\n        }),\n    });\n\n    var gh = new Vault.Secrets.SyncGhDestination(\"gh\", new()\n    {\n        Name = \"gh-dest\",\n        AccessToken = accessToken,\n        RepositoryOwner = repoOwner,\n        RepositoryName = \"repo-name-example\",\n        SecretNameTemplate = \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    });\n\n    var ghToken = new Vault.Secrets.SyncAssociation(\"gh_token\", new()\n    {\n        Name = gh.Name,\n        Type = gh.Type,\n        Mount = kvv2.Path,\n        SecretName = token.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kv\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv2, err := vault.NewMount(ctx, \"kvv2\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv2\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 2 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"dev\":  \"B!gS3cr3t\",\n\t\t\t\"prod\": \"S3cureP4$$\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\ttoken, err := kv.NewSecretV2(ctx, \"token\", \u0026kv.SecretV2Args{\n\t\t\tMount:    kvv2.Path,\n\t\t\tName:     pulumi.String(\"token\"),\n\t\t\tDataJson: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgh, err := secrets.NewSyncGhDestination(ctx, \"gh\", \u0026secrets.SyncGhDestinationArgs{\n\t\t\tName:               pulumi.String(\"gh-dest\"),\n\t\t\tAccessToken:        pulumi.Any(accessToken),\n\t\t\tRepositoryOwner:    pulumi.Any(repoOwner),\n\t\t\tRepositoryName:     pulumi.String(\"repo-name-example\"),\n\t\t\tSecretNameTemplate: pulumi.String(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = secrets.NewSyncAssociation(ctx, \"gh_token\", \u0026secrets.SyncAssociationArgs{\n\t\t\tName:       gh.Name,\n\t\t\tType:       gh.Type,\n\t\t\tMount:      kvv2.Path,\n\t\t\tSecretName: token.Name,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.SecretV2;\nimport com.pulumi.vault.kv.SecretV2Args;\nimport com.pulumi.vault.secrets.SyncGhDestination;\nimport com.pulumi.vault.secrets.SyncGhDestinationArgs;\nimport com.pulumi.vault.secrets.SyncAssociation;\nimport com.pulumi.vault.secrets.SyncAssociationArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv2 = new Mount(\"kvv2\", MountArgs.builder()\n            .path(\"kvv2\")\n            .type(\"kv\")\n            .options(Map.of(\"version\", \"2\"))\n            .description(\"KV Version 2 secret engine mount\")\n            .build());\n\n        var token = new SecretV2(\"token\", SecretV2Args.builder()\n            .mount(kvv2.path())\n            .name(\"token\")\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"dev\", \"B!gS3cr3t\"),\n                    jsonProperty(\"prod\", \"S3cureP4$$\")\n                )))\n            .build());\n\n        var gh = new SyncGhDestination(\"gh\", SyncGhDestinationArgs.builder()\n            .name(\"gh-dest\")\n            .accessToken(accessToken)\n            .repositoryOwner(repoOwner)\n            .repositoryName(\"repo-name-example\")\n            .secretNameTemplate(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\")\n            .build());\n\n        var ghToken = new SyncAssociation(\"ghToken\", SyncAssociationArgs.builder()\n            .name(gh.name())\n            .type(gh.type())\n            .mount(kvv2.path())\n            .secretName(token.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kvv2:\n    type: vault:Mount\n    properties:\n      path: kvv2\n      type: kv\n      options:\n        version: '2'\n      description: KV Version 2 secret engine mount\n  token:\n    type: vault:kv:SecretV2\n    properties:\n      mount: ${kvv2.path}\n      name: token\n      dataJson:\n        fn::toJSON:\n          dev: B!gS3cr3t\n          prod: S3cureP4$$\n  gh:\n    type: vault:secrets:SyncGhDestination\n    properties:\n      name: gh-dest\n      accessToken: ${accessToken}\n      repositoryOwner: ${repoOwner}\n      repositoryName: repo-name-example\n      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\n  ghToken:\n    type: vault:secrets:SyncAssociation\n    name: gh_token\n    properties:\n      name: ${gh.name}\n      type: ${gh.type}\n      mount: ${kvv2.path}\n      secretName: ${token.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"metadatas":{"type":"array","items":{"$ref":"#/types/vault:secrets/SyncAssociationMetadata:SyncAssociationMetadata"},"description":"Metadata for each subkey of the associated secret."},"mount":{"type":"string","description":"Specifies the mount where the secret is located.\n"},"name":{"type":"string","description":"Specifies the name of the destination.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n"},"secretName":{"type":"string","description":"Specifies the name of the secret to synchronize.\n"},"type":{"type":"string","description":"Specifies the destination type.\n"}},"required":["metadatas","mount","name","secretName","type"],"inputProperties":{"mount":{"type":"string","description":"Specifies the mount where the secret is located.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"Specifies the name of the destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"secretName":{"type":"string","description":"Specifies the name of the secret to synchronize.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Specifies the destination type.\n","willReplaceOnChanges":true}},"requiredInputs":["mount","secretName","type"],"stateInputs":{"description":"Input properties used for looking up and filtering SyncAssociation resources.\n","properties":{"metadatas":{"type":"array","items":{"$ref":"#/types/vault:secrets/SyncAssociationMetadata:SyncAssociationMetadata"},"description":"Metadata for each subkey of the associated secret."},"mount":{"type":"string","description":"Specifies the mount where the secret is located.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"Specifies the name of the destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"secretName":{"type":"string","description":"Specifies the name of the secret to synchronize.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"Specifies the destination type.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:secrets/syncAwsDestination:SyncAwsDestination":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.secrets.SyncAwsDestination(\"aws\", {\n    name: \"aws-dest\",\n    accessKeyId: accessKeyId,\n    secretAccessKey: secretAccessKey,\n    region: \"us-east-1\",\n    roleArn: \"role-arn\",\n    externalId: \"external-id\",\n    secretNameTemplate: \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    customTags: {\n        foo: \"bar\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.secrets.SyncAwsDestination(\"aws\",\n    name=\"aws-dest\",\n    access_key_id=access_key_id,\n    secret_access_key=secret_access_key,\n    region=\"us-east-1\",\n    role_arn=\"role-arn\",\n    external_id=\"external-id\",\n    secret_name_template=\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    custom_tags={\n        \"foo\": \"bar\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.Secrets.SyncAwsDestination(\"aws\", new()\n    {\n        Name = \"aws-dest\",\n        AccessKeyId = accessKeyId,\n        SecretAccessKey = secretAccessKey,\n        Region = \"us-east-1\",\n        RoleArn = \"role-arn\",\n        ExternalId = \"external-id\",\n        SecretNameTemplate = \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n        CustomTags = \n        {\n            { \"foo\", \"bar\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := secrets.NewSyncAwsDestination(ctx, \"aws\", \u0026secrets.SyncAwsDestinationArgs{\n\t\t\tName:               pulumi.String(\"aws-dest\"),\n\t\t\tAccessKeyId:        pulumi.Any(accessKeyId),\n\t\t\tSecretAccessKey:    pulumi.Any(secretAccessKey),\n\t\t\tRegion:             pulumi.String(\"us-east-1\"),\n\t\t\tRoleArn:            pulumi.String(\"role-arn\"),\n\t\t\tExternalId:         pulumi.String(\"external-id\"),\n\t\t\tSecretNameTemplate: pulumi.String(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\"),\n\t\t\tCustomTags: pulumi.StringMap{\n\t\t\t\t\"foo\": pulumi.String(\"bar\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncAwsDestination;\nimport com.pulumi.vault.secrets.SyncAwsDestinationArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new SyncAwsDestination(\"aws\", SyncAwsDestinationArgs.builder()\n            .name(\"aws-dest\")\n            .accessKeyId(accessKeyId)\n            .secretAccessKey(secretAccessKey)\n            .region(\"us-east-1\")\n            .roleArn(\"role-arn\")\n            .externalId(\"external-id\")\n            .secretNameTemplate(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\")\n            .customTags(Map.of(\"foo\", \"bar\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:secrets:SyncAwsDestination\n    properties:\n      name: aws-dest\n      accessKeyId: ${accessKeyId}\n      secretAccessKey: ${secretAccessKey}\n      region: us-east-1\n      roleArn: role-arn\n      externalId: external-id\n      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\n      customTags:\n        foo: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example with Networking Restrictions\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst awsRestricted = new vault.secrets.SyncAwsDestination(\"aws_restricted\", {\n    name: \"aws-dest-restricted\",\n    accessKeyId: accessKeyId,\n    secretAccessKey: secretAccessKey,\n    region: \"us-east-1\",\n    allowedIpv4Addresses: [\n        \"192.168.1.0/24\",\n        \"10.0.0.0/8\",\n    ],\n    allowedIpv6Addresses: [\"2001:db8::/32\"],\n    allowedPorts: [\n        443,\n        8200,\n    ],\n    disableStrictNetworking: false,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws_restricted = vault.secrets.SyncAwsDestination(\"aws_restricted\",\n    name=\"aws-dest-restricted\",\n    access_key_id=access_key_id,\n    secret_access_key=secret_access_key,\n    region=\"us-east-1\",\n    allowed_ipv4_addresses=[\n        \"192.168.1.0/24\",\n        \"10.0.0.0/8\",\n    ],\n    allowed_ipv6_addresses=[\"2001:db8::/32\"],\n    allowed_ports=[\n        443,\n        8200,\n    ],\n    disable_strict_networking=False)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var awsRestricted = new Vault.Secrets.SyncAwsDestination(\"aws_restricted\", new()\n    {\n        Name = \"aws-dest-restricted\",\n        AccessKeyId = accessKeyId,\n        SecretAccessKey = secretAccessKey,\n        Region = \"us-east-1\",\n        AllowedIpv4Addresses = new[]\n        {\n            \"192.168.1.0/24\",\n            \"10.0.0.0/8\",\n        },\n        AllowedIpv6Addresses = new[]\n        {\n            \"2001:db8::/32\",\n        },\n        AllowedPorts = new[]\n        {\n            443,\n            8200,\n        },\n        DisableStrictNetworking = false,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := secrets.NewSyncAwsDestination(ctx, \"aws_restricted\", \u0026secrets.SyncAwsDestinationArgs{\n\t\t\tName:            pulumi.String(\"aws-dest-restricted\"),\n\t\t\tAccessKeyId:     pulumi.Any(accessKeyId),\n\t\t\tSecretAccessKey: pulumi.Any(secretAccessKey),\n\t\t\tRegion:          pulumi.String(\"us-east-1\"),\n\t\t\tAllowedIpv4Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"192.168.1.0/24\"),\n\t\t\t\tpulumi.String(\"10.0.0.0/8\"),\n\t\t\t},\n\t\t\tAllowedIpv6Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"2001:db8::/32\"),\n\t\t\t},\n\t\t\tAllowedPorts: pulumi.IntArray{\n\t\t\t\tpulumi.Int(443),\n\t\t\t\tpulumi.Int(8200),\n\t\t\t},\n\t\t\tDisableStrictNetworking: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncAwsDestination;\nimport com.pulumi.vault.secrets.SyncAwsDestinationArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var awsRestricted = new SyncAwsDestination(\"awsRestricted\", SyncAwsDestinationArgs.builder()\n            .name(\"aws-dest-restricted\")\n            .accessKeyId(accessKeyId)\n            .secretAccessKey(secretAccessKey)\n            .region(\"us-east-1\")\n            .allowedIpv4Addresses(            \n                \"192.168.1.0/24\",\n                \"10.0.0.0/8\")\n            .allowedIpv6Addresses(\"2001:db8::/32\")\n            .allowedPorts(            \n                443,\n                8200)\n            .disableStrictNetworking(false)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  awsRestricted:\n    type: vault:secrets:SyncAwsDestination\n    name: aws_restricted\n    properties:\n      name: aws-dest-restricted\n      accessKeyId: ${accessKeyId}\n      secretAccessKey: ${secretAccessKey}\n      region: us-east-1\n      allowedIpv4Addresses:\n        - 192.168.1.0/24\n        - 10.0.0.0/8\n      allowedIpv6Addresses:\n        - 2001:db8::/32\n      allowedPorts:\n        - 443\n        - 8200\n      disableStrictNetworking: false\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAWS Secrets sync destinations can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:secrets/syncAwsDestination:SyncAwsDestination aws aws-dest\n```\n","properties":{"accessKeyId":{"type":"string","description":"Access key id to authenticate against the AWS secrets manager.\nCan be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment\nvariable.\n"},"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv4 addresses for outbound connections from Vault to AWS Secrets Manager.\nCan also be set via an IP address range using CIDR notation. For example: `[\"192.168.1.0/24\", \"10.0.0.0/8\"]`.\n**Requires Vault 1.19.0+**.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv6 addresses for outbound connections from Vault to AWS Secrets Manager.\nCan also be set via an IP address range using CIDR notation. For example: `[\"2001:db8::/32\"]`.\n**Requires Vault 1.19.0+**.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Allowed ports for outbound connections from Vault to AWS Secrets Manager.\nFor example: `[443, 8200]`.\n**Requires Vault 1.19.0+**.\n"},"customTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom tags to set on the secret managed at the destination.\n"},"disableStrictNetworking":{"type":"boolean","description":"Disable strict networking mode. When set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, Vault will not enforce\nallowed IP addresses and ports. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n**Requires Vault 1.19.0+**.\n"},"externalId":{"type":"string","description":"Optional extra protection that must match the trust policy granting access to the\nAWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.\nThe field is mutable with no special condition, but users must be careful that the new value fits with the trust\nrelationship condition they set on AWS otherwise sync operations will start to fail due to client-side access\ndenied errors. Ignored if the \u003cspan pulumi-lang-nodejs=\"`roleArn`\" pulumi-lang-dotnet=\"`RoleArn`\" pulumi-lang-go=\"`roleArn`\" pulumi-lang-python=\"`role_arn`\" pulumi-lang-yaml=\"`roleArn`\" pulumi-lang-java=\"`roleArn`\"\u003e`role_arn`\u003c/span\u003e field is empty.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource \nat the destination. Supports `secret-path` and `secret-key`.\n"},"name":{"type":"string","description":"Unique name of the AWS destination.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n"},"region":{"type":"string","description":"Region where to manage the secrets manager entries.\nCan be omitted and directly provided to Vault using the `AWS_REGION` environment\nvariable.\n"},"roleArn":{"type":"string","description":"Specifies a role to assume when connecting to AWS. When assuming a role, \nVault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must\nexist for Vault to be able to assume this role. The role can be in a different account.\nThe value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.\nIt is possible to provide both an access key pair and a role to assume.\n"},"secretAccessKey":{"type":"string","description":"Secret access key to authenticate against the AWS secrets manager.\nCan be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment\nvariable.\n","secret":true},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"type":{"type":"string","description":"The type of the secrets destination (`aws-sm`).\n"}},"required":["name","secretNameTemplate","type"],"inputProperties":{"accessKeyId":{"type":"string","description":"Access key id to authenticate against the AWS secrets manager.\nCan be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment\nvariable.\n"},"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv4 addresses for outbound connections from Vault to AWS Secrets Manager.\nCan also be set via an IP address range using CIDR notation. For example: `[\"192.168.1.0/24\", \"10.0.0.0/8\"]`.\n**Requires Vault 1.19.0+**.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv6 addresses for outbound connections from Vault to AWS Secrets Manager.\nCan also be set via an IP address range using CIDR notation. For example: `[\"2001:db8::/32\"]`.\n**Requires Vault 1.19.0+**.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Allowed ports for outbound connections from Vault to AWS Secrets Manager.\nFor example: `[443, 8200]`.\n**Requires Vault 1.19.0+**.\n"},"customTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom tags to set on the secret managed at the destination.\n"},"disableStrictNetworking":{"type":"boolean","description":"Disable strict networking mode. When set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, Vault will not enforce\nallowed IP addresses and ports. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n**Requires Vault 1.19.0+**.\n"},"externalId":{"type":"string","description":"Optional extra protection that must match the trust policy granting access to the\nAWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.\nThe field is mutable with no special condition, but users must be careful that the new value fits with the trust\nrelationship condition they set on AWS otherwise sync operations will start to fail due to client-side access\ndenied errors. Ignored if the \u003cspan pulumi-lang-nodejs=\"`roleArn`\" pulumi-lang-dotnet=\"`RoleArn`\" pulumi-lang-go=\"`roleArn`\" pulumi-lang-python=\"`role_arn`\" pulumi-lang-yaml=\"`roleArn`\" pulumi-lang-java=\"`roleArn`\"\u003e`role_arn`\u003c/span\u003e field is empty.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource \nat the destination. Supports `secret-path` and `secret-key`.\n"},"name":{"type":"string","description":"Unique name of the AWS destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"region":{"type":"string","description":"Region where to manage the secrets manager entries.\nCan be omitted and directly provided to Vault using the `AWS_REGION` environment\nvariable.\n","willReplaceOnChanges":true},"roleArn":{"type":"string","description":"Specifies a role to assume when connecting to AWS. When assuming a role, \nVault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must\nexist for Vault to be able to assume this role. The role can be in a different account.\nThe value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.\nIt is possible to provide both an access key pair and a role to assume.\n"},"secretAccessKey":{"type":"string","description":"Secret access key to authenticate against the AWS secrets manager.\nCan be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment\nvariable.\n","secret":true},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering SyncAwsDestination resources.\n","properties":{"accessKeyId":{"type":"string","description":"Access key id to authenticate against the AWS secrets manager.\nCan be omitted and directly provided to Vault using the `AWS_ACCESS_KEY_ID` environment\nvariable.\n"},"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv4 addresses for outbound connections from Vault to AWS Secrets Manager.\nCan also be set via an IP address range using CIDR notation. For example: `[\"192.168.1.0/24\", \"10.0.0.0/8\"]`.\n**Requires Vault 1.19.0+**.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv6 addresses for outbound connections from Vault to AWS Secrets Manager.\nCan also be set via an IP address range using CIDR notation. For example: `[\"2001:db8::/32\"]`.\n**Requires Vault 1.19.0+**.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Allowed ports for outbound connections from Vault to AWS Secrets Manager.\nFor example: `[443, 8200]`.\n**Requires Vault 1.19.0+**.\n"},"customTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom tags to set on the secret managed at the destination.\n"},"disableStrictNetworking":{"type":"boolean","description":"Disable strict networking mode. When set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, Vault will not enforce\nallowed IP addresses and ports. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n**Requires Vault 1.19.0+**.\n"},"externalId":{"type":"string","description":"Optional extra protection that must match the trust policy granting access to the\nAWS IAM role ARN. We recommend using a different random UUID per destination. The value is generated by users.\nThe field is mutable with no special condition, but users must be careful that the new value fits with the trust\nrelationship condition they set on AWS otherwise sync operations will start to fail due to client-side access\ndenied errors. Ignored if the \u003cspan pulumi-lang-nodejs=\"`roleArn`\" pulumi-lang-dotnet=\"`RoleArn`\" pulumi-lang-go=\"`roleArn`\" pulumi-lang-python=\"`role_arn`\" pulumi-lang-yaml=\"`roleArn`\" pulumi-lang-java=\"`roleArn`\"\u003e`role_arn`\u003c/span\u003e field is empty.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource \nat the destination. Supports `secret-path` and `secret-key`.\n"},"name":{"type":"string","description":"Unique name of the AWS destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"region":{"type":"string","description":"Region where to manage the secrets manager entries.\nCan be omitted and directly provided to Vault using the `AWS_REGION` environment\nvariable.\n","willReplaceOnChanges":true},"roleArn":{"type":"string","description":"Specifies a role to assume when connecting to AWS. When assuming a role, \nVault uses temporary STS credentials to authenticate. An initial session with the proper trust relationship must\nexist for Vault to be able to assume this role. The role can be in a different account.\nThe value is mutable as long as the new role targets the same AWS account ID. If not, the BE will return an error.\nIt is possible to provide both an access key pair and a role to assume.\n"},"secretAccessKey":{"type":"string","description":"Secret access key to authenticate against the AWS secrets manager.\nCan be omitted and directly provided to Vault using the `AWS_SECRET_ACCESS_KEY` environment\nvariable.\n","secret":true},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"type":{"type":"string","description":"The type of the secrets destination (`aws-sm`).\n","willReplaceOnChanges":true}},"type":"object"}},"vault:secrets/syncAzureDestination:SyncAzureDestination":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst az = new vault.secrets.SyncAzureDestination(\"az\", {\n    name: \"az-dest\",\n    keyVaultUri: keyVaultUri,\n    clientId: clientId,\n    clientSecret: clientSecret,\n    tenantId: tenantId,\n    secretNameTemplate: \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    allowedIpv4Addresses: [\n        \"192.168.1.1/24\",\n        \"10.0.0.1/8\",\n    ],\n    allowedIpv6Addresses: [\"2001:db9::/32\"],\n    allowedPorts: [\n        443,\n        9443,\n    ],\n    disableStrictNetworking: false,\n    customTags: {\n        foo: \"bar\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naz = vault.secrets.SyncAzureDestination(\"az\",\n    name=\"az-dest\",\n    key_vault_uri=key_vault_uri,\n    client_id=client_id,\n    client_secret=client_secret,\n    tenant_id=tenant_id,\n    secret_name_template=\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    allowed_ipv4_addresses=[\n        \"192.168.1.1/24\",\n        \"10.0.0.1/8\",\n    ],\n    allowed_ipv6_addresses=[\"2001:db9::/32\"],\n    allowed_ports=[\n        443,\n        9443,\n    ],\n    disable_strict_networking=False,\n    custom_tags={\n        \"foo\": \"bar\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var az = new Vault.Secrets.SyncAzureDestination(\"az\", new()\n    {\n        Name = \"az-dest\",\n        KeyVaultUri = keyVaultUri,\n        ClientId = clientId,\n        ClientSecret = clientSecret,\n        TenantId = tenantId,\n        SecretNameTemplate = \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n        AllowedIpv4Addresses = new[]\n        {\n            \"192.168.1.1/24\",\n            \"10.0.0.1/8\",\n        },\n        AllowedIpv6Addresses = new[]\n        {\n            \"2001:db9::/32\",\n        },\n        AllowedPorts = new[]\n        {\n            443,\n            9443,\n        },\n        DisableStrictNetworking = false,\n        CustomTags = \n        {\n            { \"foo\", \"bar\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := secrets.NewSyncAzureDestination(ctx, \"az\", \u0026secrets.SyncAzureDestinationArgs{\n\t\t\tName:               pulumi.String(\"az-dest\"),\n\t\t\tKeyVaultUri:        pulumi.Any(keyVaultUri),\n\t\t\tClientId:           pulumi.Any(clientId),\n\t\t\tClientSecret:       pulumi.Any(clientSecret),\n\t\t\tTenantId:           pulumi.Any(tenantId),\n\t\t\tSecretNameTemplate: pulumi.String(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\"),\n\t\t\tAllowedIpv4Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"192.168.1.1/24\"),\n\t\t\t\tpulumi.String(\"10.0.0.1/8\"),\n\t\t\t},\n\t\t\tAllowedIpv6Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"2001:db9::/32\"),\n\t\t\t},\n\t\t\tAllowedPorts: pulumi.IntArray{\n\t\t\t\tpulumi.Int(443),\n\t\t\t\tpulumi.Int(9443),\n\t\t\t},\n\t\t\tDisableStrictNetworking: pulumi.Bool(false),\n\t\t\tCustomTags: pulumi.StringMap{\n\t\t\t\t\"foo\": pulumi.String(\"bar\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncAzureDestination;\nimport com.pulumi.vault.secrets.SyncAzureDestinationArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var az = new SyncAzureDestination(\"az\", SyncAzureDestinationArgs.builder()\n            .name(\"az-dest\")\n            .keyVaultUri(keyVaultUri)\n            .clientId(clientId)\n            .clientSecret(clientSecret)\n            .tenantId(tenantId)\n            .secretNameTemplate(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\")\n            .allowedIpv4Addresses(            \n                \"192.168.1.1/24\",\n                \"10.0.0.1/8\")\n            .allowedIpv6Addresses(\"2001:db9::/32\")\n            .allowedPorts(            \n                443,\n                9443)\n            .disableStrictNetworking(false)\n            .customTags(Map.of(\"foo\", \"bar\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  az:\n    type: vault:secrets:SyncAzureDestination\n    properties:\n      name: az-dest\n      keyVaultUri: ${keyVaultUri}\n      clientId: ${clientId}\n      clientSecret: ${clientSecret}\n      tenantId: ${tenantId}\n      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\n      allowedIpv4Addresses:\n        - 192.168.1.1/24\n        - 10.0.0.1/8\n      allowedIpv6Addresses:\n        - 2001:db9::/32\n      allowedPorts:\n        - 443\n        - 9443\n      disableStrictNetworking: false # Enforce networking restrictions\n      customTags:\n        foo: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nAzure Secrets sync destinations can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:secrets/syncAzureDestination:SyncAzureDestination az az-dest\n```\n","properties":{"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"List of IPv4 addresses or CIDR blocks allowed to make outbound\nconnections from Vault to the destination. Requires Vault 1.19+.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"List of IPv6 addresses or CIDR blocks allowed to make outbound\nconnections from Vault to the destination. Requires Vault 1.19+.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"List of port numbers allowed for outbound connections from Vault to the\ndestination. Requires Vault 1.19+.\n"},"clientId":{"type":"string","description":"Client ID of an Azure app registration.\nCan be omitted and directly provided to Vault using the `AZURE_CLIENT_ID` environment\nvariable.\n"},"clientSecret":{"type":"string","description":"Client Secret of an Azure app registration.\nCan be omitted and directly provided to Vault using the `AZURE_CLIENT_SECRET` environment\nvariable.\n","secret":true},"cloud":{"type":"string","description":"Specifies a cloud for the client. The default is Azure Public Cloud.\n"},"customTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom tags to set on the secret managed at the destination.\n"},"disableStrictNetworking":{"type":"boolean","description":"When set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, disables strict enforcement of networking\nrestrictions. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"keyVaultUri":{"type":"string","description":"URI of an existing Azure Key Vault instance.\nCan be omitted and directly provided to Vault using the `KEY_VAULT_URI` environment\nvariable.\n"},"name":{"type":"string","description":"Unique name of the Azure destination.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n"},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"tenantId":{"type":"string","description":"ID of the target Azure tenant.\nCan be omitted and directly provided to Vault using the `AZURE_TENANT_ID` environment\nvariable.\n"},"type":{"type":"string","description":"The type of the secrets destination (`azure-kv`).\n"}},"required":["name","secretNameTemplate","type"],"inputProperties":{"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"List of IPv4 addresses or CIDR blocks allowed to make outbound\nconnections from Vault to the destination. Requires Vault 1.19+.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"List of IPv6 addresses or CIDR blocks allowed to make outbound\nconnections from Vault to the destination. Requires Vault 1.19+.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"List of port numbers allowed for outbound connections from Vault to the\ndestination. Requires Vault 1.19+.\n"},"clientId":{"type":"string","description":"Client ID of an Azure app registration.\nCan be omitted and directly provided to Vault using the `AZURE_CLIENT_ID` environment\nvariable.\n"},"clientSecret":{"type":"string","description":"Client Secret of an Azure app registration.\nCan be omitted and directly provided to Vault using the `AZURE_CLIENT_SECRET` environment\nvariable.\n","secret":true},"cloud":{"type":"string","description":"Specifies a cloud for the client. The default is Azure Public Cloud.\n","willReplaceOnChanges":true},"customTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom tags to set on the secret managed at the destination.\n"},"disableStrictNetworking":{"type":"boolean","description":"When set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, disables strict enforcement of networking\nrestrictions. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"keyVaultUri":{"type":"string","description":"URI of an existing Azure Key Vault instance.\nCan be omitted and directly provided to Vault using the `KEY_VAULT_URI` environment\nvariable.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"Unique name of the Azure destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"tenantId":{"type":"string","description":"ID of the target Azure tenant.\nCan be omitted and directly provided to Vault using the `AZURE_TENANT_ID` environment\nvariable.\n","willReplaceOnChanges":true}},"stateInputs":{"description":"Input properties used for looking up and filtering SyncAzureDestination resources.\n","properties":{"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"List of IPv4 addresses or CIDR blocks allowed to make outbound\nconnections from Vault to the destination. Requires Vault 1.19+.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"List of IPv6 addresses or CIDR blocks allowed to make outbound\nconnections from Vault to the destination. Requires Vault 1.19+.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"List of port numbers allowed for outbound connections from Vault to the\ndestination. Requires Vault 1.19+.\n"},"clientId":{"type":"string","description":"Client ID of an Azure app registration.\nCan be omitted and directly provided to Vault using the `AZURE_CLIENT_ID` environment\nvariable.\n"},"clientSecret":{"type":"string","description":"Client Secret of an Azure app registration.\nCan be omitted and directly provided to Vault using the `AZURE_CLIENT_SECRET` environment\nvariable.\n","secret":true},"cloud":{"type":"string","description":"Specifies a cloud for the client. The default is Azure Public Cloud.\n","willReplaceOnChanges":true},"customTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom tags to set on the secret managed at the destination.\n"},"disableStrictNetworking":{"type":"boolean","description":"When set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, disables strict enforcement of networking\nrestrictions. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"keyVaultUri":{"type":"string","description":"URI of an existing Azure Key Vault instance.\nCan be omitted and directly provided to Vault using the `KEY_VAULT_URI` environment\nvariable.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"Unique name of the Azure destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"tenantId":{"type":"string","description":"ID of the target Azure tenant.\nCan be omitted and directly provided to Vault using the `AZURE_TENANT_ID` environment\nvariable.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"The type of the secrets destination (`azure-kv`).\n","willReplaceOnChanges":true}},"type":"object"}},"vault:secrets/syncConfig:SyncConfig":{"description":"Configures the secret sync global config. \nThe config is global and can only be managed in the root namespace.\n\n\u003e **Important** The config is global so the\u003cspan pulumi-lang-nodejs=\" vault.secrets.SyncConfig \" pulumi-lang-dotnet=\" vault.secrets.SyncConfig \" pulumi-lang-go=\" secrets.SyncConfig \" pulumi-lang-python=\" secrets.SyncConfig \" pulumi-lang-yaml=\" vault.secrets.SyncConfig \" pulumi-lang-java=\" vault.secrets.SyncConfig \"\u003e vault.secrets.SyncConfig \u003c/span\u003eresource must not be defined\nmultiple times for the same Vault server. If multiple definition exists, the last one applied will be\neffective.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst globalConfig = new vault.secrets.SyncConfig(\"global_config\", {\n    disabled: true,\n    queueCapacity: 500000,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nglobal_config = vault.secrets.SyncConfig(\"global_config\",\n    disabled=True,\n    queue_capacity=500000)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var globalConfig = new Vault.Secrets.SyncConfig(\"global_config\", new()\n    {\n        Disabled = true,\n        QueueCapacity = 500000,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := secrets.NewSyncConfig(ctx, \"global_config\", \u0026secrets.SyncConfigArgs{\n\t\t\tDisabled:      pulumi.Bool(true),\n\t\t\tQueueCapacity: pulumi.Int(500000),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncConfig;\nimport com.pulumi.vault.secrets.SyncConfigArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var globalConfig = new SyncConfig(\"globalConfig\", SyncConfigArgs.builder()\n            .disabled(true)\n            .queueCapacity(500000)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  globalConfig:\n    type: vault:secrets:SyncConfig\n    name: global_config\n    properties:\n      disabled: true\n      queueCapacity: 500000\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\n```sh\n$ pulumi import vault:secrets/syncConfig:SyncConfig config global_config\n```\n","properties":{"disabled":{"type":"boolean","description":"Disables the syncing process between Vault and external destinations. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThis resource can only be configured in the root namespace.\n*Available only for Vault Enterprise*.\n"},"queueCapacity":{"type":"integer","description":"Maximum number of pending sync operations allowed on the queue. Defaults to \u003cspan pulumi-lang-nodejs=\"`1000000`\" pulumi-lang-dotnet=\"`1000000`\" pulumi-lang-go=\"`1000000`\" pulumi-lang-python=\"`1000000`\" pulumi-lang-yaml=\"`1000000`\" pulumi-lang-java=\"`1000000`\"\u003e`1000000`\u003c/span\u003e.\n"}},"inputProperties":{"disabled":{"type":"boolean","description":"Disables the syncing process between Vault and external destinations. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThis resource can only be configured in the root namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"queueCapacity":{"type":"integer","description":"Maximum number of pending sync operations allowed on the queue. Defaults to \u003cspan pulumi-lang-nodejs=\"`1000000`\" pulumi-lang-dotnet=\"`1000000`\" pulumi-lang-go=\"`1000000`\" pulumi-lang-python=\"`1000000`\" pulumi-lang-yaml=\"`1000000`\" pulumi-lang-java=\"`1000000`\"\u003e`1000000`\u003c/span\u003e.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering SyncConfig resources.\n","properties":{"disabled":{"type":"boolean","description":"Disables the syncing process between Vault and external destinations. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThis resource can only be configured in the root namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"queueCapacity":{"type":"integer","description":"Maximum number of pending sync operations allowed on the queue. Defaults to \u003cspan pulumi-lang-nodejs=\"`1000000`\" pulumi-lang-dotnet=\"`1000000`\" pulumi-lang-go=\"`1000000`\" pulumi-lang-python=\"`1000000`\" pulumi-lang-yaml=\"`1000000`\" pulumi-lang-java=\"`1000000`\"\u003e`1000000`\u003c/span\u003e.\n"}},"type":"object"}},"vault:secrets/syncGcpDestination:SyncGcpDestination":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gcp = new vault.secrets.SyncGcpDestination(\"gcp\", {\n    name: \"gcp-dest\",\n    projectId: \"gcp-project-id\",\n    credentials: std.file({\n        input: credentialsFile,\n    }).then(invoke =\u003e invoke.result),\n    secretNameTemplate: \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    customTags: {\n        foo: \"bar\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\ngcp = vault.secrets.SyncGcpDestination(\"gcp\",\n    name=\"gcp-dest\",\n    project_id=\"gcp-project-id\",\n    credentials=std.file(input=credentials_file).result,\n    secret_name_template=\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    custom_tags={\n        \"foo\": \"bar\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gcp = new Vault.Secrets.SyncGcpDestination(\"gcp\", new()\n    {\n        Name = \"gcp-dest\",\n        ProjectId = \"gcp-project-id\",\n        Credentials = Std.File.Invoke(new()\n        {\n            Input = credentialsFile,\n        }).Apply(invoke =\u003e invoke.Result),\n        SecretNameTemplate = \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n        CustomTags = \n        {\n            { \"foo\", \"bar\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: credentialsFile,\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = secrets.NewSyncGcpDestination(ctx, \"gcp\", \u0026secrets.SyncGcpDestinationArgs{\n\t\t\tName:               pulumi.String(\"gcp-dest\"),\n\t\t\tProjectId:          pulumi.String(\"gcp-project-id\"),\n\t\t\tCredentials:        pulumi.String(invokeFile.Result),\n\t\t\tSecretNameTemplate: pulumi.String(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\"),\n\t\t\tCustomTags: pulumi.StringMap{\n\t\t\t\t\"foo\": pulumi.String(\"bar\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncGcpDestination;\nimport com.pulumi.vault.secrets.SyncGcpDestinationArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gcp = new SyncGcpDestination(\"gcp\", SyncGcpDestinationArgs.builder()\n            .name(\"gcp-dest\")\n            .projectId(\"gcp-project-id\")\n            .credentials(StdFunctions.file(FileArgs.builder()\n                .input(credentialsFile)\n                .build()).result())\n            .secretNameTemplate(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\")\n            .customTags(Map.of(\"foo\", \"bar\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gcp:\n    type: vault:secrets:SyncGcpDestination\n    properties:\n      name: gcp-dest\n      projectId: gcp-project-id\n      credentials:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: ${credentialsFile}\n          return: result\n      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\n      customTags:\n        foo: bar\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### With Networking Configuration (Vault 1.19+)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gcpNetworking = new vault.secrets.SyncGcpDestination(\"gcp_networking\", {\n    name: \"gcp-dest-networking\",\n    projectId: \"gcp-project-id\",\n    credentials: std.file({\n        input: credentialsFile,\n    }).then(invoke =\u003e invoke.result),\n    secretNameTemplate: \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    allowedIpv4Addresses: [\n        \"10.0.0.0/8\",\n        \"192.168.0.0/16\",\n    ],\n    allowedIpv6Addresses: [\"2001:db8::/32\"],\n    allowedPorts: [\n        443,\n        8443,\n    ],\n    disableStrictNetworking: false,\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\ngcp_networking = vault.secrets.SyncGcpDestination(\"gcp_networking\",\n    name=\"gcp-dest-networking\",\n    project_id=\"gcp-project-id\",\n    credentials=std.file(input=credentials_file).result,\n    secret_name_template=\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    allowed_ipv4_addresses=[\n        \"10.0.0.0/8\",\n        \"192.168.0.0/16\",\n    ],\n    allowed_ipv6_addresses=[\"2001:db8::/32\"],\n    allowed_ports=[\n        443,\n        8443,\n    ],\n    disable_strict_networking=False)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gcpNetworking = new Vault.Secrets.SyncGcpDestination(\"gcp_networking\", new()\n    {\n        Name = \"gcp-dest-networking\",\n        ProjectId = \"gcp-project-id\",\n        Credentials = Std.File.Invoke(new()\n        {\n            Input = credentialsFile,\n        }).Apply(invoke =\u003e invoke.Result),\n        SecretNameTemplate = \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n        AllowedIpv4Addresses = new[]\n        {\n            \"10.0.0.0/8\",\n            \"192.168.0.0/16\",\n        },\n        AllowedIpv6Addresses = new[]\n        {\n            \"2001:db8::/32\",\n        },\n        AllowedPorts = new[]\n        {\n            443,\n            8443,\n        },\n        DisableStrictNetworking = false,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: credentialsFile,\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = secrets.NewSyncGcpDestination(ctx, \"gcp_networking\", \u0026secrets.SyncGcpDestinationArgs{\n\t\t\tName:               pulumi.String(\"gcp-dest-networking\"),\n\t\t\tProjectId:          pulumi.String(\"gcp-project-id\"),\n\t\t\tCredentials:        pulumi.String(invokeFile.Result),\n\t\t\tSecretNameTemplate: pulumi.String(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\"),\n\t\t\tAllowedIpv4Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"10.0.0.0/8\"),\n\t\t\t\tpulumi.String(\"192.168.0.0/16\"),\n\t\t\t},\n\t\t\tAllowedIpv6Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"2001:db8::/32\"),\n\t\t\t},\n\t\t\tAllowedPorts: pulumi.IntArray{\n\t\t\t\tpulumi.Int(443),\n\t\t\t\tpulumi.Int(8443),\n\t\t\t},\n\t\t\tDisableStrictNetworking: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncGcpDestination;\nimport com.pulumi.vault.secrets.SyncGcpDestinationArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gcpNetworking = new SyncGcpDestination(\"gcpNetworking\", SyncGcpDestinationArgs.builder()\n            .name(\"gcp-dest-networking\")\n            .projectId(\"gcp-project-id\")\n            .credentials(StdFunctions.file(FileArgs.builder()\n                .input(credentialsFile)\n                .build()).result())\n            .secretNameTemplate(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\")\n            .allowedIpv4Addresses(            \n                \"10.0.0.0/8\",\n                \"192.168.0.0/16\")\n            .allowedIpv6Addresses(\"2001:db8::/32\")\n            .allowedPorts(            \n                443,\n                8443)\n            .disableStrictNetworking(false)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gcpNetworking:\n    type: vault:secrets:SyncGcpDestination\n    name: gcp_networking\n    properties:\n      name: gcp-dest-networking\n      projectId: gcp-project-id\n      credentials:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: ${credentialsFile}\n          return: result\n      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\n      allowedIpv4Addresses:\n        - 10.0.0.0/8\n        - 192.168.0.0/16\n      allowedIpv6Addresses:\n        - 2001:db8::/32\n      allowedPorts:\n        - 443\n        - 8443\n      disableStrictNetworking: false\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### With Global Encryption (Vault 1.19+)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gcpEncryption = new vault.secrets.SyncGcpDestination(\"gcp_encryption\", {\n    name: \"gcp-dest-encryption\",\n    projectId: \"gcp-project-id\",\n    credentials: std.file({\n        input: credentialsFile,\n    }).then(invoke =\u003e invoke.result),\n    secretNameTemplate: \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    globalKmsKey: \"projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key\",\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\ngcp_encryption = vault.secrets.SyncGcpDestination(\"gcp_encryption\",\n    name=\"gcp-dest-encryption\",\n    project_id=\"gcp-project-id\",\n    credentials=std.file(input=credentials_file).result,\n    secret_name_template=\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    global_kms_key=\"projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gcpEncryption = new Vault.Secrets.SyncGcpDestination(\"gcp_encryption\", new()\n    {\n        Name = \"gcp-dest-encryption\",\n        ProjectId = \"gcp-project-id\",\n        Credentials = Std.File.Invoke(new()\n        {\n            Input = credentialsFile,\n        }).Apply(invoke =\u003e invoke.Result),\n        SecretNameTemplate = \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n        GlobalKmsKey = \"projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: credentialsFile,\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = secrets.NewSyncGcpDestination(ctx, \"gcp_encryption\", \u0026secrets.SyncGcpDestinationArgs{\n\t\t\tName:               pulumi.String(\"gcp-dest-encryption\"),\n\t\t\tProjectId:          pulumi.String(\"gcp-project-id\"),\n\t\t\tCredentials:        pulumi.String(invokeFile.Result),\n\t\t\tSecretNameTemplate: pulumi.String(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\"),\n\t\t\tGlobalKmsKey:       pulumi.String(\"projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncGcpDestination;\nimport com.pulumi.vault.secrets.SyncGcpDestinationArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gcpEncryption = new SyncGcpDestination(\"gcpEncryption\", SyncGcpDestinationArgs.builder()\n            .name(\"gcp-dest-encryption\")\n            .projectId(\"gcp-project-id\")\n            .credentials(StdFunctions.file(FileArgs.builder()\n                .input(credentialsFile)\n                .build()).result())\n            .secretNameTemplate(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\")\n            .globalKmsKey(\"projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gcpEncryption:\n    type: vault:secrets:SyncGcpDestination\n    name: gcp_encryption\n    properties:\n      name: gcp-dest-encryption\n      projectId: gcp-project-id\n      credentials:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: ${credentialsFile}\n          return: result\n      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\n      globalKmsKey: projects/my-project/locations/global/keyRings/my-keyring/cryptoKeys/my-key\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### With Multi-Region Replication and Regional Encryption (Vault 1.19+)\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gcpReplicationEncryption = new vault.secrets.SyncGcpDestination(\"gcp_replication_encryption\", {\n    name: \"gcp-dest-replication-encryption\",\n    projectId: \"gcp-project-id\",\n    credentials: std.file({\n        input: credentialsFile,\n    }).then(invoke =\u003e invoke.result),\n    secretNameTemplate: \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}\",\n    granularity: \"secret-key\",\n    locationalKmsKeys: {\n        \"us-central1\": \"projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key\",\n        \"us-east1\": \"projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key\",\n    },\n    replicationLocations: [\n        \"us-central1\",\n        \"us-east1\",\n    ],\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\ngcp_replication_encryption = vault.secrets.SyncGcpDestination(\"gcp_replication_encryption\",\n    name=\"gcp-dest-replication-encryption\",\n    project_id=\"gcp-project-id\",\n    credentials=std.file(input=credentials_file).result,\n    secret_name_template=\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}\",\n    granularity=\"secret-key\",\n    locational_kms_keys={\n        \"us-central1\": \"projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key\",\n        \"us-east1\": \"projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key\",\n    },\n    replication_locations=[\n        \"us-central1\",\n        \"us-east1\",\n    ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gcpReplicationEncryption = new Vault.Secrets.SyncGcpDestination(\"gcp_replication_encryption\", new()\n    {\n        Name = \"gcp-dest-replication-encryption\",\n        ProjectId = \"gcp-project-id\",\n        Credentials = Std.File.Invoke(new()\n        {\n            Input = credentialsFile,\n        }).Apply(invoke =\u003e invoke.Result),\n        SecretNameTemplate = \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}\",\n        Granularity = \"secret-key\",\n        LocationalKmsKeys = \n        {\n            { \"us-central1\", \"projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key\" },\n            { \"us-east1\", \"projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key\" },\n        },\n        ReplicationLocations = new[]\n        {\n            \"us-central1\",\n            \"us-east1\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: credentialsFile,\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = secrets.NewSyncGcpDestination(ctx, \"gcp_replication_encryption\", \u0026secrets.SyncGcpDestinationArgs{\n\t\t\tName:               pulumi.String(\"gcp-dest-replication-encryption\"),\n\t\t\tProjectId:          pulumi.String(\"gcp-project-id\"),\n\t\t\tCredentials:        pulumi.String(invokeFile.Result),\n\t\t\tSecretNameTemplate: pulumi.String(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}\"),\n\t\t\tGranularity:        pulumi.String(\"secret-key\"),\n\t\t\tLocationalKmsKeys: pulumi.StringMap{\n\t\t\t\t\"us-central1\": pulumi.String(\"projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key\"),\n\t\t\t\t\"us-east1\":    pulumi.String(\"projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key\"),\n\t\t\t},\n\t\t\tReplicationLocations: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"us-central1\"),\n\t\t\t\tpulumi.String(\"us-east1\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncGcpDestination;\nimport com.pulumi.vault.secrets.SyncGcpDestinationArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gcpReplicationEncryption = new SyncGcpDestination(\"gcpReplicationEncryption\", SyncGcpDestinationArgs.builder()\n            .name(\"gcp-dest-replication-encryption\")\n            .projectId(\"gcp-project-id\")\n            .credentials(StdFunctions.file(FileArgs.builder()\n                .input(credentialsFile)\n                .build()).result())\n            .secretNameTemplate(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}\")\n            .granularity(\"secret-key\")\n            .locationalKmsKeys(Map.ofEntries(\n                Map.entry(\"us-central1\", \"projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key\"),\n                Map.entry(\"us-east1\", \"projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key\")\n            ))\n            .replicationLocations(            \n                \"us-central1\",\n                \"us-east1\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gcpReplicationEncryption:\n    type: vault:secrets:SyncGcpDestination\n    name: gcp_replication_encryption\n    properties:\n      name: gcp-dest-replication-encryption\n      projectId: gcp-project-id\n      credentials:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: ${credentialsFile}\n          return: result\n      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}_{{ .SecretKey | lowercase }}\n      granularity: secret-key\n      locationalKmsKeys:\n        us-central1: projects/my-project/locations/us-central1/keyRings/kr/cryptoKeys/key\n        us-east1: projects/my-project/locations/us-east1/keyRings/kr/cryptoKeys/key\n      replicationLocations:\n        - us-central1\n        - us-east1\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nGCP Secrets sync destinations can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:secrets/syncGcpDestination:SyncGcpDestination gcp gcp-dest\n```\n","properties":{"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed."},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed."},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Allowed ports for outbound network connectivity. If not set, all ports are allowed."},"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP.\nCan be omitted and directly provided to Vault using the `GOOGLE_APPLICATION_CREDENTIALS` environment\nvariable.\n","secret":true},"customTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom tags to set on the secret managed at the destination.\n"},"disableStrictNetworking":{"type":"boolean","description":"Disable strict networking requirements."},"globalKmsKey":{"type":"string","description":"Global KMS key for encryption."},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"locationalKmsKeys":{"type":"object","additionalProperties":{"type":"string"},"description":"Locational KMS keys for encryption."},"name":{"type":"string","description":"Unique name of the GCP destination.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n"},"projectId":{"type":"string","description":"The target project to manage secrets in. If set,\noverrides the project ID derived from the service account JSON credentials or application\ndefault credentials. The service account must be [authorized](https://cloud.google.com/iam/docs/service-account-overview#locations)\nto perform Secret Manager actions in the target project.\n"},"replicationLocations":{"type":"array","items":{"type":"string"},"description":"Replication locations for secrets."},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"type":{"type":"string","description":"The type of the secrets destination (`gcp-sm`).\n"}},"required":["name","secretNameTemplate","type"],"inputProperties":{"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed."},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed."},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Allowed ports for outbound network connectivity. If not set, all ports are allowed."},"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP.\nCan be omitted and directly provided to Vault using the `GOOGLE_APPLICATION_CREDENTIALS` environment\nvariable.\n","secret":true},"customTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom tags to set on the secret managed at the destination.\n"},"disableStrictNetworking":{"type":"boolean","description":"Disable strict networking requirements."},"globalKmsKey":{"type":"string","description":"Global KMS key for encryption."},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"locationalKmsKeys":{"type":"object","additionalProperties":{"type":"string"},"description":"Locational KMS keys for encryption."},"name":{"type":"string","description":"Unique name of the GCP destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"projectId":{"type":"string","description":"The target project to manage secrets in. If set,\noverrides the project ID derived from the service account JSON credentials or application\ndefault credentials. The service account must be [authorized](https://cloud.google.com/iam/docs/service-account-overview#locations)\nto perform Secret Manager actions in the target project.\n","willReplaceOnChanges":true},"replicationLocations":{"type":"array","items":{"type":"string"},"description":"Replication locations for secrets."},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering SyncGcpDestination resources.\n","properties":{"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv4 addresses for outbound network connectivity in CIDR notation. If not set, all IPv4 addresses are allowed."},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Allowed IPv6 addresses for outbound network connectivity in CIDR notation. If not set, all IPv6 addresses are allowed."},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Allowed ports for outbound network connectivity. If not set, all ports are allowed."},"credentials":{"type":"string","description":"JSON-encoded credentials to use to connect to GCP.\nCan be omitted and directly provided to Vault using the `GOOGLE_APPLICATION_CREDENTIALS` environment\nvariable.\n","secret":true},"customTags":{"type":"object","additionalProperties":{"type":"string"},"description":"Custom tags to set on the secret managed at the destination.\n"},"disableStrictNetworking":{"type":"boolean","description":"Disable strict networking requirements."},"globalKmsKey":{"type":"string","description":"Global KMS key for encryption."},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"locationalKmsKeys":{"type":"object","additionalProperties":{"type":"string"},"description":"Locational KMS keys for encryption."},"name":{"type":"string","description":"Unique name of the GCP destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"projectId":{"type":"string","description":"The target project to manage secrets in. If set,\noverrides the project ID derived from the service account JSON credentials or application\ndefault credentials. The service account must be [authorized](https://cloud.google.com/iam/docs/service-account-overview#locations)\nto perform Secret Manager actions in the target project.\n","willReplaceOnChanges":true},"replicationLocations":{"type":"array","items":{"type":"string"},"description":"Replication locations for secrets."},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"type":{"type":"string","description":"The type of the secrets destination (`gcp-sm`).\n","willReplaceOnChanges":true}},"type":"object"}},"vault:secrets/syncGhDestination:SyncGhDestination":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst gh = new vault.secrets.SyncGhDestination(\"gh\", {\n    name: \"gh-dest\",\n    accessToken: accessToken,\n    repositoryOwner: repoOwner,\n    repositoryName: \"repo-name-example\",\n    secretNameTemplate: \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    secretsLocation: \"repository\",\n    environmentName: \"production\",\n    allowedIpv4Addresses: [\n        \"192.168.1.0/24\",\n        \"10.0.0.0/8\",\n    ],\n    allowedIpv6Addresses: [\"2001:db8::/32\"],\n    allowedPorts: [\n        443,\n        80,\n        22,\n    ],\n    disableStrictNetworking: false,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ngh = vault.secrets.SyncGhDestination(\"gh\",\n    name=\"gh-dest\",\n    access_token=access_token,\n    repository_owner=repo_owner,\n    repository_name=\"repo-name-example\",\n    secret_name_template=\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    secrets_location=\"repository\",\n    environment_name=\"production\",\n    allowed_ipv4_addresses=[\n        \"192.168.1.0/24\",\n        \"10.0.0.0/8\",\n    ],\n    allowed_ipv6_addresses=[\"2001:db8::/32\"],\n    allowed_ports=[\n        443,\n        80,\n        22,\n    ],\n    disable_strict_networking=False)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var gh = new Vault.Secrets.SyncGhDestination(\"gh\", new()\n    {\n        Name = \"gh-dest\",\n        AccessToken = accessToken,\n        RepositoryOwner = repoOwner,\n        RepositoryName = \"repo-name-example\",\n        SecretNameTemplate = \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n        SecretsLocation = \"repository\",\n        EnvironmentName = \"production\",\n        AllowedIpv4Addresses = new[]\n        {\n            \"192.168.1.0/24\",\n            \"10.0.0.0/8\",\n        },\n        AllowedIpv6Addresses = new[]\n        {\n            \"2001:db8::/32\",\n        },\n        AllowedPorts = new[]\n        {\n            443,\n            80,\n            22,\n        },\n        DisableStrictNetworking = false,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := secrets.NewSyncGhDestination(ctx, \"gh\", \u0026secrets.SyncGhDestinationArgs{\n\t\t\tName:               pulumi.String(\"gh-dest\"),\n\t\t\tAccessToken:        pulumi.Any(accessToken),\n\t\t\tRepositoryOwner:    pulumi.Any(repoOwner),\n\t\t\tRepositoryName:     pulumi.String(\"repo-name-example\"),\n\t\t\tSecretNameTemplate: pulumi.String(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\"),\n\t\t\tSecretsLocation:    pulumi.String(\"repository\"),\n\t\t\tEnvironmentName:    pulumi.String(\"production\"),\n\t\t\tAllowedIpv4Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"192.168.1.0/24\"),\n\t\t\t\tpulumi.String(\"10.0.0.0/8\"),\n\t\t\t},\n\t\t\tAllowedIpv6Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"2001:db8::/32\"),\n\t\t\t},\n\t\t\tAllowedPorts: pulumi.IntArray{\n\t\t\t\tpulumi.Int(443),\n\t\t\t\tpulumi.Int(80),\n\t\t\t\tpulumi.Int(22),\n\t\t\t},\n\t\t\tDisableStrictNetworking: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncGhDestination;\nimport com.pulumi.vault.secrets.SyncGhDestinationArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var gh = new SyncGhDestination(\"gh\", SyncGhDestinationArgs.builder()\n            .name(\"gh-dest\")\n            .accessToken(accessToken)\n            .repositoryOwner(repoOwner)\n            .repositoryName(\"repo-name-example\")\n            .secretNameTemplate(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\")\n            .secretsLocation(\"repository\")\n            .environmentName(\"production\")\n            .allowedIpv4Addresses(            \n                \"192.168.1.0/24\",\n                \"10.0.0.0/8\")\n            .allowedIpv6Addresses(\"2001:db8::/32\")\n            .allowedPorts(            \n                443,\n                80,\n                22)\n            .disableStrictNetworking(false)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  gh:\n    type: vault:secrets:SyncGhDestination\n    properties:\n      name: gh-dest\n      accessToken: ${accessToken}\n      repositoryOwner: ${repoOwner}\n      repositoryName: repo-name-example\n      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\n      secretsLocation: repository\n      environmentName: production\n      allowedIpv4Addresses:\n        - 192.168.1.0/24\n        - 10.0.0.0/8\n      allowedIpv6Addresses:\n        - 2001:db8::/32\n      allowedPorts:\n        - 443\n        - 80\n        - 22\n      disableStrictNetworking: false\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nGitHub Secrets sync destinations can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:secrets/syncGhDestination:SyncGhDestination gh gh-dest\n```\n","properties":{"accessToken":{"type":"string","description":"Fine-grained or personal access token.\nCan be omitted and directly provided to Vault using the `GITHUB_ACCESS_TOKEN` environment\nvariable.\n","secret":true},"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv4 addresses in CIDR notation (e.g., `192.168.1.1/32`)\nfor outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv6 addresses in CIDR notation (e.g., `2001:db8::1/128`)\nfor outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Set of allowed ports for outbound connections from Vault to the\ndestination. If not set, all ports are allowed. Requires Vault 1.19+.\n"},"appName":{"type":"string","description":"The user-defined name of the GitHub App configuration. This is a reference to the name used   \non the new endpoint when configuring the GitHub app on the Vault Server. Can be modified.\nTakes precedence over the \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e field.\n"},"disableStrictNetworking":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, disables strict networking enforcement\nfor this destination. When disabled, Vault will not enforce allowed IP addresses and ports.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"environmentName":{"type":"string","description":"Environment name for the destination. Requires Vault 1.18+.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"installationId":{"type":"integer","description":"The ID of the installation generated by GitHub when the app referenced by the \u003cspan pulumi-lang-nodejs=\"`appName`\" pulumi-lang-dotnet=\"`AppName`\" pulumi-lang-go=\"`appName`\" pulumi-lang-python=\"`app_name`\" pulumi-lang-yaml=\"`appName`\" pulumi-lang-java=\"`appName`\"\u003e`app_name`\u003c/span\u003e \nwas installed in the user's GitHub account. Can be modified. Necessary if the \u003cspan pulumi-lang-nodejs=\"`appName`\" pulumi-lang-dotnet=\"`AppName`\" pulumi-lang-go=\"`appName`\" pulumi-lang-python=\"`app_name`\" pulumi-lang-yaml=\"`appName`\" pulumi-lang-java=\"`appName`\"\u003e`app_name`\u003c/span\u003e field is also provided.\n"},"name":{"type":"string","description":"Unique name of the GitHub destination.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n"},"repositoryName":{"type":"string","description":"Name of the repository.\nCan be omitted and directly provided to Vault using the `GITHUB_REPOSITORY_NAME` environment\nvariable.\n"},"repositoryOwner":{"type":"string","description":"GitHub organization or username that owns the repository.\nCan be omitted and directly provided to Vault using the `GITHUB_REPOSITORY_OWNER` environment\nvariable.\n"},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"secretsLocation":{"type":"string","description":"Location where secrets are stored in the destination. Requires Vault 1.18+.\n"},"type":{"type":"string","description":"The type of the secrets destination (\u003cspan pulumi-lang-nodejs=\"`gh`\" pulumi-lang-dotnet=\"`Gh`\" pulumi-lang-go=\"`gh`\" pulumi-lang-python=\"`gh`\" pulumi-lang-yaml=\"`gh`\" pulumi-lang-java=\"`gh`\"\u003e`gh`\u003c/span\u003e).\n"}},"required":["name","secretNameTemplate","type"],"inputProperties":{"accessToken":{"type":"string","description":"Fine-grained or personal access token.\nCan be omitted and directly provided to Vault using the `GITHUB_ACCESS_TOKEN` environment\nvariable.\n","secret":true},"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv4 addresses in CIDR notation (e.g., `192.168.1.1/32`)\nfor outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv6 addresses in CIDR notation (e.g., `2001:db8::1/128`)\nfor outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Set of allowed ports for outbound connections from Vault to the\ndestination. If not set, all ports are allowed. Requires Vault 1.19+.\n"},"appName":{"type":"string","description":"The user-defined name of the GitHub App configuration. This is a reference to the name used   \non the new endpoint when configuring the GitHub app on the Vault Server. Can be modified.\nTakes precedence over the \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e field.\n"},"disableStrictNetworking":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, disables strict networking enforcement\nfor this destination. When disabled, Vault will not enforce allowed IP addresses and ports.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"environmentName":{"type":"string","description":"Environment name for the destination. Requires Vault 1.18+.\n","willReplaceOnChanges":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"installationId":{"type":"integer","description":"The ID of the installation generated by GitHub when the app referenced by the \u003cspan pulumi-lang-nodejs=\"`appName`\" pulumi-lang-dotnet=\"`AppName`\" pulumi-lang-go=\"`appName`\" pulumi-lang-python=\"`app_name`\" pulumi-lang-yaml=\"`appName`\" pulumi-lang-java=\"`appName`\"\u003e`app_name`\u003c/span\u003e \nwas installed in the user's GitHub account. Can be modified. Necessary if the \u003cspan pulumi-lang-nodejs=\"`appName`\" pulumi-lang-dotnet=\"`AppName`\" pulumi-lang-go=\"`appName`\" pulumi-lang-python=\"`app_name`\" pulumi-lang-yaml=\"`appName`\" pulumi-lang-java=\"`appName`\"\u003e`app_name`\u003c/span\u003e field is also provided.\n"},"name":{"type":"string","description":"Unique name of the GitHub destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"repositoryName":{"type":"string","description":"Name of the repository.\nCan be omitted and directly provided to Vault using the `GITHUB_REPOSITORY_NAME` environment\nvariable.\n","willReplaceOnChanges":true},"repositoryOwner":{"type":"string","description":"GitHub organization or username that owns the repository.\nCan be omitted and directly provided to Vault using the `GITHUB_REPOSITORY_OWNER` environment\nvariable.\n","willReplaceOnChanges":true},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"secretsLocation":{"type":"string","description":"Location where secrets are stored in the destination. Requires Vault 1.18+.\n"}},"stateInputs":{"description":"Input properties used for looking up and filtering SyncGhDestination resources.\n","properties":{"accessToken":{"type":"string","description":"Fine-grained or personal access token.\nCan be omitted and directly provided to Vault using the `GITHUB_ACCESS_TOKEN` environment\nvariable.\n","secret":true},"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv4 addresses in CIDR notation (e.g., `192.168.1.1/32`)\nfor outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv6 addresses in CIDR notation (e.g., `2001:db8::1/128`)\nfor outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Set of allowed ports for outbound connections from Vault to the\ndestination. If not set, all ports are allowed. Requires Vault 1.19+.\n"},"appName":{"type":"string","description":"The user-defined name of the GitHub App configuration. This is a reference to the name used   \non the new endpoint when configuring the GitHub app on the Vault Server. Can be modified.\nTakes precedence over the \u003cspan pulumi-lang-nodejs=\"`accessToken`\" pulumi-lang-dotnet=\"`AccessToken`\" pulumi-lang-go=\"`accessToken`\" pulumi-lang-python=\"`access_token`\" pulumi-lang-yaml=\"`accessToken`\" pulumi-lang-java=\"`accessToken`\"\u003e`access_token`\u003c/span\u003e field.\n"},"disableStrictNetworking":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, disables strict networking enforcement\nfor this destination. When disabled, Vault will not enforce allowed IP addresses and ports.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"environmentName":{"type":"string","description":"Environment name for the destination. Requires Vault 1.18+.\n","willReplaceOnChanges":true},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"installationId":{"type":"integer","description":"The ID of the installation generated by GitHub when the app referenced by the \u003cspan pulumi-lang-nodejs=\"`appName`\" pulumi-lang-dotnet=\"`AppName`\" pulumi-lang-go=\"`appName`\" pulumi-lang-python=\"`app_name`\" pulumi-lang-yaml=\"`appName`\" pulumi-lang-java=\"`appName`\"\u003e`app_name`\u003c/span\u003e \nwas installed in the user's GitHub account. Can be modified. Necessary if the \u003cspan pulumi-lang-nodejs=\"`appName`\" pulumi-lang-dotnet=\"`AppName`\" pulumi-lang-go=\"`appName`\" pulumi-lang-python=\"`app_name`\" pulumi-lang-yaml=\"`appName`\" pulumi-lang-java=\"`appName`\"\u003e`app_name`\u003c/span\u003e field is also provided.\n"},"name":{"type":"string","description":"Unique name of the GitHub destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"repositoryName":{"type":"string","description":"Name of the repository.\nCan be omitted and directly provided to Vault using the `GITHUB_REPOSITORY_NAME` environment\nvariable.\n","willReplaceOnChanges":true},"repositoryOwner":{"type":"string","description":"GitHub organization or username that owns the repository.\nCan be omitted and directly provided to Vault using the `GITHUB_REPOSITORY_OWNER` environment\nvariable.\n","willReplaceOnChanges":true},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"secretsLocation":{"type":"string","description":"Location where secrets are stored in the destination. Requires Vault 1.18+.\n"},"type":{"type":"string","description":"The type of the secrets destination (\u003cspan pulumi-lang-nodejs=\"`gh`\" pulumi-lang-dotnet=\"`Gh`\" pulumi-lang-go=\"`gh`\" pulumi-lang-python=\"`gh`\" pulumi-lang-yaml=\"`gh`\" pulumi-lang-java=\"`gh`\"\u003e`gh`\u003c/span\u003e).\n","willReplaceOnChanges":true}},"type":"object"}},"vault:secrets/syncGithubApps:SyncGithubApps":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst github_apps = new vault.secrets.SyncGithubApps(\"github-apps\", {\n    name: \"gh-apps\",\n    appId: appId,\n    privateKey: std.file({\n        input: privatekeyFile,\n    }).then(invoke =\u003e invoke.result),\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\ngithub_apps = vault.secrets.SyncGithubApps(\"github-apps\",\n    name=\"gh-apps\",\n    app_id=app_id,\n    private_key=std.file(input=privatekey_file).result)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var github_apps = new Vault.Secrets.SyncGithubApps(\"github-apps\", new()\n    {\n        Name = \"gh-apps\",\n        AppId = appId,\n        PrivateKey = Std.File.Invoke(new()\n        {\n            Input = privatekeyFile,\n        }).Apply(invoke =\u003e invoke.Result),\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: privatekeyFile,\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = secrets.NewSyncGithubApps(ctx, \"github-apps\", \u0026secrets.SyncGithubAppsArgs{\n\t\t\tName:       pulumi.String(\"gh-apps\"),\n\t\t\tAppId:      pulumi.Any(appId),\n\t\t\tPrivateKey: pulumi.String(invokeFile.Result),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncGithubApps;\nimport com.pulumi.vault.secrets.SyncGithubAppsArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var github_apps = new SyncGithubApps(\"github-apps\", SyncGithubAppsArgs.builder()\n            .name(\"gh-apps\")\n            .appId(appId)\n            .privateKey(StdFunctions.file(FileArgs.builder()\n                .input(privatekeyFile)\n                .build()).result())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  github-apps:\n    type: vault:secrets:SyncGithubApps\n    properties:\n      name: gh-apps\n      appId: ${appId}\n      privateKey:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: ${privatekeyFile}\n          return: result\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nGitHub Apps Secrets sync configuration endpoint can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:secrets/syncGithubApps:SyncGithubApps gh github-apps\n```\n","properties":{"appId":{"type":"integer","description":"The GitHub application ID.\n"},"fingerprint":{"type":"string","description":"A fingerprint of a private key."},"name":{"type":"string","description":"The user-defined name of the GitHub App configuration.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n"},"privateKey":{"type":"string","description":"The content of a PEM formatted private key generated on GitHub for the app.\n","secret":true}},"required":["appId","fingerprint","name","privateKey"],"inputProperties":{"appId":{"type":"integer","description":"The GitHub application ID.\n","willReplaceOnChanges":true},"name":{"type":"string","description":"The user-defined name of the GitHub App configuration.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"privateKey":{"type":"string","description":"The content of a PEM formatted private key generated on GitHub for the app.\n","secret":true}},"requiredInputs":["appId","privateKey"],"stateInputs":{"description":"Input properties used for looking up and filtering SyncGithubApps resources.\n","properties":{"appId":{"type":"integer","description":"The GitHub application ID.\n","willReplaceOnChanges":true},"fingerprint":{"type":"string","description":"A fingerprint of a private key."},"name":{"type":"string","description":"The user-defined name of the GitHub App configuration.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"privateKey":{"type":"string","description":"The content of a PEM formatted private key generated on GitHub for the app.\n","secret":true}},"type":"object"}},"vault:secrets/syncVercelDestination:SyncVercelDestination":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst vercel = new vault.secrets.SyncVercelDestination(\"vercel\", {\n    name: \"vercel-dest\",\n    accessToken: accessToken,\n    projectId: projectId,\n    deploymentEnvironments: [\n        \"development\",\n        \"preview\",\n        \"production\",\n    ],\n    secretNameTemplate: \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    allowedIpv4Addresses: [\n        \"192.168.1.1/32\",\n        \"10.0.0.1/32\",\n    ],\n    allowedIpv6Addresses: [\"2001:db8:85a3::8a2e:370:7334/128\"],\n    allowedPorts: [\n        443,\n        8443,\n    ],\n    disableStrictNetworking: false,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nvercel = vault.secrets.SyncVercelDestination(\"vercel\",\n    name=\"vercel-dest\",\n    access_token=access_token,\n    project_id=project_id,\n    deployment_environments=[\n        \"development\",\n        \"preview\",\n        \"production\",\n    ],\n    secret_name_template=\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n    allowed_ipv4_addresses=[\n        \"192.168.1.1/32\",\n        \"10.0.0.1/32\",\n    ],\n    allowed_ipv6_addresses=[\"2001:db8:85a3::8a2e:370:7334/128\"],\n    allowed_ports=[\n        443,\n        8443,\n    ],\n    disable_strict_networking=False)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var vercel = new Vault.Secrets.SyncVercelDestination(\"vercel\", new()\n    {\n        Name = \"vercel-dest\",\n        AccessToken = accessToken,\n        ProjectId = projectId,\n        DeploymentEnvironments = new[]\n        {\n            \"development\",\n            \"preview\",\n            \"production\",\n        },\n        SecretNameTemplate = \"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\",\n        AllowedIpv4Addresses = new[]\n        {\n            \"192.168.1.1/32\",\n            \"10.0.0.1/32\",\n        },\n        AllowedIpv6Addresses = new[]\n        {\n            \"2001:db8:85a3::8a2e:370:7334/128\",\n        },\n        AllowedPorts = new[]\n        {\n            443,\n            8443,\n        },\n        DisableStrictNetworking = false,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/secrets\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := secrets.NewSyncVercelDestination(ctx, \"vercel\", \u0026secrets.SyncVercelDestinationArgs{\n\t\t\tName:        pulumi.String(\"vercel-dest\"),\n\t\t\tAccessToken: pulumi.Any(accessToken),\n\t\t\tProjectId:   pulumi.Any(projectId),\n\t\t\tDeploymentEnvironments: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"development\"),\n\t\t\t\tpulumi.String(\"preview\"),\n\t\t\t\tpulumi.String(\"production\"),\n\t\t\t},\n\t\t\tSecretNameTemplate: pulumi.String(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\"),\n\t\t\tAllowedIpv4Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"192.168.1.1/32\"),\n\t\t\t\tpulumi.String(\"10.0.0.1/32\"),\n\t\t\t},\n\t\t\tAllowedIpv6Addresses: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"2001:db8:85a3::8a2e:370:7334/128\"),\n\t\t\t},\n\t\t\tAllowedPorts: pulumi.IntArray{\n\t\t\t\tpulumi.Int(443),\n\t\t\t\tpulumi.Int(8443),\n\t\t\t},\n\t\t\tDisableStrictNetworking: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.secrets.SyncVercelDestination;\nimport com.pulumi.vault.secrets.SyncVercelDestinationArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var vercel = new SyncVercelDestination(\"vercel\", SyncVercelDestinationArgs.builder()\n            .name(\"vercel-dest\")\n            .accessToken(accessToken)\n            .projectId(projectId)\n            .deploymentEnvironments(            \n                \"development\",\n                \"preview\",\n                \"production\")\n            .secretNameTemplate(\"vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\")\n            .allowedIpv4Addresses(            \n                \"192.168.1.1/32\",\n                \"10.0.0.1/32\")\n            .allowedIpv6Addresses(\"2001:db8:85a3::8a2e:370:7334/128\")\n            .allowedPorts(            \n                443,\n                8443)\n            .disableStrictNetworking(false)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  vercel:\n    type: vault:secrets:SyncVercelDestination\n    properties:\n      name: vercel-dest\n      accessToken: ${accessToken}\n      projectId: ${projectId}\n      deploymentEnvironments:\n        - development\n        - preview\n        - production\n      secretNameTemplate: vault_{{ .MountAccessor | lowercase }}_{{ .SecretPath | lowercase }}\n      allowedIpv4Addresses:\n        - 192.168.1.1/32\n        - 10.0.0.1/32\n      allowedIpv6Addresses:\n        - 2001:db8:85a3::8a2e:370:7334/128\n      allowedPorts:\n        - 443\n        - 8443\n      disableStrictNetworking: false\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nVercel Secrets sync destinations can be imported using the `name`, e.g.\n\n```sh\n$ pulumi import vault:secrets/syncVercelDestination:SyncVercelDestination vercel vercel-dest\n```\n","properties":{"accessToken":{"type":"string","description":"Vercel API access token with the permissions to manage environment\nvariables.\n","secret":true},"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv4 addresses in CIDR notation (e.g., `192.168.1.1/32`)\nfor outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv6 addresses in CIDR notation (e.g., `2001:db8::1/128`)\nfor outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Set of allowed ports for outbound connections from Vault to the\ndestination. If not set, all ports are allowed. Requires Vault 1.19+.\n"},"deploymentEnvironments":{"type":"array","items":{"type":"string"},"description":"Deployment environments where the environment variables\nare available. Accepts \u003cspan pulumi-lang-nodejs=\"`development`\" pulumi-lang-dotnet=\"`Development`\" pulumi-lang-go=\"`development`\" pulumi-lang-python=\"`development`\" pulumi-lang-yaml=\"`development`\" pulumi-lang-java=\"`development`\"\u003e`development`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`preview`\" pulumi-lang-dotnet=\"`Preview`\" pulumi-lang-go=\"`preview`\" pulumi-lang-python=\"`preview`\" pulumi-lang-yaml=\"`preview`\" pulumi-lang-java=\"`preview`\"\u003e`preview`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`production`\" pulumi-lang-dotnet=\"`Production`\" pulumi-lang-go=\"`production`\" pulumi-lang-python=\"`production`\" pulumi-lang-yaml=\"`production`\" pulumi-lang-java=\"`production`\"\u003e`production`\u003c/span\u003e.\n"},"disableStrictNetworking":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, disables strict networking enforcement\nfor this destination. When disabled, Vault will not enforce allowed IP addresses and ports.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"name":{"type":"string","description":"Unique name of the GitHub destination.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n"},"projectId":{"type":"string","description":"Project ID where to manage environment variables.\n"},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"teamId":{"type":"string","description":"Team ID where to manage environment variables.\n"},"type":{"type":"string","description":"The type of the secrets destination (`vercel-project`).\n"}},"required":["accessToken","deploymentEnvironments","name","projectId","secretNameTemplate","type"],"inputProperties":{"accessToken":{"type":"string","description":"Vercel API access token with the permissions to manage environment\nvariables.\n","secret":true},"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv4 addresses in CIDR notation (e.g., `192.168.1.1/32`)\nfor outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv6 addresses in CIDR notation (e.g., `2001:db8::1/128`)\nfor outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Set of allowed ports for outbound connections from Vault to the\ndestination. If not set, all ports are allowed. Requires Vault 1.19+.\n"},"deploymentEnvironments":{"type":"array","items":{"type":"string"},"description":"Deployment environments where the environment variables\nare available. Accepts \u003cspan pulumi-lang-nodejs=\"`development`\" pulumi-lang-dotnet=\"`Development`\" pulumi-lang-go=\"`development`\" pulumi-lang-python=\"`development`\" pulumi-lang-yaml=\"`development`\" pulumi-lang-java=\"`development`\"\u003e`development`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`preview`\" pulumi-lang-dotnet=\"`Preview`\" pulumi-lang-go=\"`preview`\" pulumi-lang-python=\"`preview`\" pulumi-lang-yaml=\"`preview`\" pulumi-lang-java=\"`preview`\"\u003e`preview`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`production`\" pulumi-lang-dotnet=\"`Production`\" pulumi-lang-go=\"`production`\" pulumi-lang-python=\"`production`\" pulumi-lang-yaml=\"`production`\" pulumi-lang-java=\"`production`\"\u003e`production`\u003c/span\u003e.\n"},"disableStrictNetworking":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, disables strict networking enforcement\nfor this destination. When disabled, Vault will not enforce allowed IP addresses and ports.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"name":{"type":"string","description":"Unique name of the GitHub destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"projectId":{"type":"string","description":"Project ID where to manage environment variables.\n","willReplaceOnChanges":true},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"teamId":{"type":"string","description":"Team ID where to manage environment variables.\n"}},"requiredInputs":["accessToken","deploymentEnvironments","projectId"],"stateInputs":{"description":"Input properties used for looking up and filtering SyncVercelDestination resources.\n","properties":{"accessToken":{"type":"string","description":"Vercel API access token with the permissions to manage environment\nvariables.\n","secret":true},"allowedIpv4Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv4 addresses in CIDR notation (e.g., `192.168.1.1/32`)\nfor outbound connections from Vault to the destination. If not set, all IPv4 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedIpv6Addresses":{"type":"array","items":{"type":"string"},"description":"Set of allowed IPv6 addresses in CIDR notation (e.g., `2001:db8::1/128`)\nfor outbound connections from Vault to the destination. If not set, all IPv6 addresses are allowed.\nRequires Vault 1.19+.\n"},"allowedPorts":{"type":"array","items":{"type":"integer"},"description":"Set of allowed ports for outbound connections from Vault to the\ndestination. If not set, all ports are allowed. Requires Vault 1.19+.\n"},"deploymentEnvironments":{"type":"array","items":{"type":"string"},"description":"Deployment environments where the environment variables\nare available. Accepts \u003cspan pulumi-lang-nodejs=\"`development`\" pulumi-lang-dotnet=\"`Development`\" pulumi-lang-go=\"`development`\" pulumi-lang-python=\"`development`\" pulumi-lang-yaml=\"`development`\" pulumi-lang-java=\"`development`\"\u003e`development`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`preview`\" pulumi-lang-dotnet=\"`Preview`\" pulumi-lang-go=\"`preview`\" pulumi-lang-python=\"`preview`\" pulumi-lang-yaml=\"`preview`\" pulumi-lang-java=\"`preview`\"\u003e`preview`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`production`\" pulumi-lang-dotnet=\"`Production`\" pulumi-lang-go=\"`production`\" pulumi-lang-python=\"`production`\" pulumi-lang-yaml=\"`production`\" pulumi-lang-java=\"`production`\"\u003e`production`\u003c/span\u003e.\n"},"disableStrictNetworking":{"type":"boolean","description":"If set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, disables strict networking enforcement\nfor this destination. When disabled, Vault will not enforce allowed IP addresses and ports.\nDefaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e. Requires Vault 1.19+.\n"},"granularity":{"type":"string","description":"Determines what level of information is synced as a distinct resource\nat the destination. Supports `secret-path` and `secret-key`.\n"},"name":{"type":"string","description":"Unique name of the GitHub destination.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n","willReplaceOnChanges":true},"projectId":{"type":"string","description":"Project ID where to manage environment variables.\n","willReplaceOnChanges":true},"secretNameTemplate":{"type":"string","description":"Template describing how to generate external secret names.\nSupports a subset of the Go Template syntax.\n"},"teamId":{"type":"string","description":"Team ID where to manage environment variables.\n"},"type":{"type":"string","description":"The type of the secrets destination (`vercel-project`).\n","willReplaceOnChanges":true}},"type":"object"}},"vault:ssh/secretBackendCa:SecretBackendCa":{"description":"Provides a resource to manage CA information in an SSH secret backend\n[SSH secret backend within Vault](https://www.vaultproject.io/docs/secrets/ssh/index.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.Mount(\"example\", {type: \"ssh\"});\nconst foo = new vault.ssh.SecretBackendCa(\"foo\", {backend: example.path});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.Mount(\"example\", type=\"ssh\")\nfoo = vault.ssh.SecretBackendCa(\"foo\", backend=example.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Mount(\"example\", new()\n    {\n        Type = \"ssh\",\n    });\n\n    var foo = new Vault.Ssh.SecretBackendCa(\"foo\", new()\n    {\n        Backend = example.Path,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ssh\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := vault.NewMount(ctx, \"example\", \u0026vault.MountArgs{\n\t\t\tType: pulumi.String(\"ssh\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ssh.NewSecretBackendCa(ctx, \"foo\", \u0026ssh.SecretBackendCaArgs{\n\t\t\tBackend: example.Path,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.ssh.SecretBackendCa;\nimport com.pulumi.vault.ssh.SecretBackendCaArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new Mount(\"example\", MountArgs.builder()\n            .type(\"ssh\")\n            .build());\n\n        var foo = new SecretBackendCa(\"foo\", SecretBackendCaArgs.builder()\n            .backend(example.path())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:Mount\n    properties:\n      type: ssh\n  foo:\n    type: vault:ssh:SecretBackendCa\n    properties:\n      backend: ${example.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nSSH secret backend CAs can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:ssh/secretBackendCa:SecretBackendCa foo ssh\n```\n","properties":{"backend":{"type":"string","description":"The path where the SSH secret backend is mounted. Defaults to 'ssh'\n"},"generateSigningKey":{"type":"boolean","description":"Whether Vault should generate the signing key pair internally. Defaults to true\n"},"keyBits":{"type":"integer","description":"Specifies the desired key bits for the generated SSH CA key when \u003cspan pulumi-lang-nodejs=\"`generateSigningKey`\" pulumi-lang-dotnet=\"`GenerateSigningKey`\" pulumi-lang-go=\"`generateSigningKey`\" pulumi-lang-python=\"`generate_signing_key`\" pulumi-lang-yaml=\"`generateSigningKey`\" pulumi-lang-java=\"`generateSigningKey`\"\u003e`generate_signing_key`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"},"keyType":{"type":"string","description":"Specifies the desired key type for the generated SSH CA key when \u003cspan pulumi-lang-nodejs=\"`generateSigningKey`\" pulumi-lang-dotnet=\"`GenerateSigningKey`\" pulumi-lang-go=\"`generateSigningKey`\" pulumi-lang-python=\"`generate_signing_key`\" pulumi-lang-yaml=\"`generateSigningKey`\" pulumi-lang-java=\"`generateSigningKey`\"\u003e`generate_signing_key`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"},"managedKeyId":{"type":"string","description":"The id of the managed key to use. When using a managed key, this field or\u003cspan pulumi-lang-nodejs=\" managedKeyName \" pulumi-lang-dotnet=\" ManagedKeyName \" pulumi-lang-go=\" managedKeyName \" pulumi-lang-python=\" managed_key_name \" pulumi-lang-yaml=\" managedKeyName \" pulumi-lang-java=\" managedKeyName \"\u003e managed_key_name \u003c/span\u003eis required."},"managedKeyName":{"type":"string","description":"The name of the managed key to use. When using a managed key, this field or\u003cspan pulumi-lang-nodejs=\" managedKeyId \" pulumi-lang-dotnet=\" ManagedKeyId \" pulumi-lang-go=\" managedKeyId \" pulumi-lang-python=\" managed_key_id \" pulumi-lang-yaml=\" managedKeyId \" pulumi-lang-java=\" managedKeyId \"\u003e managed_key_id \u003c/span\u003eis required.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"privateKey":{"type":"string","description":"The private key part the SSH CA key pair; required if\u003cspan pulumi-lang-nodejs=\" generateSigningKey \" pulumi-lang-dotnet=\" GenerateSigningKey \" pulumi-lang-go=\" generateSigningKey \" pulumi-lang-python=\" generate_signing_key \" pulumi-lang-yaml=\" generateSigningKey \" pulumi-lang-java=\" generateSigningKey \"\u003e generate_signing_key \u003c/span\u003eis false.\n","secret":true},"publicKey":{"type":"string","description":"The public key part the SSH CA key pair; required if\u003cspan pulumi-lang-nodejs=\" generateSigningKey \" pulumi-lang-dotnet=\" GenerateSigningKey \" pulumi-lang-go=\" generateSigningKey \" pulumi-lang-python=\" generate_signing_key \" pulumi-lang-yaml=\" generateSigningKey \" pulumi-lang-java=\" generateSigningKey \"\u003e generate_signing_key \u003c/span\u003eis false.\n"}},"required":["privateKey","publicKey"],"inputProperties":{"backend":{"type":"string","description":"The path where the SSH secret backend is mounted. Defaults to 'ssh'\n","willReplaceOnChanges":true},"generateSigningKey":{"type":"boolean","description":"Whether Vault should generate the signing key pair internally. Defaults to true\n","willReplaceOnChanges":true},"keyBits":{"type":"integer","description":"Specifies the desired key bits for the generated SSH CA key when \u003cspan pulumi-lang-nodejs=\"`generateSigningKey`\" pulumi-lang-dotnet=\"`GenerateSigningKey`\" pulumi-lang-go=\"`generateSigningKey`\" pulumi-lang-python=\"`generate_signing_key`\" pulumi-lang-yaml=\"`generateSigningKey`\" pulumi-lang-java=\"`generateSigningKey`\"\u003e`generate_signing_key`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n","willReplaceOnChanges":true},"keyType":{"type":"string","description":"Specifies the desired key type for the generated SSH CA key when \u003cspan pulumi-lang-nodejs=\"`generateSigningKey`\" pulumi-lang-dotnet=\"`GenerateSigningKey`\" pulumi-lang-go=\"`generateSigningKey`\" pulumi-lang-python=\"`generate_signing_key`\" pulumi-lang-yaml=\"`generateSigningKey`\" pulumi-lang-java=\"`generateSigningKey`\"\u003e`generate_signing_key`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n","willReplaceOnChanges":true},"managedKeyId":{"type":"string","description":"The id of the managed key to use. When using a managed key, this field or\u003cspan pulumi-lang-nodejs=\" managedKeyName \" pulumi-lang-dotnet=\" ManagedKeyName \" pulumi-lang-go=\" managedKeyName \" pulumi-lang-python=\" managed_key_name \" pulumi-lang-yaml=\" managedKeyName \" pulumi-lang-java=\" managedKeyName \"\u003e managed_key_name \u003c/span\u003eis required.","willReplaceOnChanges":true},"managedKeyName":{"type":"string","description":"The name of the managed key to use. When using a managed key, this field or\u003cspan pulumi-lang-nodejs=\" managedKeyId \" pulumi-lang-dotnet=\" ManagedKeyId \" pulumi-lang-go=\" managedKeyId \" pulumi-lang-python=\" managed_key_id \" pulumi-lang-yaml=\" managedKeyId \" pulumi-lang-java=\" managedKeyId \"\u003e managed_key_id \u003c/span\u003eis required.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"privateKey":{"type":"string","description":"The private key part the SSH CA key pair; required if\u003cspan pulumi-lang-nodejs=\" generateSigningKey \" pulumi-lang-dotnet=\" GenerateSigningKey \" pulumi-lang-go=\" generateSigningKey \" pulumi-lang-python=\" generate_signing_key \" pulumi-lang-yaml=\" generateSigningKey \" pulumi-lang-java=\" generateSigningKey \"\u003e generate_signing_key \u003c/span\u003eis false.\n","secret":true,"willReplaceOnChanges":true},"publicKey":{"type":"string","description":"The public key part the SSH CA key pair; required if\u003cspan pulumi-lang-nodejs=\" generateSigningKey \" pulumi-lang-dotnet=\" GenerateSigningKey \" pulumi-lang-go=\" generateSigningKey \" pulumi-lang-python=\" generate_signing_key \" pulumi-lang-yaml=\" generateSigningKey \" pulumi-lang-java=\" generateSigningKey \"\u003e generate_signing_key \u003c/span\u003eis false.\n","willReplaceOnChanges":true}},"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendCa resources.\n","properties":{"backend":{"type":"string","description":"The path where the SSH secret backend is mounted. Defaults to 'ssh'\n","willReplaceOnChanges":true},"generateSigningKey":{"type":"boolean","description":"Whether Vault should generate the signing key pair internally. Defaults to true\n","willReplaceOnChanges":true},"keyBits":{"type":"integer","description":"Specifies the desired key bits for the generated SSH CA key when \u003cspan pulumi-lang-nodejs=\"`generateSigningKey`\" pulumi-lang-dotnet=\"`GenerateSigningKey`\" pulumi-lang-go=\"`generateSigningKey`\" pulumi-lang-python=\"`generate_signing_key`\" pulumi-lang-yaml=\"`generateSigningKey`\" pulumi-lang-java=\"`generateSigningKey`\"\u003e`generate_signing_key`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n","willReplaceOnChanges":true},"keyType":{"type":"string","description":"Specifies the desired key type for the generated SSH CA key when \u003cspan pulumi-lang-nodejs=\"`generateSigningKey`\" pulumi-lang-dotnet=\"`GenerateSigningKey`\" pulumi-lang-go=\"`generateSigningKey`\" pulumi-lang-python=\"`generate_signing_key`\" pulumi-lang-yaml=\"`generateSigningKey`\" pulumi-lang-java=\"`generateSigningKey`\"\u003e`generate_signing_key`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n","willReplaceOnChanges":true},"managedKeyId":{"type":"string","description":"The id of the managed key to use. When using a managed key, this field or\u003cspan pulumi-lang-nodejs=\" managedKeyName \" pulumi-lang-dotnet=\" ManagedKeyName \" pulumi-lang-go=\" managedKeyName \" pulumi-lang-python=\" managed_key_name \" pulumi-lang-yaml=\" managedKeyName \" pulumi-lang-java=\" managedKeyName \"\u003e managed_key_name \u003c/span\u003eis required.","willReplaceOnChanges":true},"managedKeyName":{"type":"string","description":"The name of the managed key to use. When using a managed key, this field or\u003cspan pulumi-lang-nodejs=\" managedKeyId \" pulumi-lang-dotnet=\" ManagedKeyId \" pulumi-lang-go=\" managedKeyId \" pulumi-lang-python=\" managed_key_id \" pulumi-lang-yaml=\" managedKeyId \" pulumi-lang-java=\" managedKeyId \"\u003e managed_key_id \u003c/span\u003eis required.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"privateKey":{"type":"string","description":"The private key part the SSH CA key pair; required if\u003cspan pulumi-lang-nodejs=\" generateSigningKey \" pulumi-lang-dotnet=\" GenerateSigningKey \" pulumi-lang-go=\" generateSigningKey \" pulumi-lang-python=\" generate_signing_key \" pulumi-lang-yaml=\" generateSigningKey \" pulumi-lang-java=\" generateSigningKey \"\u003e generate_signing_key \u003c/span\u003eis false.\n","secret":true,"willReplaceOnChanges":true},"publicKey":{"type":"string","description":"The public key part the SSH CA key pair; required if\u003cspan pulumi-lang-nodejs=\" generateSigningKey \" pulumi-lang-dotnet=\" GenerateSigningKey \" pulumi-lang-go=\" generateSigningKey \" pulumi-lang-python=\" generate_signing_key \" pulumi-lang-yaml=\" generateSigningKey \" pulumi-lang-java=\" generateSigningKey \"\u003e generate_signing_key \u003c/span\u003eis false.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:ssh/secretBackendRole:SecretBackendRole":{"description":"Provides a resource to manage roles in an SSH secret backend\n[SSH secret backend within Vault](https://www.vaultproject.io/docs/secrets/ssh/index.html).\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.Mount(\"example\", {type: \"ssh\"});\nconst foo = new vault.ssh.SecretBackendRole(\"foo\", {\n    name: \"my-role\",\n    backend: example.path,\n    keyType: \"ca\",\n    allowUserCertificates: true,\n});\nconst bar = new vault.ssh.SecretBackendRole(\"bar\", {\n    name: \"otp-role\",\n    backend: example.path,\n    keyType: \"otp\",\n    defaultUser: \"default\",\n    allowedUsers: \"default,baz\",\n    cidrList: \"0.0.0.0/0\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.Mount(\"example\", type=\"ssh\")\nfoo = vault.ssh.SecretBackendRole(\"foo\",\n    name=\"my-role\",\n    backend=example.path,\n    key_type=\"ca\",\n    allow_user_certificates=True)\nbar = vault.ssh.SecretBackendRole(\"bar\",\n    name=\"otp-role\",\n    backend=example.path,\n    key_type=\"otp\",\n    default_user=\"default\",\n    allowed_users=\"default,baz\",\n    cidr_list=\"0.0.0.0/0\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.Mount(\"example\", new()\n    {\n        Type = \"ssh\",\n    });\n\n    var foo = new Vault.Ssh.SecretBackendRole(\"foo\", new()\n    {\n        Name = \"my-role\",\n        Backend = example.Path,\n        KeyType = \"ca\",\n        AllowUserCertificates = true,\n    });\n\n    var bar = new Vault.Ssh.SecretBackendRole(\"bar\", new()\n    {\n        Name = \"otp-role\",\n        Backend = example.Path,\n        KeyType = \"otp\",\n        DefaultUser = \"default\",\n        AllowedUsers = \"default,baz\",\n        CidrList = \"0.0.0.0/0\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ssh\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := vault.NewMount(ctx, \"example\", \u0026vault.MountArgs{\n\t\t\tType: pulumi.String(\"ssh\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ssh.NewSecretBackendRole(ctx, \"foo\", \u0026ssh.SecretBackendRoleArgs{\n\t\t\tName:                  pulumi.String(\"my-role\"),\n\t\t\tBackend:               example.Path,\n\t\t\tKeyType:               pulumi.String(\"ca\"),\n\t\t\tAllowUserCertificates: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = ssh.NewSecretBackendRole(ctx, \"bar\", \u0026ssh.SecretBackendRoleArgs{\n\t\t\tName:         pulumi.String(\"otp-role\"),\n\t\t\tBackend:      example.Path,\n\t\t\tKeyType:      pulumi.String(\"otp\"),\n\t\t\tDefaultUser:  pulumi.String(\"default\"),\n\t\t\tAllowedUsers: pulumi.String(\"default,baz\"),\n\t\t\tCidrList:     pulumi.String(\"0.0.0.0/0\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.ssh.SecretBackendRole;\nimport com.pulumi.vault.ssh.SecretBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new Mount(\"example\", MountArgs.builder()\n            .type(\"ssh\")\n            .build());\n\n        var foo = new SecretBackendRole(\"foo\", SecretBackendRoleArgs.builder()\n            .name(\"my-role\")\n            .backend(example.path())\n            .keyType(\"ca\")\n            .allowUserCertificates(true)\n            .build());\n\n        var bar = new SecretBackendRole(\"bar\", SecretBackendRoleArgs.builder()\n            .name(\"otp-role\")\n            .backend(example.path())\n            .keyType(\"otp\")\n            .defaultUser(\"default\")\n            .allowedUsers(\"default,baz\")\n            .cidrList(\"0.0.0.0/0\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:Mount\n    properties:\n      type: ssh\n  foo:\n    type: vault:ssh:SecretBackendRole\n    properties:\n      name: my-role\n      backend: ${example.path}\n      keyType: ca\n      allowUserCertificates: true\n  bar:\n    type: vault:ssh:SecretBackendRole\n    properties:\n      name: otp-role\n      backend: ${example.path}\n      keyType: otp\n      defaultUser: default\n      allowedUsers: default,baz\n      cidrList: 0.0.0.0/0\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nSSH secret backend roles can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:ssh/secretBackendRole:SecretBackendRole foo ssh/roles/my-role\n```\n","properties":{"algorithmSigner":{"type":"string","description":"When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.\n"},"allowBareDomains":{"type":"boolean","description":"Specifies if host certificates that are requested are allowed to use the base domains listed in \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e.\n"},"allowEmptyPrincipals":{"type":"boolean","description":"Allow signing certificates with no\nvalid principals (e.g. any valid principal). For backwards compatibility\nonly. The default of false is highly recommended.\n"},"allowHostCertificates":{"type":"boolean","description":"Specifies if certificates are allowed to be signed for use as a 'host'.\n"},"allowSubdomains":{"type":"boolean","description":"Specifies if host certificates that are requested are allowed to be subdomains of those listed in \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e.\n"},"allowUserCertificates":{"type":"boolean","description":"Specifies if certificates are allowed to be signed for use as a 'user'.\n"},"allowUserKeyIds":{"type":"boolean","description":"Specifies if users can override the key ID for a signed certificate with the \u003cspan pulumi-lang-nodejs=\"`keyId`\" pulumi-lang-dotnet=\"`KeyId`\" pulumi-lang-go=\"`keyId`\" pulumi-lang-python=\"`key_id`\" pulumi-lang-yaml=\"`keyId`\" pulumi-lang-java=\"`keyId`\"\u003e`key_id`\u003c/span\u003e field.\n"},"allowedCriticalOptions":{"type":"string","description":"Specifies a comma-separated list of critical options that certificates can have when signed.\n"},"allowedDomains":{"type":"string","description":"The list of domains for which a client can request a host certificate.\n"},"allowedDomainsTemplate":{"type":"boolean","description":"Specifies if \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e can be declared using\nidentity template policies. Non-templated domains are also permitted.\n"},"allowedExtensions":{"type":"string","description":"Specifies a comma-separated list of extensions that certificates can have when signed.\n"},"allowedUserKeyConfigs":{"type":"array","items":{"$ref":"#/types/vault:ssh/SecretBackendRoleAllowedUserKeyConfig:SecretBackendRoleAllowedUserKeyConfig"},"description":"Set of configuration blocks to define allowed  \nuser key configuration, like key type and their lengths. Can be specified multiple times.\n*See Configuration-Options for more info*\n"},"allowedUsers":{"type":"string","description":"Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.\n"},"allowedUsersTemplate":{"type":"boolean","description":"Specifies if \u003cspan pulumi-lang-nodejs=\"`allowedUsers`\" pulumi-lang-dotnet=\"`AllowedUsers`\" pulumi-lang-go=\"`allowedUsers`\" pulumi-lang-python=\"`allowed_users`\" pulumi-lang-yaml=\"`allowedUsers`\" pulumi-lang-java=\"`allowedUsers`\"\u003e`allowed_users`\u003c/span\u003e can be declared using identity template policies. Non-templated users are also permitted.\n"},"backend":{"type":"string","description":"The path where the SSH secret backend is mounted.\n"},"cidrList":{"type":"string","description":"The comma-separated string of CIDR blocks for which this role is applicable.\n"},"defaultCriticalOptions":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies a map of critical options that certificates have when signed.\n"},"defaultExtensions":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies a map of extensions that certificates have when signed.\n"},"defaultUser":{"type":"string","description":"Specifies the default username for which a credential will be generated.\n"},"defaultUserTemplate":{"type":"boolean","description":"If set, \u003cspan pulumi-lang-nodejs=\"`defaultUsers`\" pulumi-lang-dotnet=\"`DefaultUsers`\" pulumi-lang-go=\"`defaultUsers`\" pulumi-lang-python=\"`default_users`\" pulumi-lang-yaml=\"`defaultUsers`\" pulumi-lang-java=\"`defaultUsers`\"\u003e`default_users`\u003c/span\u003e can be specified using identity template values. A non-templated user is also permitted.\n"},"keyIdFormat":{"type":"string","description":"Specifies a custom format for the key id of a signed certificate.\n"},"keyType":{"type":"string","description":"Specifies the type of credentials generated by this role. This can be either \u003cspan pulumi-lang-nodejs=\"`otp`\" pulumi-lang-dotnet=\"`Otp`\" pulumi-lang-go=\"`otp`\" pulumi-lang-python=\"`otp`\" pulumi-lang-yaml=\"`otp`\" pulumi-lang-java=\"`otp`\"\u003e`otp`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`dynamic`\" pulumi-lang-dotnet=\"`Dynamic`\" pulumi-lang-go=\"`dynamic`\" pulumi-lang-python=\"`dynamic`\" pulumi-lang-yaml=\"`dynamic`\" pulumi-lang-java=\"`dynamic`\"\u003e`dynamic`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ca`\" pulumi-lang-dotnet=\"`Ca`\" pulumi-lang-go=\"`ca`\" pulumi-lang-python=\"`ca`\" pulumi-lang-yaml=\"`ca`\" pulumi-lang-java=\"`ca`\"\u003e`ca`\u003c/span\u003e.\n"},"maxTtl":{"type":"string","description":"Specifies the maximum Time To Live value.\n"},"name":{"type":"string","description":"Specifies the name of the role to create.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings."},"ttl":{"type":"string","description":"Specifies the Time To Live value.\n"}},"required":["algorithmSigner","allowedDomainsTemplate","backend","keyType","maxTtl","name","notBeforeDuration","ttl"],"inputProperties":{"algorithmSigner":{"type":"string","description":"When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.\n"},"allowBareDomains":{"type":"boolean","description":"Specifies if host certificates that are requested are allowed to use the base domains listed in \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e.\n"},"allowEmptyPrincipals":{"type":"boolean","description":"Allow signing certificates with no\nvalid principals (e.g. any valid principal). For backwards compatibility\nonly. The default of false is highly recommended.\n"},"allowHostCertificates":{"type":"boolean","description":"Specifies if certificates are allowed to be signed for use as a 'host'.\n"},"allowSubdomains":{"type":"boolean","description":"Specifies if host certificates that are requested are allowed to be subdomains of those listed in \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e.\n"},"allowUserCertificates":{"type":"boolean","description":"Specifies if certificates are allowed to be signed for use as a 'user'.\n"},"allowUserKeyIds":{"type":"boolean","description":"Specifies if users can override the key ID for a signed certificate with the \u003cspan pulumi-lang-nodejs=\"`keyId`\" pulumi-lang-dotnet=\"`KeyId`\" pulumi-lang-go=\"`keyId`\" pulumi-lang-python=\"`key_id`\" pulumi-lang-yaml=\"`keyId`\" pulumi-lang-java=\"`keyId`\"\u003e`key_id`\u003c/span\u003e field.\n"},"allowedCriticalOptions":{"type":"string","description":"Specifies a comma-separated list of critical options that certificates can have when signed.\n"},"allowedDomains":{"type":"string","description":"The list of domains for which a client can request a host certificate.\n"},"allowedDomainsTemplate":{"type":"boolean","description":"Specifies if \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e can be declared using\nidentity template policies. Non-templated domains are also permitted.\n"},"allowedExtensions":{"type":"string","description":"Specifies a comma-separated list of extensions that certificates can have when signed.\n"},"allowedUserKeyConfigs":{"type":"array","items":{"$ref":"#/types/vault:ssh/SecretBackendRoleAllowedUserKeyConfig:SecretBackendRoleAllowedUserKeyConfig"},"description":"Set of configuration blocks to define allowed  \nuser key configuration, like key type and their lengths. Can be specified multiple times.\n*See Configuration-Options for more info*\n"},"allowedUsers":{"type":"string","description":"Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.\n"},"allowedUsersTemplate":{"type":"boolean","description":"Specifies if \u003cspan pulumi-lang-nodejs=\"`allowedUsers`\" pulumi-lang-dotnet=\"`AllowedUsers`\" pulumi-lang-go=\"`allowedUsers`\" pulumi-lang-python=\"`allowed_users`\" pulumi-lang-yaml=\"`allowedUsers`\" pulumi-lang-java=\"`allowedUsers`\"\u003e`allowed_users`\u003c/span\u003e can be declared using identity template policies. Non-templated users are also permitted.\n"},"backend":{"type":"string","description":"The path where the SSH secret backend is mounted.\n","willReplaceOnChanges":true},"cidrList":{"type":"string","description":"The comma-separated string of CIDR blocks for which this role is applicable.\n"},"defaultCriticalOptions":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies a map of critical options that certificates have when signed.\n"},"defaultExtensions":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies a map of extensions that certificates have when signed.\n"},"defaultUser":{"type":"string","description":"Specifies the default username for which a credential will be generated.\n"},"defaultUserTemplate":{"type":"boolean","description":"If set, \u003cspan pulumi-lang-nodejs=\"`defaultUsers`\" pulumi-lang-dotnet=\"`DefaultUsers`\" pulumi-lang-go=\"`defaultUsers`\" pulumi-lang-python=\"`default_users`\" pulumi-lang-yaml=\"`defaultUsers`\" pulumi-lang-java=\"`defaultUsers`\"\u003e`default_users`\u003c/span\u003e can be specified using identity template values. A non-templated user is also permitted.\n"},"keyIdFormat":{"type":"string","description":"Specifies a custom format for the key id of a signed certificate.\n"},"keyType":{"type":"string","description":"Specifies the type of credentials generated by this role. This can be either \u003cspan pulumi-lang-nodejs=\"`otp`\" pulumi-lang-dotnet=\"`Otp`\" pulumi-lang-go=\"`otp`\" pulumi-lang-python=\"`otp`\" pulumi-lang-yaml=\"`otp`\" pulumi-lang-java=\"`otp`\"\u003e`otp`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`dynamic`\" pulumi-lang-dotnet=\"`Dynamic`\" pulumi-lang-go=\"`dynamic`\" pulumi-lang-python=\"`dynamic`\" pulumi-lang-yaml=\"`dynamic`\" pulumi-lang-java=\"`dynamic`\"\u003e`dynamic`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ca`\" pulumi-lang-dotnet=\"`Ca`\" pulumi-lang-go=\"`ca`\" pulumi-lang-python=\"`ca`\" pulumi-lang-yaml=\"`ca`\" pulumi-lang-java=\"`ca`\"\u003e`ca`\u003c/span\u003e.\n"},"maxTtl":{"type":"string","description":"Specifies the maximum Time To Live value.\n"},"name":{"type":"string","description":"Specifies the name of the role to create.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings."},"ttl":{"type":"string","description":"Specifies the Time To Live value.\n"}},"requiredInputs":["backend","keyType"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendRole resources.\n","properties":{"algorithmSigner":{"type":"string","description":"When supplied, this value specifies a signing algorithm for the key. Possible values: ssh-rsa, rsa-sha2-256, rsa-sha2-512.\n"},"allowBareDomains":{"type":"boolean","description":"Specifies if host certificates that are requested are allowed to use the base domains listed in \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e.\n"},"allowEmptyPrincipals":{"type":"boolean","description":"Allow signing certificates with no\nvalid principals (e.g. any valid principal). For backwards compatibility\nonly. The default of false is highly recommended.\n"},"allowHostCertificates":{"type":"boolean","description":"Specifies if certificates are allowed to be signed for use as a 'host'.\n"},"allowSubdomains":{"type":"boolean","description":"Specifies if host certificates that are requested are allowed to be subdomains of those listed in \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e.\n"},"allowUserCertificates":{"type":"boolean","description":"Specifies if certificates are allowed to be signed for use as a 'user'.\n"},"allowUserKeyIds":{"type":"boolean","description":"Specifies if users can override the key ID for a signed certificate with the \u003cspan pulumi-lang-nodejs=\"`keyId`\" pulumi-lang-dotnet=\"`KeyId`\" pulumi-lang-go=\"`keyId`\" pulumi-lang-python=\"`key_id`\" pulumi-lang-yaml=\"`keyId`\" pulumi-lang-java=\"`keyId`\"\u003e`key_id`\u003c/span\u003e field.\n"},"allowedCriticalOptions":{"type":"string","description":"Specifies a comma-separated list of critical options that certificates can have when signed.\n"},"allowedDomains":{"type":"string","description":"The list of domains for which a client can request a host certificate.\n"},"allowedDomainsTemplate":{"type":"boolean","description":"Specifies if \u003cspan pulumi-lang-nodejs=\"`allowedDomains`\" pulumi-lang-dotnet=\"`AllowedDomains`\" pulumi-lang-go=\"`allowedDomains`\" pulumi-lang-python=\"`allowed_domains`\" pulumi-lang-yaml=\"`allowedDomains`\" pulumi-lang-java=\"`allowedDomains`\"\u003e`allowed_domains`\u003c/span\u003e can be declared using\nidentity template policies. Non-templated domains are also permitted.\n"},"allowedExtensions":{"type":"string","description":"Specifies a comma-separated list of extensions that certificates can have when signed.\n"},"allowedUserKeyConfigs":{"type":"array","items":{"$ref":"#/types/vault:ssh/SecretBackendRoleAllowedUserKeyConfig:SecretBackendRoleAllowedUserKeyConfig"},"description":"Set of configuration blocks to define allowed  \nuser key configuration, like key type and their lengths. Can be specified multiple times.\n*See Configuration-Options for more info*\n"},"allowedUsers":{"type":"string","description":"Specifies a comma-separated list of usernames that are to be allowed, only if certain usernames are to be allowed.\n"},"allowedUsersTemplate":{"type":"boolean","description":"Specifies if \u003cspan pulumi-lang-nodejs=\"`allowedUsers`\" pulumi-lang-dotnet=\"`AllowedUsers`\" pulumi-lang-go=\"`allowedUsers`\" pulumi-lang-python=\"`allowed_users`\" pulumi-lang-yaml=\"`allowedUsers`\" pulumi-lang-java=\"`allowedUsers`\"\u003e`allowed_users`\u003c/span\u003e can be declared using identity template policies. Non-templated users are also permitted.\n"},"backend":{"type":"string","description":"The path where the SSH secret backend is mounted.\n","willReplaceOnChanges":true},"cidrList":{"type":"string","description":"The comma-separated string of CIDR blocks for which this role is applicable.\n"},"defaultCriticalOptions":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies a map of critical options that certificates have when signed.\n"},"defaultExtensions":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies a map of extensions that certificates have when signed.\n"},"defaultUser":{"type":"string","description":"Specifies the default username for which a credential will be generated.\n"},"defaultUserTemplate":{"type":"boolean","description":"If set, \u003cspan pulumi-lang-nodejs=\"`defaultUsers`\" pulumi-lang-dotnet=\"`DefaultUsers`\" pulumi-lang-go=\"`defaultUsers`\" pulumi-lang-python=\"`default_users`\" pulumi-lang-yaml=\"`defaultUsers`\" pulumi-lang-java=\"`defaultUsers`\"\u003e`default_users`\u003c/span\u003e can be specified using identity template values. A non-templated user is also permitted.\n"},"keyIdFormat":{"type":"string","description":"Specifies a custom format for the key id of a signed certificate.\n"},"keyType":{"type":"string","description":"Specifies the type of credentials generated by this role. This can be either \u003cspan pulumi-lang-nodejs=\"`otp`\" pulumi-lang-dotnet=\"`Otp`\" pulumi-lang-go=\"`otp`\" pulumi-lang-python=\"`otp`\" pulumi-lang-yaml=\"`otp`\" pulumi-lang-java=\"`otp`\"\u003e`otp`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`dynamic`\" pulumi-lang-dotnet=\"`Dynamic`\" pulumi-lang-go=\"`dynamic`\" pulumi-lang-python=\"`dynamic`\" pulumi-lang-yaml=\"`dynamic`\" pulumi-lang-java=\"`dynamic`\"\u003e`dynamic`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`ca`\" pulumi-lang-dotnet=\"`Ca`\" pulumi-lang-go=\"`ca`\" pulumi-lang-python=\"`ca`\" pulumi-lang-yaml=\"`ca`\" pulumi-lang-java=\"`ca`\"\u003e`ca`\u003c/span\u003e.\n"},"maxTtl":{"type":"string","description":"Specifies the maximum Time To Live value.\n"},"name":{"type":"string","description":"Specifies the name of the role to create.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"notBeforeDuration":{"type":"string","description":"Specifies the duration by which to backdate the ValidAfter property. Uses duration format strings."},"ttl":{"type":"string","description":"Specifies the Time To Live value.\n"}},"type":"object"}},"vault:terraformcloud/secretBackend:SecretBackend":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.terraformcloud.SecretBackend(\"test\", {\n    backend: \"terraform\",\n    description: \"Manages the Terraform Cloud backend\",\n    token: \"V0idfhi2iksSDU234ucdbi2nidsi...\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.terraformcloud.SecretBackend(\"test\",\n    backend=\"terraform\",\n    description=\"Manages the Terraform Cloud backend\",\n    token=\"V0idfhi2iksSDU234ucdbi2nidsi...\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.TerraformCloud.SecretBackend(\"test\", new()\n    {\n        Backend = \"terraform\",\n        Description = \"Manages the Terraform Cloud backend\",\n        Token = \"V0idfhi2iksSDU234ucdbi2nidsi...\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/terraformcloud\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := terraformcloud.NewSecretBackend(ctx, \"test\", \u0026terraformcloud.SecretBackendArgs{\n\t\t\tBackend:     pulumi.String(\"terraform\"),\n\t\t\tDescription: pulumi.String(\"Manages the Terraform Cloud backend\"),\n\t\t\tToken:       pulumi.String(\"V0idfhi2iksSDU234ucdbi2nidsi...\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.terraformcloud.SecretBackend;\nimport com.pulumi.vault.terraformcloud.SecretBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new SecretBackend(\"test\", SecretBackendArgs.builder()\n            .backend(\"terraform\")\n            .description(\"Manages the Terraform Cloud backend\")\n            .token(\"V0idfhi2iksSDU234ucdbi2nidsi...\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:terraformcloud:SecretBackend\n    properties:\n      backend: terraform\n      description: Manages the Terraform Cloud backend\n      token: V0idfhi2iksSDU234ucdbi2nidsi...\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nTerraform Cloud secret backends can be imported using the `backend`, e.g.\n\n```sh\n$ pulumi import vault:terraformcloud/secretBackend:SecretBackend example terraform\n```\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"address":{"type":"string"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"backend":{"type":"string"},"basePath":{"type":"string"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source"},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment"},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n"},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability"},"token":{"type":"string","secret":true},"tokenWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\n","secret":true},"tokenWoVersion":{"type":"integer","description":"Version counter for write-only secret data."}},"required":["accessor","auditNonHmacRequestKeys","auditNonHmacResponseKeys","forceNoCache","sealWrap"],"inputProperties":{"address":{"type":"string"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"backend":{"type":"string"},"basePath":{"type":"string"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"token":{"type":"string","secret":true},"tokenWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\n","secret":true},"tokenWoVersion":{"type":"integer","description":"Version counter for write-only secret data."}},"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackend resources.\n","properties":{"accessor":{"type":"string","description":"Accessor of the mount"},"address":{"type":"string"},"allowedManagedKeys":{"type":"array","items":{"type":"string"},"description":"List of managed key registry entry names that the mount in question is allowed to access"},"allowedResponseHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"auditNonHmacRequestKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the request data object."},"auditNonHmacResponseKeys":{"type":"array","items":{"type":"string"},"description":"Specifies the list of keys that will not be HMAC'd by audit devices in the response data object."},"backend":{"type":"string"},"basePath":{"type":"string"},"defaultLeaseTtlSeconds":{"type":"integer","description":"Default lease duration for secrets in seconds"},"delegatedAuthAccessors":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"description":{"type":"string","description":"Human-friendly description of the mount for the backend."},"disableRemount":{"type":"boolean","description":"If set, opts out of mount migration on path updates.\nSee here for more info on [Mount Migration](https://www.vaultproject.io/docs/concepts/mount-migration)\n"},"externalEntropyAccess":{"type":"boolean","description":"Enable the secrets engine to access Vault's external entropy source","willReplaceOnChanges":true},"forceNoCache":{"type":"boolean","description":"If set to true, disables caching."},"identityTokenKey":{"type":"string","description":"The key to use for signing plugin workload identity tokens"},"listingVisibility":{"type":"string","description":"Specifies whether to show this mount in the UI-specific listing endpoint"},"local":{"type":"boolean","description":"Local mount flag that can be explicitly set to true to enforce local mount in HA environment","willReplaceOnChanges":true},"maxLeaseTtlSeconds":{"type":"integer","description":"Maximum possible lease duration for secrets in seconds"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"options":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies mount type specific options that are passed to the backend"},"passthroughRequestHeaders":{"type":"array","items":{"type":"string"},"description":"List of headers to allow and pass from the request to the plugin"},"pluginVersion":{"type":"string","description":"Specifies the semantic version of the plugin to use, e.g. 'v1.0.0'"},"sealWrap":{"type":"boolean","description":"Enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability","willReplaceOnChanges":true},"token":{"type":"string","secret":true},"tokenWo":{"type":"string","description":"**NOTE:** This field is write-only and its value will not be updated in state as part of read operations.\n","secret":true},"tokenWoVersion":{"type":"integer","description":"Version counter for write-only secret data."}},"type":"object"}},"vault:terraformcloud/secretCreds:SecretCreds":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.terraformcloud.SecretBackend(\"test\", {\n    backend: \"terraform\",\n    description: \"Manages the Terraform Cloud backend\",\n    token: \"V0idfhi2iksSDU234ucdbi2nidsi...\",\n});\nconst example = new vault.terraformcloud.SecretRole(\"example\", {\n    backend: test.backend,\n    name: \"test-role\",\n    organization: \"example-organization-name\",\n    teamId: \"team-ieF4isC...\",\n});\nconst token = new vault.terraformcloud.SecretCreds(\"token\", {\n    backend: test.backend,\n    role: example.name,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.terraformcloud.SecretBackend(\"test\",\n    backend=\"terraform\",\n    description=\"Manages the Terraform Cloud backend\",\n    token=\"V0idfhi2iksSDU234ucdbi2nidsi...\")\nexample = vault.terraformcloud.SecretRole(\"example\",\n    backend=test.backend,\n    name=\"test-role\",\n    organization=\"example-organization-name\",\n    team_id=\"team-ieF4isC...\")\ntoken = vault.terraformcloud.SecretCreds(\"token\",\n    backend=test.backend,\n    role=example.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.TerraformCloud.SecretBackend(\"test\", new()\n    {\n        Backend = \"terraform\",\n        Description = \"Manages the Terraform Cloud backend\",\n        Token = \"V0idfhi2iksSDU234ucdbi2nidsi...\",\n    });\n\n    var example = new Vault.TerraformCloud.SecretRole(\"example\", new()\n    {\n        Backend = test.Backend,\n        Name = \"test-role\",\n        Organization = \"example-organization-name\",\n        TeamId = \"team-ieF4isC...\",\n    });\n\n    var token = new Vault.TerraformCloud.SecretCreds(\"token\", new()\n    {\n        Backend = test.Backend,\n        Role = example.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/terraformcloud\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttest, err := terraformcloud.NewSecretBackend(ctx, \"test\", \u0026terraformcloud.SecretBackendArgs{\n\t\t\tBackend:     pulumi.String(\"terraform\"),\n\t\t\tDescription: pulumi.String(\"Manages the Terraform Cloud backend\"),\n\t\t\tToken:       pulumi.String(\"V0idfhi2iksSDU234ucdbi2nidsi...\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texample, err := terraformcloud.NewSecretRole(ctx, \"example\", \u0026terraformcloud.SecretRoleArgs{\n\t\t\tBackend:      test.Backend,\n\t\t\tName:         pulumi.String(\"test-role\"),\n\t\t\tOrganization: pulumi.String(\"example-organization-name\"),\n\t\t\tTeamId:       pulumi.String(\"team-ieF4isC...\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = terraformcloud.NewSecretCreds(ctx, \"token\", \u0026terraformcloud.SecretCredsArgs{\n\t\t\tBackend: test.Backend,\n\t\t\tRole:    example.Name,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.terraformcloud.SecretBackend;\nimport com.pulumi.vault.terraformcloud.SecretBackendArgs;\nimport com.pulumi.vault.terraformcloud.SecretRole;\nimport com.pulumi.vault.terraformcloud.SecretRoleArgs;\nimport com.pulumi.vault.terraformcloud.SecretCreds;\nimport com.pulumi.vault.terraformcloud.SecretCredsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new SecretBackend(\"test\", SecretBackendArgs.builder()\n            .backend(\"terraform\")\n            .description(\"Manages the Terraform Cloud backend\")\n            .token(\"V0idfhi2iksSDU234ucdbi2nidsi...\")\n            .build());\n\n        var example = new SecretRole(\"example\", SecretRoleArgs.builder()\n            .backend(test.backend())\n            .name(\"test-role\")\n            .organization(\"example-organization-name\")\n            .teamId(\"team-ieF4isC...\")\n            .build());\n\n        var token = new SecretCreds(\"token\", SecretCredsArgs.builder()\n            .backend(test.backend())\n            .role(example.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:terraformcloud:SecretBackend\n    properties:\n      backend: terraform\n      description: Manages the Terraform Cloud backend\n      token: V0idfhi2iksSDU234ucdbi2nidsi...\n  example:\n    type: vault:terraformcloud:SecretRole\n    properties:\n      backend: ${test.backend}\n      name: test-role\n      organization: example-organization-name\n      teamId: team-ieF4isC...\n  token:\n    type: vault:terraformcloud:SecretCreds\n    properties:\n      backend: ${test.backend}\n      role: ${example.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"backend":{"type":"string"},"leaseId":{"type":"string","description":"The lease associated with the token. Only user tokens will have a \nVault lease associated with them.\n","secret":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"organization":{"type":"string","description":"The organization associated with the token provided.\n"},"role":{"type":"string","description":"Name of the role."},"teamId":{"type":"string","description":"The team id associated with the token provided.\n"},"token":{"type":"string","description":"The actual token that was generated and can be used with API calls\nto identify the user of the call.\n","secret":true},"tokenId":{"type":"string","description":"The public identifier for a specific token. It can be used \nto look up information about a token or to revoke a token.\n"}},"required":["backend","leaseId","organization","role","teamId","token","tokenId"],"inputProperties":{"backend":{"type":"string"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"Name of the role.","willReplaceOnChanges":true}},"requiredInputs":["backend","role"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretCreds resources.\n","properties":{"backend":{"type":"string"},"leaseId":{"type":"string","description":"The lease associated with the token. Only user tokens will have a \nVault lease associated with them.\n","secret":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organization":{"type":"string","description":"The organization associated with the token provided.\n"},"role":{"type":"string","description":"Name of the role.","willReplaceOnChanges":true},"teamId":{"type":"string","description":"The team id associated with the token provided.\n"},"token":{"type":"string","description":"The actual token that was generated and can be used with API calls\nto identify the user of the call.\n","secret":true},"tokenId":{"type":"string","description":"The public identifier for a specific token. It can be used \nto look up information about a token or to revoke a token.\n"}},"type":"object"}},"vault:terraformcloud/secretRole:SecretRole":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = new vault.terraformcloud.SecretBackend(\"test\", {\n    backend: \"terraform\",\n    description: \"Manages the Terraform Cloud backend\",\n    token: \"V0idfhi2iksSDU234ucdbi2nidsi...\",\n});\nconst example = new vault.terraformcloud.SecretRole(\"example\", {\n    backend: test.backend,\n    name: \"test-role\",\n    organization: \"example-organization-name\",\n    teamId: \"team-ieF4isC...\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.terraformcloud.SecretBackend(\"test\",\n    backend=\"terraform\",\n    description=\"Manages the Terraform Cloud backend\",\n    token=\"V0idfhi2iksSDU234ucdbi2nidsi...\")\nexample = vault.terraformcloud.SecretRole(\"example\",\n    backend=test.backend,\n    name=\"test-role\",\n    organization=\"example-organization-name\",\n    team_id=\"team-ieF4isC...\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = new Vault.TerraformCloud.SecretBackend(\"test\", new()\n    {\n        Backend = \"terraform\",\n        Description = \"Manages the Terraform Cloud backend\",\n        Token = \"V0idfhi2iksSDU234ucdbi2nidsi...\",\n    });\n\n    var example = new Vault.TerraformCloud.SecretRole(\"example\", new()\n    {\n        Backend = test.Backend,\n        Name = \"test-role\",\n        Organization = \"example-organization-name\",\n        TeamId = \"team-ieF4isC...\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/terraformcloud\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttest, err := terraformcloud.NewSecretBackend(ctx, \"test\", \u0026terraformcloud.SecretBackendArgs{\n\t\t\tBackend:     pulumi.String(\"terraform\"),\n\t\t\tDescription: pulumi.String(\"Manages the Terraform Cloud backend\"),\n\t\t\tToken:       pulumi.String(\"V0idfhi2iksSDU234ucdbi2nidsi...\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = terraformcloud.NewSecretRole(ctx, \"example\", \u0026terraformcloud.SecretRoleArgs{\n\t\t\tBackend:      test.Backend,\n\t\t\tName:         pulumi.String(\"test-role\"),\n\t\t\tOrganization: pulumi.String(\"example-organization-name\"),\n\t\t\tTeamId:       pulumi.String(\"team-ieF4isC...\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.terraformcloud.SecretBackend;\nimport com.pulumi.vault.terraformcloud.SecretBackendArgs;\nimport com.pulumi.vault.terraformcloud.SecretRole;\nimport com.pulumi.vault.terraformcloud.SecretRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var test = new SecretBackend(\"test\", SecretBackendArgs.builder()\n            .backend(\"terraform\")\n            .description(\"Manages the Terraform Cloud backend\")\n            .token(\"V0idfhi2iksSDU234ucdbi2nidsi...\")\n            .build());\n\n        var example = new SecretRole(\"example\", SecretRoleArgs.builder()\n            .backend(test.backend())\n            .name(\"test-role\")\n            .organization(\"example-organization-name\")\n            .teamId(\"team-ieF4isC...\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  test:\n    type: vault:terraformcloud:SecretBackend\n    properties:\n      backend: terraform\n      description: Manages the Terraform Cloud backend\n      token: V0idfhi2iksSDU234ucdbi2nidsi...\n  example:\n    type: vault:terraformcloud:SecretRole\n    properties:\n      backend: ${test.backend}\n      name: test-role\n      organization: example-organization-name\n      teamId: team-ieF4isC...\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nTerraform Cloud secret backend roles can be imported using the `backend`, `/roles/`, and the `name` e.g.\n\n```sh\n$ pulumi import vault:terraformcloud/secretRole:SecretRole example terraform/roles/my-role\n```\n","properties":{"backend":{"type":"string"},"credentialType":{"type":"string","description":"The type of credential to generate. Valid values are 'team', 'team_legacy', 'user', or 'organization'. Can only create multiple-team tokens with \u003cspan pulumi-lang-nodejs=\"`team`\" pulumi-lang-dotnet=\"`Team`\" pulumi-lang-go=\"`team`\" pulumi-lang-python=\"`team`\" pulumi-lang-yaml=\"`team`\" pulumi-lang-java=\"`team`\"\u003e`team`\u003c/span\u003e.\n"},"description":{"type":"string"},"maxTtl":{"type":"integer","description":"Maximum TTL for leases associated with this role, in seconds.\n"},"name":{"type":"string"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"organization":{"type":"string"},"teamId":{"type":"string"},"ttl":{"type":"integer","description":"Specifies the TTL for this role, in seconds.\n"},"userId":{"type":"string"}},"required":["name"],"inputProperties":{"backend":{"type":"string","willReplaceOnChanges":true},"credentialType":{"type":"string","description":"The type of credential to generate. Valid values are 'team', 'team_legacy', 'user', or 'organization'. Can only create multiple-team tokens with \u003cspan pulumi-lang-nodejs=\"`team`\" pulumi-lang-dotnet=\"`Team`\" pulumi-lang-go=\"`team`\" pulumi-lang-python=\"`team`\" pulumi-lang-yaml=\"`team`\" pulumi-lang-java=\"`team`\"\u003e`team`\u003c/span\u003e.\n","willReplaceOnChanges":true},"description":{"type":"string"},"maxTtl":{"type":"integer","description":"Maximum TTL for leases associated with this role, in seconds.\n"},"name":{"type":"string","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organization":{"type":"string"},"teamId":{"type":"string"},"ttl":{"type":"integer","description":"Specifies the TTL for this role, in seconds.\n"},"userId":{"type":"string"}},"stateInputs":{"description":"Input properties used for looking up and filtering SecretRole resources.\n","properties":{"backend":{"type":"string","willReplaceOnChanges":true},"credentialType":{"type":"string","description":"The type of credential to generate. Valid values are 'team', 'team_legacy', 'user', or 'organization'. Can only create multiple-team tokens with \u003cspan pulumi-lang-nodejs=\"`team`\" pulumi-lang-dotnet=\"`Team`\" pulumi-lang-go=\"`team`\" pulumi-lang-python=\"`team`\" pulumi-lang-yaml=\"`team`\" pulumi-lang-java=\"`team`\"\u003e`team`\u003c/span\u003e.\n","willReplaceOnChanges":true},"description":{"type":"string"},"maxTtl":{"type":"integer","description":"Maximum TTL for leases associated with this role, in seconds.\n"},"name":{"type":"string","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"organization":{"type":"string"},"teamId":{"type":"string"},"ttl":{"type":"integer","description":"Specifies the TTL for this role, in seconds.\n"},"userId":{"type":"string"}},"type":"object"}},"vault:tokenauth/authBackendRole:AuthBackendRole":{"description":"Manages Token auth backend role in a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/docs/auth/token.html) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = new vault.tokenauth.AuthBackendRole(\"example\", {\n    roleName: \"my-role\",\n    allowedPolicies: [\n        \"dev\",\n        \"test\",\n    ],\n    disallowedPolicies: [\"default\"],\n    allowedEntityAliases: [\"test_entity\"],\n    orphan: true,\n    tokenPeriod: 86400,\n    renewable: true,\n    tokenExplicitMaxTtl: 115200,\n    pathSuffix: \"path-suffix\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.tokenauth.AuthBackendRole(\"example\",\n    role_name=\"my-role\",\n    allowed_policies=[\n        \"dev\",\n        \"test\",\n    ],\n    disallowed_policies=[\"default\"],\n    allowed_entity_aliases=[\"test_entity\"],\n    orphan=True,\n    token_period=86400,\n    renewable=True,\n    token_explicit_max_ttl=115200,\n    path_suffix=\"path-suffix\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new Vault.TokenAuth.AuthBackendRole(\"example\", new()\n    {\n        RoleName = \"my-role\",\n        AllowedPolicies = new[]\n        {\n            \"dev\",\n            \"test\",\n        },\n        DisallowedPolicies = new[]\n        {\n            \"default\",\n        },\n        AllowedEntityAliases = new[]\n        {\n            \"test_entity\",\n        },\n        Orphan = true,\n        TokenPeriod = 86400,\n        Renewable = true,\n        TokenExplicitMaxTtl = 115200,\n        PathSuffix = \"path-suffix\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/tokenauth\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := tokenauth.NewAuthBackendRole(ctx, \"example\", \u0026tokenauth.AuthBackendRoleArgs{\n\t\t\tRoleName: pulumi.String(\"my-role\"),\n\t\t\tAllowedPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"dev\"),\n\t\t\t\tpulumi.String(\"test\"),\n\t\t\t},\n\t\t\tDisallowedPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"default\"),\n\t\t\t},\n\t\t\tAllowedEntityAliases: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"test_entity\"),\n\t\t\t},\n\t\t\tOrphan:              pulumi.Bool(true),\n\t\t\tTokenPeriod:         pulumi.Int(86400),\n\t\t\tRenewable:           pulumi.Bool(true),\n\t\t\tTokenExplicitMaxTtl: pulumi.Int(115200),\n\t\t\tPathSuffix:          pulumi.String(\"path-suffix\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.tokenauth.AuthBackendRole;\nimport com.pulumi.vault.tokenauth.AuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new AuthBackendRole(\"example\", AuthBackendRoleArgs.builder()\n            .roleName(\"my-role\")\n            .allowedPolicies(            \n                \"dev\",\n                \"test\")\n            .disallowedPolicies(\"default\")\n            .allowedEntityAliases(\"test_entity\")\n            .orphan(true)\n            .tokenPeriod(86400)\n            .renewable(true)\n            .tokenExplicitMaxTtl(115200)\n            .pathSuffix(\"path-suffix\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: vault:tokenauth:AuthBackendRole\n    properties:\n      roleName: my-role\n      allowedPolicies:\n        - dev\n        - test\n      disallowedPolicies:\n        - default\n      allowedEntityAliases:\n        - test_entity\n      orphan: true\n      tokenPeriod: '86400'\n      renewable: true\n      tokenExplicitMaxTtl: '115200'\n      pathSuffix: path-suffix\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nToken auth backend roles can be imported with `auth/token/roles/` followed by the `role_name`, e.g.\n\n```sh\n$ pulumi import vault:tokenauth/authBackendRole:AuthBackendRole example auth/token/roles/my-role\n```\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowedEntityAliases":{"type":"array","items":{"type":"string"},"description":"List of allowed entity aliases.\n"},"allowedPolicies":{"type":"array","items":{"type":"string"},"description":"List of allowed policies for given role.\n"},"allowedPoliciesGlobs":{"type":"array","items":{"type":"string"},"description":"Set of allowed policies with glob match for given role.\n"},"disallowedPolicies":{"type":"array","items":{"type":"string"},"description":"List of disallowed policies for given role.\n"},"disallowedPoliciesGlobs":{"type":"array","items":{"type":"string"},"description":"Set of disallowed policies with glob match for given role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"orphan":{"type":"boolean","description":"If true, tokens created against this policy will be orphan tokens.\n"},"pathSuffix":{"type":"string","description":"Tokens created against this role will have the given suffix as part of their path in addition to the role name."},"renewable":{"type":"boolean","description":"Whether to disable the ability of the token to be renewed past its initial TTL.\n"},"roleName":{"type":"string","description":"The name of the role.\n"},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"required":["roleName"],"inputProperties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowedEntityAliases":{"type":"array","items":{"type":"string"},"description":"List of allowed entity aliases.\n"},"allowedPolicies":{"type":"array","items":{"type":"string"},"description":"List of allowed policies for given role.\n"},"allowedPoliciesGlobs":{"type":"array","items":{"type":"string"},"description":"Set of allowed policies with glob match for given role.\n"},"disallowedPolicies":{"type":"array","items":{"type":"string"},"description":"List of disallowed policies for given role.\n"},"disallowedPoliciesGlobs":{"type":"array","items":{"type":"string"},"description":"Set of disallowed policies with glob match for given role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"orphan":{"type":"boolean","description":"If true, tokens created against this policy will be orphan tokens.\n"},"pathSuffix":{"type":"string","description":"Tokens created against this role will have the given suffix as part of their path in addition to the role name."},"renewable":{"type":"boolean","description":"Whether to disable the ability of the token to be renewed past its initial TTL.\n"},"roleName":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"requiredInputs":["roleName"],"stateInputs":{"description":"Input properties used for looking up and filtering AuthBackendRole resources.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"},"description":"The metadata to be tied to generated entity alias.\n  This should be a list or map containing the metadata in key value pairs."},"allowedEntityAliases":{"type":"array","items":{"type":"string"},"description":"List of allowed entity aliases.\n"},"allowedPolicies":{"type":"array","items":{"type":"string"},"description":"List of allowed policies for given role.\n"},"allowedPoliciesGlobs":{"type":"array","items":{"type":"string"},"description":"Set of allowed policies with glob match for given role.\n"},"disallowedPolicies":{"type":"array","items":{"type":"string"},"description":"List of disallowed policies for given role.\n"},"disallowedPoliciesGlobs":{"type":"array","items":{"type":"string"},"description":"Set of disallowed policies with glob match for given role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"orphan":{"type":"boolean","description":"If true, tokens created against this policy will be orphan tokens.\n"},"pathSuffix":{"type":"string","description":"Tokens created against this role will have the given suffix as part of their path in addition to the role name."},"renewable":{"type":"boolean","description":"Whether to disable the ability of the token to be renewed past its initial TTL.\n"},"roleName":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"Specifies the blocks of IP addresses which are allowed to use the generated token"},"tokenExplicitMaxTtl":{"type":"integer","description":"Generated Token's Explicit Maximum TTL in seconds"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime of the generated token"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If true, the 'default' policy will not automatically be added to generated tokens"},"tokenNumUses":{"type":"integer","description":"The maximum number of times a token may be used, a value of zero means unlimited"},"tokenPeriod":{"type":"integer","description":"Generated Token's Period"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"Generated Token's Policies"},"tokenTtl":{"type":"integer","description":"The initial ttl of the token to generate in seconds"},"tokenType":{"type":"string","description":"The type of token to generate, service or batch"}},"type":"object"}},"vault:transform/alphabet:Alphabet":{"description":"This resource supports the \"/transform/alphabet/{name}\" Vault endpoint.\n\nIt queries an existing alphabet by the given name.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst mountTransform = new vault.Mount(\"mount_transform\", {\n    path: \"transform\",\n    type: \"transform\",\n});\nconst test = new vault.transform.Alphabet(\"test\", {\n    path: mountTransform.path,\n    name: \"numerics\",\n    alphabet: \"0123456789\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nmount_transform = vault.Mount(\"mount_transform\",\n    path=\"transform\",\n    type=\"transform\")\ntest = vault.transform.Alphabet(\"test\",\n    path=mount_transform.path,\n    name=\"numerics\",\n    alphabet=\"0123456789\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var mountTransform = new Vault.Mount(\"mount_transform\", new()\n    {\n        Path = \"transform\",\n        Type = \"transform\",\n    });\n\n    var test = new Vault.Transform.Alphabet(\"test\", new()\n    {\n        Path = mountTransform.Path,\n        Name = \"numerics\",\n        AlphabetSet = \"0123456789\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transform\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tmountTransform, err := vault.NewMount(ctx, \"mount_transform\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"transform\"),\n\t\t\tType: pulumi.String(\"transform\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = transform.NewAlphabet(ctx, \"test\", \u0026transform.AlphabetArgs{\n\t\t\tPath:     mountTransform.Path,\n\t\t\tName:     pulumi.String(\"numerics\"),\n\t\t\tAlphabet: pulumi.String(\"0123456789\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.transform.Alphabet;\nimport com.pulumi.vault.transform.AlphabetArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var mountTransform = new Mount(\"mountTransform\", MountArgs.builder()\n            .path(\"transform\")\n            .type(\"transform\")\n            .build());\n\n        var test = new Alphabet(\"test\", AlphabetArgs.builder()\n            .path(mountTransform.path())\n            .name(\"numerics\")\n            .alphabet(\"0123456789\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  mountTransform:\n    type: vault:Mount\n    name: mount_transform\n    properties:\n      path: transform\n      type: transform\n  test:\n    type: vault:transform:Alphabet\n    properties:\n      path: ${mountTransform.path}\n      name: numerics\n      alphabet: '0123456789'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"alphabet":{"type":"string","description":"A string of characters that contains the alphabet set.\n","language":{"csharp":{"name":"AlphabetSet"}}},"name":{"type":"string","description":"The name of the alphabet.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n"}},"required":["name","path"],"inputProperties":{"alphabet":{"type":"string","description":"A string of characters that contains the alphabet set.\n","language":{"csharp":{"name":"AlphabetSet"}}},"name":{"type":"string","description":"The name of the alphabet.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true}},"requiredInputs":["path"],"stateInputs":{"description":"Input properties used for looking up and filtering Alphabet resources.\n","properties":{"alphabet":{"type":"string","description":"A string of characters that contains the alphabet set.\n","language":{"csharp":{"name":"AlphabetSet"}}},"name":{"type":"string","description":"The name of the alphabet.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true}},"type":"object"}},"vault:transform/role:Role":{"description":"This resource supports the \"/transform/role/{name}\" Vault endpoint.\n\nIt creates or updates the role with the given name. If a role with the name does not exist, it will be created.\nIf the role exists, it will be updated with the new attributes.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst mountTransform = new vault.Mount(\"mount_transform\", {\n    path: \"transform\",\n    type: \"transform\",\n});\nconst test = new vault.transform.Role(\"test\", {\n    path: mountTransform.path,\n    name: \"payments\",\n    transformations: [\"ccn-fpe\"],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nmount_transform = vault.Mount(\"mount_transform\",\n    path=\"transform\",\n    type=\"transform\")\ntest = vault.transform.Role(\"test\",\n    path=mount_transform.path,\n    name=\"payments\",\n    transformations=[\"ccn-fpe\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var mountTransform = new Vault.Mount(\"mount_transform\", new()\n    {\n        Path = \"transform\",\n        Type = \"transform\",\n    });\n\n    var test = new Vault.Transform.Role(\"test\", new()\n    {\n        Path = mountTransform.Path,\n        Name = \"payments\",\n        Transformations = new[]\n        {\n            \"ccn-fpe\",\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transform\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tmountTransform, err := vault.NewMount(ctx, \"mount_transform\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"transform\"),\n\t\t\tType: pulumi.String(\"transform\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = transform.NewRole(ctx, \"test\", \u0026transform.RoleArgs{\n\t\t\tPath: mountTransform.Path,\n\t\t\tName: pulumi.String(\"payments\"),\n\t\t\tTransformations: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ccn-fpe\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.transform.Role;\nimport com.pulumi.vault.transform.RoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var mountTransform = new Mount(\"mountTransform\", MountArgs.builder()\n            .path(\"transform\")\n            .type(\"transform\")\n            .build());\n\n        var test = new Role(\"test\", RoleArgs.builder()\n            .path(mountTransform.path())\n            .name(\"payments\")\n            .transformations(\"ccn-fpe\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  mountTransform:\n    type: vault:Mount\n    name: mount_transform\n    properties:\n      path: transform\n      type: transform\n  test:\n    type: vault:transform:Role\n    properties:\n      path: ${mountTransform.path}\n      name: payments\n      transformations:\n        - ccn-fpe\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"name":{"type":"string","description":"The name of the role.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n"},"transformations":{"type":"array","items":{"type":"string"},"description":"A comma separated string or slice of transformations to use.\n"}},"required":["name","path"],"inputProperties":{"name":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true},"transformations":{"type":"array","items":{"type":"string"},"description":"A comma separated string or slice of transformations to use.\n"}},"requiredInputs":["path"],"stateInputs":{"description":"Input properties used for looking up and filtering Role resources.\n","properties":{"name":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true},"transformations":{"type":"array","items":{"type":"string"},"description":"A comma separated string or slice of transformations to use.\n"}},"type":"object"}},"vault:transform/template:Template":{"description":"This resource supports the `/transform/template/{name}` Vault endpoint.\n\nIt creates or updates a template with the given name. If a template with the name does not exist,\nit will be created. If the template exists, it will be updated with the new attributes.\n\n\u003e Requires _Vault Enterprise with the Advanced Data Protection Transform Module_.\nSee [Transform Secrets Engine](https://www.vaultproject.io/docs/secrets/transform)\nfor more information.\n\n## Example Usage\n\nPlease note that the \u003cspan pulumi-lang-nodejs=\"`pattern`\" pulumi-lang-dotnet=\"`Pattern`\" pulumi-lang-go=\"`pattern`\" pulumi-lang-python=\"`pattern`\" pulumi-lang-yaml=\"`pattern`\" pulumi-lang-java=\"`pattern`\"\u003e`pattern`\u003c/span\u003e below holds a regex. The regex shown\nis identical to the one in our [Setup](https://www.vaultproject.io/docs/secrets/transform#setup)\ndocs, `(\\d{4})-(\\d{4})-(\\d{4})-(\\d{4})`. However, due to HCL, the\nbackslashes must be escaped to appear correctly in Vault. For further\nassistance escaping your own custom regex, see String Literals.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst transform = new vault.Mount(\"transform\", {\n    path: \"transform\",\n    type: \"transform\",\n});\nconst numerics = new vault.transform.Alphabet(\"numerics\", {\n    path: transform.path,\n    name: \"numerics\",\n    alphabet: \"0123456789\",\n});\nconst test = new vault.transform.Template(\"test\", {\n    path: numerics.path,\n    name: \"ccn\",\n    type: \"regex\",\n    pattern: \"(\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})\",\n    alphabet: \"numerics\",\n    encodeFormat: \"$1-$2-$3-$4\",\n    decodeFormats: {\n        \"last-four-digits\": \"$4\",\n    },\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntransform = vault.Mount(\"transform\",\n    path=\"transform\",\n    type=\"transform\")\nnumerics = vault.transform.Alphabet(\"numerics\",\n    path=transform.path,\n    name=\"numerics\",\n    alphabet=\"0123456789\")\ntest = vault.transform.Template(\"test\",\n    path=numerics.path,\n    name=\"ccn\",\n    type=\"regex\",\n    pattern=\"(\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})\",\n    alphabet=\"numerics\",\n    encode_format=\"$1-$2-$3-$4\",\n    decode_formats={\n        \"last-four-digits\": \"$4\",\n    })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var transform = new Vault.Mount(\"transform\", new()\n    {\n        Path = \"transform\",\n        Type = \"transform\",\n    });\n\n    var numerics = new Vault.Transform.Alphabet(\"numerics\", new()\n    {\n        Path = transform.Path,\n        Name = \"numerics\",\n        AlphabetSet = \"0123456789\",\n    });\n\n    var test = new Vault.Transform.Template(\"test\", new()\n    {\n        Path = numerics.Path,\n        Name = \"ccn\",\n        Type = \"regex\",\n        Pattern = \"(\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})\",\n        Alphabet = \"numerics\",\n        EncodeFormat = \"$1-$2-$3-$4\",\n        DecodeFormats = \n        {\n            { \"last-four-digits\", \"$4\" },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transform\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttransform, err := vault.NewMount(ctx, \"transform\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"transform\"),\n\t\t\tType: pulumi.String(\"transform\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tnumerics, err := transform.NewAlphabet(ctx, \"numerics\", \u0026transform.AlphabetArgs{\n\t\t\tPath:     transform.Path,\n\t\t\tName:     pulumi.String(\"numerics\"),\n\t\t\tAlphabet: pulumi.String(\"0123456789\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = transform.NewTemplate(ctx, \"test\", \u0026transform.TemplateArgs{\n\t\t\tPath:         numerics.Path,\n\t\t\tName:         pulumi.String(\"ccn\"),\n\t\t\tType:         pulumi.String(\"regex\"),\n\t\t\tPattern:      pulumi.String(\"(\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})\"),\n\t\t\tAlphabet:     pulumi.String(\"numerics\"),\n\t\t\tEncodeFormat: pulumi.String(\"$1-$2-$3-$4\"),\n\t\t\tDecodeFormats: pulumi.StringMap{\n\t\t\t\t\"last-four-digits\": pulumi.String(\"$4\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.transform.Alphabet;\nimport com.pulumi.vault.transform.AlphabetArgs;\nimport com.pulumi.vault.transform.Template;\nimport com.pulumi.vault.transform.TemplateArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var transform = new Mount(\"transform\", MountArgs.builder()\n            .path(\"transform\")\n            .type(\"transform\")\n            .build());\n\n        var numerics = new Alphabet(\"numerics\", AlphabetArgs.builder()\n            .path(transform.path())\n            .name(\"numerics\")\n            .alphabet(\"0123456789\")\n            .build());\n\n        var test = new Template(\"test\", TemplateArgs.builder()\n            .path(numerics.path())\n            .name(\"ccn\")\n            .type(\"regex\")\n            .pattern(\"(\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})[- ](\\\\d{4})\")\n            .alphabet(\"numerics\")\n            .encodeFormat(\"$1-$2-$3-$4\")\n            .decodeFormats(Map.of(\"last-four-digits\", \"$4\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  transform:\n    type: vault:Mount\n    properties:\n      path: transform\n      type: transform\n  numerics:\n    type: vault:transform:Alphabet\n    properties:\n      path: ${transform.path}\n      name: numerics\n      alphabet: '0123456789'\n  test:\n    type: vault:transform:Template\n    properties:\n      path: ${numerics.path}\n      name: ccn\n      type: regex\n      pattern: (\\d{4})[- ](\\d{4})[- ](\\d{4})[- ](\\d{4})\n      alphabet: numerics\n      encodeFormat: $1-$2-$3-$4\n      decodeFormats:\n        last-four-digits: $4\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"alphabet":{"type":"string","description":"The alphabet to use for this template. This is only used during FPE transformations.\n"},"decodeFormats":{"type":"object","additionalProperties":{"type":"string"},"description":"Optional mapping of name to regular expression template, used to customize\nthe decoded output. (requires Vault Enterprise 1.9+)\n"},"encodeFormat":{"type":"string","description":"The regular expression template used to format encoded values.\n(requires Vault Enterprise 1.9+)\n"},"name":{"type":"string","description":"The name of the template.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n"},"pattern":{"type":"string","description":"The pattern used for matching. Currently, only regular expression pattern is supported.\n"},"type":{"type":"string","description":"The pattern type to use for match detection. Currently, only regex is supported.\n"}},"required":["name","path"],"inputProperties":{"alphabet":{"type":"string","description":"The alphabet to use for this template. This is only used during FPE transformations.\n"},"decodeFormats":{"type":"object","additionalProperties":{"type":"string"},"description":"Optional mapping of name to regular expression template, used to customize\nthe decoded output. (requires Vault Enterprise 1.9+)\n"},"encodeFormat":{"type":"string","description":"The regular expression template used to format encoded values.\n(requires Vault Enterprise 1.9+)\n"},"name":{"type":"string","description":"The name of the template.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true},"pattern":{"type":"string","description":"The pattern used for matching. Currently, only regular expression pattern is supported.\n"},"type":{"type":"string","description":"The pattern type to use for match detection. Currently, only regex is supported.\n"}},"requiredInputs":["path"],"stateInputs":{"description":"Input properties used for looking up and filtering Template resources.\n","properties":{"alphabet":{"type":"string","description":"The alphabet to use for this template. This is only used during FPE transformations.\n"},"decodeFormats":{"type":"object","additionalProperties":{"type":"string"},"description":"Optional mapping of name to regular expression template, used to customize\nthe decoded output. (requires Vault Enterprise 1.9+)\n"},"encodeFormat":{"type":"string","description":"The regular expression template used to format encoded values.\n(requires Vault Enterprise 1.9+)\n"},"name":{"type":"string","description":"The name of the template.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true},"pattern":{"type":"string","description":"The pattern used for matching. Currently, only regular expression pattern is supported.\n"},"type":{"type":"string","description":"The pattern type to use for match detection. Currently, only regex is supported.\n"}},"type":"object"}},"vault:transform/transformation:Transformation":{"properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"The set of roles allowed to perform this transformation.\n"},"deletionAllowed":{"type":"boolean","description":"If true, this transform can be deleted.\nOtherwise, deletion is blocked while this value remains false. Default: \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n*Only supported on vault-1.12+*\n"},"maskingCharacter":{"type":"string","description":"The character used to replace data when in masking mode\n"},"name":{"type":"string","description":"The name of the transformation.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n"},"template":{"type":"string","description":"The name of the template to use.\n"},"templates":{"type":"array","items":{"type":"string"},"description":"Templates configured for transformation.\n"},"tweakSource":{"type":"string","description":"The source of where the tweak value comes from. Only valid when in FPE mode.\n"},"type":{"type":"string","description":"The type of transformation to perform.\n"}},"required":["name","path","templates"],"inputProperties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"The set of roles allowed to perform this transformation.\n"},"deletionAllowed":{"type":"boolean","description":"If true, this transform can be deleted.\nOtherwise, deletion is blocked while this value remains false. Default: \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n*Only supported on vault-1.12+*\n"},"maskingCharacter":{"type":"string","description":"The character used to replace data when in masking mode\n"},"name":{"type":"string","description":"The name of the transformation.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true},"template":{"type":"string","description":"The name of the template to use.\n"},"templates":{"type":"array","items":{"type":"string"},"description":"Templates configured for transformation.\n"},"tweakSource":{"type":"string","description":"The source of where the tweak value comes from. Only valid when in FPE mode.\n"},"type":{"type":"string","description":"The type of transformation to perform.\n"}},"requiredInputs":["path"],"stateInputs":{"description":"Input properties used for looking up and filtering Transformation resources.\n","properties":{"allowedRoles":{"type":"array","items":{"type":"string"},"description":"The set of roles allowed to perform this transformation.\n"},"deletionAllowed":{"type":"boolean","description":"If true, this transform can be deleted.\nOtherwise, deletion is blocked while this value remains false. Default: \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e\n*Only supported on vault-1.12+*\n"},"maskingCharacter":{"type":"string","description":"The character used to replace data when in masking mode\n"},"name":{"type":"string","description":"The name of the transformation.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true},"template":{"type":"string","description":"The name of the template to use.\n"},"templates":{"type":"array","items":{"type":"string"},"description":"Templates configured for transformation.\n"},"tweakSource":{"type":"string","description":"The source of where the tweak value comes from. Only valid when in FPE mode.\n"},"type":{"type":"string","description":"The type of transformation to perform.\n"}},"type":"object"}},"vault:transit/secretBackendKey:SecretBackendKey":{"description":"Creates an Encryption Keyring on a Transit Secret Backend for Vault.\n\n## Example Usage\n\n### Basic Example\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst transit = new vault.Mount(\"transit\", {\n    path: \"transit\",\n    type: \"transit\",\n    description: \"Example description\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\nconst key = new vault.transit.SecretBackendKey(\"key\", {\n    backend: transit.path,\n    name: \"my_key\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntransit = vault.Mount(\"transit\",\n    path=\"transit\",\n    type=\"transit\",\n    description=\"Example description\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\nkey = vault.transit.SecretBackendKey(\"key\",\n    backend=transit.path,\n    name=\"my_key\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var transit = new Vault.Mount(\"transit\", new()\n    {\n        Path = \"transit\",\n        Type = \"transit\",\n        Description = \"Example description\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var key = new Vault.Transit.SecretBackendKey(\"key\", new()\n    {\n        Backend = transit.Path,\n        Name = \"my_key\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transit\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttransit, err := vault.NewMount(ctx, \"transit\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"transit\"),\n\t\t\tType:                   pulumi.String(\"transit\"),\n\t\t\tDescription:            pulumi.String(\"Example description\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = transit.NewSecretBackendKey(ctx, \"key\", \u0026transit.SecretBackendKeyArgs{\n\t\t\tBackend: transit.Path,\n\t\t\tName:    pulumi.String(\"my_key\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.transit.SecretBackendKey;\nimport com.pulumi.vault.transit.SecretBackendKeyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var transit = new Mount(\"transit\", MountArgs.builder()\n            .path(\"transit\")\n            .type(\"transit\")\n            .description(\"Example description\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var key = new SecretBackendKey(\"key\", SecretBackendKeyArgs.builder()\n            .backend(transit.path())\n            .name(\"my_key\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  transit:\n    type: vault:Mount\n    properties:\n      path: transit\n      type: transit\n      description: Example description\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  key:\n    type: vault:transit:SecretBackendKey\n    properties:\n      backend: ${transit.path}\n      name: my_key\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example with Key Derivation and Context\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst transit = new vault.Mount(\"transit\", {\n    path: \"transit\",\n    type: \"transit\",\n});\nconst derivedKey = new vault.transit.SecretBackendKey(\"derived_key\", {\n    backend: transit.path,\n    name: \"derived_key\",\n    derived: true,\n    convergentEncryption: true,\n    context: \"dGVzdGNvbnRleHQ=\",\n    deletionAllowed: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntransit = vault.Mount(\"transit\",\n    path=\"transit\",\n    type=\"transit\")\nderived_key = vault.transit.SecretBackendKey(\"derived_key\",\n    backend=transit.path,\n    name=\"derived_key\",\n    derived=True,\n    convergent_encryption=True,\n    context=\"dGVzdGNvbnRleHQ=\",\n    deletion_allowed=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var transit = new Vault.Mount(\"transit\", new()\n    {\n        Path = \"transit\",\n        Type = \"transit\",\n    });\n\n    var derivedKey = new Vault.Transit.SecretBackendKey(\"derived_key\", new()\n    {\n        Backend = transit.Path,\n        Name = \"derived_key\",\n        Derived = true,\n        ConvergentEncryption = true,\n        Context = \"dGVzdGNvbnRleHQ=\",\n        DeletionAllowed = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transit\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttransit, err := vault.NewMount(ctx, \"transit\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"transit\"),\n\t\t\tType: pulumi.String(\"transit\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = transit.NewSecretBackendKey(ctx, \"derived_key\", \u0026transit.SecretBackendKeyArgs{\n\t\t\tBackend:              transit.Path,\n\t\t\tName:                 pulumi.String(\"derived_key\"),\n\t\t\tDerived:              pulumi.Bool(true),\n\t\t\tConvergentEncryption: pulumi.Bool(true),\n\t\t\tContext:              pulumi.String(\"dGVzdGNvbnRleHQ=\"),\n\t\t\tDeletionAllowed:      pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.transit.SecretBackendKey;\nimport com.pulumi.vault.transit.SecretBackendKeyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var transit = new Mount(\"transit\", MountArgs.builder()\n            .path(\"transit\")\n            .type(\"transit\")\n            .build());\n\n        var derivedKey = new SecretBackendKey(\"derivedKey\", SecretBackendKeyArgs.builder()\n            .backend(transit.path())\n            .name(\"derived_key\")\n            .derived(true)\n            .convergentEncryption(true)\n            .context(\"dGVzdGNvbnRleHQ=\")\n            .deletionAllowed(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  transit:\n    type: vault:Mount\n    properties:\n      path: transit\n      type: transit\n  derivedKey:\n    type: vault:transit:SecretBackendKey\n    name: derived_key\n    properties:\n      backend: ${transit.path}\n      name: derived_key\n      derived: true\n      convergentEncryption: true\n      context: dGVzdGNvbnRleHQ=\n      deletionAllowed: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example with Managed Key\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst transit = new vault.Mount(\"transit\", {\n    path: \"transit\",\n    type: \"transit\",\n});\nconst managedKeyByName = new vault.transit.SecretBackendKey(\"managed_key_by_name\", {\n    backend: transit.path,\n    name: \"my_managed_key\",\n    type: \"managed_key\",\n    managedKeyName: \"my_aws_kms_key\",\n    deletionAllowed: true,\n});\nconst managedKeyById = new vault.transit.SecretBackendKey(\"managed_key_by_id\", {\n    backend: transit.path,\n    name: \"my_managed_key_by_id\",\n    type: \"managed_key\",\n    managedKeyId: \"12345678-1234-1234-1234-123456789012\",\n    deletionAllowed: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntransit = vault.Mount(\"transit\",\n    path=\"transit\",\n    type=\"transit\")\nmanaged_key_by_name = vault.transit.SecretBackendKey(\"managed_key_by_name\",\n    backend=transit.path,\n    name=\"my_managed_key\",\n    type=\"managed_key\",\n    managed_key_name=\"my_aws_kms_key\",\n    deletion_allowed=True)\nmanaged_key_by_id = vault.transit.SecretBackendKey(\"managed_key_by_id\",\n    backend=transit.path,\n    name=\"my_managed_key_by_id\",\n    type=\"managed_key\",\n    managed_key_id=\"12345678-1234-1234-1234-123456789012\",\n    deletion_allowed=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var transit = new Vault.Mount(\"transit\", new()\n    {\n        Path = \"transit\",\n        Type = \"transit\",\n    });\n\n    var managedKeyByName = new Vault.Transit.SecretBackendKey(\"managed_key_by_name\", new()\n    {\n        Backend = transit.Path,\n        Name = \"my_managed_key\",\n        Type = \"managed_key\",\n        ManagedKeyName = \"my_aws_kms_key\",\n        DeletionAllowed = true,\n    });\n\n    var managedKeyById = new Vault.Transit.SecretBackendKey(\"managed_key_by_id\", new()\n    {\n        Backend = transit.Path,\n        Name = \"my_managed_key_by_id\",\n        Type = \"managed_key\",\n        ManagedKeyId = \"12345678-1234-1234-1234-123456789012\",\n        DeletionAllowed = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transit\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttransit, err := vault.NewMount(ctx, \"transit\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"transit\"),\n\t\t\tType: pulumi.String(\"transit\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = transit.NewSecretBackendKey(ctx, \"managed_key_by_name\", \u0026transit.SecretBackendKeyArgs{\n\t\t\tBackend:         transit.Path,\n\t\t\tName:            pulumi.String(\"my_managed_key\"),\n\t\t\tType:            pulumi.String(\"managed_key\"),\n\t\t\tManagedKeyName:  pulumi.String(\"my_aws_kms_key\"),\n\t\t\tDeletionAllowed: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = transit.NewSecretBackendKey(ctx, \"managed_key_by_id\", \u0026transit.SecretBackendKeyArgs{\n\t\t\tBackend:         transit.Path,\n\t\t\tName:            pulumi.String(\"my_managed_key_by_id\"),\n\t\t\tType:            pulumi.String(\"managed_key\"),\n\t\t\tManagedKeyId:    pulumi.String(\"12345678-1234-1234-1234-123456789012\"),\n\t\t\tDeletionAllowed: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.transit.SecretBackendKey;\nimport com.pulumi.vault.transit.SecretBackendKeyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var transit = new Mount(\"transit\", MountArgs.builder()\n            .path(\"transit\")\n            .type(\"transit\")\n            .build());\n\n        var managedKeyByName = new SecretBackendKey(\"managedKeyByName\", SecretBackendKeyArgs.builder()\n            .backend(transit.path())\n            .name(\"my_managed_key\")\n            .type(\"managed_key\")\n            .managedKeyName(\"my_aws_kms_key\")\n            .deletionAllowed(true)\n            .build());\n\n        var managedKeyById = new SecretBackendKey(\"managedKeyById\", SecretBackendKeyArgs.builder()\n            .backend(transit.path())\n            .name(\"my_managed_key_by_id\")\n            .type(\"managed_key\")\n            .managedKeyId(\"12345678-1234-1234-1234-123456789012\")\n            .deletionAllowed(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  transit:\n    type: vault:Mount\n    properties:\n      path: transit\n      type: transit\n  managedKeyByName:\n    type: vault:transit:SecretBackendKey\n    name: managed_key_by_name\n    properties:\n      backend: ${transit.path}\n      name: my_managed_key\n      type: managed_key\n      managedKeyName: my_aws_kms_key\n      deletionAllowed: true\n  managedKeyById:\n    type: vault:transit:SecretBackendKey\n    name: managed_key_by_id\n    properties:\n      backend: ${transit.path}\n      name: my_managed_key_by_id\n      type: managed_key\n      managedKeyId: 12345678-1234-1234-1234-123456789012\n      deletionAllowed: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nTransit secret backend keys can be imported using the `path`, e.g.\n\n```sh\n$ pulumi import vault:transit/secretBackendKey:SecretBackendKey key transit/keys/my_key\n```\n","properties":{"allowPlaintextBackup":{"type":"boolean","description":"Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.\n* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)\n"},"autoRotatePeriod":{"type":"integer","description":"Amount of seconds the key should live before being automatically rotated.\nA value of 0 disables automatic rotation for the key.\n"},"backend":{"type":"string","description":"The path the transit secret backend is mounted at, with no leading or trailing `/`s.\n"},"context":{"type":"string","description":"Base64 encoded context for key derivation. Required if \u003cspan pulumi-lang-nodejs=\"`derived`\" pulumi-lang-dotnet=\"`Derived`\" pulumi-lang-go=\"`derived`\" pulumi-lang-python=\"`derived`\" pulumi-lang-yaml=\"`derived`\" pulumi-lang-java=\"`derived`\"\u003e`derived`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e. This provides additional entropy for key derivation and should be consistent across operations that need to use the same derived key.\n"},"convergentEncryption":{"type":"boolean","description":"Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires \u003cspan pulumi-lang-nodejs=\"`derived`\" pulumi-lang-dotnet=\"`Derived`\" pulumi-lang-go=\"`derived`\" pulumi-lang-python=\"`derived`\" pulumi-lang-yaml=\"`derived`\" pulumi-lang-java=\"`derived`\"\u003e`derived`\u003c/span\u003e to be set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n"},"deletionAllowed":{"type":"boolean","description":"Specifies if the key is allowed to be deleted."},"derived":{"type":"boolean","description":"Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.\n"},"exportable":{"type":"boolean","description":"Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.\n"},"hybridKeyTypeEc":{"type":"string","description":"The elliptic curve algorithm to use for hybrid signatures.\nSupported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e.\n"},"hybridKeyTypePqc":{"type":"string","description":"The post-quantum algorithm to use for hybrid signatures.\nCurrently, ML-DSA is the only supported key type.\n"},"keySize":{"type":"integer","description":"The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.\n"},"keys":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e of the encryption key.\n* for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value \u003cspan pulumi-lang-nodejs=\"`id`\" pulumi-lang-dotnet=\"`Id`\" pulumi-lang-go=\"`id`\" pulumi-lang-python=\"`id`\" pulumi-lang-yaml=\"`id`\" pulumi-lang-java=\"`id`\"\u003e`id`\u003c/span\u003e which is just a hash of the key's metadata.\n* for key types \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:\n"},"latestVersion":{"type":"integer","description":"Latest key version available. This value is 1-indexed, so if \u003cspan pulumi-lang-nodejs=\"`latestVersion`\" pulumi-lang-dotnet=\"`LatestVersion`\" pulumi-lang-go=\"`latestVersion`\" pulumi-lang-python=\"`latest_version`\" pulumi-lang-yaml=\"`latestVersion`\" pulumi-lang-java=\"`latestVersion`\"\u003e`latest_version`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`1`\" pulumi-lang-dotnet=\"`1`\" pulumi-lang-go=\"`1`\" pulumi-lang-python=\"`1`\" pulumi-lang-yaml=\"`1`\" pulumi-lang-java=\"`1`\"\u003e`1`\u003c/span\u003e, then the key's information can be referenced from \u003cspan pulumi-lang-nodejs=\"`keys`\" pulumi-lang-dotnet=\"`Keys`\" pulumi-lang-go=\"`keys`\" pulumi-lang-python=\"`keys`\" pulumi-lang-yaml=\"`keys`\" pulumi-lang-java=\"`keys`\"\u003e`keys`\u003c/span\u003e by selecting element \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e\n"},"managedKeyId":{"type":"string","description":"The UUID of the managed key to use when the key \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e. This is the unique identifier of a previously configured managed key. When \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e, either \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e must be specified.\n"},"managedKeyName":{"type":"string","description":"The name of the managed key to use when the key \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e. This references a previously configured managed key in Vault (e.g., AWS KMS, Azure Key Vault, PKCS#11, etc.). When \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e, either \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e must be specified.\n"},"minAvailableVersion":{"type":"integer","description":"Minimum key version available for use. If keys have been archived by increasing \u003cspan pulumi-lang-nodejs=\"`minDecryptionVersion`\" pulumi-lang-dotnet=\"`MinDecryptionVersion`\" pulumi-lang-go=\"`minDecryptionVersion`\" pulumi-lang-python=\"`min_decryption_version`\" pulumi-lang-yaml=\"`minDecryptionVersion`\" pulumi-lang-java=\"`minDecryptionVersion`\"\u003e`min_decryption_version`\u003c/span\u003e, this attribute will reflect that change.\n"},"minDecryptionVersion":{"type":"integer","description":"Minimum key version to use for decryption.\n"},"minEncryptionVersion":{"type":"integer","description":"Minimum key version to use for encryption\n"},"name":{"type":"string","description":"The name to identify this key within the backend. Must be unique within the backend.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"parameterSet":{"type":"string","description":"The parameter set to use for ML-DSA or SLH-DSA. Required for\nML-DSA, hybrid, and SLH-DSA keys.\nValid values for ML-DSA are \u003cspan pulumi-lang-nodejs=\"`44`\" pulumi-lang-dotnet=\"`44`\" pulumi-lang-go=\"`44`\" pulumi-lang-python=\"`44`\" pulumi-lang-yaml=\"`44`\" pulumi-lang-java=\"`44`\"\u003e`44`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`65`\" pulumi-lang-dotnet=\"`65`\" pulumi-lang-go=\"`65`\" pulumi-lang-python=\"`65`\" pulumi-lang-yaml=\"`65`\" pulumi-lang-java=\"`65`\"\u003e`65`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`87`\" pulumi-lang-dotnet=\"`87`\" pulumi-lang-go=\"`87`\" pulumi-lang-python=\"`87`\" pulumi-lang-yaml=\"`87`\" pulumi-lang-java=\"`87`\"\u003e`87`\u003c/span\u003e.\nValid values for SLH-DSA are `slh-dsa-sha2-128s`, `slh-dsa-shake-128s`, `slh-dsa-sha2-128f`, `slh-dsa-shake-128`, `slh-dsa-sha2-192s`,\n`slh-dsa-shake-192s`, `slh-dsa-sha2-192f`, `slh-dsa-shake-192f`, `slh-dsa-sha2-256s`, `slh-dsa-shake-256s`,\n`slh-dsa-sha2-256f`, and `slh-dsa-shake-256f`.\n"},"supportsDecryption":{"type":"boolean","description":"Whether or not the key supports decryption, based on key type.\n"},"supportsDerivation":{"type":"boolean","description":"Whether or not the key supports derivation, based on key type.\n"},"supportsEncryption":{"type":"boolean","description":"Whether or not the key supports encryption, based on key type.\n"},"supportsSigning":{"type":"boolean","description":"Whether or not the key supports signing, based on key type.\n"},"type":{"type":"string","description":"Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, \u003cspan pulumi-lang-nodejs=\"`hmac`\" pulumi-lang-dotnet=\"`Hmac`\" pulumi-lang-go=\"`hmac`\" pulumi-lang-python=\"`hmac`\" pulumi-lang-yaml=\"`hmac`\" pulumi-lang-java=\"`hmac`\"\u003e`hmac`\u003c/span\u003e, `rsa-2048`, `rsa-3072`, `rsa-4096`, \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e, `aes128-cmac`, `aes192-cmac`, `aes256-cmac`, `ml-dsa`, \u003cspan pulumi-lang-nodejs=\"`hybrid`\" pulumi-lang-dotnet=\"`Hybrid`\" pulumi-lang-go=\"`hybrid`\" pulumi-lang-python=\"`hybrid`\" pulumi-lang-yaml=\"`hybrid`\" pulumi-lang-java=\"`hybrid`\"\u003e`hybrid`\u003c/span\u003e, and `slh-dsa`.\n* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)\n"}},"required":["autoRotatePeriod","backend","keys","latestVersion","minAvailableVersion","name","supportsDecryption","supportsDerivation","supportsEncryption","supportsSigning"],"inputProperties":{"allowPlaintextBackup":{"type":"boolean","description":"Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.\n* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)\n"},"autoRotatePeriod":{"type":"integer","description":"Amount of seconds the key should live before being automatically rotated.\nA value of 0 disables automatic rotation for the key.\n"},"backend":{"type":"string","description":"The path the transit secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"context":{"type":"string","description":"Base64 encoded context for key derivation. Required if \u003cspan pulumi-lang-nodejs=\"`derived`\" pulumi-lang-dotnet=\"`Derived`\" pulumi-lang-go=\"`derived`\" pulumi-lang-python=\"`derived`\" pulumi-lang-yaml=\"`derived`\" pulumi-lang-java=\"`derived`\"\u003e`derived`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e. This provides additional entropy for key derivation and should be consistent across operations that need to use the same derived key.\n","willReplaceOnChanges":true},"convergentEncryption":{"type":"boolean","description":"Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires \u003cspan pulumi-lang-nodejs=\"`derived`\" pulumi-lang-dotnet=\"`Derived`\" pulumi-lang-go=\"`derived`\" pulumi-lang-python=\"`derived`\" pulumi-lang-yaml=\"`derived`\" pulumi-lang-java=\"`derived`\"\u003e`derived`\u003c/span\u003e to be set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n","willReplaceOnChanges":true},"deletionAllowed":{"type":"boolean","description":"Specifies if the key is allowed to be deleted."},"derived":{"type":"boolean","description":"Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.\n","willReplaceOnChanges":true},"exportable":{"type":"boolean","description":"Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.\n"},"hybridKeyTypeEc":{"type":"string","description":"The elliptic curve algorithm to use for hybrid signatures.\nSupported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e.\n"},"hybridKeyTypePqc":{"type":"string","description":"The post-quantum algorithm to use for hybrid signatures.\nCurrently, ML-DSA is the only supported key type.\n"},"keySize":{"type":"integer","description":"The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.\n"},"managedKeyId":{"type":"string","description":"The UUID of the managed key to use when the key \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e. This is the unique identifier of a previously configured managed key. When \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e, either \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e must be specified.\n","willReplaceOnChanges":true},"managedKeyName":{"type":"string","description":"The name of the managed key to use when the key \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e. This references a previously configured managed key in Vault (e.g., AWS KMS, Azure Key Vault, PKCS#11, etc.). When \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e, either \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e must be specified.\n","willReplaceOnChanges":true},"minDecryptionVersion":{"type":"integer","description":"Minimum key version to use for decryption.\n"},"minEncryptionVersion":{"type":"integer","description":"Minimum key version to use for encryption\n"},"name":{"type":"string","description":"The name to identify this key within the backend. Must be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"parameterSet":{"type":"string","description":"The parameter set to use for ML-DSA or SLH-DSA. Required for\nML-DSA, hybrid, and SLH-DSA keys.\nValid values for ML-DSA are \u003cspan pulumi-lang-nodejs=\"`44`\" pulumi-lang-dotnet=\"`44`\" pulumi-lang-go=\"`44`\" pulumi-lang-python=\"`44`\" pulumi-lang-yaml=\"`44`\" pulumi-lang-java=\"`44`\"\u003e`44`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`65`\" pulumi-lang-dotnet=\"`65`\" pulumi-lang-go=\"`65`\" pulumi-lang-python=\"`65`\" pulumi-lang-yaml=\"`65`\" pulumi-lang-java=\"`65`\"\u003e`65`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`87`\" pulumi-lang-dotnet=\"`87`\" pulumi-lang-go=\"`87`\" pulumi-lang-python=\"`87`\" pulumi-lang-yaml=\"`87`\" pulumi-lang-java=\"`87`\"\u003e`87`\u003c/span\u003e.\nValid values for SLH-DSA are `slh-dsa-sha2-128s`, `slh-dsa-shake-128s`, `slh-dsa-sha2-128f`, `slh-dsa-shake-128`, `slh-dsa-sha2-192s`,\n`slh-dsa-shake-192s`, `slh-dsa-sha2-192f`, `slh-dsa-shake-192f`, `slh-dsa-sha2-256s`, `slh-dsa-shake-256s`,\n`slh-dsa-sha2-256f`, and `slh-dsa-shake-256f`.\n"},"type":{"type":"string","description":"Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, \u003cspan pulumi-lang-nodejs=\"`hmac`\" pulumi-lang-dotnet=\"`Hmac`\" pulumi-lang-go=\"`hmac`\" pulumi-lang-python=\"`hmac`\" pulumi-lang-yaml=\"`hmac`\" pulumi-lang-java=\"`hmac`\"\u003e`hmac`\u003c/span\u003e, `rsa-2048`, `rsa-3072`, `rsa-4096`, \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e, `aes128-cmac`, `aes192-cmac`, `aes256-cmac`, `ml-dsa`, \u003cspan pulumi-lang-nodejs=\"`hybrid`\" pulumi-lang-dotnet=\"`Hybrid`\" pulumi-lang-go=\"`hybrid`\" pulumi-lang-python=\"`hybrid`\" pulumi-lang-yaml=\"`hybrid`\" pulumi-lang-java=\"`hybrid`\"\u003e`hybrid`\u003c/span\u003e, and `slh-dsa`.\n* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)\n","willReplaceOnChanges":true}},"requiredInputs":["backend"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretBackendKey resources.\n","properties":{"allowPlaintextBackup":{"type":"boolean","description":"Enables taking backup of entire keyring in the plaintext format. Once set, this cannot be disabled.\n* Refer to Vault API documentation on key backups for more information: [Backup Key](https://www.vaultproject.io/api-docs/secret/transit#backup-key)\n"},"autoRotatePeriod":{"type":"integer","description":"Amount of seconds the key should live before being automatically rotated.\nA value of 0 disables automatic rotation for the key.\n"},"backend":{"type":"string","description":"The path the transit secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"context":{"type":"string","description":"Base64 encoded context for key derivation. Required if \u003cspan pulumi-lang-nodejs=\"`derived`\" pulumi-lang-dotnet=\"`Derived`\" pulumi-lang-go=\"`derived`\" pulumi-lang-python=\"`derived`\" pulumi-lang-yaml=\"`derived`\" pulumi-lang-java=\"`derived`\"\u003e`derived`\u003c/span\u003e is set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e. This provides additional entropy for key derivation and should be consistent across operations that need to use the same derived key.\n","willReplaceOnChanges":true},"convergentEncryption":{"type":"boolean","description":"Whether or not to support convergent encryption, where the same plaintext creates the same ciphertext. This requires \u003cspan pulumi-lang-nodejs=\"`derived`\" pulumi-lang-dotnet=\"`Derived`\" pulumi-lang-go=\"`derived`\" pulumi-lang-python=\"`derived`\" pulumi-lang-yaml=\"`derived`\" pulumi-lang-java=\"`derived`\"\u003e`derived`\u003c/span\u003e to be set to \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e.\n","willReplaceOnChanges":true},"deletionAllowed":{"type":"boolean","description":"Specifies if the key is allowed to be deleted."},"derived":{"type":"boolean","description":"Specifies if key derivation is to be used. If enabled, all encrypt/decrypt requests to this key must provide a context which is used for key derivation.\n","willReplaceOnChanges":true},"exportable":{"type":"boolean","description":"Enables keys to be exportable. This allows for all valid private keys in the keyring to be exported. Once set, this cannot be disabled.\n"},"hybridKeyTypeEc":{"type":"string","description":"The elliptic curve algorithm to use for hybrid signatures.\nSupported key types are `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, and \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e.\n"},"hybridKeyTypePqc":{"type":"string","description":"The post-quantum algorithm to use for hybrid signatures.\nCurrently, ML-DSA is the only supported key type.\n"},"keySize":{"type":"integer","description":"The key size in bytes for algorithms that allow variable key sizes. Currently only applicable to HMAC, where it must be between 32 and 512 bytes.\n"},"keys":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"List of key versions in the keyring. This attribute is zero-indexed and will contain a map of values depending on the \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e of the encryption key.\n* for key types `aes128-gcm96`, `aes256-gcm96` and `chacha20-poly1305`, each key version will be a map of a single value \u003cspan pulumi-lang-nodejs=\"`id`\" pulumi-lang-dotnet=\"`Id`\" pulumi-lang-go=\"`id`\" pulumi-lang-python=\"`id`\" pulumi-lang-yaml=\"`id`\" pulumi-lang-java=\"`id`\"\u003e`id`\u003c/span\u003e which is just a hash of the key's metadata.\n* for key types \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, `rsa-2048`, `rsa-3072` and `rsa-4096`, each key version will be a map of the following:\n"},"latestVersion":{"type":"integer","description":"Latest key version available. This value is 1-indexed, so if \u003cspan pulumi-lang-nodejs=\"`latestVersion`\" pulumi-lang-dotnet=\"`LatestVersion`\" pulumi-lang-go=\"`latestVersion`\" pulumi-lang-python=\"`latest_version`\" pulumi-lang-yaml=\"`latestVersion`\" pulumi-lang-java=\"`latestVersion`\"\u003e`latest_version`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`1`\" pulumi-lang-dotnet=\"`1`\" pulumi-lang-go=\"`1`\" pulumi-lang-python=\"`1`\" pulumi-lang-yaml=\"`1`\" pulumi-lang-java=\"`1`\"\u003e`1`\u003c/span\u003e, then the key's information can be referenced from \u003cspan pulumi-lang-nodejs=\"`keys`\" pulumi-lang-dotnet=\"`Keys`\" pulumi-lang-go=\"`keys`\" pulumi-lang-python=\"`keys`\" pulumi-lang-yaml=\"`keys`\" pulumi-lang-java=\"`keys`\"\u003e`keys`\u003c/span\u003e by selecting element \u003cspan pulumi-lang-nodejs=\"`0`\" pulumi-lang-dotnet=\"`0`\" pulumi-lang-go=\"`0`\" pulumi-lang-python=\"`0`\" pulumi-lang-yaml=\"`0`\" pulumi-lang-java=\"`0`\"\u003e`0`\u003c/span\u003e\n"},"managedKeyId":{"type":"string","description":"The UUID of the managed key to use when the key \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e. This is the unique identifier of a previously configured managed key. When \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e, either \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e must be specified.\n","willReplaceOnChanges":true},"managedKeyName":{"type":"string","description":"The name of the managed key to use when the key \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e. This references a previously configured managed key in Vault (e.g., AWS KMS, Azure Key Vault, PKCS#11, etc.). When \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e, either \u003cspan pulumi-lang-nodejs=\"`managedKeyName`\" pulumi-lang-dotnet=\"`ManagedKeyName`\" pulumi-lang-go=\"`managedKeyName`\" pulumi-lang-python=\"`managed_key_name`\" pulumi-lang-yaml=\"`managedKeyName`\" pulumi-lang-java=\"`managedKeyName`\"\u003e`managed_key_name`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`managedKeyId`\" pulumi-lang-dotnet=\"`ManagedKeyId`\" pulumi-lang-go=\"`managedKeyId`\" pulumi-lang-python=\"`managed_key_id`\" pulumi-lang-yaml=\"`managedKeyId`\" pulumi-lang-java=\"`managedKeyId`\"\u003e`managed_key_id`\u003c/span\u003e must be specified.\n","willReplaceOnChanges":true},"minAvailableVersion":{"type":"integer","description":"Minimum key version available for use. If keys have been archived by increasing \u003cspan pulumi-lang-nodejs=\"`minDecryptionVersion`\" pulumi-lang-dotnet=\"`MinDecryptionVersion`\" pulumi-lang-go=\"`minDecryptionVersion`\" pulumi-lang-python=\"`min_decryption_version`\" pulumi-lang-yaml=\"`minDecryptionVersion`\" pulumi-lang-java=\"`minDecryptionVersion`\"\u003e`min_decryption_version`\u003c/span\u003e, this attribute will reflect that change.\n"},"minDecryptionVersion":{"type":"integer","description":"Minimum key version to use for decryption.\n"},"minEncryptionVersion":{"type":"integer","description":"Minimum key version to use for encryption\n"},"name":{"type":"string","description":"The name to identify this key within the backend. Must be unique within the backend.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"parameterSet":{"type":"string","description":"The parameter set to use for ML-DSA or SLH-DSA. Required for\nML-DSA, hybrid, and SLH-DSA keys.\nValid values for ML-DSA are \u003cspan pulumi-lang-nodejs=\"`44`\" pulumi-lang-dotnet=\"`44`\" pulumi-lang-go=\"`44`\" pulumi-lang-python=\"`44`\" pulumi-lang-yaml=\"`44`\" pulumi-lang-java=\"`44`\"\u003e`44`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`65`\" pulumi-lang-dotnet=\"`65`\" pulumi-lang-go=\"`65`\" pulumi-lang-python=\"`65`\" pulumi-lang-yaml=\"`65`\" pulumi-lang-java=\"`65`\"\u003e`65`\u003c/span\u003e, and \u003cspan pulumi-lang-nodejs=\"`87`\" pulumi-lang-dotnet=\"`87`\" pulumi-lang-go=\"`87`\" pulumi-lang-python=\"`87`\" pulumi-lang-yaml=\"`87`\" pulumi-lang-java=\"`87`\"\u003e`87`\u003c/span\u003e.\nValid values for SLH-DSA are `slh-dsa-sha2-128s`, `slh-dsa-shake-128s`, `slh-dsa-sha2-128f`, `slh-dsa-shake-128`, `slh-dsa-sha2-192s`,\n`slh-dsa-shake-192s`, `slh-dsa-sha2-192f`, `slh-dsa-shake-192f`, `slh-dsa-sha2-256s`, `slh-dsa-shake-256s`,\n`slh-dsa-sha2-256f`, and `slh-dsa-shake-256f`.\n"},"supportsDecryption":{"type":"boolean","description":"Whether or not the key supports decryption, based on key type.\n"},"supportsDerivation":{"type":"boolean","description":"Whether or not the key supports derivation, based on key type.\n"},"supportsEncryption":{"type":"boolean","description":"Whether or not the key supports encryption, based on key type.\n"},"supportsSigning":{"type":"boolean","description":"Whether or not the key supports signing, based on key type.\n"},"type":{"type":"string","description":"Specifies the type of key to create. The currently-supported types are: `aes128-gcm96`, `aes256-gcm96` (default), `chacha20-poly1305`, \u003cspan pulumi-lang-nodejs=\"`ed25519`\" pulumi-lang-dotnet=\"`Ed25519`\" pulumi-lang-go=\"`ed25519`\" pulumi-lang-python=\"`ed25519`\" pulumi-lang-yaml=\"`ed25519`\" pulumi-lang-java=\"`ed25519`\"\u003e`ed25519`\u003c/span\u003e, `ecdsa-p256`, `ecdsa-p384`, `ecdsa-p521`, \u003cspan pulumi-lang-nodejs=\"`hmac`\" pulumi-lang-dotnet=\"`Hmac`\" pulumi-lang-go=\"`hmac`\" pulumi-lang-python=\"`hmac`\" pulumi-lang-yaml=\"`hmac`\" pulumi-lang-java=\"`hmac`\"\u003e`hmac`\u003c/span\u003e, `rsa-2048`, `rsa-3072`, `rsa-4096`, \u003cspan pulumi-lang-nodejs=\"`managedKey`\" pulumi-lang-dotnet=\"`ManagedKey`\" pulumi-lang-go=\"`managedKey`\" pulumi-lang-python=\"`managed_key`\" pulumi-lang-yaml=\"`managedKey`\" pulumi-lang-java=\"`managedKey`\"\u003e`managed_key`\u003c/span\u003e, `aes128-cmac`, `aes192-cmac`, `aes256-cmac`, `ml-dsa`, \u003cspan pulumi-lang-nodejs=\"`hybrid`\" pulumi-lang-dotnet=\"`Hybrid`\" pulumi-lang-go=\"`hybrid`\" pulumi-lang-python=\"`hybrid`\" pulumi-lang-yaml=\"`hybrid`\" pulumi-lang-java=\"`hybrid`\"\u003e`hybrid`\u003c/span\u003e, and `slh-dsa`.\n* Refer to the Vault documentation on transit key types for more information: [Key Types](https://www.vaultproject.io/docs/secrets/transit#key-types)\n","willReplaceOnChanges":true}},"type":"object"}},"vault:transit/secretCacheConfig:SecretCacheConfig":{"description":"Configure the cache for the Transit Secret Backend in Vault.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst transit = new vault.Mount(\"transit\", {\n    path: \"transit\",\n    type: \"transit\",\n    description: \"Example description\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 86400,\n});\nconst cfg = new vault.transit.SecretCacheConfig(\"cfg\", {\n    backend: transit.path,\n    size: 500,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntransit = vault.Mount(\"transit\",\n    path=\"transit\",\n    type=\"transit\",\n    description=\"Example description\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=86400)\ncfg = vault.transit.SecretCacheConfig(\"cfg\",\n    backend=transit.path,\n    size=500)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var transit = new Vault.Mount(\"transit\", new()\n    {\n        Path = \"transit\",\n        Type = \"transit\",\n        Description = \"Example description\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 86400,\n    });\n\n    var cfg = new Vault.Transit.SecretCacheConfig(\"cfg\", new()\n    {\n        Backend = transit.Path,\n        Size = 500,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transit\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttransit, err := vault.NewMount(ctx, \"transit\", \u0026vault.MountArgs{\n\t\t\tPath:                   pulumi.String(\"transit\"),\n\t\t\tType:                   pulumi.String(\"transit\"),\n\t\t\tDescription:            pulumi.String(\"Example description\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(86400),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = transit.NewSecretCacheConfig(ctx, \"cfg\", \u0026transit.SecretCacheConfigArgs{\n\t\t\tBackend: transit.Path,\n\t\t\tSize:    pulumi.Int(500),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.transit.SecretCacheConfig;\nimport com.pulumi.vault.transit.SecretCacheConfigArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var transit = new Mount(\"transit\", MountArgs.builder()\n            .path(\"transit\")\n            .type(\"transit\")\n            .description(\"Example description\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(86400)\n            .build());\n\n        var cfg = new SecretCacheConfig(\"cfg\", SecretCacheConfigArgs.builder()\n            .backend(transit.path())\n            .size(500)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  transit:\n    type: vault:Mount\n    properties:\n      path: transit\n      type: transit\n      description: Example description\n      defaultLeaseTtlSeconds: 3600\n      maxLeaseTtlSeconds: 86400\n  cfg:\n    type: vault:transit:SecretCacheConfig\n    properties:\n      backend: ${transit.path}\n      size: 500\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","properties":{"backend":{"type":"string","description":"The path the transit secret backend is mounted at, with no leading or trailing `/`s.\n"},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n"},"size":{"type":"integer","description":"The number of cache entries. 0 means unlimited.\n"}},"required":["backend","size"],"inputProperties":{"backend":{"type":"string","description":"The path the transit secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"size":{"type":"integer","description":"The number of cache entries. 0 means unlimited.\n"}},"requiredInputs":["backend","size"],"stateInputs":{"description":"Input properties used for looking up and filtering SecretCacheConfig resources.\n","properties":{"backend":{"type":"string","description":"The path the transit secret backend is mounted at, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"size":{"type":"integer","description":"The number of cache entries. 0 means unlimited.\n"}},"type":"object"}}},"functions":{"pulumi:providers:vault/terraformConfig":{"description":"This function returns a Terraform config object with terraform-namecased keys,to be used with the Terraform Module Provider.","inputs":{"properties":{"__self__":{"type":"ref","$ref":"#/provider"}},"type":"pulumi:providers:vault/terraformConfig","required":["__self__"]},"outputs":{"properties":{"result":{"additionalProperties":{"$ref":"pulumi.json#/Any"},"type":"object"}},"required":["result"],"type":"object"}},"vault:ad/getAccessCredentials:getAccessCredentials":{"description":"## Example Usage\n\n","inputs":{"description":"A collection of arguments for invoking getAccessCredentials.\n","properties":{"backend":{"type":"string","description":"The path to the AD secret backend to\nread credentials from, with no leading or trailing `/`s.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"The name of the AD secret backend role to read\ncredentials from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true}},"type":"object","required":["backend","role"]},"outputs":{"description":"A collection of values returned by getAccessCredentials.\n","properties":{"backend":{"type":"string"},"currentPassword":{"description":"The current set password on the Active Directory service account.\n","secret":true,"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"lastPassword":{"description":"The current set password on the Active Directory service account, provided because AD is eventually consistent.\n","secret":true,"type":"string"},"namespace":{"type":"string"},"role":{"type":"string"},"username":{"description":"The Active Directory service account username.\n","type":"string"}},"required":["backend","currentPassword","lastPassword","role","username","id"],"type":"object"}},"vault:appRole/getAuthBackendRoleId:getAuthBackendRoleId":{"description":"Reads the Role ID of an AppRole from a Vault server.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nexport = async () =\u003e {\n    const role = await vault.appRole.getAuthBackendRoleId({\n        backend: \"my-approle-backend\",\n        roleName: \"my-role\",\n    });\n    return {\n        \"role-id\": role.roleId,\n    };\n}\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nrole = vault.appRole.get_auth_backend_role_id(backend=\"my-approle-backend\",\n    role_name=\"my-role\")\npulumi.export(\"role-id\", role.role_id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var role = Vault.AppRole.GetAuthBackendRoleId.Invoke(new()\n    {\n        Backend = \"my-approle-backend\",\n        RoleName = \"my-role\",\n    });\n\n    return new Dictionary\u003cstring, object?\u003e\n    {\n        [\"role-id\"] = role.Apply(getAuthBackendRoleIdResult =\u003e getAuthBackendRoleIdResult.RoleId),\n    };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/approle\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trole, err := approle.GetAuthBackendRoleId(ctx, \u0026approle.GetAuthBackendRoleIdArgs{\n\t\t\tBackend:  pulumi.StringRef(\"my-approle-backend\"),\n\t\t\tRoleName: \"my-role\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"role-id\", role.RoleId)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.appRole.AppRoleFunctions;\nimport com.pulumi.vault.appRole.inputs.GetAuthBackendRoleIdArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var role = AppRoleFunctions.getAuthBackendRoleId(GetAuthBackendRoleIdArgs.builder()\n            .backend(\"my-approle-backend\")\n            .roleName(\"my-role\")\n            .build());\n\n        ctx.export(\"role-id\", role.roleId());\n    }\n}\n```\n```yaml\nvariables:\n  role:\n    fn::invoke:\n      function: vault:appRole:getAuthBackendRoleId\n      arguments:\n        backend: my-approle-backend\n        roleName: my-role\noutputs:\n  role-id: ${role.roleId}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getAuthBackendRoleId.\n","properties":{"backend":{"type":"string","description":"The unique name for the AppRole backend the role to\nretrieve a RoleID for resides in. Defaults to \"approle\".\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"The name of the role to retrieve the Role ID for.\n","willReplaceOnChanges":true}},"type":"object","required":["roleName"]},"outputs":{"description":"A collection of values returned by getAuthBackendRoleId.\n","properties":{"backend":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"roleId":{"description":"The RoleID of the role.\n","type":"string"},"roleName":{"type":"string"}},"required":["roleId","roleName","id"],"type":"object"}},"vault:aws/getAccessCredentials:getAccessCredentials":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst aws = new vault.aws.SecretBackend(\"aws\", {\n    accessKey: \"AKIA.....\",\n    secretKey: \"SECRETKEYFROMAWS\",\n});\nconst role = new vault.aws.SecretBackendRole(\"role\", {\n    backend: aws.path,\n    name: \"test\",\n    policy: `{\n  \\\\\"Version\\\\\": \\\\\"2012-10-17\\\\\",\n  \\\\\"Statement\\\\\": [\n    {\n      \\\\\"Effect\\\\\": \\\\\"Allow\\\\\",\n      \\\\\"Action\\\\\": \\\\\"iam:*\\\\\",\n      \\\\\"Resource\\\\\": \\\\\"*\\\\\"\n    }\n  ]\n}\n`,\n});\n// generally, these blocks would be in a different module\nconst creds = pulumi.all([aws.path, role.name]).apply(([path, name]) =\u003e vault.aws.getAccessCredentialsOutput({\n    backend: path,\n    role: name,\n}));\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\naws = vault.aws.SecretBackend(\"aws\",\n    access_key=\"AKIA.....\",\n    secret_key=\"SECRETKEYFROMAWS\")\nrole = vault.aws.SecretBackendRole(\"role\",\n    backend=aws.path,\n    name=\"test\",\n    policy=\"\"\"{\n  \\\"Version\\\": \\\"2012-10-17\\\",\n  \\\"Statement\\\": [\n    {\n      \\\"Effect\\\": \\\"Allow\\\",\n      \\\"Action\\\": \\\"iam:*\\\",\n      \\\"Resource\\\": \\\"*\\\"\n    }\n  ]\n}\n\"\"\")\n# generally, these blocks would be in a different module\ncreds = pulumi.Output.all(\n    path=aws.path,\n    name=role.name\n).apply(lambda resolved_outputs: vault.aws.get_access_credentials_output(backend=resolved_outputs['path'],\n    role=resolved_outputs['name']))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var aws = new Vault.Aws.SecretBackend(\"aws\", new()\n    {\n        AccessKey = \"AKIA.....\",\n        SecretKey = \"SECRETKEYFROMAWS\",\n    });\n\n    var role = new Vault.Aws.SecretBackendRole(\"role\", new()\n    {\n        Backend = aws.Path,\n        Name = \"test\",\n        Policy = @\"{\n  \\\"\"Version\\\"\": \\\"\"2012-10-17\\\"\",\n  \\\"\"Statement\\\"\": [\n    {\n      \\\"\"Effect\\\"\": \\\"\"Allow\\\"\",\n      \\\"\"Action\\\"\": \\\"\"iam:*\\\"\",\n      \\\"\"Resource\\\"\": \\\"\"*\\\"\"\n    }\n  ]\n}\n\",\n    });\n\n    // generally, these blocks would be in a different module\n    var creds = Vault.Aws.GetAccessCredentials.Invoke(new()\n    {\n        Backend = aws.Path,\n        Role = role.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/aws\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\taws, err := aws.NewSecretBackend(ctx, \"aws\", \u0026aws.SecretBackendArgs{\n\t\t\tAccessKey: pulumi.String(\"AKIA.....\"),\n\t\t\tSecretKey: pulumi.String(\"SECRETKEYFROMAWS\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := aws.NewSecretBackendRole(ctx, \"role\", \u0026aws.SecretBackendRoleArgs{\n\t\t\tBackend: aws.Path,\n\t\t\tName:    pulumi.String(\"test\"),\n\t\t\tPolicy: `{\n  \\\"Version\\\": \\\"2012-10-17\\\",\n  \\\"Statement\\\": [\n    {\n      \\\"Effect\\\": \\\"Allow\\\",\n      \\\"Action\\\": \\\"iam:*\\\",\n      \\\"Resource\\\": \\\"*\\\"\n    }\n  ]\n}\n`,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// generally, these blocks would be in a different module\n\t\t_ = pulumi.All(aws.Path, role.Name).ApplyT(func(_args []interface{}) (aws.GetAccessCredentialsResult, error) {\n\t\t\tpath := _args[0].(*string)\n\t\t\tname := _args[1].(string)\n\t\t\treturn aws.GetAccessCredentialsResult(interface{}(aws.GetAccessCredentials(ctx, \u0026aws.GetAccessCredentialsArgs{\n\t\t\t\tBackend: path,\n\t\t\t\tRole:    name,\n\t\t\t}, nil))), nil\n\t\t}).(aws.GetAccessCredentialsResultOutput)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.aws.SecretBackend;\nimport com.pulumi.vault.aws.SecretBackendArgs;\nimport com.pulumi.vault.aws.SecretBackendRole;\nimport com.pulumi.vault.aws.SecretBackendRoleArgs;\nimport com.pulumi.vault.aws.AwsFunctions;\nimport com.pulumi.vault.aws.inputs.GetAccessCredentialsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var aws = new SecretBackend(\"aws\", SecretBackendArgs.builder()\n            .accessKey(\"AKIA.....\")\n            .secretKey(\"SECRETKEYFROMAWS\")\n            .build());\n\n        var role = new SecretBackendRole(\"role\", SecretBackendRoleArgs.builder()\n            .backend(aws.path())\n            .name(\"test\")\n            .policy(\"\"\"\n{\n  \\\"Version\\\": \\\"2012-10-17\\\",\n  \\\"Statement\\\": [\n    {\n      \\\"Effect\\\": \\\"Allow\\\",\n      \\\"Action\\\": \\\"iam:*\\\",\n      \\\"Resource\\\": \\\"*\\\"\n    }\n  ]\n}\n            \"\"\")\n            .build());\n\n        // generally, these blocks would be in a different module\n        final var creds = Output.tuple(aws.path(), role.name()).applyValue(values -\u003e {\n            var path = values.t1;\n            var name = values.t2;\n            return AwsFunctions.getAccessCredentials(GetAccessCredentialsArgs.builder()\n                .backend(path)\n                .role(name)\n                .build());\n        });\n\n    }\n}\n```\n```yaml\nresources:\n  aws:\n    type: vault:aws:SecretBackend\n    properties:\n      accessKey: AKIA.....\n      secretKey: SECRETKEYFROMAWS\n  role:\n    type: vault:aws:SecretBackendRole\n    properties:\n      backend: ${aws.path}\n      name: test\n      policy: |\n        {\n          \\\"Version\\\": \\\"2012-10-17\\\",\n          \\\"Statement\\\": [\n            {\n              \\\"Effect\\\": \\\"Allow\\\",\n              \\\"Action\\\": \\\"iam:*\\\",\n              \\\"Resource\\\": \\\"*\\\"\n            }\n          ]\n        }\nvariables:\n  # generally, these blocks would be in a different module\n  creds:\n    fn::invoke:\n      function: vault:aws:getAccessCredentials\n      arguments:\n        backend: ${aws.path}\n        role: ${role.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getAccessCredentials.\n","properties":{"backend":{"type":"string","description":"The path to the AWS secret backend to\nread credentials from, with no leading or trailing `/`s.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"region":{"type":"string","description":"The region the read credentials belong to.\n"},"role":{"type":"string","description":"The name of the AWS secret backend role to read\ncredentials from, with no leading or trailing `/`s.\n"},"roleArn":{"type":"string","description":"The specific AWS ARN to use\nfrom the configured role. If the role does not have multiple ARNs, this does\nnot need to be specified.\n"},"ttl":{"type":"string","description":"Specifies the TTL for the use of the STS token. This\nis specified as a string with a duration suffix. Valid only when\n\u003cspan pulumi-lang-nodejs=\"`credentialType`\" pulumi-lang-dotnet=\"`CredentialType`\" pulumi-lang-go=\"`credentialType`\" pulumi-lang-python=\"`credential_type`\" pulumi-lang-yaml=\"`credentialType`\" pulumi-lang-java=\"`credentialType`\"\u003e`credential_type`\u003c/span\u003e of the connected \u003cspan pulumi-lang-nodejs=\"`vault.aws.SecretBackendRole`\" pulumi-lang-dotnet=\"`vault.aws.SecretBackendRole`\" pulumi-lang-go=\"`aws.SecretBackendRole`\" pulumi-lang-python=\"`aws.SecretBackendRole`\" pulumi-lang-yaml=\"`vault.aws.SecretBackendRole`\" pulumi-lang-java=\"`vault.aws.SecretBackendRole`\"\u003e`vault.aws.SecretBackendRole`\u003c/span\u003e resource is \u003cspan pulumi-lang-nodejs=\"`assumedRole`\" pulumi-lang-dotnet=\"`AssumedRole`\" pulumi-lang-go=\"`assumedRole`\" pulumi-lang-python=\"`assumed_role`\" pulumi-lang-yaml=\"`assumedRole`\" pulumi-lang-java=\"`assumedRole`\"\u003e`assumed_role`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`federationToken`\" pulumi-lang-dotnet=\"`FederationToken`\" pulumi-lang-go=\"`federationToken`\" pulumi-lang-python=\"`federation_token`\" pulumi-lang-yaml=\"`federationToken`\" pulumi-lang-java=\"`federationToken`\"\u003e`federation_token`\u003c/span\u003e\n"},"type":{"type":"string","description":"The type of credentials to read. Defaults\nto `\"creds\"`, which just returns an AWS Access Key ID and Secret\nKey. Can also be set to `\"sts\"`, which will return a security token\nin addition to the keys.\n"}},"type":"object","required":["backend","role"]},"outputs":{"description":"A collection of values returned by getAccessCredentials.\n","properties":{"accessKey":{"description":"The AWS Access Key ID returned by Vault.\n","secret":true,"type":"string"},"backend":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"leaseDuration":{"description":"The duration of the secret lease, in seconds relative\nto the time the data was requested. Once this time has passed any plan\ngenerated with this data may fail to apply.\n","type":"integer"},"leaseId":{"description":"The lease identifier assigned by Vault.\n","type":"string"},"leaseRenewable":{"type":"boolean"},"leaseStartTime":{"type":"string"},"namespace":{"type":"string"},"region":{"type":"string"},"role":{"type":"string"},"roleArn":{"type":"string"},"secretKey":{"description":"The AWS Secret Key returned by Vault.\n","secret":true,"type":"string"},"securityToken":{"description":"The STS token returned by Vault, if any.\n","secret":true,"type":"string"},"ttl":{"type":"string"},"type":{"type":"string"}},"required":["accessKey","backend","leaseDuration","leaseId","leaseRenewable","leaseStartTime","role","secretKey","securityToken","id"],"type":"object"}},"vault:aws/getStaticAccessCredentials:getStaticAccessCredentials":{"inputs":{"description":"A collection of arguments for invoking getStaticAccessCredentials.\n","properties":{"backend":{"type":"string"},"name":{"type":"string","willReplaceOnChanges":true},"namespace":{"type":"string","willReplaceOnChanges":true}},"type":"object","required":["backend","name"]},"outputs":{"description":"A collection of values returned by getStaticAccessCredentials.\n","properties":{"accessKey":{"secret":true,"type":"string"},"backend":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"secretKey":{"secret":true,"type":"string"}},"required":["accessKey","backend","name","secretKey","id"],"type":"object"}},"vault:azure/getAccessCredentials:getAccessCredentials":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst creds = vault.azure.getAccessCredentials({\n    role: \"my-role\",\n    validateCreds: true,\n    numSequentialSuccesses: 8,\n    numSecondsBetweenTests: 1,\n    maxCredValidationSeconds: 300,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ncreds = vault.azure.get_access_credentials(role=\"my-role\",\n    validate_creds=True,\n    num_sequential_successes=8,\n    num_seconds_between_tests=1,\n    max_cred_validation_seconds=300)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var creds = Vault.Azure.GetAccessCredentials.Invoke(new()\n    {\n        Role = \"my-role\",\n        ValidateCreds = true,\n        NumSequentialSuccesses = 8,\n        NumSecondsBetweenTests = 1,\n        MaxCredValidationSeconds = 300,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/azure\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := azure.GetAccessCredentials(ctx, \u0026azure.GetAccessCredentialsArgs{\n\t\t\tRole:                     \"my-role\",\n\t\t\tValidateCreds:            pulumi.BoolRef(true),\n\t\t\tNumSequentialSuccesses:   pulumi.IntRef(8),\n\t\t\tNumSecondsBetweenTests:   pulumi.IntRef(1),\n\t\t\tMaxCredValidationSeconds: pulumi.IntRef(300),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.azure.AzureFunctions;\nimport com.pulumi.vault.azure.inputs.GetAccessCredentialsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var creds = AzureFunctions.getAccessCredentials(GetAccessCredentialsArgs.builder()\n            .role(\"my-role\")\n            .validateCreds(true)\n            .numSequentialSuccesses(8)\n            .numSecondsBetweenTests(1)\n            .maxCredValidationSeconds(300)\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  creds:\n    fn::invoke:\n      function: vault:azure:getAccessCredentials\n      arguments:\n        role: my-role\n        validateCreds: true\n        numSequentialSuccesses: 8\n        numSecondsBetweenTests: 1\n        maxCredValidationSeconds: 300\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Caveats\n\nThe \u003cspan pulumi-lang-nodejs=\"`validateCreds`\" pulumi-lang-dotnet=\"`ValidateCreds`\" pulumi-lang-go=\"`validateCreds`\" pulumi-lang-python=\"`validate_creds`\" pulumi-lang-yaml=\"`validateCreds`\" pulumi-lang-java=\"`validateCreds`\"\u003e`validate_creds`\u003c/span\u003e option requires read-access to the \u003cspan pulumi-lang-nodejs=\"`backend`\" pulumi-lang-dotnet=\"`Backend`\" pulumi-lang-go=\"`backend`\" pulumi-lang-python=\"`backend`\" pulumi-lang-yaml=\"`backend`\" pulumi-lang-java=\"`backend`\"\u003e`backend`\u003c/span\u003e config endpoint.\nIf the effective Vault role does not have the required permissions then valid values \nare required to be set for: \u003cspan pulumi-lang-nodejs=\"`subscriptionId`\" pulumi-lang-dotnet=\"`SubscriptionId`\" pulumi-lang-go=\"`subscriptionId`\" pulumi-lang-python=\"`subscription_id`\" pulumi-lang-yaml=\"`subscriptionId`\" pulumi-lang-java=\"`subscriptionId`\"\u003e`subscription_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`tenantId`\" pulumi-lang-dotnet=\"`TenantId`\" pulumi-lang-go=\"`tenantId`\" pulumi-lang-python=\"`tenant_id`\" pulumi-lang-yaml=\"`tenantId`\" pulumi-lang-java=\"`tenantId`\"\u003e`tenant_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`environment`\" pulumi-lang-dotnet=\"`Environment`\" pulumi-lang-go=\"`environment`\" pulumi-lang-python=\"`environment`\" pulumi-lang-yaml=\"`environment`\" pulumi-lang-java=\"`environment`\"\u003e`environment`\u003c/span\u003e.\n","inputs":{"description":"A collection of arguments for invoking getAccessCredentials.\n","properties":{"backend":{"type":"string","description":"The path to the Azure secret backend to\nread credentials from, with no leading or trailing `/`s.\n"},"environment":{"type":"string","description":"The Azure environment to use during credential validation.\nDefaults to the environment configured in the Vault backend.\nSome possible values: `AzurePublicCloud`, `AzureGovernmentCloud`\n*See the caveats section for more information on this field.*\n"},"maxCredValidationSeconds":{"type":"integer","description":"If 'validate_creds' is true, \nthe number of seconds after which to give up validating credentials. Defaults\nto 300.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"numSecondsBetweenTests":{"type":"integer","description":"If 'validate_creds' is true, \nthe number of seconds to wait between each test of generated credentials.\nDefaults to 1.\n"},"numSequentialSuccesses":{"type":"integer","description":"If 'validate_creds' is true, \nthe number of sequential successes required to validate generated\ncredentials. Defaults to 8.\n"},"role":{"type":"string","description":"The name of the Azure secret backend role to read\ncredentials from, with no leading or trailing `/`s.\n"},"subscriptionId":{"type":"string","description":"The subscription ID to use during credential\nvalidation. Defaults to the subscription ID configured in the Vault \u003cspan pulumi-lang-nodejs=\"`backend`\" pulumi-lang-dotnet=\"`Backend`\" pulumi-lang-go=\"`backend`\" pulumi-lang-python=\"`backend`\" pulumi-lang-yaml=\"`backend`\" pulumi-lang-java=\"`backend`\"\u003e`backend`\u003c/span\u003e.\n*See the caveats section for more information on this field.*\n"},"tenantId":{"type":"string","description":"The tenant ID to use during credential validation.\nDefaults to the tenant ID configured in the Vault \u003cspan pulumi-lang-nodejs=\"`backend`\" pulumi-lang-dotnet=\"`Backend`\" pulumi-lang-go=\"`backend`\" pulumi-lang-python=\"`backend`\" pulumi-lang-yaml=\"`backend`\" pulumi-lang-java=\"`backend`\"\u003e`backend`\u003c/span\u003e.\n*See the caveats section for more information on this field.*\n"},"validateCreds":{"type":"boolean","description":"Whether generated credentials should be \nvalidated before being returned. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, which returns\ncredentials without checking whether they have fully propagated throughout\nAzure Active Directory. Designating \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e activates testing.\n"}},"type":"object","required":["backend","role"]},"outputs":{"description":"A collection of values returned by getAccessCredentials.\n","properties":{"backend":{"type":"string"},"clientId":{"description":"The client id for credentials to query the Azure APIs.\n","type":"string"},"clientSecret":{"description":"The client secret for credentials to query the Azure APIs.\n","secret":true,"type":"string"},"environment":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"leaseDuration":{"description":"The duration of the secret lease, in seconds relative\nto the time the data was requested. Once this time has passed any plan\ngenerated with this data may fail to apply.\n","type":"integer"},"leaseId":{"description":"The lease identifier assigned by Vault.\n","type":"string"},"leaseRenewable":{"type":"boolean"},"leaseStartTime":{"type":"string"},"maxCredValidationSeconds":{"type":"integer"},"namespace":{"type":"string"},"numSecondsBetweenTests":{"type":"integer"},"numSequentialSuccesses":{"type":"integer"},"role":{"type":"string"},"subscriptionId":{"type":"string"},"tenantId":{"type":"string"},"validateCreds":{"type":"boolean"}},"required":["backend","clientId","clientSecret","leaseDuration","leaseId","leaseRenewable","leaseStartTime","role","id"],"type":"object"}},"vault:gcp/getAuthBackendRole:getAuthBackendRole":{"description":"Reads a GCP auth role from a Vault server.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nexport = async () =\u003e {\n    const role = await vault.gcp.getAuthBackendRole({\n        backend: \"my-gcp-backend\",\n        roleName: \"my-role\",\n    });\n    return {\n        \"role-id\": role.roleId,\n    };\n}\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nrole = vault.gcp.get_auth_backend_role(backend=\"my-gcp-backend\",\n    role_name=\"my-role\")\npulumi.export(\"role-id\", role.role_id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var role = Vault.Gcp.GetAuthBackendRole.Invoke(new()\n    {\n        Backend = \"my-gcp-backend\",\n        RoleName = \"my-role\",\n    });\n\n    return new Dictionary\u003cstring, object?\u003e\n    {\n        [\"role-id\"] = role.Apply(getAuthBackendRoleResult =\u003e getAuthBackendRoleResult.RoleId),\n    };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/gcp\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trole, err := gcp.LookupAuthBackendRole(ctx, \u0026gcp.LookupAuthBackendRoleArgs{\n\t\t\tBackend:  pulumi.StringRef(\"my-gcp-backend\"),\n\t\t\tRoleName: \"my-role\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"role-id\", role.RoleId)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.gcp.GcpFunctions;\nimport com.pulumi.vault.gcp.inputs.GetAuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var role = GcpFunctions.getAuthBackendRole(GetAuthBackendRoleArgs.builder()\n            .backend(\"my-gcp-backend\")\n            .roleName(\"my-role\")\n            .build());\n\n        ctx.export(\"role-id\", role.roleId());\n    }\n}\n```\n```yaml\nvariables:\n  role:\n    fn::invoke:\n      function: vault:gcp:getAuthBackendRole\n      arguments:\n        backend: my-gcp-backend\n        roleName: my-role\noutputs:\n  role-id: ${role.roleId}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getAuthBackendRole.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"}},"backend":{"type":"string","description":"The unique name for the GCP backend from which to fetch the role. Defaults to \"gcp\".\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"The name of the role to retrieve the Role ID for.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"List of CIDR blocks; if set, specifies blocks of IP\naddresses which can authenticate successfully, and ties the resulting token to these blocks\nas well.\n"},"tokenExplicitMaxTtl":{"type":"integer","description":"If set, will encode an\n[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)\nonto the token in number of seconds. This is a hard cap even if \u003cspan pulumi-lang-nodejs=\"`tokenTtl`\" pulumi-lang-dotnet=\"`TokenTtl`\" pulumi-lang-go=\"`tokenTtl`\" pulumi-lang-python=\"`token_ttl`\" pulumi-lang-yaml=\"`tokenTtl`\" pulumi-lang-java=\"`tokenTtl`\"\u003e`token_ttl`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`tokenMaxTtl`\" pulumi-lang-dotnet=\"`TokenMaxTtl`\" pulumi-lang-go=\"`tokenMaxTtl`\" pulumi-lang-python=\"`token_max_ttl`\" pulumi-lang-yaml=\"`tokenMaxTtl`\" pulumi-lang-java=\"`tokenMaxTtl`\"\u003e`token_max_ttl`\u003c/span\u003e would otherwise allow a renewal.\n"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If set, the default policy will not be set on\ngenerated tokens; otherwise it will be added to the policies set in token_policies.\n"},"tokenNumUses":{"type":"integer","description":"The\n[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),\nif any, in number of seconds to set on the token.\n"},"tokenPeriod":{"type":"integer","description":"(Optional) If set, indicates that the\ntoken generated using this role should never expire. The token should be renewed within the\nduration specified by this value. At each renewal, the token's TTL will be set to the\nvalue of this field. Specified in seconds.\n"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"List of policies to encode onto generated tokens. Depending\non the auth method, this list may be supplemented by user/group/other values.\n"},"tokenTtl":{"type":"integer","description":"The incremental lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenType":{"type":"string","description":"The type of token that should be generated. Can be \u003cspan pulumi-lang-nodejs=\"`service`\" pulumi-lang-dotnet=\"`Service`\" pulumi-lang-go=\"`service`\" pulumi-lang-python=\"`service`\" pulumi-lang-yaml=\"`service`\" pulumi-lang-java=\"`service`\"\u003e`service`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`batch`\" pulumi-lang-dotnet=\"`Batch`\" pulumi-lang-go=\"`batch`\" pulumi-lang-python=\"`batch`\" pulumi-lang-yaml=\"`batch`\" pulumi-lang-java=\"`batch`\"\u003e`batch`\u003c/span\u003e, or \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e to use the mount's tuned default (which unless changed will be\n\u003cspan pulumi-lang-nodejs=\"`service`\" pulumi-lang-dotnet=\"`Service`\" pulumi-lang-go=\"`service`\" pulumi-lang-python=\"`service`\" pulumi-lang-yaml=\"`service`\" pulumi-lang-java=\"`service`\"\u003e`service`\u003c/span\u003e tokens). For token store roles, there are two additional possibilities:\n`default-service` and `default-batch` which specify the type to return unless the client\nrequests a different type at generation time.\n"}},"type":"object","required":["roleName"]},"outputs":{"description":"A collection of values returned by getAuthBackendRole.\n","properties":{"aliasMetadata":{"additionalProperties":{"type":"string"},"type":"object"},"backend":{"type":"string"},"boundInstanceGroups":{"description":"GCP regions bound to the role. Returned when \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`gce`\" pulumi-lang-dotnet=\"`Gce`\" pulumi-lang-go=\"`gce`\" pulumi-lang-python=\"`gce`\" pulumi-lang-yaml=\"`gce`\" pulumi-lang-java=\"`gce`\"\u003e`gce`\u003c/span\u003e.\n","items":{"type":"string"},"type":"array"},"boundLabels":{"description":"GCP labels bound to the role. Returned when \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`gce`\" pulumi-lang-dotnet=\"`Gce`\" pulumi-lang-go=\"`gce`\" pulumi-lang-python=\"`gce`\" pulumi-lang-yaml=\"`gce`\" pulumi-lang-java=\"`gce`\"\u003e`gce`\u003c/span\u003e.\n","items":{"type":"string"},"type":"array"},"boundProjects":{"description":"GCP projects bound to the role.\n","items":{"type":"string"},"type":"array"},"boundRegions":{"description":"GCP regions bound to the role. Returned when \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`gce`\" pulumi-lang-dotnet=\"`Gce`\" pulumi-lang-go=\"`gce`\" pulumi-lang-python=\"`gce`\" pulumi-lang-yaml=\"`gce`\" pulumi-lang-java=\"`gce`\"\u003e`gce`\u003c/span\u003e.\n","items":{"type":"string"},"type":"array"},"boundServiceAccounts":{"description":"GCP service accounts bound to the role. Returned when \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e.\n","items":{"type":"string"},"type":"array"},"boundZones":{"description":"GCP zones bound to the role. Returned when \u003cspan pulumi-lang-nodejs=\"`type`\" pulumi-lang-dotnet=\"`Type`\" pulumi-lang-go=\"`type`\" pulumi-lang-python=\"`type`\" pulumi-lang-yaml=\"`type`\" pulumi-lang-java=\"`type`\"\u003e`type`\u003c/span\u003e is \u003cspan pulumi-lang-nodejs=\"`gce`\" pulumi-lang-dotnet=\"`Gce`\" pulumi-lang-go=\"`gce`\" pulumi-lang-python=\"`gce`\" pulumi-lang-yaml=\"`gce`\" pulumi-lang-java=\"`gce`\"\u003e`gce`\u003c/span\u003e.\n","items":{"type":"string"},"type":"array"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"roleId":{"description":"The RoleID of the GCP role.\n","type":"string"},"roleName":{"type":"string"},"tokenBoundCidrs":{"description":"List of CIDR blocks; if set, specifies blocks of IP\naddresses which can authenticate successfully, and ties the resulting token to these blocks\nas well.\n","items":{"type":"string"},"type":"array"},"tokenExplicitMaxTtl":{"description":"If set, will encode an\n[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)\nonto the token in number of seconds. This is a hard cap even if \u003cspan pulumi-lang-nodejs=\"`tokenTtl`\" pulumi-lang-dotnet=\"`TokenTtl`\" pulumi-lang-go=\"`tokenTtl`\" pulumi-lang-python=\"`token_ttl`\" pulumi-lang-yaml=\"`tokenTtl`\" pulumi-lang-java=\"`tokenTtl`\"\u003e`token_ttl`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`tokenMaxTtl`\" pulumi-lang-dotnet=\"`TokenMaxTtl`\" pulumi-lang-go=\"`tokenMaxTtl`\" pulumi-lang-python=\"`token_max_ttl`\" pulumi-lang-yaml=\"`tokenMaxTtl`\" pulumi-lang-java=\"`tokenMaxTtl`\"\u003e`token_max_ttl`\u003c/span\u003e would otherwise allow a renewal.\n","type":"integer"},"tokenMaxTtl":{"description":"The maximum lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n","type":"integer"},"tokenNoDefaultPolicy":{"description":"If set, the default policy will not be set on\ngenerated tokens; otherwise it will be added to the policies set in token_policies.\n","type":"boolean"},"tokenNumUses":{"description":"The\n[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),\nif any, in number of seconds to set on the token.\n","type":"integer"},"tokenPeriod":{"description":"(Optional) If set, indicates that the\ntoken generated using this role should never expire. The token should be renewed within the\nduration specified by this value. At each renewal, the token's TTL will be set to the\nvalue of this field. Specified in seconds.\n","type":"integer"},"tokenPolicies":{"description":"List of policies to encode onto generated tokens. Depending\non the auth method, this list may be supplemented by user/group/other values.\n","items":{"type":"string"},"type":"array"},"tokenTtl":{"description":"The incremental lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n","type":"integer"},"tokenType":{"description":"The type of token that should be generated. Can be \u003cspan pulumi-lang-nodejs=\"`service`\" pulumi-lang-dotnet=\"`Service`\" pulumi-lang-go=\"`service`\" pulumi-lang-python=\"`service`\" pulumi-lang-yaml=\"`service`\" pulumi-lang-java=\"`service`\"\u003e`service`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`batch`\" pulumi-lang-dotnet=\"`Batch`\" pulumi-lang-go=\"`batch`\" pulumi-lang-python=\"`batch`\" pulumi-lang-yaml=\"`batch`\" pulumi-lang-java=\"`batch`\"\u003e`batch`\u003c/span\u003e, or \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e to use the mount's tuned default (which unless changed will be\n\u003cspan pulumi-lang-nodejs=\"`service`\" pulumi-lang-dotnet=\"`Service`\" pulumi-lang-go=\"`service`\" pulumi-lang-python=\"`service`\" pulumi-lang-yaml=\"`service`\" pulumi-lang-java=\"`service`\"\u003e`service`\u003c/span\u003e tokens). For token store roles, there are two additional possibilities:\n`default-service` and `default-batch` which specify the type to return unless the client\nrequests a different type at generation time.\n","type":"string"},"type":{"description":"Type of GCP role. Expected values are \u003cspan pulumi-lang-nodejs=\"`iam`\" pulumi-lang-dotnet=\"`Iam`\" pulumi-lang-go=\"`iam`\" pulumi-lang-python=\"`iam`\" pulumi-lang-yaml=\"`iam`\" pulumi-lang-java=\"`iam`\"\u003e`iam`\u003c/span\u003e or \u003cspan pulumi-lang-nodejs=\"`gce`\" pulumi-lang-dotnet=\"`Gce`\" pulumi-lang-go=\"`gce`\" pulumi-lang-python=\"`gce`\" pulumi-lang-yaml=\"`gce`\" pulumi-lang-java=\"`gce`\"\u003e`gce`\u003c/span\u003e.\n","type":"string"}},"required":["boundInstanceGroups","boundLabels","boundProjects","boundRegions","boundServiceAccounts","boundZones","roleId","roleName","type","id"],"type":"object"}},"vault:generic/getSecret:getSecret":{"description":"## Example Usage\n\n### Generic secret\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst rundeckAuth = vault.generic.getSecret({\n    path: \"secret/rundeck_auth\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nrundeck_auth = vault.generic.get_secret(path=\"secret/rundeck_auth\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var rundeckAuth = Vault.Generic.GetSecret.Invoke(new()\n    {\n        Path = \"secret/rundeck_auth\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/generic\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := generic.LookupSecret(ctx, \u0026generic.LookupSecretArgs{\n\t\t\tPath: \"secret/rundeck_auth\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.generic.GenericFunctions;\nimport com.pulumi.vault.generic.inputs.GetSecretArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var rundeckAuth = GenericFunctions.getSecret(GetSecretArgs.builder()\n            .path(\"secret/rundeck_auth\")\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  rundeckAuth:\n    fn::invoke:\n      function: vault:generic:getSecret\n      arguments:\n        path: secret/rundeck_auth\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### KV \n\nFor this example, consider \u003cspan pulumi-lang-nodejs=\"`example`\" pulumi-lang-dotnet=\"`Example`\" pulumi-lang-go=\"`example`\" pulumi-lang-python=\"`example`\" pulumi-lang-yaml=\"`example`\" pulumi-lang-java=\"`example`\"\u003e`example`\u003c/span\u003e as a path for a KV engine.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nfunction notImplemented(message: string) {\n    throw new Error(message);\n}\n\nconst exampleCreds = vault.generic.getSecret({\n    path: \"example/creds\",\n});\nconst exampleTemplate = notImplemented(\"The template_file data resource is not yet supported.\");\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\n\ndef not_implemented(msg):\n    raise NotImplementedError(msg)\n\nexample_creds = vault.generic.get_secret(path=\"example/creds\")\nexample_template = not_implemented(\"The template_file data resource is not yet supported.\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\n\t\nobject NotImplemented(string errorMessage) \n{\n    throw new System.NotImplementedException(errorMessage);\n}\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var exampleCreds = Vault.Generic.GetSecret.Invoke(new()\n    {\n        Path = \"example/creds\",\n    });\n\n    var exampleTemplate = NotImplemented(\"The template_file data resource is not yet supported.\");\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/generic\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc notImplemented(message string) pulumi.AnyOutput {\n\tpanic(message)\n}\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := generic.LookupSecret(ctx, \u0026generic.LookupSecretArgs{\n\t\t\tPath: \"example/creds\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = notImplemented(\"The template_file data resource is not yet supported.\")\n\t\treturn nil\n\t})\n}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability on the given path.\n","inputs":{"description":"A collection of arguments for invoking getSecret.\n","properties":{"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The full logical path from which to request data.\nTo read data from the \"generic\" secret backend mounted in Vault by\ndefault, this should be prefixed with `secret/`. Reading from other backends\nwith this data source is possible; consult each backend's documentation\nto see which endpoints support the `GET` method.\n"},"version":{"type":"integer","description":"The version of the secret to read. This is used by the\nVault KV secrets engine - version 2 to indicate which version of the secret\nto read.\n"},"withLeaseStartTime":{"type":"boolean","description":"If set to true, stores \u003cspan pulumi-lang-nodejs=\"`leaseStartTime`\" pulumi-lang-dotnet=\"`LeaseStartTime`\" pulumi-lang-go=\"`leaseStartTime`\" pulumi-lang-python=\"`lease_start_time`\" pulumi-lang-yaml=\"`leaseStartTime`\" pulumi-lang-java=\"`leaseStartTime`\"\u003e`lease_start_time`\u003c/span\u003e in the TF state.\nNote that storing the \u003cspan pulumi-lang-nodejs=\"`leaseStartTime`\" pulumi-lang-dotnet=\"`LeaseStartTime`\" pulumi-lang-go=\"`leaseStartTime`\" pulumi-lang-python=\"`lease_start_time`\" pulumi-lang-yaml=\"`leaseStartTime`\" pulumi-lang-java=\"`leaseStartTime`\"\u003e`lease_start_time`\u003c/span\u003e in the TF state will cause a persistent drift\non every `pulumi preview` and will require a `pulumi up`.\n"}},"type":"object","required":["path"]},"outputs":{"description":"A collection of values returned by getSecret.\n","properties":{"data":{"additionalProperties":{"type":"string"},"description":"A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only\nrepresent string data, so any non-string values returned from Vault are\nserialized as JSON.\n","secret":true,"type":"object"},"dataJson":{"description":"A string containing the full data payload retrieved from\nVault, serialized in JSON format.\n","secret":true,"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"leaseDuration":{"description":"The duration of the secret lease, in seconds relative\nto the time the data was requested. Once this time has passed any plan\ngenerated with this data may fail to apply.\n","type":"integer"},"leaseId":{"description":"The lease identifier assigned by Vault, if any.\n","type":"string"},"leaseRenewable":{"type":"boolean"},"leaseStartTime":{"type":"string"},"namespace":{"type":"string"},"path":{"type":"string"},"version":{"type":"integer"},"withLeaseStartTime":{"type":"boolean"}},"required":["data","dataJson","leaseDuration","leaseId","leaseRenewable","leaseStartTime","path","id"],"type":"object"}},"vault:identity/getEntity:getEntity":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst entity = vault.identity.getEntity({\n    entityName: \"entity_12345\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nentity = vault.identity.get_entity(entity_name=\"entity_12345\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var entity = Vault.Identity.GetEntity.Invoke(new()\n    {\n        EntityName = \"entity_12345\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.LookupEntity(ctx, \u0026identity.LookupEntityArgs{\n\t\t\tEntityName: pulumi.StringRef(\"entity_12345\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.IdentityFunctions;\nimport com.pulumi.vault.identity.inputs.GetEntityArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var entity = IdentityFunctions.getEntity(GetEntityArgs.builder()\n            .entityName(\"entity_12345\")\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  entity:\n    fn::invoke:\n      function: vault:identity:getEntity\n      arguments:\n        entityName: entity_12345\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`update`\" pulumi-lang-dotnet=\"`Update`\" pulumi-lang-go=\"`update`\" pulumi-lang-python=\"`update`\" pulumi-lang-yaml=\"`update`\" pulumi-lang-java=\"`update`\"\u003e`update`\u003c/span\u003e capability on `/identity/lookup/entity`.\n","inputs":{"description":"A collection of arguments for invoking getEntity.\n","properties":{"aliasId":{"type":"string","description":"ID of the alias.\n"},"aliasMountAccessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to.\nThis should be supplied in conjunction with \u003cspan pulumi-lang-nodejs=\"`aliasName`\" pulumi-lang-dotnet=\"`AliasName`\" pulumi-lang-go=\"`aliasName`\" pulumi-lang-python=\"`alias_name`\" pulumi-lang-yaml=\"`aliasName`\" pulumi-lang-java=\"`aliasName`\"\u003e`alias_name`\u003c/span\u003e.\n\nThe lookup criteria can be \u003cspan pulumi-lang-nodejs=\"`entityName`\" pulumi-lang-dotnet=\"`EntityName`\" pulumi-lang-go=\"`entityName`\" pulumi-lang-python=\"`entity_name`\" pulumi-lang-yaml=\"`entityName`\" pulumi-lang-java=\"`entityName`\"\u003e`entity_name`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`entityId`\" pulumi-lang-dotnet=\"`EntityId`\" pulumi-lang-go=\"`entityId`\" pulumi-lang-python=\"`entity_id`\" pulumi-lang-yaml=\"`entityId`\" pulumi-lang-java=\"`entityId`\"\u003e`entity_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`aliasId`\" pulumi-lang-dotnet=\"`AliasId`\" pulumi-lang-go=\"`aliasId`\" pulumi-lang-python=\"`alias_id`\" pulumi-lang-yaml=\"`aliasId`\" pulumi-lang-java=\"`aliasId`\"\u003e`alias_id`\u003c/span\u003e, or a combination of\n\u003cspan pulumi-lang-nodejs=\"`aliasName`\" pulumi-lang-dotnet=\"`AliasName`\" pulumi-lang-go=\"`aliasName`\" pulumi-lang-python=\"`alias_name`\" pulumi-lang-yaml=\"`aliasName`\" pulumi-lang-java=\"`aliasName`\"\u003e`alias_name`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`aliasMountAccessor`\" pulumi-lang-dotnet=\"`AliasMountAccessor`\" pulumi-lang-go=\"`aliasMountAccessor`\" pulumi-lang-python=\"`alias_mount_accessor`\" pulumi-lang-yaml=\"`aliasMountAccessor`\" pulumi-lang-java=\"`aliasMountAccessor`\"\u003e`alias_mount_accessor`\u003c/span\u003e.\n"},"aliasName":{"type":"string","description":"Name of the alias. This should be supplied in conjunction with\n\u003cspan pulumi-lang-nodejs=\"`aliasMountAccessor`\" pulumi-lang-dotnet=\"`AliasMountAccessor`\" pulumi-lang-go=\"`aliasMountAccessor`\" pulumi-lang-python=\"`alias_mount_accessor`\" pulumi-lang-yaml=\"`aliasMountAccessor`\" pulumi-lang-java=\"`aliasMountAccessor`\"\u003e`alias_mount_accessor`\u003c/span\u003e.\n"},"entityId":{"type":"string","description":"ID of the entity.\n"},"entityName":{"type":"string","description":"Name of the entity.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"},"outputs":{"description":"A collection of values returned by getEntity.\n","properties":{"aliasId":{"type":"string"},"aliasMountAccessor":{"type":"string"},"aliasName":{"type":"string"},"aliases":{"description":"A list of entity alias. Structure is documented below.\n","items":{"$ref":"#/types/vault:identity/getEntityAlias:getEntityAlias"},"type":"array"},"creationTime":{"description":"Creation time of the Alias\n","type":"string"},"dataJson":{"description":"A string containing the full data payload retrieved from\nVault, serialized in JSON format.\n","type":"string"},"directGroupIds":{"description":"List of Group IDs of which the entity is directly a member of\n","items":{"type":"string"},"type":"array"},"disabled":{"description":"Whether the entity is disabled\n","type":"boolean"},"entityId":{"type":"string"},"entityName":{"type":"string"},"groupIds":{"description":"List of all Group IDs of which the entity is a member of\n","items":{"type":"string"},"type":"array"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"inheritedGroupIds":{"description":"List of all Group IDs of which the entity is a member of transitively\n","items":{"type":"string"},"type":"array"},"lastUpdateTime":{"description":"Last update time of the alias\n","type":"string"},"mergedEntityIds":{"description":"Other entity IDs which is merged with this entity\n","items":{"type":"string"},"type":"array"},"metadata":{"additionalProperties":{"type":"string"},"description":"Arbitrary metadata\n","type":"object"},"namespace":{"type":"string"},"namespaceId":{"description":"Namespace of which the entity is part of\n","type":"string"},"policies":{"description":"List of policies attached to the entity\n","items":{"type":"string"},"type":"array"}},"required":["aliasId","aliasMountAccessor","aliasName","aliases","creationTime","dataJson","directGroupIds","disabled","entityId","entityName","groupIds","inheritedGroupIds","lastUpdateTime","mergedEntityIds","metadata","namespaceId","policies","id"],"type":"object"}},"vault:identity/getGroup:getGroup":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst group = vault.identity.getGroup({\n    groupName: \"user\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ngroup = vault.identity.get_group(group_name=\"user\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var @group = Vault.Identity.GetGroup.Invoke(new()\n    {\n        GroupName = \"user\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := identity.LookupGroup(ctx, \u0026identity.LookupGroupArgs{\n\t\t\tGroupName: pulumi.StringRef(\"user\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.IdentityFunctions;\nimport com.pulumi.vault.identity.inputs.GetGroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var group = IdentityFunctions.getGroup(GetGroupArgs.builder()\n            .groupName(\"user\")\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  group:\n    fn::invoke:\n      function: vault:identity:getGroup\n      arguments:\n        groupName: user\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`create`\" pulumi-lang-dotnet=\"`Create`\" pulumi-lang-go=\"`create`\" pulumi-lang-python=\"`create`\" pulumi-lang-yaml=\"`create`\" pulumi-lang-java=\"`create`\"\u003e`create`\u003c/span\u003e capability on `/identity/lookup/group`.\n","inputs":{"description":"A collection of arguments for invoking getGroup.\n","properties":{"aliasId":{"type":"string","description":"ID of the alias.\n"},"aliasMountAccessor":{"type":"string","description":"Accessor of the mount to which the alias belongs to.\nThis should be supplied in conjunction with \u003cspan pulumi-lang-nodejs=\"`aliasName`\" pulumi-lang-dotnet=\"`AliasName`\" pulumi-lang-go=\"`aliasName`\" pulumi-lang-python=\"`alias_name`\" pulumi-lang-yaml=\"`aliasName`\" pulumi-lang-java=\"`aliasName`\"\u003e`alias_name`\u003c/span\u003e.\n\nThe lookup criteria can be \u003cspan pulumi-lang-nodejs=\"`groupName`\" pulumi-lang-dotnet=\"`GroupName`\" pulumi-lang-go=\"`groupName`\" pulumi-lang-python=\"`group_name`\" pulumi-lang-yaml=\"`groupName`\" pulumi-lang-java=\"`groupName`\"\u003e`group_name`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`groupId`\" pulumi-lang-dotnet=\"`GroupId`\" pulumi-lang-go=\"`groupId`\" pulumi-lang-python=\"`group_id`\" pulumi-lang-yaml=\"`groupId`\" pulumi-lang-java=\"`groupId`\"\u003e`group_id`\u003c/span\u003e, \u003cspan pulumi-lang-nodejs=\"`aliasId`\" pulumi-lang-dotnet=\"`AliasId`\" pulumi-lang-go=\"`aliasId`\" pulumi-lang-python=\"`alias_id`\" pulumi-lang-yaml=\"`aliasId`\" pulumi-lang-java=\"`aliasId`\"\u003e`alias_id`\u003c/span\u003e, or a combination of\n\u003cspan pulumi-lang-nodejs=\"`aliasName`\" pulumi-lang-dotnet=\"`AliasName`\" pulumi-lang-go=\"`aliasName`\" pulumi-lang-python=\"`alias_name`\" pulumi-lang-yaml=\"`aliasName`\" pulumi-lang-java=\"`aliasName`\"\u003e`alias_name`\u003c/span\u003e and \u003cspan pulumi-lang-nodejs=\"`aliasMountAccessor`\" pulumi-lang-dotnet=\"`AliasMountAccessor`\" pulumi-lang-go=\"`aliasMountAccessor`\" pulumi-lang-python=\"`alias_mount_accessor`\" pulumi-lang-yaml=\"`aliasMountAccessor`\" pulumi-lang-java=\"`aliasMountAccessor`\"\u003e`alias_mount_accessor`\u003c/span\u003e.\n"},"aliasName":{"type":"string","description":"Name of the alias. This should be supplied in conjunction with\n\u003cspan pulumi-lang-nodejs=\"`aliasMountAccessor`\" pulumi-lang-dotnet=\"`AliasMountAccessor`\" pulumi-lang-go=\"`aliasMountAccessor`\" pulumi-lang-python=\"`alias_mount_accessor`\" pulumi-lang-yaml=\"`aliasMountAccessor`\" pulumi-lang-java=\"`aliasMountAccessor`\"\u003e`alias_mount_accessor`\u003c/span\u003e.\n"},"groupId":{"type":"string","description":"ID of the group.\n"},"groupName":{"type":"string","description":"Name of the group.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"},"outputs":{"description":"A collection of values returned by getGroup.\n","properties":{"aliasCanonicalId":{"description":"Canonical ID of the Alias\n","type":"string"},"aliasCreationTime":{"description":"Creation time of the Alias\n","type":"string"},"aliasId":{"type":"string"},"aliasLastUpdateTime":{"description":"Last update time of the alias\n","type":"string"},"aliasMergedFromCanonicalIds":{"description":"List of canonical IDs merged with this alias\n","items":{"type":"string"},"type":"array"},"aliasMetadata":{"additionalProperties":{"type":"string"},"description":"Arbitrary metadata\n","type":"object"},"aliasMountAccessor":{"type":"string"},"aliasMountPath":{"description":"Authentication mount path which this alias belongs to\n","type":"string"},"aliasMountType":{"description":"Authentication mount type which this alias belongs to\n","type":"string"},"aliasName":{"type":"string"},"creationTime":{"description":"Creation timestamp of the group\n","type":"string"},"dataJson":{"description":"A string containing the full data payload retrieved from\nVault, serialized in JSON format.\n","type":"string"},"groupId":{"type":"string"},"groupName":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"lastUpdateTime":{"description":"Last updated time of the group\n","type":"string"},"memberEntityIds":{"description":"List of Entity IDs which are members of this group\n","items":{"type":"string"},"type":"array"},"memberGroupIds":{"description":"List of Group IDs which are members of this group\n","items":{"type":"string"},"type":"array"},"metadata":{"additionalProperties":{"type":"string"},"description":"Arbitrary metadata\n","type":"object"},"modifyIndex":{"description":"Modify index of the group\n","type":"integer"},"namespace":{"type":"string"},"namespaceId":{"description":"Namespace of which the group is part of\n","type":"string"},"parentGroupIds":{"description":"List of Group IDs which are parents of this group.\n","items":{"type":"string"},"type":"array"},"policies":{"description":"List of policies attached to the group\n","items":{"type":"string"},"type":"array"},"type":{"description":"Type of group\n","type":"string"}},"required":["aliasCanonicalId","aliasCreationTime","aliasId","aliasLastUpdateTime","aliasMergedFromCanonicalIds","aliasMetadata","aliasMountAccessor","aliasMountPath","aliasMountType","aliasName","creationTime","dataJson","groupId","groupName","lastUpdateTime","memberEntityIds","memberGroupIds","metadata","modifyIndex","namespaceId","parentGroupIds","policies","type","id"],"type":"object"}},"vault:identity/getOidcClientCreds:getOidcClientCreds":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst app = new vault.identity.OidcClient(\"app\", {\n    name: \"application\",\n    redirectUris: [\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    idTokenTtl: 2400,\n    accessTokenTtl: 7200,\n});\nconst creds = vault.identity.getOidcClientCredsOutput({\n    name: app.name,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\napp = vault.identity.OidcClient(\"app\",\n    name=\"application\",\n    redirect_uris=[\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    id_token_ttl=2400,\n    access_token_ttl=7200)\ncreds = vault.identity.get_oidc_client_creds_output(name=app.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var app = new Vault.Identity.OidcClient(\"app\", new()\n    {\n        Name = \"application\",\n        RedirectUris = new[]\n        {\n            \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n            \"http://127.0.0.1:8251/callback\",\n            \"http://127.0.0.1:8080/callback\",\n        },\n        IdTokenTtl = 2400,\n        AccessTokenTtl = 7200,\n    });\n\n    var creds = Vault.Identity.GetOidcClientCreds.Invoke(new()\n    {\n        Name = app.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tapp, err := identity.NewOidcClient(ctx, \"app\", \u0026identity.OidcClientArgs{\n\t\t\tName: pulumi.String(\"application\"),\n\t\t\tRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8251/callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8080/callback\"),\n\t\t\t},\n\t\t\tIdTokenTtl:     pulumi.Int(2400),\n\t\t\tAccessTokenTtl: pulumi.Int(7200),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = identity.GetOidcClientCredsOutput(ctx, identity.GetOidcClientCredsOutputArgs{\n\t\t\tName: app.Name,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcClient;\nimport com.pulumi.vault.identity.OidcClientArgs;\nimport com.pulumi.vault.identity.IdentityFunctions;\nimport com.pulumi.vault.identity.inputs.GetOidcClientCredsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var app = new OidcClient(\"app\", OidcClientArgs.builder()\n            .name(\"application\")\n            .redirectUris(            \n                \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n                \"http://127.0.0.1:8251/callback\",\n                \"http://127.0.0.1:8080/callback\")\n            .idTokenTtl(2400)\n            .accessTokenTtl(7200)\n            .build());\n\n        final var creds = IdentityFunctions.getOidcClientCreds(GetOidcClientCredsArgs.builder()\n            .name(app.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  app:\n    type: vault:identity:OidcClient\n    properties:\n      name: application\n      redirectUris:\n        - http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\n        - http://127.0.0.1:8251/callback\n        - http://127.0.0.1:8080/callback\n      idTokenTtl: 2400\n      accessTokenTtl: 7200\nvariables:\n  creds:\n    fn::invoke:\n      function: vault:identity:getOidcClientCreds\n      arguments:\n        name: ${app.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getOidcClientCreds.\n","properties":{"name":{"type":"string","description":"The name of the OIDC Client in Vault.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["name"]},"outputs":{"description":"A collection of values returned by getOidcClientCreds.\n","properties":{"clientId":{"description":"The Client ID returned by Vault.\n","type":"string"},"clientSecret":{"description":"The Client Secret Key returned by Vault.\nFor public OpenID Clients \u003cspan pulumi-lang-nodejs=\"`clientSecret`\" pulumi-lang-dotnet=\"`ClientSecret`\" pulumi-lang-go=\"`clientSecret`\" pulumi-lang-python=\"`client_secret`\" pulumi-lang-yaml=\"`clientSecret`\" pulumi-lang-java=\"`clientSecret`\"\u003e`client_secret`\u003c/span\u003e is set to an empty string `\"\"`\n","secret":true,"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"name":{"type":"string"},"namespace":{"type":"string"}},"required":["clientId","clientSecret","name","id"],"type":"object"}},"vault:identity/getOidcOpenidConfig:getOidcOpenidConfig":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst key = new vault.identity.OidcKey(\"key\", {\n    name: \"key\",\n    allowedClientIds: [\"*\"],\n    rotationPeriod: 3600,\n    verificationTtl: 3600,\n});\nconst app = new vault.identity.OidcClient(\"app\", {\n    name: \"application\",\n    key: key.name,\n    redirectUris: [\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    idTokenTtl: 2400,\n    accessTokenTtl: 7200,\n});\nconst provider = new vault.identity.OidcProvider(\"provider\", {\n    name: \"provider\",\n    allowedClientIds: [test.clientId],\n});\nconst config = vault.identity.getOidcOpenidConfigOutput({\n    name: provider.name,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkey = vault.identity.OidcKey(\"key\",\n    name=\"key\",\n    allowed_client_ids=[\"*\"],\n    rotation_period=3600,\n    verification_ttl=3600)\napp = vault.identity.OidcClient(\"app\",\n    name=\"application\",\n    key=key.name,\n    redirect_uris=[\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    id_token_ttl=2400,\n    access_token_ttl=7200)\nprovider = vault.identity.OidcProvider(\"provider\",\n    name=\"provider\",\n    allowed_client_ids=[test[\"clientId\"]])\nconfig = vault.identity.get_oidc_openid_config_output(name=provider.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var key = new Vault.Identity.OidcKey(\"key\", new()\n    {\n        Name = \"key\",\n        AllowedClientIds = new[]\n        {\n            \"*\",\n        },\n        RotationPeriod = 3600,\n        VerificationTtl = 3600,\n    });\n\n    var app = new Vault.Identity.OidcClient(\"app\", new()\n    {\n        Name = \"application\",\n        Key = key.Name,\n        RedirectUris = new[]\n        {\n            \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n            \"http://127.0.0.1:8251/callback\",\n            \"http://127.0.0.1:8080/callback\",\n        },\n        IdTokenTtl = 2400,\n        AccessTokenTtl = 7200,\n    });\n\n    var provider = new Vault.Identity.OidcProvider(\"provider\", new()\n    {\n        Name = \"provider\",\n        AllowedClientIds = new[]\n        {\n            test.ClientId,\n        },\n    });\n\n    var config = Vault.Identity.GetOidcOpenidConfig.Invoke(new()\n    {\n        Name = provider.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkey, err := identity.NewOidcKey(ctx, \"key\", \u0026identity.OidcKeyArgs{\n\t\t\tName: pulumi.String(\"key\"),\n\t\t\tAllowedClientIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tRotationPeriod:  pulumi.Int(3600),\n\t\t\tVerificationTtl: pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewOidcClient(ctx, \"app\", \u0026identity.OidcClientArgs{\n\t\t\tName: pulumi.String(\"application\"),\n\t\t\tKey:  key.Name,\n\t\t\tRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8251/callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8080/callback\"),\n\t\t\t},\n\t\t\tIdTokenTtl:     pulumi.Int(2400),\n\t\t\tAccessTokenTtl: pulumi.Int(7200),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tprovider, err := identity.NewOidcProvider(ctx, \"provider\", \u0026identity.OidcProviderArgs{\n\t\t\tName: pulumi.String(\"provider\"),\n\t\t\tAllowedClientIds: pulumi.StringArray{\n\t\t\t\ttest.ClientId,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = identity.GetOidcOpenidConfigOutput(ctx, identity.GetOidcOpenidConfigOutputArgs{\n\t\t\tName: provider.Name,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcKey;\nimport com.pulumi.vault.identity.OidcKeyArgs;\nimport com.pulumi.vault.identity.OidcClient;\nimport com.pulumi.vault.identity.OidcClientArgs;\nimport com.pulumi.vault.identity.OidcProvider;\nimport com.pulumi.vault.identity.OidcProviderArgs;\nimport com.pulumi.vault.identity.IdentityFunctions;\nimport com.pulumi.vault.identity.inputs.GetOidcOpenidConfigArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var key = new OidcKey(\"key\", OidcKeyArgs.builder()\n            .name(\"key\")\n            .allowedClientIds(\"*\")\n            .rotationPeriod(3600)\n            .verificationTtl(3600)\n            .build());\n\n        var app = new OidcClient(\"app\", OidcClientArgs.builder()\n            .name(\"application\")\n            .key(key.name())\n            .redirectUris(            \n                \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n                \"http://127.0.0.1:8251/callback\",\n                \"http://127.0.0.1:8080/callback\")\n            .idTokenTtl(2400)\n            .accessTokenTtl(7200)\n            .build());\n\n        var provider = new OidcProvider(\"provider\", OidcProviderArgs.builder()\n            .name(\"provider\")\n            .allowedClientIds(test.clientId())\n            .build());\n\n        final var config = IdentityFunctions.getOidcOpenidConfig(GetOidcOpenidConfigArgs.builder()\n            .name(provider.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  key:\n    type: vault:identity:OidcKey\n    properties:\n      name: key\n      allowedClientIds:\n        - '*'\n      rotationPeriod: 3600\n      verificationTtl: 3600\n  app:\n    type: vault:identity:OidcClient\n    properties:\n      name: application\n      key: ${key.name}\n      redirectUris:\n        - http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\n        - http://127.0.0.1:8251/callback\n        - http://127.0.0.1:8080/callback\n      idTokenTtl: 2400\n      accessTokenTtl: 7200\n  provider:\n    type: vault:identity:OidcProvider\n    properties:\n      name: provider\n      allowedClientIds:\n        - ${test.clientId}\nvariables:\n  config:\n    fn::invoke:\n      function: vault:identity:getOidcOpenidConfig\n      arguments:\n        name: ${provider.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getOidcOpenidConfig.\n","properties":{"name":{"type":"string","description":"The name of the OIDC Provider in Vault.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["name"]},"outputs":{"description":"A collection of values returned by getOidcOpenidConfig.\n","properties":{"authorizationEndpoint":{"description":"The Authorization Endpoint for the provider.\n","type":"string"},"grantTypesSupporteds":{"description":"The grant types supported by the provider.\n","items":{"type":"string"},"type":"array"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"idTokenSigningAlgValuesSupporteds":{"description":"The signing algorithms supported by \nthe provider.\n","items":{"type":"string"},"type":"array"},"issuer":{"description":"The URL of the issuer for the provider.\n","type":"string"},"jwksUri":{"description":"The well known keys URI for the provider.\n","type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"requestUriParameterSupported":{"description":"Specifies whether Request URI Parameter is \nsupported by the provider.\n","type":"boolean"},"responseTypesSupporteds":{"description":"The response types supported by the provider.\n","items":{"type":"string"},"type":"array"},"scopesSupporteds":{"description":"The scopes supported by the provider.\n","items":{"type":"string"},"type":"array"},"subjectTypesSupporteds":{"description":"The subject types supported by the provider.\n","items":{"type":"string"},"type":"array"},"tokenEndpoint":{"description":"The Token Endpoint for the provider.\n","type":"string"},"tokenEndpointAuthMethodsSupporteds":{"description":"The token endpoint auth methods supported by the provider.\n","items":{"type":"string"},"type":"array"},"userinfoEndpoint":{"description":"The User Info Endpoint for the provider\n","type":"string"}},"required":["authorizationEndpoint","grantTypesSupporteds","idTokenSigningAlgValuesSupporteds","issuer","jwksUri","name","requestUriParameterSupported","responseTypesSupporteds","scopesSupporteds","subjectTypesSupporteds","tokenEndpoint","tokenEndpointAuthMethodsSupporteds","userinfoEndpoint","id"],"type":"object"}},"vault:identity/getOidcPublicKeys:getOidcPublicKeys":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst key = new vault.identity.OidcKey(\"key\", {\n    name: \"key\",\n    allowedClientIds: [\"*\"],\n    rotationPeriod: 3600,\n    verificationTtl: 3600,\n});\nconst app = new vault.identity.OidcClient(\"app\", {\n    name: \"application\",\n    key: key.name,\n    redirectUris: [\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    idTokenTtl: 2400,\n    accessTokenTtl: 7200,\n});\nconst provider = new vault.identity.OidcProvider(\"provider\", {\n    name: \"provider\",\n    allowedClientIds: [test.clientId],\n});\nconst publicKeys = vault.identity.getOidcPublicKeysOutput({\n    name: provider.name,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nkey = vault.identity.OidcKey(\"key\",\n    name=\"key\",\n    allowed_client_ids=[\"*\"],\n    rotation_period=3600,\n    verification_ttl=3600)\napp = vault.identity.OidcClient(\"app\",\n    name=\"application\",\n    key=key.name,\n    redirect_uris=[\n        \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n        \"http://127.0.0.1:8251/callback\",\n        \"http://127.0.0.1:8080/callback\",\n    ],\n    id_token_ttl=2400,\n    access_token_ttl=7200)\nprovider = vault.identity.OidcProvider(\"provider\",\n    name=\"provider\",\n    allowed_client_ids=[test[\"clientId\"]])\npublic_keys = vault.identity.get_oidc_public_keys_output(name=provider.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var key = new Vault.Identity.OidcKey(\"key\", new()\n    {\n        Name = \"key\",\n        AllowedClientIds = new[]\n        {\n            \"*\",\n        },\n        RotationPeriod = 3600,\n        VerificationTtl = 3600,\n    });\n\n    var app = new Vault.Identity.OidcClient(\"app\", new()\n    {\n        Name = \"application\",\n        Key = key.Name,\n        RedirectUris = new[]\n        {\n            \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n            \"http://127.0.0.1:8251/callback\",\n            \"http://127.0.0.1:8080/callback\",\n        },\n        IdTokenTtl = 2400,\n        AccessTokenTtl = 7200,\n    });\n\n    var provider = new Vault.Identity.OidcProvider(\"provider\", new()\n    {\n        Name = \"provider\",\n        AllowedClientIds = new[]\n        {\n            test.ClientId,\n        },\n    });\n\n    var publicKeys = Vault.Identity.GetOidcPublicKeys.Invoke(new()\n    {\n        Name = provider.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/identity\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkey, err := identity.NewOidcKey(ctx, \"key\", \u0026identity.OidcKeyArgs{\n\t\t\tName: pulumi.String(\"key\"),\n\t\t\tAllowedClientIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tRotationPeriod:  pulumi.Int(3600),\n\t\t\tVerificationTtl: pulumi.Int(3600),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = identity.NewOidcClient(ctx, \"app\", \u0026identity.OidcClientArgs{\n\t\t\tName: pulumi.String(\"application\"),\n\t\t\tKey:  key.Name,\n\t\t\tRedirectUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8251/callback\"),\n\t\t\t\tpulumi.String(\"http://127.0.0.1:8080/callback\"),\n\t\t\t},\n\t\t\tIdTokenTtl:     pulumi.Int(2400),\n\t\t\tAccessTokenTtl: pulumi.Int(7200),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tprovider, err := identity.NewOidcProvider(ctx, \"provider\", \u0026identity.OidcProviderArgs{\n\t\t\tName: pulumi.String(\"provider\"),\n\t\t\tAllowedClientIds: pulumi.StringArray{\n\t\t\t\ttest.ClientId,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = identity.GetOidcPublicKeysOutput(ctx, identity.GetOidcPublicKeysOutputArgs{\n\t\t\tName: provider.Name,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.identity.OidcKey;\nimport com.pulumi.vault.identity.OidcKeyArgs;\nimport com.pulumi.vault.identity.OidcClient;\nimport com.pulumi.vault.identity.OidcClientArgs;\nimport com.pulumi.vault.identity.OidcProvider;\nimport com.pulumi.vault.identity.OidcProviderArgs;\nimport com.pulumi.vault.identity.IdentityFunctions;\nimport com.pulumi.vault.identity.inputs.GetOidcPublicKeysArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var key = new OidcKey(\"key\", OidcKeyArgs.builder()\n            .name(\"key\")\n            .allowedClientIds(\"*\")\n            .rotationPeriod(3600)\n            .verificationTtl(3600)\n            .build());\n\n        var app = new OidcClient(\"app\", OidcClientArgs.builder()\n            .name(\"application\")\n            .key(key.name())\n            .redirectUris(            \n                \"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\",\n                \"http://127.0.0.1:8251/callback\",\n                \"http://127.0.0.1:8080/callback\")\n            .idTokenTtl(2400)\n            .accessTokenTtl(7200)\n            .build());\n\n        var provider = new OidcProvider(\"provider\", OidcProviderArgs.builder()\n            .name(\"provider\")\n            .allowedClientIds(test.clientId())\n            .build());\n\n        final var publicKeys = IdentityFunctions.getOidcPublicKeys(GetOidcPublicKeysArgs.builder()\n            .name(provider.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  key:\n    type: vault:identity:OidcKey\n    properties:\n      name: key\n      allowedClientIds:\n        - '*'\n      rotationPeriod: 3600\n      verificationTtl: 3600\n  app:\n    type: vault:identity:OidcClient\n    properties:\n      name: application\n      key: ${key.name}\n      redirectUris:\n        - http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback\n        - http://127.0.0.1:8251/callback\n        - http://127.0.0.1:8080/callback\n      idTokenTtl: 2400\n      accessTokenTtl: 7200\n  provider:\n    type: vault:identity:OidcProvider\n    properties:\n      name: provider\n      allowedClientIds:\n        - ${test.clientId}\nvariables:\n  publicKeys:\n    fn::invoke:\n      function: vault:identity:getOidcPublicKeys\n      arguments:\n        name: ${provider.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getOidcPublicKeys.\n","properties":{"name":{"type":"string","description":"The name of the OIDC Provider in Vault.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["name"]},"outputs":{"description":"A collection of values returned by getOidcPublicKeys.\n","properties":{"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"keys":{"description":"The public portion of keys for an OIDC provider. \nClients can use them to validate the authenticity of an identity token.\n","items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"name":{"type":"string"},"namespace":{"type":"string"}},"required":["keys","name","id"],"type":"object"}},"vault:index/getAuthBackend:getAuthBackend":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = vault.getAuthBackend({\n    path: \"userpass\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.get_auth_backend(path=\"userpass\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = Vault.GetAuthBackend.Invoke(new()\n    {\n        Path = \"userpass\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.LookupAuthBackend(ctx, \u0026vault.LookupAuthBackendArgs{\n\t\t\tPath: \"userpass\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetAuthBackendArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var example = VaultFunctions.getAuthBackend(GetAuthBackendArgs.builder()\n            .path(\"userpass\")\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  example:\n    fn::invoke:\n      function: vault:getAuthBackend\n      arguments:\n        path: userpass\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getAuthBackend.\n","properties":{"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The auth backend mount point.\n"}},"type":"object","required":["path"]},"outputs":{"description":"A collection of values returned by getAuthBackend.\n","properties":{"accessor":{"description":"The accessor for this auth method.\n","type":"string"},"defaultLeaseTtlSeconds":{"description":"The default lease duration in seconds.\n","type":"integer"},"description":{"description":"A description of the auth method.\n","type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"listingVisibility":{"description":"Specifies whether to show this mount in the UI-specific listing endpoint.\n","type":"string"},"local":{"description":"Specifies if the auth method is local only.\n","type":"boolean"},"maxLeaseTtlSeconds":{"description":"The maximum lease duration in seconds.\n","type":"integer"},"namespace":{"type":"string"},"path":{"type":"string"},"type":{"description":"The name of the auth method type.\n","type":"string"}},"required":["accessor","defaultLeaseTtlSeconds","description","listingVisibility","local","maxLeaseTtlSeconds","path","type","id"],"type":"object"}},"vault:index/getAuthBackends:getAuthBackends":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = vault.getAuthBackends({});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.get_auth_backends()\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = Vault.GetAuthBackends.Invoke();\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.GetAuthBackends(ctx, \u0026vault.GetAuthBackendsArgs{}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetAuthBackendsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var example = VaultFunctions.getAuthBackends(GetAuthBackendsArgs.builder()\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  example:\n    fn::invoke:\n      function: vault:getAuthBackends\n      arguments: {}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example_filter = vault.getAuthBackends({\n    type: \"kubernetes\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample_filter = vault.get_auth_backends(type=\"kubernetes\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example_filter = Vault.GetAuthBackends.Invoke(new()\n    {\n        Type = \"kubernetes\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.GetAuthBackends(ctx, \u0026vault.GetAuthBackendsArgs{\n\t\t\tType: pulumi.StringRef(\"kubernetes\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetAuthBackendsArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var example-filter = VaultFunctions.getAuthBackends(GetAuthBackendsArgs.builder()\n            .type(\"kubernetes\")\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  example-filter:\n    fn::invoke:\n      function: vault:getAuthBackends\n      arguments:\n        type: kubernetes\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getAuthBackends.\n","properties":{"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"type":{"type":"string","description":"The name of the auth method type. Allows filtering of backends returned by type.\n"}},"type":"object"},"outputs":{"description":"A collection of values returned by getAuthBackends.\n","properties":{"accessors":{"description":"The accessor IDs for the auth methods.\n","items":{"type":"string"},"type":"array"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"paths":{"description":"List of auth backend mount points.\n","items":{"type":"string"},"type":"array"},"type":{"type":"string"}},"required":["accessors","paths","id"],"type":"object"}},"vault:index/getNamespace:getNamespace":{"description":"## Example Usage\n\n### Current namespace\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst current = vault.getNamespace({});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ncurrent = vault.get_namespace()\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var current = Vault.GetNamespace.Invoke();\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.LookupNamespace(ctx, \u0026vault.LookupNamespaceArgs{}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetNamespaceArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var current = VaultFunctions.getNamespace(GetNamespaceArgs.builder()\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  current:\n    fn::invoke:\n      function: vault:getNamespace\n      arguments: {}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Single namespace\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst ns1 = vault.getNamespace({\n    path: \"ns1\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nns1 = vault.get_namespace(path=\"ns1\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var ns1 = Vault.GetNamespace.Invoke(new()\n    {\n        Path = \"ns1\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.LookupNamespace(ctx, \u0026vault.LookupNamespaceArgs{\n\t\t\tPath: pulumi.StringRef(\"ns1\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetNamespaceArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var ns1 = VaultFunctions.getNamespace(GetNamespaceArgs.builder()\n            .path(\"ns1\")\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  ns1:\n    fn::invoke:\n      function: vault:getNamespace\n      arguments:\n        path: ns1\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Nested namespace\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst child = vault.getNamespace({\n    namespace: \"parent\",\n    path: \"child\",\n});\nconst fullPath = child.then(child =\u003e child.id);\n// -\u003e foo/parent/child/\nconst pathFq = child.then(child =\u003e child.pathFq);\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nchild = vault.get_namespace(namespace=\"parent\",\n    path=\"child\")\nfull_path = child.id\n# -\u003e foo/parent/child/\npath_fq = child.path_fq\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var child = Vault.GetNamespace.Invoke(new()\n    {\n        Namespace = \"parent\",\n        Path = \"child\",\n    });\n\n    var fullPath = child.Apply(getNamespaceResult =\u003e getNamespaceResult.Id);\n\n    // -\u003e foo/parent/child/\n    var pathFq = child.Apply(getNamespaceResult =\u003e getNamespaceResult.PathFq);\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tchild, err := vault.LookupNamespace(ctx, \u0026vault.LookupNamespaceArgs{\n\t\t\tNamespace: pulumi.StringRef(\"parent\"),\n\t\t\tPath:      pulumi.StringRef(\"child\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ := child.Id\n\t\t// -\u003e foo/parent/child/\n\t\t_ := child.PathFq\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetNamespaceArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var child = VaultFunctions.getNamespace(GetNamespaceArgs.builder()\n            .namespace(\"parent\")\n            .path(\"child\")\n            .build());\n\n        final var fullPath = child.id();\n\n        // -\u003e foo/parent/child/\n        final var pathFq = child.pathFq();\n\n    }\n}\n```\n```yaml\nvariables:\n  child:\n    fn::invoke:\n      function: vault:getNamespace\n      arguments:\n        namespace: parent\n        path: child\n  fullPath: ${child.id}\n  # -\u003e foo/parent/child/\n  pathFq: ${child.pathFq}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getNamespace.\n","properties":{"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path of the namespace. Must not have a trailing `/`.\nIf not specified or empty, path attributes are set for the current namespace\nbased on the \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e arguments of the provider and this data source.\nOther path related attributes will be empty in this case.\n","willReplaceOnChanges":true}},"type":"object"},"outputs":{"description":"A collection of values returned by getNamespace.\n","properties":{"customMetadata":{"additionalProperties":{"type":"string"},"description":"(Optional) A map of strings containing arbitrary metadata for the namespace.\nOnly fetched if \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e is specified.\n*Requires Vault 1.12+.*\n","type":"object"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"namespaceId":{"description":"Vault server's internal ID of the namespace.\nOnly fetched if \u003cspan pulumi-lang-nodejs=\"`path`\" pulumi-lang-dotnet=\"`Path`\" pulumi-lang-go=\"`path`\" pulumi-lang-python=\"`path`\" pulumi-lang-yaml=\"`path`\" pulumi-lang-java=\"`path`\"\u003e`path`\u003c/span\u003e is specified.\n","type":"string"},"path":{"type":"string"},"pathFq":{"description":"The fully qualified path to the namespace. Useful when provisioning resources in a child \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e.\nThe path is relative to the provider's \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e argument.\n","type":"string"}},"required":["customMetadata","namespaceId","pathFq","id"],"type":"object"}},"vault:index/getNamespaces:getNamespaces":{"description":"## Example Usage\n\n### Direct child namespaces\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst children = vault.getNamespaces({});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nchildren = vault.get_namespaces()\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var children = Vault.GetNamespaces.Invoke();\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.GetNamespaces(ctx, \u0026vault.GetNamespacesArgs{}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetNamespacesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var children = VaultFunctions.getNamespaces(GetNamespacesArgs.builder()\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  children:\n    fn::invoke:\n      function: vault:getNamespaces\n      arguments: {}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### All child namespaces\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst children = vault.getNamespaces({\n    recursive: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nchildren = vault.get_namespaces(recursive=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var children = Vault.GetNamespaces.Invoke(new()\n    {\n        Recursive = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := vault.GetNamespaces(ctx, \u0026vault.GetNamespacesArgs{\n\t\t\tRecursive: pulumi.BoolRef(true),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetNamespacesArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var children = VaultFunctions.getNamespaces(GetNamespacesArgs.builder()\n            .recursive(true)\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  children:\n    fn::invoke:\n      function: vault:getNamespaces\n      arguments:\n        recursive: true\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Child namespace details\n\nTo fetch the details of child namespaces:\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst children = vault.getNamespaces({\n    namespace: \"parent\",\n});\nconst child = .reduce((__obj, [__key, __value]) =\u003e ({ ...__obj, [__key]: vault.getNamespace({\n    namespace: _arg0_.namespace,\n    path: __key,\n}) }));\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nchildren = vault.get_namespaces(namespace=\"parent\")\nchild = {__key: vault.get_namespace(namespace=children.namespace,\n    path=__key) for __key, __value in children.paths}\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var children = Vault.GetNamespaces.Invoke(new()\n    {\n        Namespace = \"parent\",\n    });\n\n    var child = .ToDictionary(item =\u003e {\n        var __key = item.Key;\n        return __key;\n    }, item =\u003e {\n        var __key = item.Key;\n        return Vault.GetNamespace.Invoke(new()\n        {\n            Namespace = _arg0_.Namespace,\n            Path = __key,\n        });\n    });\n\n});\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getNamespaces.\n","properties":{"namespace":{"type":"string","description":"The namespace to provision the resource in.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault#namespace).\n","willReplaceOnChanges":true},"recursive":{"type":"boolean","description":"If \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e, it will returns all child namespaces of the given namespace. Defaults to \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e, which returns only direct child namespaces.\n"}},"type":"object"},"outputs":{"description":"A collection of values returned by getNamespaces.\n","properties":{"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"paths":{"description":"Set of the paths of child namespaces.\n","items":{"type":"string"},"type":"array"},"pathsFqs":{"description":"Set of the fully qualified paths of child namespaces.\n","items":{"type":"string"},"type":"array"},"recursive":{"type":"boolean"}},"required":["paths","pathsFqs","id"],"type":"object"}},"vault:index/getNomadAccessToken:getNomadAccessToken":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.NomadSecretBackend(\"config\", {\n    backend: \"nomad\",\n    description: \"test description\",\n    defaultLeaseTtlSeconds: 3600,\n    maxLeaseTtlSeconds: 7200,\n    address: \"https://127.0.0.1:4646\",\n    token: \"ae20ceaa-...\",\n});\nconst test = new vault.NomadSecretRole(\"test\", {\n    backend: config.backend,\n    role: \"test\",\n    type: \"client\",\n    policies: [\"readonly\"],\n});\nconst token = pulumi.all([config.backend, test.role]).apply(([backend, role]) =\u003e vault.getNomadAccessTokenOutput({\n    backend: backend,\n    role: role,\n}));\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.NomadSecretBackend(\"config\",\n    backend=\"nomad\",\n    description=\"test description\",\n    default_lease_ttl_seconds=3600,\n    max_lease_ttl_seconds=7200,\n    address=\"https://127.0.0.1:4646\",\n    token=\"ae20ceaa-...\")\ntest = vault.NomadSecretRole(\"test\",\n    backend=config.backend,\n    role=\"test\",\n    type=\"client\",\n    policies=[\"readonly\"])\ntoken = pulumi.Output.all(\n    backend=config.backend,\n    role=test.role\n).apply(lambda resolved_outputs: vault.get_nomad_access_token_output(backend=resolved_outputs['backend'],\n    role=resolved_outputs['role']))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.NomadSecretBackend(\"config\", new()\n    {\n        Backend = \"nomad\",\n        Description = \"test description\",\n        DefaultLeaseTtlSeconds = 3600,\n        MaxLeaseTtlSeconds = 7200,\n        Address = \"https://127.0.0.1:4646\",\n        Token = \"ae20ceaa-...\",\n    });\n\n    var test = new Vault.NomadSecretRole(\"test\", new()\n    {\n        Backend = config.Backend,\n        Role = \"test\",\n        Type = \"client\",\n        Policies = new[]\n        {\n            \"readonly\",\n        },\n    });\n\n    var token = Vault.GetNomadAccessToken.Invoke(new()\n    {\n        Backend = config.Backend,\n        Role = test.Role,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tconfig, err := vault.NewNomadSecretBackend(ctx, \"config\", \u0026vault.NomadSecretBackendArgs{\n\t\t\tBackend:                pulumi.String(\"nomad\"),\n\t\t\tDescription:            pulumi.String(\"test description\"),\n\t\t\tDefaultLeaseTtlSeconds: pulumi.Int(3600),\n\t\t\tMaxLeaseTtlSeconds:     pulumi.Int(7200),\n\t\t\tAddress:                pulumi.String(\"https://127.0.0.1:4646\"),\n\t\t\tToken:                  pulumi.String(\"ae20ceaa-...\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttest, err := vault.NewNomadSecretRole(ctx, \"test\", \u0026vault.NomadSecretRoleArgs{\n\t\t\tBackend: config.Backend,\n\t\t\tRole:    pulumi.String(\"test\"),\n\t\t\tType:    pulumi.String(\"client\"),\n\t\t\tPolicies: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"readonly\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = pulumi.All(config.Backend, test.Role).ApplyT(func(_args []interface{}) (vault.GetNomadAccessTokenResult, error) {\n\t\t\tbackend := _args[0].(*string)\n\t\t\trole := _args[1].(string)\n\t\t\treturn vault.GetNomadAccessTokenResult(interface{}(vault.GetNomadAccessToken(ctx, \u0026vault.GetNomadAccessTokenArgs{\n\t\t\t\tBackend: backend,\n\t\t\t\tRole:    role,\n\t\t\t}, nil))), nil\n\t\t}).(vault.GetNomadAccessTokenResultOutput)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.NomadSecretBackend;\nimport com.pulumi.vault.NomadSecretBackendArgs;\nimport com.pulumi.vault.NomadSecretRole;\nimport com.pulumi.vault.NomadSecretRoleArgs;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetNomadAccessTokenArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new NomadSecretBackend(\"config\", NomadSecretBackendArgs.builder()\n            .backend(\"nomad\")\n            .description(\"test description\")\n            .defaultLeaseTtlSeconds(3600)\n            .maxLeaseTtlSeconds(7200)\n            .address(\"https://127.0.0.1:4646\")\n            .token(\"ae20ceaa-...\")\n            .build());\n\n        var test = new NomadSecretRole(\"test\", NomadSecretRoleArgs.builder()\n            .backend(config.backend())\n            .role(\"test\")\n            .type(\"client\")\n            .policies(\"readonly\")\n            .build());\n\n        final var token = Output.tuple(config.backend(), test.role()).applyValue(values -\u003e {\n            var backend = values.t1;\n            var role = values.t2;\n            return VaultFunctions.getNomadAccessToken(GetNomadAccessTokenArgs.builder()\n                .backend(backend)\n                .role(role)\n                .build());\n        });\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:NomadSecretBackend\n    properties:\n      backend: nomad\n      description: test description\n      defaultLeaseTtlSeconds: '3600'\n      maxLeaseTtlSeconds: '7200'\n      address: https://127.0.0.1:4646\n      token: ae20ceaa-...\n  test:\n    type: vault:NomadSecretRole\n    properties:\n      backend: ${config.backend}\n      role: test\n      type: client\n      policies:\n        - readonly\nvariables:\n  token:\n    fn::invoke:\n      function: vault:getNomadAccessToken\n      arguments:\n        backend: ${config.backend}\n        role: ${test.role}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getNomadAccessToken.\n","properties":{"backend":{"type":"string","description":"The path to the Nomad secret backend to\nread credentials from, with no leading or trailing `/`s.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"The name of the Nomad secret backend role to generate\na token for, with no leading or trailing `/`s.\n","willReplaceOnChanges":true}},"type":"object","required":["backend","role"]},"outputs":{"description":"A collection of values returned by getNomadAccessToken.\n","properties":{"accessorId":{"description":"The public identifier for a specific token. It can be used \nto look up information about a token or to revoke a token.\n","type":"string"},"backend":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"role":{"type":"string"},"secretId":{"description":"The token to be used when making requests to Nomad and should be kept private.\n","secret":true,"type":"string"}},"required":["accessorId","backend","role","secretId","id"],"type":"object"}},"vault:index/getPolicyDocument:getPolicyDocument":{"description":"This is a data source which can be used to construct a HCL representation of an Vault policy document, for use with resources which expect policy documents, such as the \u003cspan pulumi-lang-nodejs=\"`vault.Policy`\" pulumi-lang-dotnet=\"`vault.Policy`\" pulumi-lang-go=\"`Policy`\" pulumi-lang-python=\"`Policy`\" pulumi-lang-yaml=\"`vault.Policy`\" pulumi-lang-java=\"`vault.Policy`\"\u003e`vault.Policy`\u003c/span\u003e resource.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst example = vault.getPolicyDocument({\n    rules: [{\n        path: \"secret/*\",\n        capabilities: [\n            \"create\",\n            \"read\",\n            \"update\",\n            \"delete\",\n            \"list\",\n        ],\n        description: \"allow all on secrets\",\n    }],\n});\nconst examplePolicy = new vault.Policy(\"example\", {\n    name: \"example_policy\",\n    policy: example.then(example =\u003e example.hcl),\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nexample = vault.get_policy_document(rules=[{\n    \"path\": \"secret/*\",\n    \"capabilities\": [\n        \"create\",\n        \"read\",\n        \"update\",\n        \"delete\",\n        \"list\",\n    ],\n    \"description\": \"allow all on secrets\",\n}])\nexample_policy = vault.Policy(\"example\",\n    name=\"example_policy\",\n    policy=example.hcl)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = Vault.GetPolicyDocument.Invoke(new()\n    {\n        Rules = new[]\n        {\n            new Vault.Inputs.GetPolicyDocumentRuleInputArgs\n            {\n                Path = \"secret/*\",\n                Capabilities = new[]\n                {\n                    \"create\",\n                    \"read\",\n                    \"update\",\n                    \"delete\",\n                    \"list\",\n                },\n                Description = \"allow all on secrets\",\n            },\n        },\n    });\n\n    var examplePolicy = new Vault.Policy(\"example\", new()\n    {\n        Name = \"example_policy\",\n        PolicyContents = example.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Hcl),\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := vault.GetPolicyDocument(ctx, \u0026vault.GetPolicyDocumentArgs{\n\t\t\tRules: []vault.GetPolicyDocumentRule{\n\t\t\t\t{\n\t\t\t\t\tPath: \"secret/*\",\n\t\t\t\t\tCapabilities: []string{\n\t\t\t\t\t\t\"create\",\n\t\t\t\t\t\t\"read\",\n\t\t\t\t\t\t\"update\",\n\t\t\t\t\t\t\"delete\",\n\t\t\t\t\t\t\"list\",\n\t\t\t\t\t},\n\t\t\t\t\tDescription: pulumi.StringRef(\"allow all on secrets\"),\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = vault.NewPolicy(ctx, \"example\", \u0026vault.PolicyArgs{\n\t\t\tName:   pulumi.String(\"example_policy\"),\n\t\t\tPolicy: pulumi.String(example.Hcl),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetPolicyDocumentArgs;\nimport com.pulumi.vault.Policy;\nimport com.pulumi.vault.PolicyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var example = VaultFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n            .rules(GetPolicyDocumentRuleArgs.builder()\n                .path(\"secret/*\")\n                .capabilities(                \n                    \"create\",\n                    \"read\",\n                    \"update\",\n                    \"delete\",\n                    \"list\")\n                .description(\"allow all on secrets\")\n                .build())\n            .build());\n\n        var examplePolicy = new Policy(\"examplePolicy\", PolicyArgs.builder()\n            .name(\"example_policy\")\n            .policy(example.hcl())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  examplePolicy:\n    type: vault:Policy\n    name: example\n    properties:\n      name: example_policy\n      policy: ${example.hcl}\nvariables:\n  example:\n    fn::invoke:\n      function: vault:getPolicyDocument\n      arguments:\n        rules:\n          - path: secret/*\n            capabilities:\n              - create\n              - read\n              - update\n              - delete\n              - list\n            description: allow all on secrets\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getPolicyDocument.\n","properties":{"namespace":{"type":"string","willReplaceOnChanges":true},"rules":{"type":"array","items":{"$ref":"#/types/vault:index/getPolicyDocumentRule:getPolicyDocumentRule"}}},"type":"object"},"outputs":{"description":"A collection of values returned by getPolicyDocument.\n","properties":{"hcl":{"description":"The above arguments serialized as a standard Vault HCL policy document.\n","type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"rules":{"items":{"$ref":"#/types/vault:index/getPolicyDocumentRule:getPolicyDocumentRule"},"type":"array"}},"required":["hcl","rules","id"],"type":"object"}},"vault:index/getRaftAutopilotState:getRaftAutopilotState":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nexport = async () =\u003e {\n    const main = await vault.getRaftAutopilotState({});\n    return {\n        \"failure-tolerance\": main.failureTolerance,\n    };\n}\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nmain = vault.get_raft_autopilot_state()\npulumi.export(\"failure-tolerance\", main.failure_tolerance)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var main = Vault.GetRaftAutopilotState.Invoke();\n\n    return new Dictionary\u003cstring, object?\u003e\n    {\n        [\"failure-tolerance\"] = main.Apply(getRaftAutopilotStateResult =\u003e getRaftAutopilotStateResult.FailureTolerance),\n    };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tmain, err := vault.GetRaftAutopilotState(ctx, \u0026vault.GetRaftAutopilotStateArgs{}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"failure-tolerance\", main.FailureTolerance)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.VaultFunctions;\nimport com.pulumi.vault.inputs.GetRaftAutopilotStateArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var main = VaultFunctions.getRaftAutopilotState(GetRaftAutopilotStateArgs.builder()\n            .build());\n\n        ctx.export(\"failure-tolerance\", main.failureTolerance());\n    }\n}\n```\n```yaml\nvariables:\n  main:\n    fn::invoke:\n      function: vault:getRaftAutopilotState\n      arguments: {}\noutputs:\n  failure-tolerance: ${main.failureTolerance}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getRaftAutopilotState.\n","properties":{"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object"},"outputs":{"description":"A collection of values returned by getRaftAutopilotState.\n","properties":{"failureTolerance":{"description":"How many nodes could fail before the cluster becomes unhealthy.\n","type":"integer"},"healthy":{"description":"Cluster health status.\n","type":"boolean"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"leader":{"description":"The current leader of Vault.\n","type":"string"},"namespace":{"type":"string"},"optimisticFailureTolerance":{"description":"The cluster-level optimistic failure tolerance.\n","type":"integer"},"redundancyZones":{"additionalProperties":{"type":"string"},"description":"Additional output related to redundancy zones stored as a serialized map of strings.\n","type":"object"},"redundancyZonesJson":{"description":"Additional output related to redundancy zones.\n","type":"string"},"servers":{"additionalProperties":{"type":"string"},"description":"Additionaly output related to servers in the cluster stored as a serialized map of strings.\n","type":"object"},"serversJson":{"description":"Additionaly output related to servers in the cluster.\n","type":"string"},"upgradeInfo":{"additionalProperties":{"type":"string"},"description":"Additional output related to upgrade information stored as a serialized map of strings.\n","type":"object"},"upgradeInfoJson":{"description":"Additional output related to upgrade information.\n","type":"string"},"voters":{"description":"The voters in the Vault cluster.\n","items":{"type":"string"},"type":"array"}},"required":["failureTolerance","healthy","leader","optimisticFailureTolerance","redundancyZones","redundancyZonesJson","servers","serversJson","upgradeInfo","upgradeInfoJson","voters","id"],"type":"object"}},"vault:kubernetes/getAuthBackendConfig:getAuthBackendConfig":{"description":"Reads the Role of an Kubernetes from a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-config) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = vault.kubernetes.getAuthBackendConfig({\n    backend: \"my-kubernetes-backend\",\n});\nexport const tokenReviewerJwt = config.then(config =\u003e config.tokenReviewerJwt);\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nconfig = vault.kubernetes.get_auth_backend_config(backend=\"my-kubernetes-backend\")\npulumi.export(\"tokenReviewerJwt\", config.token_reviewer_jwt)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = Vault.Kubernetes.GetAuthBackendConfig.Invoke(new()\n    {\n        Backend = \"my-kubernetes-backend\",\n    });\n\n    return new Dictionary\u003cstring, object?\u003e\n    {\n        [\"tokenReviewerJwt\"] = config.Apply(getAuthBackendConfigResult =\u003e getAuthBackendConfigResult.TokenReviewerJwt),\n    };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tconfig, err := kubernetes.LookupAuthBackendConfig(ctx, \u0026kubernetes.LookupAuthBackendConfigArgs{\n\t\t\tBackend: pulumi.StringRef(\"my-kubernetes-backend\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"tokenReviewerJwt\", config.TokenReviewerJwt)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kubernetes.KubernetesFunctions;\nimport com.pulumi.vault.kubernetes.inputs.GetAuthBackendConfigArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var config = KubernetesFunctions.getAuthBackendConfig(GetAuthBackendConfigArgs.builder()\n            .backend(\"my-kubernetes-backend\")\n            .build());\n\n        ctx.export(\"tokenReviewerJwt\", config.tokenReviewerJwt());\n    }\n}\n```\n```yaml\nvariables:\n  config:\n    fn::invoke:\n      function: vault:kubernetes:getAuthBackendConfig\n      arguments:\n        backend: my-kubernetes-backend\noutputs:\n  tokenReviewerJwt: ${config.tokenReviewerJwt}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getAuthBackendConfig.\n","properties":{"backend":{"type":"string","description":"The unique name for the Kubernetes backend the config to\nretrieve Role attributes for resides in. Defaults to \"kubernetes\".\n","willReplaceOnChanges":true},"disableIssValidation":{"type":"boolean","description":"(Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n"},"disableLocalCaJwt":{"type":"boolean","description":"(Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n"},"issuer":{"type":"string","description":"Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.\n"},"kubernetesCaCert":{"type":"string","description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.\n"},"kubernetesHost":{"type":"string","description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"pemKeys":{"type":"array","items":{"type":"string"},"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.\n"},"useAnnotationsAsAliasMetadata":{"type":"boolean","description":"(Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n"}},"type":"object"},"outputs":{"description":"A collection of values returned by getAuthBackendConfig.\n","properties":{"backend":{"type":"string"},"disableIssValidation":{"description":"(Optional) Disable JWT issuer validation. Allows to skip ISS validation. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n","type":"boolean"},"disableLocalCaJwt":{"description":"(Optional) Disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod. Requires Vault `v1.5.4+` or Vault auth kubernetes plugin `v0.7.1+`\n","type":"boolean"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"issuer":{"description":"Optional JWT issuer. If no issuer is specified, `kubernetes.io/serviceaccount` will be used as the default issuer.\n","type":"string"},"kubernetesCaCert":{"description":"PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API.\n","type":"string"},"kubernetesHost":{"description":"Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.\n","type":"string"},"namespace":{"type":"string"},"pemKeys":{"description":"Optional list of PEM-formatted public keys or certificates used to verify the signatures of Kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kubernetes exposes these keys.\n","items":{"type":"string"},"type":"array"},"useAnnotationsAsAliasMetadata":{"description":"(Optional) Use annotations from the client token's associated service account as alias metadata for the Vault entity. Requires Vault `v1.16+` or Vault auth kubernetes plugin `v0.18.0+`\n","type":"boolean"}},"required":["disableIssValidation","disableLocalCaJwt","issuer","kubernetesCaCert","kubernetesHost","pemKeys","useAnnotationsAsAliasMetadata","id"],"type":"object"}},"vault:kubernetes/getAuthBackendRole:getAuthBackendRole":{"description":"Reads the Role of an Kubernetes from a Vault server. See the [Vault\ndocumentation](https://www.vaultproject.io/api-docs/auth/kubernetes#read-role) for more\ninformation.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst role = vault.kubernetes.getAuthBackendRole({\n    backend: \"my-kubernetes-backend\",\n    roleName: \"my-role\",\n});\nexport const policies = role.then(role =\u003e role.policies);\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\nrole = vault.kubernetes.get_auth_backend_role(backend=\"my-kubernetes-backend\",\n    role_name=\"my-role\")\npulumi.export(\"policies\", role.policies)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var role = Vault.Kubernetes.GetAuthBackendRole.Invoke(new()\n    {\n        Backend = \"my-kubernetes-backend\",\n        RoleName = \"my-role\",\n    });\n\n    return new Dictionary\u003cstring, object?\u003e\n    {\n        [\"policies\"] = role.Apply(getAuthBackendRoleResult =\u003e getAuthBackendRoleResult.Policies),\n    };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\trole, err := kubernetes.LookupAuthBackendRole(ctx, \u0026kubernetes.LookupAuthBackendRoleArgs{\n\t\t\tBackend:  pulumi.StringRef(\"my-kubernetes-backend\"),\n\t\t\tRoleName: \"my-role\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"policies\", role.Policies)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kubernetes.KubernetesFunctions;\nimport com.pulumi.vault.kubernetes.inputs.GetAuthBackendRoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var role = KubernetesFunctions.getAuthBackendRole(GetAuthBackendRoleArgs.builder()\n            .backend(\"my-kubernetes-backend\")\n            .roleName(\"my-role\")\n            .build());\n\n        ctx.export(\"policies\", role.policies());\n    }\n}\n```\n```yaml\nvariables:\n  role:\n    fn::invoke:\n      function: vault:kubernetes:getAuthBackendRole\n      arguments:\n        backend: my-kubernetes-backend\n        roleName: my-role\noutputs:\n  policies: ${role.policies}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getAuthBackendRole.\n","properties":{"aliasMetadata":{"type":"object","additionalProperties":{"type":"string"}},"audience":{"type":"string","description":"Audience claim to verify in the JWT.\n"},"backend":{"type":"string","description":"The unique name for the Kubernetes backend the role to\nretrieve Role attributes for resides in. Defaults to \"kubernetes\".\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured namespace.\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"The name of the role to retrieve the Role attributes for.\n","willReplaceOnChanges":true},"tokenBoundCidrs":{"type":"array","items":{"type":"string"},"description":"List of CIDR blocks; if set, specifies blocks of IP\naddresses which can authenticate successfully, and ties the resulting token to these blocks\nas well.\n"},"tokenExplicitMaxTtl":{"type":"integer","description":"If set, will encode an\n[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)\nonto the token in number of seconds. This is a hard cap even if \u003cspan pulumi-lang-nodejs=\"`tokenTtl`\" pulumi-lang-dotnet=\"`TokenTtl`\" pulumi-lang-go=\"`tokenTtl`\" pulumi-lang-python=\"`token_ttl`\" pulumi-lang-yaml=\"`tokenTtl`\" pulumi-lang-java=\"`tokenTtl`\"\u003e`token_ttl`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`tokenMaxTtl`\" pulumi-lang-dotnet=\"`TokenMaxTtl`\" pulumi-lang-go=\"`tokenMaxTtl`\" pulumi-lang-python=\"`token_max_ttl`\" pulumi-lang-yaml=\"`tokenMaxTtl`\" pulumi-lang-java=\"`tokenMaxTtl`\"\u003e`token_max_ttl`\u003c/span\u003e would otherwise allow a renewal.\n"},"tokenMaxTtl":{"type":"integer","description":"The maximum lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenNoDefaultPolicy":{"type":"boolean","description":"If set, the default policy will not be set on\ngenerated tokens; otherwise it will be added to the policies set in token_policies.\n"},"tokenNumUses":{"type":"integer","description":"The\n[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),\nif any, in number of seconds to set on the token.\n"},"tokenPeriod":{"type":"integer","description":"(Optional) If set, indicates that the\ntoken generated using this role should never expire. The token should be renewed within the\nduration specified by this value. At each renewal, the token's TTL will be set to the\nvalue of this field. Specified in seconds.\n"},"tokenPolicies":{"type":"array","items":{"type":"string"},"description":"List of policies to encode onto generated tokens. Depending\non the auth method, this list may be supplemented by user/group/other values.\n"},"tokenTtl":{"type":"integer","description":"The incremental lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n"},"tokenType":{"type":"string","description":"The type of token that should be generated. Can be \u003cspan pulumi-lang-nodejs=\"`service`\" pulumi-lang-dotnet=\"`Service`\" pulumi-lang-go=\"`service`\" pulumi-lang-python=\"`service`\" pulumi-lang-yaml=\"`service`\" pulumi-lang-java=\"`service`\"\u003e`service`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`batch`\" pulumi-lang-dotnet=\"`Batch`\" pulumi-lang-go=\"`batch`\" pulumi-lang-python=\"`batch`\" pulumi-lang-yaml=\"`batch`\" pulumi-lang-java=\"`batch`\"\u003e`batch`\u003c/span\u003e, or \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e to use the mount's tuned default (which unless changed will be\n\u003cspan pulumi-lang-nodejs=\"`service`\" pulumi-lang-dotnet=\"`Service`\" pulumi-lang-go=\"`service`\" pulumi-lang-python=\"`service`\" pulumi-lang-yaml=\"`service`\" pulumi-lang-java=\"`service`\"\u003e`service`\u003c/span\u003e tokens). For token store roles, there are two additional possibilities:\n`default-service` and `default-batch` which specify the type to return unless the client\nrequests a different type at generation time.\n"}},"type":"object","required":["roleName"]},"outputs":{"description":"A collection of values returned by getAuthBackendRole.\n","properties":{"aliasMetadata":{"additionalProperties":{"type":"string"},"type":"object"},"aliasNameSource":{"description":"Method used for generating identity aliases. (vault-1.9+)\n","type":"string"},"audience":{"description":"Audience claim to verify in the JWT.\n","type":"string"},"backend":{"type":"string"},"boundServiceAccountNames":{"description":"List of service account names able to access this role. If set to \"*\" all names are allowed, both this and\u003cspan pulumi-lang-nodejs=\" boundServiceAccountNamespaces \" pulumi-lang-dotnet=\" BoundServiceAccountNamespaces \" pulumi-lang-go=\" boundServiceAccountNamespaces \" pulumi-lang-python=\" bound_service_account_namespaces \" pulumi-lang-yaml=\" boundServiceAccountNamespaces \" pulumi-lang-java=\" boundServiceAccountNamespaces \"\u003e bound_service_account_namespaces \u003c/span\u003ecan not be \"*\".\n","items":{"type":"string"},"type":"array"},"boundServiceAccountNamespaceSelector":{"description":"A label selector for Kubernetes namespaces allowed to access this role. Accepts either a JSON or YAML object. The value should be of type LabelSelector. Currently, label selectors with matchExpressions are not supported. To use label selectors, Vault must have permission to read namespaces on the Kubernetes cluster. If set with bound_service_account_namespaces, the conditions are ORed. Requires Vault v1.16+.\n","type":"string"},"boundServiceAccountNamespaces":{"description":"List of namespaces allowed to access this role. If set to \"*\" all namespaces are allowed, both this and\u003cspan pulumi-lang-nodejs=\" boundServiceAccountNames \" pulumi-lang-dotnet=\" BoundServiceAccountNames \" pulumi-lang-go=\" boundServiceAccountNames \" pulumi-lang-python=\" bound_service_account_names \" pulumi-lang-yaml=\" boundServiceAccountNames \" pulumi-lang-java=\" boundServiceAccountNames \"\u003e bound_service_account_names \u003c/span\u003ecan not be set to \"*\".\n","items":{"type":"string"},"type":"array"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"roleName":{"type":"string"},"tokenBoundCidrs":{"description":"List of CIDR blocks; if set, specifies blocks of IP\naddresses which can authenticate successfully, and ties the resulting token to these blocks\nas well.\n","items":{"type":"string"},"type":"array"},"tokenExplicitMaxTtl":{"description":"If set, will encode an\n[explicit max TTL](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls)\nonto the token in number of seconds. This is a hard cap even if \u003cspan pulumi-lang-nodejs=\"`tokenTtl`\" pulumi-lang-dotnet=\"`TokenTtl`\" pulumi-lang-go=\"`tokenTtl`\" pulumi-lang-python=\"`token_ttl`\" pulumi-lang-yaml=\"`tokenTtl`\" pulumi-lang-java=\"`tokenTtl`\"\u003e`token_ttl`\u003c/span\u003e and\n\u003cspan pulumi-lang-nodejs=\"`tokenMaxTtl`\" pulumi-lang-dotnet=\"`TokenMaxTtl`\" pulumi-lang-go=\"`tokenMaxTtl`\" pulumi-lang-python=\"`token_max_ttl`\" pulumi-lang-yaml=\"`tokenMaxTtl`\" pulumi-lang-java=\"`tokenMaxTtl`\"\u003e`token_max_ttl`\u003c/span\u003e would otherwise allow a renewal.\n","type":"integer"},"tokenMaxTtl":{"description":"The maximum lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n","type":"integer"},"tokenNoDefaultPolicy":{"description":"If set, the default policy will not be set on\ngenerated tokens; otherwise it will be added to the policies set in token_policies.\n","type":"boolean"},"tokenNumUses":{"description":"The\n[period](https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls),\nif any, in number of seconds to set on the token.\n","type":"integer"},"tokenPeriod":{"description":"(Optional) If set, indicates that the\ntoken generated using this role should never expire. The token should be renewed within the\nduration specified by this value. At each renewal, the token's TTL will be set to the\nvalue of this field. Specified in seconds.\n","type":"integer"},"tokenPolicies":{"description":"List of policies to encode onto generated tokens. Depending\non the auth method, this list may be supplemented by user/group/other values.\n","items":{"type":"string"},"type":"array"},"tokenTtl":{"description":"The incremental lifetime for generated tokens in number of seconds.\nIts current value will be referenced at renewal time.\n","type":"integer"},"tokenType":{"description":"The type of token that should be generated. Can be \u003cspan pulumi-lang-nodejs=\"`service`\" pulumi-lang-dotnet=\"`Service`\" pulumi-lang-go=\"`service`\" pulumi-lang-python=\"`service`\" pulumi-lang-yaml=\"`service`\" pulumi-lang-java=\"`service`\"\u003e`service`\u003c/span\u003e,\n\u003cspan pulumi-lang-nodejs=\"`batch`\" pulumi-lang-dotnet=\"`Batch`\" pulumi-lang-go=\"`batch`\" pulumi-lang-python=\"`batch`\" pulumi-lang-yaml=\"`batch`\" pulumi-lang-java=\"`batch`\"\u003e`batch`\u003c/span\u003e, or \u003cspan pulumi-lang-nodejs=\"`default`\" pulumi-lang-dotnet=\"`Default`\" pulumi-lang-go=\"`default`\" pulumi-lang-python=\"`default`\" pulumi-lang-yaml=\"`default`\" pulumi-lang-java=\"`default`\"\u003e`default`\u003c/span\u003e to use the mount's tuned default (which unless changed will be\n\u003cspan pulumi-lang-nodejs=\"`service`\" pulumi-lang-dotnet=\"`Service`\" pulumi-lang-go=\"`service`\" pulumi-lang-python=\"`service`\" pulumi-lang-yaml=\"`service`\" pulumi-lang-java=\"`service`\"\u003e`service`\u003c/span\u003e tokens). For token store roles, there are two additional possibilities:\n`default-service` and `default-batch` which specify the type to return unless the client\nrequests a different type at generation time.\n","type":"string"}},"required":["aliasNameSource","boundServiceAccountNames","boundServiceAccountNamespaceSelector","boundServiceAccountNamespaces","roleName","id"],"type":"object"}},"vault:kubernetes/getServiceAccountToken:getServiceAccountToken":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as std from \"@pulumi/std\";\nimport * as vault from \"@pulumi/vault\";\n\nconst config = new vault.kubernetes.SecretBackend(\"config\", {\n    path: \"kubernetes\",\n    description: \"kubernetes secrets engine description\",\n    kubernetesHost: \"https://127.0.0.1:61233\",\n    kubernetesCaCert: std.file({\n        input: \"/path/to/cert\",\n    }).then(invoke =\u003e invoke.result),\n    serviceAccountJwt: std.file({\n        input: \"/path/to/token\",\n    }).then(invoke =\u003e invoke.result),\n    disableLocalCaJwt: false,\n});\nconst role = new vault.kubernetes.SecretBackendRole(\"role\", {\n    backend: config.path,\n    name: \"service-account-name-role\",\n    allowedKubernetesNamespaces: [\"*\"],\n    tokenMaxTtl: 43200,\n    tokenDefaultTtl: 21600,\n    serviceAccountName: \"test-service-account-with-generated-token\",\n    extraLabels: {\n        id: \"abc123\",\n        name: \"some_name\",\n    },\n    extraAnnotations: {\n        env: \"development\",\n        location: \"earth\",\n    },\n});\nconst token = vault.kubernetes.getServiceAccountTokenOutput({\n    backend: config.path,\n    role: role.name,\n    kubernetesNamespace: \"test\",\n    clusterRoleBinding: false,\n    ttl: \"1h\",\n});\n```\n```python\nimport pulumi\nimport pulumi_std as std\nimport pulumi_vault as vault\n\nconfig = vault.kubernetes.SecretBackend(\"config\",\n    path=\"kubernetes\",\n    description=\"kubernetes secrets engine description\",\n    kubernetes_host=\"https://127.0.0.1:61233\",\n    kubernetes_ca_cert=std.file(input=\"/path/to/cert\").result,\n    service_account_jwt=std.file(input=\"/path/to/token\").result,\n    disable_local_ca_jwt=False)\nrole = vault.kubernetes.SecretBackendRole(\"role\",\n    backend=config.path,\n    name=\"service-account-name-role\",\n    allowed_kubernetes_namespaces=[\"*\"],\n    token_max_ttl=43200,\n    token_default_ttl=21600,\n    service_account_name=\"test-service-account-with-generated-token\",\n    extra_labels={\n        \"id\": \"abc123\",\n        \"name\": \"some_name\",\n    },\n    extra_annotations={\n        \"env\": \"development\",\n        \"location\": \"earth\",\n    })\ntoken = vault.kubernetes.get_service_account_token_output(backend=config.path,\n    role=role.name,\n    kubernetes_namespace=\"test\",\n    cluster_role_binding=False,\n    ttl=\"1h\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Std = Pulumi.Std;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var config = new Vault.Kubernetes.SecretBackend(\"config\", new()\n    {\n        Path = \"kubernetes\",\n        Description = \"kubernetes secrets engine description\",\n        KubernetesHost = \"https://127.0.0.1:61233\",\n        KubernetesCaCert = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/cert\",\n        }).Apply(invoke =\u003e invoke.Result),\n        ServiceAccountJwt = Std.File.Invoke(new()\n        {\n            Input = \"/path/to/token\",\n        }).Apply(invoke =\u003e invoke.Result),\n        DisableLocalCaJwt = false,\n    });\n\n    var role = new Vault.Kubernetes.SecretBackendRole(\"role\", new()\n    {\n        Backend = config.Path,\n        Name = \"service-account-name-role\",\n        AllowedKubernetesNamespaces = new[]\n        {\n            \"*\",\n        },\n        TokenMaxTtl = 43200,\n        TokenDefaultTtl = 21600,\n        ServiceAccountName = \"test-service-account-with-generated-token\",\n        ExtraLabels = \n        {\n            { \"id\", \"abc123\" },\n            { \"name\", \"some_name\" },\n        },\n        ExtraAnnotations = \n        {\n            { \"env\", \"development\" },\n            { \"location\", \"earth\" },\n        },\n    });\n\n    var token = Vault.Kubernetes.GetServiceAccountToken.Invoke(new()\n    {\n        Backend = config.Path,\n        Role = role.Name,\n        KubernetesNamespace = \"test\",\n        ClusterRoleBinding = false,\n        Ttl = \"1h\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-std/sdk/go/std\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kubernetes\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinvokeFile, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/cert\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tinvokeFile1, err := std.File(ctx, \u0026std.FileArgs{\n\t\t\tInput: \"/path/to/token\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tconfig, err := kubernetes.NewSecretBackend(ctx, \"config\", \u0026kubernetes.SecretBackendArgs{\n\t\t\tPath:              pulumi.String(\"kubernetes\"),\n\t\t\tDescription:       pulumi.String(\"kubernetes secrets engine description\"),\n\t\t\tKubernetesHost:    pulumi.String(\"https://127.0.0.1:61233\"),\n\t\t\tKubernetesCaCert:  pulumi.String(invokeFile.Result),\n\t\t\tServiceAccountJwt: pulumi.String(invokeFile1.Result),\n\t\t\tDisableLocalCaJwt: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := kubernetes.NewSecretBackendRole(ctx, \"role\", \u0026kubernetes.SecretBackendRoleArgs{\n\t\t\tBackend: config.Path,\n\t\t\tName:    pulumi.String(\"service-account-name-role\"),\n\t\t\tAllowedKubernetesNamespaces: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"*\"),\n\t\t\t},\n\t\t\tTokenMaxTtl:        pulumi.Int(43200),\n\t\t\tTokenDefaultTtl:    pulumi.Int(21600),\n\t\t\tServiceAccountName: pulumi.String(\"test-service-account-with-generated-token\"),\n\t\t\tExtraLabels: pulumi.StringMap{\n\t\t\t\t\"id\":   pulumi.String(\"abc123\"),\n\t\t\t\t\"name\": pulumi.String(\"some_name\"),\n\t\t\t},\n\t\t\tExtraAnnotations: pulumi.StringMap{\n\t\t\t\t\"env\":      pulumi.String(\"development\"),\n\t\t\t\t\"location\": pulumi.String(\"earth\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = kubernetes.GetServiceAccountTokenOutput(ctx, kubernetes.GetServiceAccountTokenOutputArgs{\n\t\t\tBackend:             config.Path,\n\t\t\tRole:                role.Name,\n\t\t\tKubernetesNamespace: pulumi.String(\"test\"),\n\t\t\tClusterRoleBinding:  pulumi.Bool(false),\n\t\t\tTtl:                 pulumi.String(\"1h\"),\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.kubernetes.SecretBackend;\nimport com.pulumi.vault.kubernetes.SecretBackendArgs;\nimport com.pulumi.std.StdFunctions;\nimport com.pulumi.std.inputs.FileArgs;\nimport com.pulumi.vault.kubernetes.SecretBackendRole;\nimport com.pulumi.vault.kubernetes.SecretBackendRoleArgs;\nimport com.pulumi.vault.kubernetes.KubernetesFunctions;\nimport com.pulumi.vault.kubernetes.inputs.GetServiceAccountTokenArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var config = new SecretBackend(\"config\", SecretBackendArgs.builder()\n            .path(\"kubernetes\")\n            .description(\"kubernetes secrets engine description\")\n            .kubernetesHost(\"https://127.0.0.1:61233\")\n            .kubernetesCaCert(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/cert\")\n                .build()).result())\n            .serviceAccountJwt(StdFunctions.file(FileArgs.builder()\n                .input(\"/path/to/token\")\n                .build()).result())\n            .disableLocalCaJwt(false)\n            .build());\n\n        var role = new SecretBackendRole(\"role\", SecretBackendRoleArgs.builder()\n            .backend(config.path())\n            .name(\"service-account-name-role\")\n            .allowedKubernetesNamespaces(\"*\")\n            .tokenMaxTtl(43200)\n            .tokenDefaultTtl(21600)\n            .serviceAccountName(\"test-service-account-with-generated-token\")\n            .extraLabels(Map.ofEntries(\n                Map.entry(\"id\", \"abc123\"),\n                Map.entry(\"name\", \"some_name\")\n            ))\n            .extraAnnotations(Map.ofEntries(\n                Map.entry(\"env\", \"development\"),\n                Map.entry(\"location\", \"earth\")\n            ))\n            .build());\n\n        final var token = KubernetesFunctions.getServiceAccountToken(GetServiceAccountTokenArgs.builder()\n            .backend(config.path())\n            .role(role.name())\n            .kubernetesNamespace(\"test\")\n            .clusterRoleBinding(false)\n            .ttl(\"1h\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  config:\n    type: vault:kubernetes:SecretBackend\n    properties:\n      path: kubernetes\n      description: kubernetes secrets engine description\n      kubernetesHost: https://127.0.0.1:61233\n      kubernetesCaCert:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/cert\n          return: result\n      serviceAccountJwt:\n        fn::invoke:\n          function: std:file\n          arguments:\n            input: /path/to/token\n          return: result\n      disableLocalCaJwt: false\n  role:\n    type: vault:kubernetes:SecretBackendRole\n    properties:\n      backend: ${config.path}\n      name: service-account-name-role\n      allowedKubernetesNamespaces:\n        - '*'\n      tokenMaxTtl: 43200\n      tokenDefaultTtl: 21600\n      serviceAccountName: test-service-account-with-generated-token\n      extraLabels:\n        id: abc123\n        name: some_name\n      extraAnnotations:\n        env: development\n        location: earth\nvariables:\n  token:\n    fn::invoke:\n      function: vault:kubernetes:getServiceAccountToken\n      arguments:\n        backend: ${config.path}\n        role: ${role.name}\n        kubernetesNamespace: test\n        clusterRoleBinding: false\n        ttl: 1h\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getServiceAccountToken.\n","properties":{"backend":{"type":"string","description":"The Kubernetes secret backend to generate service account \ntokens from.\n"},"clusterRoleBinding":{"type":"boolean","description":"If true, generate a ClusterRoleBinding to grant \npermissions across the whole cluster instead of within a namespace.\n"},"kubernetesNamespace":{"type":"string","description":"The name of the Kubernetes namespace in which to \ngenerate the credentials.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"role":{"type":"string","description":"The name of the Kubernetes secret backend role to generate service \naccount tokens from.\n"},"ttl":{"type":"string","description":"The TTL of the generated Kubernetes service account token, specified in \nseconds or as a Go duration format string.\n"}},"type":"object","required":["backend","kubernetesNamespace","role"]},"outputs":{"description":"A collection of values returned by getServiceAccountToken.\n","properties":{"backend":{"type":"string"},"clusterRoleBinding":{"type":"boolean"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"kubernetesNamespace":{"type":"string"},"leaseDuration":{"description":"The duration of the lease in seconds.\n","type":"integer"},"leaseId":{"description":"The lease identifier assigned by Vault.\n","type":"string"},"leaseRenewable":{"description":"True if the duration of this lease can be extended through renewal.\n","type":"boolean"},"namespace":{"type":"string"},"role":{"type":"string"},"serviceAccountName":{"description":"The name of the service account associated with the token.\n","type":"string"},"serviceAccountNamespace":{"description":"The Kubernetes namespace that the service account resides in.\n","type":"string"},"serviceAccountToken":{"description":"The Kubernetes service account token.\n","secret":true,"type":"string"},"ttl":{"type":"string"}},"required":["backend","kubernetesNamespace","leaseDuration","leaseId","leaseRenewable","role","serviceAccountName","serviceAccountNamespace","serviceAccountToken","id"],"type":"object"}},"vault:kv/getSecret:getSecret":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv1 = new vault.Mount(\"kvv1\", {\n    path: \"kvv1\",\n    type: \"kv\",\n    options: {\n        version: \"1\",\n    },\n    description: \"KV Version 1 secret engine mount\",\n});\nconst secret = new vault.kv.Secret(\"secret\", {\n    path: pulumi.interpolate`${kvv1.path}/secret`,\n    dataJson: JSON.stringify({\n        zip: \"zap\",\n        foo: \"bar\",\n    }),\n});\nconst secretData = vault.kv.getSecretOutput({\n    path: secret.path,\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv1 = vault.Mount(\"kvv1\",\n    path=\"kvv1\",\n    type=\"kv\",\n    options={\n        \"version\": \"1\",\n    },\n    description=\"KV Version 1 secret engine mount\")\nsecret = vault.kv.Secret(\"secret\",\n    path=kvv1.path.apply(lambda path: f\"{path}/secret\"),\n    data_json=json.dumps({\n        \"zip\": \"zap\",\n        \"foo\": \"bar\",\n    }))\nsecret_data = vault.kv.get_secret_output(path=secret.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv1 = new Vault.Mount(\"kvv1\", new()\n    {\n        Path = \"kvv1\",\n        Type = \"kv\",\n        Options = \n        {\n            { \"version\", \"1\" },\n        },\n        Description = \"KV Version 1 secret engine mount\",\n    });\n\n    var secret = new Vault.Kv.Secret(\"secret\", new()\n    {\n        Path = kvv1.Path.Apply(path =\u003e $\"{path}/secret\"),\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"zip\"] = \"zap\",\n            [\"foo\"] = \"bar\",\n        }),\n    });\n\n    var secretData = Vault.Kv.GetSecret.Invoke(new()\n    {\n        Path = secret.Path,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv1, err := vault.NewMount(ctx, \"kvv1\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv1\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"1\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 1 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"zip\": \"zap\",\n\t\t\t\"foo\": \"bar\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\tsecret, err := kv.NewSecret(ctx, \"secret\", \u0026kv.SecretArgs{\n\t\t\tPath: kvv1.Path.ApplyT(func(path string) (string, error) {\n\t\t\t\treturn fmt.Sprintf(\"%v/secret\", path), nil\n\t\t\t}).(pulumi.StringOutput),\n\t\t\tDataJson: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = kv.LookupSecretOutput(ctx, kv.GetSecretOutputArgs{\n\t\t\tPath: secret.Path,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.Secret;\nimport com.pulumi.vault.kv.SecretArgs;\nimport com.pulumi.vault.kv.KvFunctions;\nimport com.pulumi.vault.kv.inputs.GetSecretArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv1 = new Mount(\"kvv1\", MountArgs.builder()\n            .path(\"kvv1\")\n            .type(\"kv\")\n            .options(Map.of(\"version\", \"1\"))\n            .description(\"KV Version 1 secret engine mount\")\n            .build());\n\n        var secret = new Secret(\"secret\", SecretArgs.builder()\n            .path(kvv1.path().applyValue(_path -\u003e String.format(\"%s/secret\", _path)))\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"zip\", \"zap\"),\n                    jsonProperty(\"foo\", \"bar\")\n                )))\n            .build());\n\n        final var secretData = KvFunctions.getSecret(GetSecretArgs.builder()\n            .path(secret.path())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kvv1:\n    type: vault:Mount\n    properties:\n      path: kvv1\n      type: kv\n      options:\n        version: '1'\n      description: KV Version 1 secret engine mount\n  secret:\n    type: vault:kv:Secret\n    properties:\n      path: ${kvv1.path}/secret\n      dataJson:\n        fn::toJSON:\n          zip: zap\n          foo: bar\nvariables:\n  secretData:\n    fn::invoke:\n      function: vault:kv:getSecret\n      arguments:\n        path: ${secret.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability on the given path.\n","inputs":{"description":"A collection of arguments for invoking getSecret.\n","properties":{"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Full path of the KV-V1 secret.\n","willReplaceOnChanges":true}},"type":"object","required":["path"]},"outputs":{"description":"A collection of values returned by getSecret.\n","properties":{"data":{"additionalProperties":{"type":"string"},"description":"A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only\nrepresent string data, so any non-string values returned from Vault are\nserialized as JSON.\n","secret":true,"type":"object"},"dataJson":{"description":"JSON-encoded string that that is\nread as the secret data at the given path.\n","secret":true,"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"leaseDuration":{"description":"The duration of the secret lease, in seconds. Once \nthis time has passed any plan generated with this data may fail to apply.\n","type":"integer"},"leaseId":{"description":"The lease identifier assigned by Vault, if any.\n","type":"string"},"leaseRenewable":{"description":"True if the duration of this lease can be extended \nthrough renewal.\n","type":"boolean"},"namespace":{"type":"string"},"path":{"type":"string"}},"required":["data","dataJson","leaseDuration","leaseId","leaseRenewable","path","id"],"type":"object"}},"vault:kv/getSecretSubkeysV2:getSecretSubkeysV2":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv2 = new vault.Mount(\"kvv2\", {\n    path: \"kvv2\",\n    type: \"kv\",\n    options: {\n        version: \"2\",\n    },\n    description: \"KV Version 2 secret engine mount\",\n});\nconst awsSecret = new vault.kv.SecretV2(\"aws_secret\", {\n    mount: kvv2.path,\n    name: \"aws_secret\",\n    dataJson: JSON.stringify({\n        zip: \"zap\",\n        foo: \"bar\",\n    }),\n});\nconst test = vault.kv.getSecretSubkeysV2Output({\n    mount: kvv2.path,\n    name: awsSecret.name,\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv2 = vault.Mount(\"kvv2\",\n    path=\"kvv2\",\n    type=\"kv\",\n    options={\n        \"version\": \"2\",\n    },\n    description=\"KV Version 2 secret engine mount\")\naws_secret = vault.kv.SecretV2(\"aws_secret\",\n    mount=kvv2.path,\n    name=\"aws_secret\",\n    data_json=json.dumps({\n        \"zip\": \"zap\",\n        \"foo\": \"bar\",\n    }))\ntest = vault.kv.get_secret_subkeys_v2_output(mount=kvv2.path,\n    name=aws_secret.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv2 = new Vault.Mount(\"kvv2\", new()\n    {\n        Path = \"kvv2\",\n        Type = \"kv\",\n        Options = \n        {\n            { \"version\", \"2\" },\n        },\n        Description = \"KV Version 2 secret engine mount\",\n    });\n\n    var awsSecret = new Vault.Kv.SecretV2(\"aws_secret\", new()\n    {\n        Mount = kvv2.Path,\n        Name = \"aws_secret\",\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"zip\"] = \"zap\",\n            [\"foo\"] = \"bar\",\n        }),\n    });\n\n    var test = Vault.Kv.GetSecretSubkeysV2.Invoke(new()\n    {\n        Mount = kvv2.Path,\n        Name = awsSecret.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv2, err := vault.NewMount(ctx, \"kvv2\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv2\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 2 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"zip\": \"zap\",\n\t\t\t\"foo\": \"bar\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\tawsSecret, err := kv.NewSecretV2(ctx, \"aws_secret\", \u0026kv.SecretV2Args{\n\t\t\tMount:    kvv2.Path,\n\t\t\tName:     pulumi.String(\"aws_secret\"),\n\t\t\tDataJson: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = kv.GetSecretSubkeysV2Output(ctx, kv.GetSecretSubkeysV2OutputArgs{\n\t\t\tMount: kvv2.Path,\n\t\t\tName:  awsSecret.Name,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.SecretV2;\nimport com.pulumi.vault.kv.SecretV2Args;\nimport com.pulumi.vault.kv.KvFunctions;\nimport com.pulumi.vault.kv.inputs.GetSecretSubkeysV2Args;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv2 = new Mount(\"kvv2\", MountArgs.builder()\n            .path(\"kvv2\")\n            .type(\"kv\")\n            .options(Map.of(\"version\", \"2\"))\n            .description(\"KV Version 2 secret engine mount\")\n            .build());\n\n        var awsSecret = new SecretV2(\"awsSecret\", SecretV2Args.builder()\n            .mount(kvv2.path())\n            .name(\"aws_secret\")\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"zip\", \"zap\"),\n                    jsonProperty(\"foo\", \"bar\")\n                )))\n            .build());\n\n        final var test = KvFunctions.getSecretSubkeysV2(GetSecretSubkeysV2Args.builder()\n            .mount(kvv2.path())\n            .name(awsSecret.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kvv2:\n    type: vault:Mount\n    properties:\n      path: kvv2\n      type: kv\n      options:\n        version: '2'\n      description: KV Version 2 secret engine mount\n  awsSecret:\n    type: vault:kv:SecretV2\n    name: aws_secret\n    properties:\n      mount: ${kvv2.path}\n      name: aws_secret\n      dataJson:\n        fn::toJSON:\n          zip: zap\n          foo: bar\nvariables:\n  test:\n    fn::invoke:\n      function: vault:kv:getSecretSubkeysV2\n      arguments:\n        mount: ${kvv2.path}\n        name: ${awsSecret.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability on the given path.\n","inputs":{"description":"A collection of arguments for invoking getSecretSubkeysV2.\n","properties":{"depth":{"type":"integer","description":"Specifies the deepest nesting level to provide in the output.\nIf non-zero, keys that reside at the specified depth value will be\nartificially treated as leaves and will thus be \u003cspan pulumi-lang-nodejs=\"`null`\" pulumi-lang-dotnet=\"`Null`\" pulumi-lang-go=\"`null`\" pulumi-lang-python=\"`null`\" pulumi-lang-yaml=\"`null`\" pulumi-lang-java=\"`null`\"\u003e`null`\u003c/span\u003e even if further\nunderlying sub-keys exist.\n"},"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.\n"},"name":{"type":"string","description":"Full name of the secret. For a nested secret\nthe name is the nested path excluding the mount and data\nprefix. For example, for a secret at `kvv2/data/foo/bar/baz`\nthe name is `foo/bar/baz`.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"version":{"type":"integer","description":"Specifies the version to return. If not \nset the latest version is returned.\n"}},"type":"object","required":["mount","name"]},"outputs":{"description":"A collection of values returned by getSecretSubkeysV2.\n","properties":{"data":{"additionalProperties":{"type":"string"},"description":"Subkeys for the KV-V2 secret stored as a serialized map of strings.\n","secret":true,"type":"object"},"dataJson":{"description":"Subkeys for the KV-V2 secret read from Vault.\n","type":"string"},"depth":{"type":"integer"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"mount":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"path":{"description":"Full path where the KV-V2 secrets are listed.\n","type":"string"},"version":{"type":"integer"}},"required":["data","dataJson","mount","name","path","id"],"type":"object"}},"vault:kv/getSecretV2:getSecretV2":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv2 = new vault.Mount(\"kvv2\", {\n    path: \"kvv2\",\n    type: \"kv\",\n    options: {\n        version: \"2\",\n    },\n    description: \"KV Version 2 secret engine mount\",\n});\nconst exampleSecretV2 = new vault.kv.SecretV2(\"example\", {\n    mount: kvv2.path,\n    name: \"secret\",\n    deleteAllVersions: true,\n    dataJson: JSON.stringify({\n        zip: \"zap\",\n        foo: \"bar\",\n    }),\n});\nconst example = vault.kv.getSecretV2Output({\n    mount: kvv2.path,\n    name: exampleSecretV2.name,\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv2 = vault.Mount(\"kvv2\",\n    path=\"kvv2\",\n    type=\"kv\",\n    options={\n        \"version\": \"2\",\n    },\n    description=\"KV Version 2 secret engine mount\")\nexample_secret_v2 = vault.kv.SecretV2(\"example\",\n    mount=kvv2.path,\n    name=\"secret\",\n    delete_all_versions=True,\n    data_json=json.dumps({\n        \"zip\": \"zap\",\n        \"foo\": \"bar\",\n    }))\nexample = vault.kv.get_secret_v2_output(mount=kvv2.path,\n    name=example_secret_v2.name)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv2 = new Vault.Mount(\"kvv2\", new()\n    {\n        Path = \"kvv2\",\n        Type = \"kv\",\n        Options = \n        {\n            { \"version\", \"2\" },\n        },\n        Description = \"KV Version 2 secret engine mount\",\n    });\n\n    var exampleSecretV2 = new Vault.Kv.SecretV2(\"example\", new()\n    {\n        Mount = kvv2.Path,\n        Name = \"secret\",\n        DeleteAllVersions = true,\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"zip\"] = \"zap\",\n            [\"foo\"] = \"bar\",\n        }),\n    });\n\n    var example = Vault.Kv.GetSecretV2.Invoke(new()\n    {\n        Mount = kvv2.Path,\n        Name = exampleSecretV2.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv2, err := vault.NewMount(ctx, \"kvv2\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv2\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 2 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"zip\": \"zap\",\n\t\t\t\"foo\": \"bar\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\texampleSecretV2, err := kv.NewSecretV2(ctx, \"example\", \u0026kv.SecretV2Args{\n\t\t\tMount:             kvv2.Path,\n\t\t\tName:              pulumi.String(\"secret\"),\n\t\t\tDeleteAllVersions: pulumi.Bool(true),\n\t\t\tDataJson:          pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = kv.LookupSecretV2Output(ctx, kv.GetSecretV2OutputArgs{\n\t\t\tMount: kvv2.Path,\n\t\t\tName:  exampleSecretV2.Name,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.SecretV2;\nimport com.pulumi.vault.kv.SecretV2Args;\nimport com.pulumi.vault.kv.KvFunctions;\nimport com.pulumi.vault.kv.inputs.GetSecretV2Args;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv2 = new Mount(\"kvv2\", MountArgs.builder()\n            .path(\"kvv2\")\n            .type(\"kv\")\n            .options(Map.of(\"version\", \"2\"))\n            .description(\"KV Version 2 secret engine mount\")\n            .build());\n\n        var exampleSecretV2 = new SecretV2(\"exampleSecretV2\", SecretV2Args.builder()\n            .mount(kvv2.path())\n            .name(\"secret\")\n            .deleteAllVersions(true)\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"zip\", \"zap\"),\n                    jsonProperty(\"foo\", \"bar\")\n                )))\n            .build());\n\n        final var example = KvFunctions.getSecretV2(GetSecretV2Args.builder()\n            .mount(kvv2.path())\n            .name(exampleSecretV2.name())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kvv2:\n    type: vault:Mount\n    properties:\n      path: kvv2\n      type: kv\n      options:\n        version: '2'\n      description: KV Version 2 secret engine mount\n  exampleSecretV2:\n    type: vault:kv:SecretV2\n    name: example\n    properties:\n      mount: ${kvv2.path}\n      name: secret\n      deleteAllVersions: true\n      dataJson:\n        fn::toJSON:\n          zip: zap\n          foo: bar\nvariables:\n  example:\n    fn::invoke:\n      function: vault:kv:getSecretV2\n      arguments:\n        mount: ${kvv2.path}\n        name: ${exampleSecretV2.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability on the given path.\n","inputs":{"description":"A collection of arguments for invoking getSecretV2.\n","properties":{"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.\n"},"name":{"type":"string","description":"Full name of the secret. For a nested secret\nthe name is the nested path excluding the mount and data\nprefix. For example, for a secret at `kvv2/data/foo/bar/baz`\nthe name is `foo/bar/baz`.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"version":{"type":"integer","description":"Version of the secret to retrieve.\n"}},"type":"object","required":["mount","name"]},"outputs":{"description":"A collection of values returned by getSecretV2.\n","properties":{"createdTime":{"description":"Time at which secret was created.\n","type":"string"},"customMetadata":{"additionalProperties":{"type":"string"},"description":"Custom metadata for the secret.\n","type":"object"},"data":{"additionalProperties":{"type":"string"},"description":"A mapping whose keys are the top-level data keys returned from\nVault and whose values are the corresponding values. This map can only\nrepresent string data, so any non-string values returned from Vault are\nserialized as JSON.\n","secret":true,"type":"object"},"dataJson":{"description":"JSON-encoded string that that is\nread as the secret data at the given path.\n","secret":true,"type":"string"},"deletionTime":{"description":"Deletion time for the secret.\n","type":"string"},"destroyed":{"description":"Indicates whether the secret has been destroyed.\n","type":"boolean"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"mount":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"path":{"description":"Full path where the KVV2 secret is written.\n","type":"string"},"version":{"description":"Version of the secret.\n","type":"integer"}},"required":["createdTime","customMetadata","data","dataJson","deletionTime","destroyed","mount","name","path","id"],"type":"object"}},"vault:kv/getSecretsList:getSecretsList":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv1 = new vault.Mount(\"kvv1\", {\n    path: \"kvv1\",\n    type: \"kv\",\n    options: {\n        version: \"1\",\n    },\n    description: \"KV Version 1 secret engine mount\",\n});\nconst awsSecret = new vault.kv.Secret(\"aws_secret\", {\n    path: pulumi.interpolate`${kvv1.path}/aws-secret`,\n    dataJson: JSON.stringify({\n        zip: \"zap\",\n    }),\n});\nconst azureSecret = new vault.kv.Secret(\"azure_secret\", {\n    path: pulumi.interpolate`${kvv1.path}/azure-secret`,\n    dataJson: JSON.stringify({\n        foo: \"bar\",\n    }),\n});\nconst secrets = vault.kv.getSecretsListOutput({\n    path: kvv1.path,\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv1 = vault.Mount(\"kvv1\",\n    path=\"kvv1\",\n    type=\"kv\",\n    options={\n        \"version\": \"1\",\n    },\n    description=\"KV Version 1 secret engine mount\")\naws_secret = vault.kv.Secret(\"aws_secret\",\n    path=kvv1.path.apply(lambda path: f\"{path}/aws-secret\"),\n    data_json=json.dumps({\n        \"zip\": \"zap\",\n    }))\nazure_secret = vault.kv.Secret(\"azure_secret\",\n    path=kvv1.path.apply(lambda path: f\"{path}/azure-secret\"),\n    data_json=json.dumps({\n        \"foo\": \"bar\",\n    }))\nsecrets = vault.kv.get_secrets_list_output(path=kvv1.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv1 = new Vault.Mount(\"kvv1\", new()\n    {\n        Path = \"kvv1\",\n        Type = \"kv\",\n        Options = \n        {\n            { \"version\", \"1\" },\n        },\n        Description = \"KV Version 1 secret engine mount\",\n    });\n\n    var awsSecret = new Vault.Kv.Secret(\"aws_secret\", new()\n    {\n        Path = kvv1.Path.Apply(path =\u003e $\"{path}/aws-secret\"),\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"zip\"] = \"zap\",\n        }),\n    });\n\n    var azureSecret = new Vault.Kv.Secret(\"azure_secret\", new()\n    {\n        Path = kvv1.Path.Apply(path =\u003e $\"{path}/azure-secret\"),\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"foo\"] = \"bar\",\n        }),\n    });\n\n    var secrets = Vault.Kv.GetSecretsList.Invoke(new()\n    {\n        Path = kvv1.Path,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv1, err := vault.NewMount(ctx, \"kvv1\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv1\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"1\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 1 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"zip\": \"zap\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\t_, err = kv.NewSecret(ctx, \"aws_secret\", \u0026kv.SecretArgs{\n\t\t\tPath: kvv1.Path.ApplyT(func(path string) (string, error) {\n\t\t\t\treturn fmt.Sprintf(\"%v/aws-secret\", path), nil\n\t\t\t}).(pulumi.StringOutput),\n\t\t\tDataJson: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON1, err := json.Marshal(map[string]interface{}{\n\t\t\t\"foo\": \"bar\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson1 := string(tmpJSON1)\n\t\t_, err = kv.NewSecret(ctx, \"azure_secret\", \u0026kv.SecretArgs{\n\t\t\tPath: kvv1.Path.ApplyT(func(path string) (string, error) {\n\t\t\t\treturn fmt.Sprintf(\"%v/azure-secret\", path), nil\n\t\t\t}).(pulumi.StringOutput),\n\t\t\tDataJson: pulumi.String(json1),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = kv.GetSecretsListOutput(ctx, kv.GetSecretsListOutputArgs{\n\t\t\tPath: kvv1.Path,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.Secret;\nimport com.pulumi.vault.kv.SecretArgs;\nimport com.pulumi.vault.kv.KvFunctions;\nimport com.pulumi.vault.kv.inputs.GetSecretsListArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv1 = new Mount(\"kvv1\", MountArgs.builder()\n            .path(\"kvv1\")\n            .type(\"kv\")\n            .options(Map.of(\"version\", \"1\"))\n            .description(\"KV Version 1 secret engine mount\")\n            .build());\n\n        var awsSecret = new Secret(\"awsSecret\", SecretArgs.builder()\n            .path(kvv1.path().applyValue(_path -\u003e String.format(\"%s/aws-secret\", _path)))\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"zip\", \"zap\")\n                )))\n            .build());\n\n        var azureSecret = new Secret(\"azureSecret\", SecretArgs.builder()\n            .path(kvv1.path().applyValue(_path -\u003e String.format(\"%s/azure-secret\", _path)))\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"foo\", \"bar\")\n                )))\n            .build());\n\n        final var secrets = KvFunctions.getSecretsList(GetSecretsListArgs.builder()\n            .path(kvv1.path())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  kvv1:\n    type: vault:Mount\n    properties:\n      path: kvv1\n      type: kv\n      options:\n        version: '1'\n      description: KV Version 1 secret engine mount\n  awsSecret:\n    type: vault:kv:Secret\n    name: aws_secret\n    properties:\n      path: ${kvv1.path}/aws-secret\n      dataJson:\n        fn::toJSON:\n          zip: zap\n  azureSecret:\n    type: vault:kv:Secret\n    name: azure_secret\n    properties:\n      path: ${kvv1.path}/azure-secret\n      dataJson:\n        fn::toJSON:\n          foo: bar\nvariables:\n  secrets:\n    fn::invoke:\n      function: vault:kv:getSecretsList\n      arguments:\n        path: ${kvv1.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability on the given path.\n","inputs":{"description":"A collection of arguments for invoking getSecretsList.\n","properties":{"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Full KV-V1 path where secrets will be listed.\n"}},"type":"object","required":["path"]},"outputs":{"description":"A collection of values returned by getSecretsList.\n","properties":{"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"names":{"description":"List of all secret names listed under the given path.\n","items":{"type":"string"},"secret":true,"type":"array"},"namespace":{"type":"string"},"path":{"type":"string"}},"required":["names","path","id"],"type":"object"}},"vault:kv/getSecretsListV2:getSecretsListV2":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst kvv2 = new vault.Mount(\"kvv2\", {\n    path: \"kvv2\",\n    type: \"kv\",\n    options: {\n        version: \"2\",\n    },\n    description: \"KV Version 2 secret engine mount\",\n});\nconst awsSecret = new vault.kv.SecretV2(\"aws_secret\", {\n    mount: kvv2.path,\n    name: \"aws_secret\",\n    dataJson: JSON.stringify({\n        zip: \"zap\",\n    }),\n});\nconst azureSecret = new vault.kv.SecretV2(\"azure_secret\", {\n    mount: kvv2.path,\n    name: \"azure_secret\",\n    dataJson: JSON.stringify({\n        foo: \"bar\",\n    }),\n});\nconst nestedSecret = new vault.kv.SecretV2(\"nested_secret\", {\n    mount: kvv2.path,\n    name: pulumi.interpolate`${azureSecret.name}/dev`,\n    dataJson: JSON.stringify({\n        password: \"test\",\n    }),\n});\nconst secrets = vault.kv.getSecretsListV2Output({\n    mount: kvv2.path,\n});\nconst nestedSecrets = kvv2.path.apply(path =\u003e vault.kv.getSecretsListV2Output({\n    mount: path,\n    name: test2.name,\n}));\n```\n```python\nimport pulumi\nimport json\nimport pulumi_vault as vault\n\nkvv2 = vault.Mount(\"kvv2\",\n    path=\"kvv2\",\n    type=\"kv\",\n    options={\n        \"version\": \"2\",\n    },\n    description=\"KV Version 2 secret engine mount\")\naws_secret = vault.kv.SecretV2(\"aws_secret\",\n    mount=kvv2.path,\n    name=\"aws_secret\",\n    data_json=json.dumps({\n        \"zip\": \"zap\",\n    }))\nazure_secret = vault.kv.SecretV2(\"azure_secret\",\n    mount=kvv2.path,\n    name=\"azure_secret\",\n    data_json=json.dumps({\n        \"foo\": \"bar\",\n    }))\nnested_secret = vault.kv.SecretV2(\"nested_secret\",\n    mount=kvv2.path,\n    name=azure_secret.name.apply(lambda name: f\"{name}/dev\"),\n    data_json=json.dumps({\n        \"password\": \"test\",\n    }))\nsecrets = vault.kv.get_secrets_list_v2_output(mount=kvv2.path)\nnested_secrets = kvv2.path.apply(lambda path: vault.kv.get_secrets_list_v2_output(mount=path,\n    name=test2[\"name\"]))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var kvv2 = new Vault.Mount(\"kvv2\", new()\n    {\n        Path = \"kvv2\",\n        Type = \"kv\",\n        Options = \n        {\n            { \"version\", \"2\" },\n        },\n        Description = \"KV Version 2 secret engine mount\",\n    });\n\n    var awsSecret = new Vault.Kv.SecretV2(\"aws_secret\", new()\n    {\n        Mount = kvv2.Path,\n        Name = \"aws_secret\",\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"zip\"] = \"zap\",\n        }),\n    });\n\n    var azureSecret = new Vault.Kv.SecretV2(\"azure_secret\", new()\n    {\n        Mount = kvv2.Path,\n        Name = \"azure_secret\",\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"foo\"] = \"bar\",\n        }),\n    });\n\n    var nestedSecret = new Vault.Kv.SecretV2(\"nested_secret\", new()\n    {\n        Mount = kvv2.Path,\n        Name = azureSecret.Name.Apply(name =\u003e $\"{name}/dev\"),\n        DataJson = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n        {\n            [\"password\"] = \"test\",\n        }),\n    });\n\n    var secrets = Vault.Kv.GetSecretsListV2.Invoke(new()\n    {\n        Mount = kvv2.Path,\n    });\n\n    var nestedSecrets = Vault.Kv.GetSecretsListV2.Invoke(new()\n    {\n        Mount = kvv2.Path,\n        Name = test2.Name,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/kv\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tkvv2, err := vault.NewMount(ctx, \"kvv2\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"kvv2\"),\n\t\t\tType: pulumi.String(\"kv\"),\n\t\t\tOptions: pulumi.StringMap{\n\t\t\t\t\"version\": pulumi.String(\"2\"),\n\t\t\t},\n\t\t\tDescription: pulumi.String(\"KV Version 2 secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"zip\": \"zap\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\t_, err = kv.NewSecretV2(ctx, \"aws_secret\", \u0026kv.SecretV2Args{\n\t\t\tMount:    kvv2.Path,\n\t\t\tName:     pulumi.String(\"aws_secret\"),\n\t\t\tDataJson: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON1, err := json.Marshal(map[string]interface{}{\n\t\t\t\"foo\": \"bar\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson1 := string(tmpJSON1)\n\t\tazureSecret, err := kv.NewSecretV2(ctx, \"azure_secret\", \u0026kv.SecretV2Args{\n\t\t\tMount:    kvv2.Path,\n\t\t\tName:     pulumi.String(\"azure_secret\"),\n\t\t\tDataJson: pulumi.String(json1),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON2, err := json.Marshal(map[string]interface{}{\n\t\t\t\"password\": \"test\",\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson2 := string(tmpJSON2)\n\t\t_, err = kv.NewSecretV2(ctx, \"nested_secret\", \u0026kv.SecretV2Args{\n\t\t\tMount: kvv2.Path,\n\t\t\tName: azureSecret.Name.ApplyT(func(name string) (string, error) {\n\t\t\t\treturn fmt.Sprintf(\"%v/dev\", name), nil\n\t\t\t}).(pulumi.StringOutput),\n\t\t\tDataJson: pulumi.String(json2),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = kv.GetSecretsListV2Output(ctx, kv.GetSecretsListV2OutputArgs{\n\t\t\tMount: kvv2.Path,\n\t\t}, nil)\n\t\t_ = kvv2.Path.ApplyT(func(path string) (kv.GetSecretsListV2Result, error) {\n\t\t\treturn kv.GetSecretsListV2Result(interface{}(kv.GetSecretsListV2(ctx, \u0026kv.GetSecretsListV2Args{\n\t\t\t\tMount: path,\n\t\t\t\tName:  pulumi.StringRef(pulumi.StringRef(pulumi.String(test2.Name))),\n\t\t\t}, nil))), nil\n\t\t}).(kv.GetSecretsListV2ResultOutput)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.kv.SecretV2;\nimport com.pulumi.vault.kv.SecretV2Args;\nimport com.pulumi.vault.kv.KvFunctions;\nimport com.pulumi.vault.kv.inputs.GetSecretsListV2Args;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var kvv2 = new Mount(\"kvv2\", MountArgs.builder()\n            .path(\"kvv2\")\n            .type(\"kv\")\n            .options(Map.of(\"version\", \"2\"))\n            .description(\"KV Version 2 secret engine mount\")\n            .build());\n\n        var awsSecret = new SecretV2(\"awsSecret\", SecretV2Args.builder()\n            .mount(kvv2.path())\n            .name(\"aws_secret\")\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"zip\", \"zap\")\n                )))\n            .build());\n\n        var azureSecret = new SecretV2(\"azureSecret\", SecretV2Args.builder()\n            .mount(kvv2.path())\n            .name(\"azure_secret\")\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"foo\", \"bar\")\n                )))\n            .build());\n\n        var nestedSecret = new SecretV2(\"nestedSecret\", SecretV2Args.builder()\n            .mount(kvv2.path())\n            .name(azureSecret.name().applyValue(_name -\u003e String.format(\"%s/dev\", _name)))\n            .dataJson(serializeJson(\n                jsonObject(\n                    jsonProperty(\"password\", \"test\")\n                )))\n            .build());\n\n        final var secrets = KvFunctions.getSecretsListV2(GetSecretsListV2Args.builder()\n            .mount(kvv2.path())\n            .build());\n\n        final var nestedSecrets = kvv2.path().applyValue(_path -\u003e KvFunctions.getSecretsListV2(GetSecretsListV2Args.builder()\n            .mount(_path)\n            .name(test2.name())\n            .build()));\n\n    }\n}\n```\n```yaml\nresources:\n  kvv2:\n    type: vault:Mount\n    properties:\n      path: kvv2\n      type: kv\n      options:\n        version: '2'\n      description: KV Version 2 secret engine mount\n  awsSecret:\n    type: vault:kv:SecretV2\n    name: aws_secret\n    properties:\n      mount: ${kvv2.path}\n      name: aws_secret\n      dataJson:\n        fn::toJSON:\n          zip: zap\n  azureSecret:\n    type: vault:kv:SecretV2\n    name: azure_secret\n    properties:\n      mount: ${kvv2.path}\n      name: azure_secret\n      dataJson:\n        fn::toJSON:\n          foo: bar\n  nestedSecret:\n    type: vault:kv:SecretV2\n    name: nested_secret\n    properties:\n      mount: ${kvv2.path}\n      name: ${azureSecret.name}/dev\n      dataJson:\n        fn::toJSON:\n          password: test\nvariables:\n  secrets:\n    fn::invoke:\n      function: vault:kv:getSecretsListV2\n      arguments:\n        mount: ${kvv2.path}\n  nestedSecrets:\n    fn::invoke:\n      function: vault:kv:getSecretsListV2\n      arguments:\n        mount: ${kvv2.path}\n        name: ${test2.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Required Vault Capabilities\n\nUse of this resource requires the \u003cspan pulumi-lang-nodejs=\"`read`\" pulumi-lang-dotnet=\"`Read`\" pulumi-lang-go=\"`read`\" pulumi-lang-python=\"`read`\" pulumi-lang-yaml=\"`read`\" pulumi-lang-java=\"`read`\"\u003e`read`\u003c/span\u003e capability on the given path.\n","inputs":{"description":"A collection of arguments for invoking getSecretsListV2.\n","properties":{"mount":{"type":"string","description":"Path where KV-V2 engine is mounted.\n"},"name":{"type":"string","description":"Full name of the secret. For a nested secret\nthe name is the nested path excluding the mount and data\nprefix. For example, for a secret at `kvv2/data/foo/bar/baz`\nthe name is `foo/bar/baz`.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["mount"]},"outputs":{"description":"A collection of values returned by getSecretsListV2.\n","properties":{"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"mount":{"type":"string"},"name":{"type":"string"},"names":{"description":"List of all secret names listed under the given path.\n","items":{"type":"string"},"secret":true,"type":"array"},"namespace":{"type":"string"},"path":{"description":"Full path where the KV-V2 secrets are listed.\n","type":"string"}},"required":["mount","names","path","id"],"type":"object"}},"vault:ldap/getDynamicCredentials:getDynamicCredentials":{"inputs":{"description":"A collection of arguments for invoking getDynamicCredentials.\n","properties":{"mount":{"type":"string"},"namespace":{"type":"string","willReplaceOnChanges":true},"roleName":{"type":"string","willReplaceOnChanges":true}},"type":"object","required":["mount","roleName"]},"outputs":{"description":"A collection of values returned by getDynamicCredentials.\n","properties":{"distinguishedNames":{"items":{"type":"string"},"type":"array"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"leaseDuration":{"type":"integer"},"leaseId":{"type":"string"},"leaseRenewable":{"type":"boolean"},"mount":{"type":"string"},"namespace":{"type":"string"},"password":{"secret":true,"type":"string"},"roleName":{"type":"string"},"username":{"type":"string"}},"required":["distinguishedNames","leaseDuration","leaseId","leaseRenewable","mount","password","roleName","username","id"],"type":"object"}},"vault:ldap/getStaticCredentials:getStaticCredentials":{"inputs":{"description":"A collection of arguments for invoking getStaticCredentials.\n","properties":{"mount":{"type":"string"},"namespace":{"type":"string","willReplaceOnChanges":true},"roleName":{"type":"string","willReplaceOnChanges":true}},"type":"object","required":["mount","roleName"]},"outputs":{"description":"A collection of values returned by getStaticCredentials.\n","properties":{"dn":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"lastPassword":{"secret":true,"type":"string"},"lastVaultRotation":{"type":"string"},"mount":{"type":"string"},"namespace":{"type":"string"},"password":{"secret":true,"type":"string"},"roleName":{"type":"string"},"rotationPeriod":{"type":"integer"},"ttl":{"type":"integer"},"username":{"type":"string"}},"required":["dn","lastPassword","lastVaultRotation","mount","password","roleName","rotationPeriod","ttl","username","id"],"type":"object"}},"vault:pkiSecret/getBackendCertMetadata:getBackendCertMetadata":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst root = new vault.pkisecret.SecretBackendRootCert(\"root\", {\n    backend: pki.path,\n    type: \"internal\",\n    commonName: \"example\",\n    ttl: \"86400\",\n    issuerName: \"example\",\n});\nconst testSecretBackendRole = new vault.pkisecret.SecretBackendRole(\"test\", {\n    backend: testVaultPkiSecretBackendRootCert.backend,\n    name: \"test\",\n    allowedDomains: [\"test.my.domain\"],\n    allowSubdomains: true,\n    maxTtl: \"3600\",\n    keyUsages: [\n        \"DigitalSignature\",\n        \"KeyAgreement\",\n        \"KeyEncipherment\",\n    ],\n    noStoreMetadata: false,\n});\nconst testSecretBackendCert = new vault.pkisecret.SecretBackendCert(\"test\", {\n    backend: testSecretBackendRole.backend,\n    name: testSecretBackendRole.name,\n    commonName: \"cert.test.my.domain\",\n    ttl: \"720h\",\n    minSecondsRemaining: 60,\n    certMetadata: \"dGVzdCBtZXRhZGF0YQ==\",\n});\nconst test = testSecretBackendCert.serialNumber.apply(serialNumber =\u003e vault.pkiSecret.getBackendCertMetadataOutput({\n    path: test_root.path,\n    serial: serialNumber,\n}));\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\nroot = vault.pkisecret.SecretBackendRootCert(\"root\",\n    backend=pki.path,\n    type=\"internal\",\n    common_name=\"example\",\n    ttl=\"86400\",\n    issuer_name=\"example\")\ntest_secret_backend_role = vault.pkisecret.SecretBackendRole(\"test\",\n    backend=test_vault_pki_secret_backend_root_cert[\"backend\"],\n    name=\"test\",\n    allowed_domains=[\"test.my.domain\"],\n    allow_subdomains=True,\n    max_ttl=\"3600\",\n    key_usages=[\n        \"DigitalSignature\",\n        \"KeyAgreement\",\n        \"KeyEncipherment\",\n    ],\n    no_store_metadata=False)\ntest_secret_backend_cert = vault.pkisecret.SecretBackendCert(\"test\",\n    backend=test_secret_backend_role.backend,\n    name=test_secret_backend_role.name,\n    common_name=\"cert.test.my.domain\",\n    ttl=\"720h\",\n    min_seconds_remaining=60,\n    cert_metadata=\"dGVzdCBtZXRhZGF0YQ==\")\ntest = test_secret_backend_cert.serial_number.apply(lambda serial_number: vault.pkiSecret.get_backend_cert_metadata_output(path=test_root[\"path\"],\n    serial=serial_number))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var root = new Vault.PkiSecret.SecretBackendRootCert(\"root\", new()\n    {\n        Backend = pki.Path,\n        Type = \"internal\",\n        CommonName = \"example\",\n        Ttl = \"86400\",\n        IssuerName = \"example\",\n    });\n\n    var testSecretBackendRole = new Vault.PkiSecret.SecretBackendRole(\"test\", new()\n    {\n        Backend = testVaultPkiSecretBackendRootCert.Backend,\n        Name = \"test\",\n        AllowedDomains = new[]\n        {\n            \"test.my.domain\",\n        },\n        AllowSubdomains = true,\n        MaxTtl = \"3600\",\n        KeyUsages = new[]\n        {\n            \"DigitalSignature\",\n            \"KeyAgreement\",\n            \"KeyEncipherment\",\n        },\n        NoStoreMetadata = false,\n    });\n\n    var testSecretBackendCert = new Vault.PkiSecret.SecretBackendCert(\"test\", new()\n    {\n        Backend = testSecretBackendRole.Backend,\n        Name = testSecretBackendRole.Name,\n        CommonName = \"cert.test.my.domain\",\n        Ttl = \"720h\",\n        MinSecondsRemaining = 60,\n        CertMetadata = \"dGVzdCBtZXRhZGF0YQ==\",\n    });\n\n    var test = Vault.PkiSecret.GetBackendCertMetadata.Invoke(new()\n    {\n        Path = test_root.Path,\n        Serial = testSecretBackendCert.SerialNumber,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = pkisecret.NewSecretBackendRootCert(ctx, \"root\", \u0026pkisecret.SecretBackendRootCertArgs{\n\t\t\tBackend:    pki.Path,\n\t\t\tType:       pulumi.String(\"internal\"),\n\t\t\tCommonName: pulumi.String(\"example\"),\n\t\t\tTtl:        pulumi.String(\"86400\"),\n\t\t\tIssuerName: pulumi.String(\"example\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttestSecretBackendRole, err := pkisecret.NewSecretBackendRole(ctx, \"test\", \u0026pkisecret.SecretBackendRoleArgs{\n\t\t\tBackend: pulumi.Any(testVaultPkiSecretBackendRootCert.Backend),\n\t\t\tName:    pulumi.String(\"test\"),\n\t\t\tAllowedDomains: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"test.my.domain\"),\n\t\t\t},\n\t\t\tAllowSubdomains: pulumi.Bool(true),\n\t\t\tMaxTtl:          pulumi.String(\"3600\"),\n\t\t\tKeyUsages: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"DigitalSignature\"),\n\t\t\t\tpulumi.String(\"KeyAgreement\"),\n\t\t\t\tpulumi.String(\"KeyEncipherment\"),\n\t\t\t},\n\t\t\tNoStoreMetadata: pulumi.Bool(false),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttestSecretBackendCert, err := pkisecret.NewSecretBackendCert(ctx, \"test\", \u0026pkisecret.SecretBackendCertArgs{\n\t\t\tBackend:             testSecretBackendRole.Backend,\n\t\t\tName:                testSecretBackendRole.Name,\n\t\t\tCommonName:          pulumi.String(\"cert.test.my.domain\"),\n\t\t\tTtl:                 pulumi.String(\"720h\"),\n\t\t\tMinSecondsRemaining: pulumi.Int(60),\n\t\t\tCertMetadata:        pulumi.String(\"dGVzdCBtZXRhZGF0YQ==\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = testSecretBackendCert.SerialNumber.ApplyT(func(serialNumber string) (pkisecret.GetBackendCertMetadataResult, error) {\n\t\t\treturn pkisecret.GetBackendCertMetadataResult(interface{}(pkisecret.GetBackendCertMetadata(ctx, \u0026pkisecret.GetBackendCertMetadataArgs{\n\t\t\t\tPath:   test_root.Path,\n\t\t\t\tSerial: serialNumber,\n\t\t\t}, nil))), nil\n\t\t}).(pkisecret.GetBackendCertMetadataResultOutput)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRole;\nimport com.pulumi.vault.pkiSecret.SecretBackendRoleArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendCertArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendCertMetadataArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        var root = new SecretBackendRootCert(\"root\", SecretBackendRootCertArgs.builder()\n            .backend(pki.path())\n            .type(\"internal\")\n            .commonName(\"example\")\n            .ttl(\"86400\")\n            .issuerName(\"example\")\n            .build());\n\n        var testSecretBackendRole = new SecretBackendRole(\"testSecretBackendRole\", SecretBackendRoleArgs.builder()\n            .backend(testVaultPkiSecretBackendRootCert.backend())\n            .name(\"test\")\n            .allowedDomains(\"test.my.domain\")\n            .allowSubdomains(true)\n            .maxTtl(\"3600\")\n            .keyUsages(            \n                \"DigitalSignature\",\n                \"KeyAgreement\",\n                \"KeyEncipherment\")\n            .noStoreMetadata(false)\n            .build());\n\n        var testSecretBackendCert = new SecretBackendCert(\"testSecretBackendCert\", SecretBackendCertArgs.builder()\n            .backend(testSecretBackendRole.backend())\n            .name(testSecretBackendRole.name())\n            .commonName(\"cert.test.my.domain\")\n            .ttl(\"720h\")\n            .minSecondsRemaining(60)\n            .certMetadata(\"dGVzdCBtZXRhZGF0YQ==\")\n            .build());\n\n        final var test = testSecretBackendCert.serialNumber().applyValue(_serialNumber -\u003e PkiSecretFunctions.getBackendCertMetadata(GetBackendCertMetadataArgs.builder()\n            .path(test_root.path())\n            .serial(_serialNumber)\n            .build()));\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: PKI secret engine mount\n  root:\n    type: vault:pkiSecret:SecretBackendRootCert\n    properties:\n      backend: ${pki.path}\n      type: internal\n      commonName: example\n      ttl: '86400'\n      issuerName: example\n  testSecretBackendRole:\n    type: vault:pkiSecret:SecretBackendRole\n    name: test\n    properties:\n      backend: ${testVaultPkiSecretBackendRootCert.backend}\n      name: test\n      allowedDomains:\n        - test.my.domain\n      allowSubdomains: true\n      maxTtl: '3600'\n      keyUsages:\n        - DigitalSignature\n        - KeyAgreement\n        - KeyEncipherment\n      noStoreMetadata: false\n  testSecretBackendCert:\n    type: vault:pkiSecret:SecretBackendCert\n    name: test\n    properties:\n      backend: ${testSecretBackendRole.backend}\n      name: ${testSecretBackendRole.name}\n      commonName: cert.test.my.domain\n      ttl: 720h\n      minSecondsRemaining: 60\n      certMetadata: dGVzdCBtZXRhZGF0YQ==\nvariables:\n  test:\n    fn::invoke:\n      function: vault:pkiSecret:getBackendCertMetadata\n      arguments:\n        path: ${[\"test-root\"].path}\n        serial: ${testSecretBackendCert.serialNumber}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getBackendCertMetadata.\n","properties":{"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"The path to the PKI secret backend to\nread the cert metadata from, with no leading or trailing `/`s.\n"},"serial":{"type":"string","description":"Specifies the serial of the certificate whose metadata to read.\n"}},"type":"object","required":["path","serial"]},"outputs":{"description":"A collection of values returned by getBackendCertMetadata.\n","properties":{"certMetadata":{"description":"The metadata associated with the certificate\n","type":"string"},"expiration":{"description":"The expiration date of the certificate in unix epoch format\n","type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"issuerId":{"description":"ID of the issuer.\n","type":"string"},"namespace":{"type":"string"},"path":{"type":"string"},"role":{"description":"The role used to create the certificate\n","type":"string"},"serial":{"type":"string"},"serialNumber":{"description":"The serial number\n","type":"string"}},"required":["certMetadata","expiration","issuerId","path","role","serial","serialNumber","id"],"type":"object"}},"vault:pkiSecret/getBackendConfigCmpv2:getBackendConfigCmpv2":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst cmpv2Config = vault.pkiSecret.getBackendConfigCmpv2Output({\n    backend: pki.path,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\ncmpv2_config = vault.pkiSecret.get_backend_config_cmpv2_output(backend=pki.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var cmpv2Config = Vault.PkiSecret.GetBackendConfigCmpv2.Invoke(new()\n    {\n        Backend = pki.Path,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = pkisecret.GetBackendConfigCmpv2Output(ctx, pkisecret.GetBackendConfigCmpv2OutputArgs{\n\t\t\tBackend: pki.Path,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendConfigCmpv2Args;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        final var cmpv2Config = PkiSecretFunctions.getBackendConfigCmpv2(GetBackendConfigCmpv2Args.builder()\n            .backend(pki.path())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: PKI secret engine mount\nvariables:\n  cmpv2Config:\n    fn::invoke:\n      function: vault:pkiSecret:getBackendConfigCmpv2\n      arguments:\n        backend: ${pki.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getBackendConfigCmpv2.\n","properties":{"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the CMPv2 configuration from, with no leading or trailing `/`s.\n\n# Attributes Reference\n","willReplaceOnChanges":true},"disabledValidations":{"type":"array","items":{"type":"string"},"description":"A comma-separated list of validations not to perform on CMPv2 messages.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["backend"]},"outputs":{"description":"A collection of values returned by getBackendConfigCmpv2.\n","properties":{"auditFields":{"items":{"type":"string"},"type":"array"},"authenticators":{"items":{"$ref":"#/types/vault:pkiSecret/getBackendConfigCmpv2Authenticator:getBackendConfigCmpv2Authenticator"},"type":"array"},"backend":{"type":"string"},"defaultPathPolicy":{"type":"string"},"disabledValidations":{"items":{"type":"string"},"type":"array"},"enableSentinelParsing":{"type":"boolean"},"enabled":{"type":"boolean"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"lastUpdated":{"type":"string"},"namespace":{"type":"string"}},"required":["auditFields","authenticators","backend","defaultPathPolicy","enableSentinelParsing","enabled","lastUpdated","id"],"type":"object"}},"vault:pkiSecret/getBackendConfigEst:getBackendConfigEst":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst estConfig = vault.pkiSecret.getBackendConfigEstOutput({\n    backend: pki.path,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\nest_config = vault.pkiSecret.get_backend_config_est_output(backend=pki.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var estConfig = Vault.PkiSecret.GetBackendConfigEst.Invoke(new()\n    {\n        Backend = pki.Path,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = pkisecret.GetBackendConfigEstOutput(ctx, pkisecret.GetBackendConfigEstOutputArgs{\n\t\t\tBackend: pki.Path,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendConfigEstArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        final var estConfig = PkiSecretFunctions.getBackendConfigEst(GetBackendConfigEstArgs.builder()\n            .backend(pki.path())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: PKI secret engine mount\nvariables:\n  estConfig:\n    fn::invoke:\n      function: vault:pkiSecret:getBackendConfigEst\n      arguments:\n        backend: ${pki.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getBackendConfigEst.\n","properties":{"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the EST configuration from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["backend"]},"outputs":{"description":"A collection of values returned by getBackendConfigEst.\n","properties":{"auditFields":{"description":"Fields parsed from the CSR that appear in the audit and can be used by sentinel policies.\n","items":{"type":"string"},"type":"array"},"authenticators":{"description":"Lists the mount accessors EST should delegate authentication requests towards (see below for nested schema).\n","items":{"$ref":"#/types/vault:pkiSecret/getBackendConfigEstAuthenticator:getBackendConfigEstAuthenticator"},"type":"array"},"backend":{"type":"string"},"defaultMount":{"description":"If set, this mount is registered as the default `.well-known/est` URL path. Only a single mount can enable this across a Vault cluster.\n","type":"boolean"},"defaultPathPolicy":{"description":"Required to be set if\u003cspan pulumi-lang-nodejs=\" defaultMount \" pulumi-lang-dotnet=\" DefaultMount \" pulumi-lang-go=\" defaultMount \" pulumi-lang-python=\" default_mount \" pulumi-lang-yaml=\" defaultMount \" pulumi-lang-java=\" defaultMount \"\u003e default_mount \u003c/span\u003eis enabled. Specifies the behavior for requests using the default EST label. Can be sign-verbatim or a role given by role:\u003crole_name\u003e.\n","type":"string"},"enableSentinelParsing":{"description":"If set, parse out fields from the provided CSR making them available for Sentinel policies.\n","type":"boolean"},"enabled":{"description":"Specifies whether EST is enabled.\n","type":"boolean"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"labelToPathPolicy":{"additionalProperties":{"type":"string"},"description":"A pairing of an EST label with the redirected behavior for requests hitting that role. The path policy can be sign-verbatim or a role given by role:\u003crole_name\u003e. Labels must be unique across Vault cluster, and will register .well-known/est/\u003clabel\u003e URL paths.\n","type":"object"},"lastUpdated":{"description":"A read-only timestamp representing the last time the configuration was updated.\n","type":"string"},"namespace":{"type":"string"}},"required":["auditFields","authenticators","backend","defaultMount","defaultPathPolicy","enableSentinelParsing","enabled","labelToPathPolicy","lastUpdated","id"],"type":"object"}},"vault:pkiSecret/getBackendConfigScep:getBackendConfigScep":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst scepConfig = vault.pkiSecret.getBackendConfigScepOutput({\n    backend: pki.path,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\nscep_config = vault.pkiSecret.get_backend_config_scep_output(backend=pki.path)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var scepConfig = Vault.PkiSecret.GetBackendConfigScep.Invoke(new()\n    {\n        Backend = pki.Path,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = pkisecret.GetBackendConfigScepOutput(ctx, pkisecret.GetBackendConfigScepOutputArgs{\n\t\t\tBackend: pki.Path,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendConfigScepArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        final var scepConfig = PkiSecretFunctions.getBackendConfigScep(GetBackendConfigScepArgs.builder()\n            .backend(pki.path())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: PKI secret engine mount\nvariables:\n  scepConfig:\n    fn::invoke:\n      function: vault:pkiSecret:getBackendConfigScep\n      arguments:\n        backend: ${pki.path}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getBackendConfigScep.\n","properties":{"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the SCEP configuration from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"logLevel":{"type":"string","description":"The level of logging verbosity, affects only SCEP logs on this mount.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["backend"]},"outputs":{"description":"A collection of values returned by getBackendConfigScep.\n","properties":{"allowedDigestAlgorithms":{"description":"List of allowed digest algorithms for SCEP requests.\n","items":{"type":"string"},"type":"array"},"allowedEncryptionAlgorithms":{"description":"List of allowed encryption algorithms for SCEP requests.\n","items":{"type":"string"},"type":"array"},"authenticators":{"description":"Lists the mount accessors SCEP should delegate authentication requests towards (see below for nested schema).\n","items":{"$ref":"#/types/vault:pkiSecret/getBackendConfigScepAuthenticator:getBackendConfigScepAuthenticator"},"type":"array"},"backend":{"type":"string"},"defaultPathPolicy":{"description":"Specifies the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or \"role:\u003crole_name\u003e\" to specify a role to use as this policy.\n","type":"string"},"enabled":{"description":"Specifies whether SCEP is enabled.\n","type":"boolean"},"externalValidations":{"description":"Lists the 3rd party validation of SCEP requests (see below for nested schema).\n","items":{"$ref":"#/types/vault:pkiSecret/getBackendConfigScepExternalValidation:getBackendConfigScepExternalValidation"},"type":"array"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"lastUpdated":{"description":"A read-only timestamp representing the last time the configuration was updated.\n","type":"string"},"logLevel":{"description":"The level of logging verbosity, affects only SCEP logs on this mount.\n","type":"string"},"namespace":{"type":"string"},"restrictCaChainToIssuer":{"description":"If true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount.\n","type":"boolean"}},"required":["allowedDigestAlgorithms","allowedEncryptionAlgorithms","authenticators","backend","defaultPathPolicy","enabled","externalValidations","lastUpdated","restrictCaChainToIssuer","id"],"type":"object"}},"vault:pkiSecret/getBackendIssuer:getBackendIssuer":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst root = new vault.pkisecret.SecretBackendRootCert(\"root\", {\n    backend: pki.path,\n    type: \"internal\",\n    commonName: \"example\",\n    ttl: \"86400\",\n    issuerName: \"example\",\n});\nconst example = root.issuerId.apply(issuerId =\u003e vault.pkiSecret.getBackendIssuerOutput({\n    backend: root.path,\n    issuerRef: issuerId,\n}));\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\nroot = vault.pkisecret.SecretBackendRootCert(\"root\",\n    backend=pki.path,\n    type=\"internal\",\n    common_name=\"example\",\n    ttl=\"86400\",\n    issuer_name=\"example\")\nexample = root.issuer_id.apply(lambda issuer_id: vault.pkiSecret.get_backend_issuer_output(backend=root.path,\n    issuer_ref=issuer_id))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var root = new Vault.PkiSecret.SecretBackendRootCert(\"root\", new()\n    {\n        Backend = pki.Path,\n        Type = \"internal\",\n        CommonName = \"example\",\n        Ttl = \"86400\",\n        IssuerName = \"example\",\n    });\n\n    var example = Vault.PkiSecret.GetBackendIssuer.Invoke(new()\n    {\n        Backend = root.Path,\n        IssuerRef = root.IssuerId,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\troot, err := pkisecret.NewSecretBackendRootCert(ctx, \"root\", \u0026pkisecret.SecretBackendRootCertArgs{\n\t\t\tBackend:    pki.Path,\n\t\t\tType:       pulumi.String(\"internal\"),\n\t\t\tCommonName: pulumi.String(\"example\"),\n\t\t\tTtl:        pulumi.String(\"86400\"),\n\t\t\tIssuerName: pulumi.String(\"example\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = root.IssuerId.ApplyT(func(issuerId string) (pkisecret.GetBackendIssuerResult, error) {\n\t\t\treturn pkisecret.GetBackendIssuerResult(interface{}(pkisecret.GetBackendIssuer(ctx, \u0026pkisecret.GetBackendIssuerArgs{\n\t\t\t\tBackend:   root.Path,\n\t\t\t\tIssuerRef: issuerId,\n\t\t\t}, nil))), nil\n\t\t}).(pkisecret.GetBackendIssuerResultOutput)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendIssuerArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        var root = new SecretBackendRootCert(\"root\", SecretBackendRootCertArgs.builder()\n            .backend(pki.path())\n            .type(\"internal\")\n            .commonName(\"example\")\n            .ttl(\"86400\")\n            .issuerName(\"example\")\n            .build());\n\n        final var example = root.issuerId().applyValue(_issuerId -\u003e PkiSecretFunctions.getBackendIssuer(GetBackendIssuerArgs.builder()\n            .backend(root.path())\n            .issuerRef(_issuerId)\n            .build()));\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: PKI secret engine mount\n  root:\n    type: vault:pkiSecret:SecretBackendRootCert\n    properties:\n      backend: ${pki.path}\n      type: internal\n      commonName: example\n      ttl: '86400'\n      issuerName: example\nvariables:\n  example:\n    fn::invoke:\n      function: vault:pkiSecret:getBackendIssuer\n      arguments:\n        backend: ${root.path}\n        issuerRef: ${root.issuerId}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getBackendIssuer.\n","properties":{"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the issuer from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"disableCriticalExtensionChecks":{"type":"boolean","description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nissued certificate) contain critical extensions not processed by Vault.\n"},"disableNameChecks":{"type":"boolean","description":"This determines whether this issuer is able\nto issue certificates where the chain of trust (including the final issued\ncertificate) contains a link in which the subject of the issuing certificate\ndoes not match the named issuer of the certificate it signed.\n"},"disableNameConstraintChecks":{"type":"boolean","description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nfinal issued certificate) violates the name constraints critical extension of\none of the issuer certificates in the chain.\n"},"disablePathLengthChecks":{"type":"boolean","description":"This determines whether this issuer\nis able to issue certificates where the chain of trust (including the final\nissued certificate) is longer than allowed by a certificate authority in that\nchain.\n"},"issuerRef":{"type":"string","description":"Reference to an existing issuer.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["backend","issuerRef"]},"outputs":{"description":"A collection of values returned by getBackendIssuer.\n","properties":{"backend":{"type":"string"},"caChains":{"description":"The CA chain as a list of format specific certificates.\n","items":{"type":"string"},"type":"array"},"certificate":{"description":"Certificate associated with this issuer.\n","type":"string"},"disableCriticalExtensionChecks":{"description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nissued certificate) contain critical extensions not processed by Vault.\n","type":"boolean"},"disableNameChecks":{"description":"This determines whether this issuer is able\nto issue certificates where the chain of trust (including the final issued\ncertificate) contains a link in which the subject of the issuing certificate\ndoes not match the named issuer of the certificate it signed.\n","type":"boolean"},"disableNameConstraintChecks":{"description":"This determines whether this\nissuer is able to issue certificates where the chain of trust (including the\nfinal issued certificate) violates the name constraints critical extension of\none of the issuer certificates in the chain.\n","type":"boolean"},"disablePathLengthChecks":{"description":"This determines whether this issuer\nis able to issue certificates where the chain of trust (including the final\nissued certificate) is longer than allowed by a certificate authority in that\nchain.\n","type":"boolean"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"issuerId":{"description":"ID of the issuer.\n","type":"string"},"issuerName":{"description":"Name of the issuer.\n","type":"string"},"issuerRef":{"type":"string"},"keyId":{"description":"ID of the key used by the issuer.\n","type":"string"},"leafNotAfterBehavior":{"description":"Behavior of a leaf's NotAfter field during issuance.\n","type":"string"},"manualChains":{"description":"Chain of issuer references to build this issuer's computed \nCAChain field from, when non-empty.\n","items":{"type":"string"},"type":"array"},"namespace":{"type":"string"},"usage":{"description":"Allowed usages for this issuer.\n","type":"string"}},"required":["backend","caChains","certificate","issuerId","issuerName","issuerRef","keyId","leafNotAfterBehavior","manualChains","usage","id"],"type":"object"}},"vault:pkiSecret/getBackendIssuers:getBackendIssuers":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst root = new vault.pkisecret.SecretBackendRootCert(\"root\", {\n    backend: pki.path,\n    type: \"internal\",\n    commonName: \"example\",\n    ttl: \"86400\",\n    issuerName: \"example\",\n});\nconst test = vault.pkiSecret.getBackendIssuersOutput({\n    backend: root.backend,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\nroot = vault.pkisecret.SecretBackendRootCert(\"root\",\n    backend=pki.path,\n    type=\"internal\",\n    common_name=\"example\",\n    ttl=\"86400\",\n    issuer_name=\"example\")\ntest = vault.pkiSecret.get_backend_issuers_output(backend=root.backend)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var root = new Vault.PkiSecret.SecretBackendRootCert(\"root\", new()\n    {\n        Backend = pki.Path,\n        Type = \"internal\",\n        CommonName = \"example\",\n        Ttl = \"86400\",\n        IssuerName = \"example\",\n    });\n\n    var test = Vault.PkiSecret.GetBackendIssuers.Invoke(new()\n    {\n        Backend = root.Backend,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\troot, err := pkisecret.NewSecretBackendRootCert(ctx, \"root\", \u0026pkisecret.SecretBackendRootCertArgs{\n\t\t\tBackend:    pki.Path,\n\t\t\tType:       pulumi.String(\"internal\"),\n\t\t\tCommonName: pulumi.String(\"example\"),\n\t\t\tTtl:        pulumi.String(\"86400\"),\n\t\t\tIssuerName: pulumi.String(\"example\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = pkisecret.GetBackendIssuersOutput(ctx, pkisecret.GetBackendIssuersOutputArgs{\n\t\t\tBackend: root.Backend,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendIssuersArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        var root = new SecretBackendRootCert(\"root\", SecretBackendRootCertArgs.builder()\n            .backend(pki.path())\n            .type(\"internal\")\n            .commonName(\"example\")\n            .ttl(\"86400\")\n            .issuerName(\"example\")\n            .build());\n\n        final var test = PkiSecretFunctions.getBackendIssuers(GetBackendIssuersArgs.builder()\n            .backend(root.backend())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: PKI secret engine mount\n  root:\n    type: vault:pkiSecret:SecretBackendRootCert\n    properties:\n      backend: ${pki.path}\n      type: internal\n      commonName: example\n      ttl: '86400'\n      issuerName: example\nvariables:\n  test:\n    fn::invoke:\n      function: vault:pkiSecret:getBackendIssuers\n      arguments:\n        backend: ${root.backend}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getBackendIssuers.\n","properties":{"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the issuers from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["backend"]},"outputs":{"description":"A collection of values returned by getBackendIssuers.\n","properties":{"backend":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"keyInfo":{"additionalProperties":{"type":"string"},"description":"Map of issuer strings read from Vault.\n","type":"object"},"keyInfoJson":{"description":"JSON-encoded issuer data read from Vault.\n","type":"string"},"keys":{"description":"Keys used by issuers under the backend path.\n","items":{"type":"string"},"type":"array"},"namespace":{"type":"string"}},"required":["backend","keyInfo","keyInfoJson","keys","id"],"type":"object"}},"vault:pkiSecret/getBackendKey:getBackendKey":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst key = new vault.pkisecret.SecretBackendKey(\"key\", {\n    backend: pki.path,\n    type: \"internal\",\n    keyName: \"example\",\n    keyType: \"rsa\",\n    keyBits: 4096,\n});\nconst example = key.keyId.apply(keyId =\u003e vault.pkiSecret.getBackendKeyOutput({\n    backend: keyVaultMount.path,\n    keyRef: keyId,\n}));\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\nkey = vault.pkisecret.SecretBackendKey(\"key\",\n    backend=pki.path,\n    type=\"internal\",\n    key_name=\"example\",\n    key_type=\"rsa\",\n    key_bits=4096)\nexample = key.key_id.apply(lambda key_id: vault.pkiSecret.get_backend_key_output(backend=key_vault_mount[\"path\"],\n    key_ref=key_id))\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var key = new Vault.PkiSecret.SecretBackendKey(\"key\", new()\n    {\n        Backend = pki.Path,\n        Type = \"internal\",\n        KeyName = \"example\",\n        KeyType = \"rsa\",\n        KeyBits = 4096,\n    });\n\n    var example = Vault.PkiSecret.GetBackendKey.Invoke(new()\n    {\n        Backend = keyVaultMount.Path,\n        KeyRef = key.KeyId,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tkey, err := pkisecret.NewSecretBackendKey(ctx, \"key\", \u0026pkisecret.SecretBackendKeyArgs{\n\t\t\tBackend: pki.Path,\n\t\t\tType:    pulumi.String(\"internal\"),\n\t\t\tKeyName: pulumi.String(\"example\"),\n\t\t\tKeyType: pulumi.String(\"rsa\"),\n\t\t\tKeyBits: pulumi.Int(4096),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = key.KeyId.ApplyT(func(keyId string) (pkisecret.GetBackendKeyResult, error) {\n\t\t\treturn pkisecret.GetBackendKeyResult(interface{}(pkisecret.GetBackendKey(ctx, \u0026pkisecret.GetBackendKeyArgs{\n\t\t\t\tBackend: keyVaultMount.Path,\n\t\t\t\tKeyRef:  keyId,\n\t\t\t}, nil))), nil\n\t\t}).(pkisecret.GetBackendKeyResultOutput)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendKey;\nimport com.pulumi.vault.pkiSecret.SecretBackendKeyArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendKeyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        var key = new SecretBackendKey(\"key\", SecretBackendKeyArgs.builder()\n            .backend(pki.path())\n            .type(\"internal\")\n            .keyName(\"example\")\n            .keyType(\"rsa\")\n            .keyBits(4096)\n            .build());\n\n        final var example = key.keyId().applyValue(_keyId -\u003e PkiSecretFunctions.getBackendKey(GetBackendKeyArgs.builder()\n            .backend(keyVaultMount.path())\n            .keyRef(_keyId)\n            .build()));\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: PKI secret engine mount\n  key:\n    type: vault:pkiSecret:SecretBackendKey\n    properties:\n      backend: ${pki.path}\n      type: internal\n      keyName: example\n      keyType: rsa\n      keyBits: '4096'\nvariables:\n  example:\n    fn::invoke:\n      function: vault:pkiSecret:getBackendKey\n      arguments:\n        backend: ${keyVaultMount.path}\n        keyRef: ${key.keyId}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getBackendKey.\n","properties":{"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the key from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"keyRef":{"type":"string","description":"Reference to an existing key.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["backend","keyRef"]},"outputs":{"description":"A collection of values returned by getBackendKey.\n","properties":{"backend":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"keyId":{"description":"ID of the key.\n","type":"string"},"keyName":{"description":"Name of the key.\n","type":"string"},"keyRef":{"type":"string"},"keyType":{"description":"Type of the key.\n","type":"string"},"namespace":{"type":"string"}},"required":["backend","keyId","keyName","keyRef","keyType","id"],"type":"object"}},"vault:pkiSecret/getBackendKeys:getBackendKeys":{"description":"## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst pki = new vault.Mount(\"pki\", {\n    path: \"pki\",\n    type: \"pki\",\n    description: \"PKI secret engine mount\",\n});\nconst root = new vault.pkisecret.SecretBackendRootCert(\"root\", {\n    backend: pki.path,\n    type: \"internal\",\n    commonName: \"example\",\n    ttl: \"86400\",\n    keyName: \"example\",\n});\nconst example = vault.pkiSecret.getBackendKeysOutput({\n    backend: root.backend,\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\npki = vault.Mount(\"pki\",\n    path=\"pki\",\n    type=\"pki\",\n    description=\"PKI secret engine mount\")\nroot = vault.pkisecret.SecretBackendRootCert(\"root\",\n    backend=pki.path,\n    type=\"internal\",\n    common_name=\"example\",\n    ttl=\"86400\",\n    key_name=\"example\")\nexample = vault.pkiSecret.get_backend_keys_output(backend=root.backend)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var pki = new Vault.Mount(\"pki\", new()\n    {\n        Path = \"pki\",\n        Type = \"pki\",\n        Description = \"PKI secret engine mount\",\n    });\n\n    var root = new Vault.PkiSecret.SecretBackendRootCert(\"root\", new()\n    {\n        Backend = pki.Path,\n        Type = \"internal\",\n        CommonName = \"example\",\n        Ttl = \"86400\",\n        KeyName = \"example\",\n    });\n\n    var example = Vault.PkiSecret.GetBackendKeys.Invoke(new()\n    {\n        Backend = root.Backend,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/pkisecret\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tpki, err := vault.NewMount(ctx, \"pki\", \u0026vault.MountArgs{\n\t\t\tPath:        pulumi.String(\"pki\"),\n\t\t\tType:        pulumi.String(\"pki\"),\n\t\t\tDescription: pulumi.String(\"PKI secret engine mount\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\troot, err := pkisecret.NewSecretBackendRootCert(ctx, \"root\", \u0026pkisecret.SecretBackendRootCertArgs{\n\t\t\tBackend:    pki.Path,\n\t\t\tType:       pulumi.String(\"internal\"),\n\t\t\tCommonName: pulumi.String(\"example\"),\n\t\t\tTtl:        pulumi.String(\"86400\"),\n\t\t\tKeyName:    pulumi.String(\"example\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = pkisecret.GetBackendKeysOutput(ctx, pkisecret.GetBackendKeysOutputArgs{\n\t\t\tBackend: root.Backend,\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCert;\nimport com.pulumi.vault.pkiSecret.SecretBackendRootCertArgs;\nimport com.pulumi.vault.pkiSecret.PkiSecretFunctions;\nimport com.pulumi.vault.pkiSecret.inputs.GetBackendKeysArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var pki = new Mount(\"pki\", MountArgs.builder()\n            .path(\"pki\")\n            .type(\"pki\")\n            .description(\"PKI secret engine mount\")\n            .build());\n\n        var root = new SecretBackendRootCert(\"root\", SecretBackendRootCertArgs.builder()\n            .backend(pki.path())\n            .type(\"internal\")\n            .commonName(\"example\")\n            .ttl(\"86400\")\n            .keyName(\"example\")\n            .build());\n\n        final var example = PkiSecretFunctions.getBackendKeys(GetBackendKeysArgs.builder()\n            .backend(root.backend())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  pki:\n    type: vault:Mount\n    properties:\n      path: pki\n      type: pki\n      description: PKI secret engine mount\n  root:\n    type: vault:pkiSecret:SecretBackendRootCert\n    properties:\n      backend: ${pki.path}\n      type: internal\n      commonName: example\n      ttl: '86400'\n      keyName: example\nvariables:\n  example:\n    fn::invoke:\n      function: vault:pkiSecret:getBackendKeys\n      arguments:\n        backend: ${root.backend}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getBackendKeys.\n","properties":{"backend":{"type":"string","description":"The path to the PKI secret backend to\nread the keys from, with no leading or trailing `/`s.\n","willReplaceOnChanges":true},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true}},"type":"object","required":["backend"]},"outputs":{"description":"A collection of values returned by getBackendKeys.\n","properties":{"backend":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"keyInfo":{"additionalProperties":{"type":"string"},"description":"Map of key strings read from Vault.\n","type":"object"},"keyInfoJson":{"description":"JSON-encoded key data read from Vault.\n","type":"string"},"keys":{"description":"Keys used under the backend path.\n","items":{"type":"string"},"type":"array"},"namespace":{"type":"string"}},"required":["backend","keyInfo","keyInfoJson","keys","id"],"type":"object"}},"vault:ssh/getSecretBackendSign:getSecretBackendSign":{"description":"This is a data source which can be used to sign an SSH public key\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = vault.ssh.getSecretBackendSign({\n    path: \"ssh\",\n    publicKey: \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com\",\n    name: \"test\",\n    validPrincipals: \"my-user\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.ssh.get_secret_backend_sign(path=\"ssh\",\n    public_key=\"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com\",\n    name=\"test\",\n    valid_principals=\"my-user\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = Vault.Ssh.GetSecretBackendSign.Invoke(new()\n    {\n        Path = \"ssh\",\n        PublicKey = \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com\",\n        Name = \"test\",\n        ValidPrincipals = \"my-user\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/ssh\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := ssh.GetSecretBackendSign(ctx, \u0026ssh.GetSecretBackendSignArgs{\n\t\t\tPath:            \"ssh\",\n\t\t\tPublicKey:       \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com\",\n\t\t\tName:            \"test\",\n\t\t\tValidPrincipals: pulumi.StringRef(\"my-user\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.ssh.SshFunctions;\nimport com.pulumi.vault.ssh.inputs.GetSecretBackendSignArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var test = SshFunctions.getSecretBackendSign(GetSecretBackendSignArgs.builder()\n            .path(\"ssh\")\n            .publicKey(\"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com\")\n            .name(\"test\")\n            .validPrincipals(\"my-user\")\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  test:\n    fn::invoke:\n      function: vault:ssh:getSecretBackendSign\n      arguments:\n        path: ssh\n        publicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDR6q4PTcuIkpdGEqaCaxnR8/REqlbSiEIKaRZkVSjiTXOaiSfUsy9cY2+7+oO9fLMUrhylImerjzEoagX1IjYvc9IeUBaRnfacN7QwUDfstgp2jknbg7rNX9j9nFxwltV/jYQPcRq8Ud0wn1nb4qixq+diM7+Up+xJOeaKxbpjEUJH5dcvaBB+Aa24tJpjOQxtFyQ6dUxlgJu0tcygZR92kKYCVjZDohlSED3i/Ak2KFwqCKx2IZWq9z1vMEgmRzv++4Qt1OsbpW8itiCyWn6lmV33eDCdjMrr9TEThQNnMinPrHdmVUnPZ/OomP+rLDRE9lQR16uaSvKhg5TWOFIXRPyEhX9arEATrE4KSWeQN2qgHOb6P24YqgEm1ZdHJq25q/nBBAa1x0tFMiWqZwOsGeJ9nTeOeyiqFKH5YRBo6DIy3ag3taFsfQSve6oqjnrudUd1hJ8/bNSz8amECfP0ULvAEAgpiurj3eCPc3OcXl4tAld9F6KwabEJV5eelcs= user@example.com\n        name: test\n        validPrincipals: my-user\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getSecretBackendSign.\n","properties":{"certType":{"type":"string","description":"Specifies the type of certificate to be created; either \"user\" or \"host\".\n"},"criticalOptions":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies a map of the critical options that the certificate should be signed for. Defaults to none.\n"},"extensions":{"type":"object","additionalProperties":{"type":"string"},"description":"Specifies a map of the extensions that the certificate should be signed for. Defaults to none.\n"},"keyId":{"type":"string","description":"Specifies the key id that the created certificate should have. If not specified, the display name of the token will be used.\n"},"name":{"type":"string","description":"Specifies the name of the role to sign.\n"},"namespace":{"type":"string","willReplaceOnChanges":true},"path":{"type":"string","description":"Full path where SSH backend is mounted.\n","willReplaceOnChanges":true},"publicKey":{"type":"string","description":"Specifies the SSH public key that should be signed.\n"},"ttl":{"type":"string","description":"Specifies the Requested Time To Live. Cannot be greater than the role's\u003cspan pulumi-lang-nodejs=\" maxTtl \" pulumi-lang-dotnet=\" MaxTtl \" pulumi-lang-go=\" maxTtl \" pulumi-lang-python=\" max_ttl \" pulumi-lang-yaml=\" maxTtl \" pulumi-lang-java=\" maxTtl \"\u003e max_ttl \u003c/span\u003evalue. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.\n"},"validPrincipals":{"type":"string","description":"Specifies valid principals, either usernames or hostnames, that the certificate should be signed for. Required unless the role has specified\u003cspan pulumi-lang-nodejs=\" allowEmptyPrincipals \" pulumi-lang-dotnet=\" AllowEmptyPrincipals \" pulumi-lang-go=\" allowEmptyPrincipals \" pulumi-lang-python=\" allow_empty_principals \" pulumi-lang-yaml=\" allowEmptyPrincipals \" pulumi-lang-java=\" allowEmptyPrincipals \"\u003e allow_empty_principals \u003c/span\u003eor a value has been set for either the\u003cspan pulumi-lang-nodejs=\" defaultUser \" pulumi-lang-dotnet=\" DefaultUser \" pulumi-lang-go=\" defaultUser \" pulumi-lang-python=\" default_user \" pulumi-lang-yaml=\" defaultUser \" pulumi-lang-java=\" defaultUser \"\u003e default_user \u003c/span\u003eor\u003cspan pulumi-lang-nodejs=\" defaultUserTemplate \" pulumi-lang-dotnet=\" DefaultUserTemplate \" pulumi-lang-go=\" defaultUserTemplate \" pulumi-lang-python=\" default_user_template \" pulumi-lang-yaml=\" defaultUserTemplate \" pulumi-lang-java=\" defaultUserTemplate \"\u003e default_user_template \u003c/span\u003erole parameters.\n"}},"type":"object","required":["name","path","publicKey"]},"outputs":{"description":"A collection of values returned by getSecretBackendSign.\n","properties":{"certType":{"type":"string"},"criticalOptions":{"additionalProperties":{"type":"string"},"type":"object"},"extensions":{"additionalProperties":{"type":"string"},"type":"object"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"keyId":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"path":{"type":"string"},"publicKey":{"type":"string"},"serialNumber":{"description":"The serial number of the certificate returned from Vault\n","type":"string"},"signedKey":{"description":"The signed certificate returned from Vault\n","type":"string"},"ttl":{"type":"string"},"validPrincipals":{"type":"string"}},"required":["name","path","publicKey","serialNumber","signedKey","id"],"type":"object"}},"vault:transform/getDecode:getDecode":{"description":"This data source supports the \"/transform/decode/{role_name}\" Vault endpoint.\n\nIt decodes the provided value using a named role.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst transform = new vault.Mount(\"transform\", {\n    path: \"transform\",\n    type: \"transform\",\n});\nconst ccn_fpe = new vault.transform.Transformation(\"ccn-fpe\", {\n    path: transform.path,\n    name: \"ccn-fpe\",\n    type: \"fpe\",\n    template: \"builtin/creditcardnumber\",\n    tweakSource: \"internal\",\n    allowedRoles: [\"payments\"],\n});\nconst payments = new vault.transform.Role(\"payments\", {\n    path: ccn_fpe.path,\n    name: \"payments\",\n    transformations: [\"ccn-fpe\"],\n});\nconst test = vault.transform.getDecodeOutput({\n    path: payments.path,\n    roleName: \"payments\",\n    value: \"9300-3376-4943-8903\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntransform = vault.Mount(\"transform\",\n    path=\"transform\",\n    type=\"transform\")\nccn_fpe = vault.transform.Transformation(\"ccn-fpe\",\n    path=transform.path,\n    name=\"ccn-fpe\",\n    type=\"fpe\",\n    template=\"builtin/creditcardnumber\",\n    tweak_source=\"internal\",\n    allowed_roles=[\"payments\"])\npayments = vault.transform.Role(\"payments\",\n    path=ccn_fpe.path,\n    name=\"payments\",\n    transformations=[\"ccn-fpe\"])\ntest = vault.transform.get_decode_output(path=payments.path,\n    role_name=\"payments\",\n    value=\"9300-3376-4943-8903\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var transform = new Vault.Mount(\"transform\", new()\n    {\n        Path = \"transform\",\n        Type = \"transform\",\n    });\n\n    var ccn_fpe = new Vault.Transform.Transformation(\"ccn-fpe\", new()\n    {\n        Path = transform.Path,\n        Name = \"ccn-fpe\",\n        Type = \"fpe\",\n        Template = \"builtin/creditcardnumber\",\n        TweakSource = \"internal\",\n        AllowedRoles = new[]\n        {\n            \"payments\",\n        },\n    });\n\n    var payments = new Vault.Transform.Role(\"payments\", new()\n    {\n        Path = ccn_fpe.Path,\n        Name = \"payments\",\n        Transformations = new[]\n        {\n            \"ccn-fpe\",\n        },\n    });\n\n    var test = Vault.Transform.GetDecode.Invoke(new()\n    {\n        Path = payments.Path,\n        RoleName = \"payments\",\n        Value = \"9300-3376-4943-8903\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transform\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttransform, err := vault.NewMount(ctx, \"transform\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"transform\"),\n\t\t\tType: pulumi.String(\"transform\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tccn_fpe, err := transform.NewTransformation(ctx, \"ccn-fpe\", \u0026transform.TransformationArgs{\n\t\t\tPath:        transform.Path,\n\t\t\tName:        pulumi.String(\"ccn-fpe\"),\n\t\t\tType:        pulumi.String(\"fpe\"),\n\t\t\tTemplate:    pulumi.String(\"builtin/creditcardnumber\"),\n\t\t\tTweakSource: pulumi.String(\"internal\"),\n\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"payments\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpayments, err := transform.NewRole(ctx, \"payments\", \u0026transform.RoleArgs{\n\t\t\tPath: ccn_fpe.Path,\n\t\t\tName: pulumi.String(\"payments\"),\n\t\t\tTransformations: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ccn-fpe\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = transform.GetDecodeOutput(ctx, transform.GetDecodeOutputArgs{\n\t\t\tPath:     payments.Path,\n\t\t\tRoleName: pulumi.String(\"payments\"),\n\t\t\tValue:    pulumi.String(\"9300-3376-4943-8903\"),\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.transform.Transformation;\nimport com.pulumi.vault.transform.TransformationArgs;\nimport com.pulumi.vault.transform.Role;\nimport com.pulumi.vault.transform.RoleArgs;\nimport com.pulumi.vault.transform.TransformFunctions;\nimport com.pulumi.vault.transform.inputs.GetDecodeArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var transform = new Mount(\"transform\", MountArgs.builder()\n            .path(\"transform\")\n            .type(\"transform\")\n            .build());\n\n        var ccn_fpe = new Transformation(\"ccn-fpe\", TransformationArgs.builder()\n            .path(transform.path())\n            .name(\"ccn-fpe\")\n            .type(\"fpe\")\n            .template(\"builtin/creditcardnumber\")\n            .tweakSource(\"internal\")\n            .allowedRoles(\"payments\")\n            .build());\n\n        var payments = new Role(\"payments\", RoleArgs.builder()\n            .path(ccn_fpe.path())\n            .name(\"payments\")\n            .transformations(\"ccn-fpe\")\n            .build());\n\n        final var test = TransformFunctions.getDecode(GetDecodeArgs.builder()\n            .path(payments.path())\n            .roleName(\"payments\")\n            .value(\"9300-3376-4943-8903\")\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  transform:\n    type: vault:Mount\n    properties:\n      path: transform\n      type: transform\n  ccn-fpe:\n    type: vault:transform:Transformation\n    properties:\n      path: ${transform.path}\n      name: ccn-fpe\n      type: fpe\n      template: builtin/creditcardnumber\n      tweakSource: internal\n      allowedRoles:\n        - payments\n  payments:\n    type: vault:transform:Role\n    properties:\n      path: ${[\"ccn-fpe\"].path}\n      name: payments\n      transformations:\n        - ccn-fpe\nvariables:\n  test:\n    fn::invoke:\n      function: vault:transform:getDecode\n      arguments:\n        path: ${payments.path}\n        roleName: payments\n        value: 9300-3376-4943-8903\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getDecode.\n","properties":{"batchInputs":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"Specifies a list of items to be decoded in a single batch. If this parameter is set, the top-level parameters 'value', 'transformation' and 'tweak' will be ignored. Each batch item within the list can specify these parameters instead.\n"},"batchResults":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"The result of decoding a batch.\n"},"decodedValue":{"type":"string","description":"The result of decoding a value.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.\n"},"tweak":{"type":"string","description":"The tweak value to use. Only applicable for FPE transformations\n"},"value":{"type":"string","description":"The value in which to decode.\n"}},"type":"object","required":["path","roleName"]},"outputs":{"description":"A collection of values returned by getDecode.\n","properties":{"batchInputs":{"items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"batchResults":{"items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"decodedValue":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"path":{"type":"string"},"roleName":{"type":"string"},"transformation":{"type":"string"},"tweak":{"type":"string"},"value":{"type":"string"}},"required":["batchResults","decodedValue","path","roleName","id"],"type":"object"}},"vault:transform/getEncode:getEncode":{"description":"This data source supports the \"/transform/encode/{role_name}\" Vault endpoint.\n\nIt encodes the provided value using a named role.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst transform = new vault.Mount(\"transform\", {\n    path: \"transform\",\n    type: \"transform\",\n});\nconst ccn_fpe = new vault.transform.Transformation(\"ccn-fpe\", {\n    path: transform.path,\n    name: \"ccn-fpe\",\n    type: \"fpe\",\n    template: \"builtin/creditcardnumber\",\n    tweakSource: \"internal\",\n    allowedRoles: [\"payments\"],\n});\nconst payments = new vault.transform.Role(\"payments\", {\n    path: ccn_fpe.path,\n    name: \"payments\",\n    transformations: [\"ccn-fpe\"],\n});\nconst test = vault.transform.getEncodeOutput({\n    path: payments.path,\n    roleName: \"payments\",\n    batchInputs: [{\n        value: \"1111-2222-3333-4444\",\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntransform = vault.Mount(\"transform\",\n    path=\"transform\",\n    type=\"transform\")\nccn_fpe = vault.transform.Transformation(\"ccn-fpe\",\n    path=transform.path,\n    name=\"ccn-fpe\",\n    type=\"fpe\",\n    template=\"builtin/creditcardnumber\",\n    tweak_source=\"internal\",\n    allowed_roles=[\"payments\"])\npayments = vault.transform.Role(\"payments\",\n    path=ccn_fpe.path,\n    name=\"payments\",\n    transformations=[\"ccn-fpe\"])\ntest = vault.transform.get_encode_output(path=payments.path,\n    role_name=\"payments\",\n    batch_inputs=[{\n        \"value\": \"1111-2222-3333-4444\",\n    }])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var transform = new Vault.Mount(\"transform\", new()\n    {\n        Path = \"transform\",\n        Type = \"transform\",\n    });\n\n    var ccn_fpe = new Vault.Transform.Transformation(\"ccn-fpe\", new()\n    {\n        Path = transform.Path,\n        Name = \"ccn-fpe\",\n        Type = \"fpe\",\n        Template = \"builtin/creditcardnumber\",\n        TweakSource = \"internal\",\n        AllowedRoles = new[]\n        {\n            \"payments\",\n        },\n    });\n\n    var payments = new Vault.Transform.Role(\"payments\", new()\n    {\n        Path = ccn_fpe.Path,\n        Name = \"payments\",\n        Transformations = new[]\n        {\n            \"ccn-fpe\",\n        },\n    });\n\n    var test = Vault.Transform.GetEncode.Invoke(new()\n    {\n        Path = payments.Path,\n        RoleName = \"payments\",\n        BatchInputs = new[]\n        {\n            \n            {\n                { \"value\", \"1111-2222-3333-4444\" },\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault\"\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transform\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttransform, err := vault.NewMount(ctx, \"transform\", \u0026vault.MountArgs{\n\t\t\tPath: pulumi.String(\"transform\"),\n\t\t\tType: pulumi.String(\"transform\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tccn_fpe, err := transform.NewTransformation(ctx, \"ccn-fpe\", \u0026transform.TransformationArgs{\n\t\t\tPath:        transform.Path,\n\t\t\tName:        pulumi.String(\"ccn-fpe\"),\n\t\t\tType:        pulumi.String(\"fpe\"),\n\t\t\tTemplate:    pulumi.String(\"builtin/creditcardnumber\"),\n\t\t\tTweakSource: pulumi.String(\"internal\"),\n\t\t\tAllowedRoles: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"payments\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpayments, err := transform.NewRole(ctx, \"payments\", \u0026transform.RoleArgs{\n\t\t\tPath: ccn_fpe.Path,\n\t\t\tName: pulumi.String(\"payments\"),\n\t\t\tTransformations: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ccn-fpe\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_ = transform.GetEncodeOutput(ctx, transform.GetEncodeOutputArgs{\n\t\t\tPath:     payments.Path,\n\t\t\tRoleName: pulumi.String(\"payments\"),\n\t\t\tBatchInputs: pulumi.StringMapArray{\n\t\t\t\tpulumi.StringMap{\n\t\t\t\t\t\"value\": pulumi.String(\"1111-2222-3333-4444\"),\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.Mount;\nimport com.pulumi.vault.MountArgs;\nimport com.pulumi.vault.transform.Transformation;\nimport com.pulumi.vault.transform.TransformationArgs;\nimport com.pulumi.vault.transform.Role;\nimport com.pulumi.vault.transform.RoleArgs;\nimport com.pulumi.vault.transform.TransformFunctions;\nimport com.pulumi.vault.transform.inputs.GetEncodeArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var transform = new Mount(\"transform\", MountArgs.builder()\n            .path(\"transform\")\n            .type(\"transform\")\n            .build());\n\n        var ccn_fpe = new Transformation(\"ccn-fpe\", TransformationArgs.builder()\n            .path(transform.path())\n            .name(\"ccn-fpe\")\n            .type(\"fpe\")\n            .template(\"builtin/creditcardnumber\")\n            .tweakSource(\"internal\")\n            .allowedRoles(\"payments\")\n            .build());\n\n        var payments = new Role(\"payments\", RoleArgs.builder()\n            .path(ccn_fpe.path())\n            .name(\"payments\")\n            .transformations(\"ccn-fpe\")\n            .build());\n\n        final var test = TransformFunctions.getEncode(GetEncodeArgs.builder()\n            .path(payments.path())\n            .roleName(\"payments\")\n            .batchInputs(Map.of(\"value\", \"1111-2222-3333-4444\"))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  transform:\n    type: vault:Mount\n    properties:\n      path: transform\n      type: transform\n  ccn-fpe:\n    type: vault:transform:Transformation\n    properties:\n      path: ${transform.path}\n      name: ccn-fpe\n      type: fpe\n      template: builtin/creditcardnumber\n      tweakSource: internal\n      allowedRoles:\n        - payments\n  payments:\n    type: vault:transform:Role\n    properties:\n      path: ${[\"ccn-fpe\"].path}\n      name: payments\n      transformations:\n        - ccn-fpe\nvariables:\n  test:\n    fn::invoke:\n      function: vault:transform:getEncode\n      arguments:\n        path: ${payments.path}\n        roleName: payments\n        batchInputs:\n          - value: 1111-2222-3333-4444\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getEncode.\n","properties":{"batchInputs":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"Specifies a list of items to be encoded in a single batch. If this parameter is set, the parameters 'value', 'transformation' and 'tweak' will be ignored. Each batch item within the list can specify these parameters instead.\n"},"batchResults":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"The result of encoding a batch.\n"},"encodedValue":{"type":"string","description":"The result of encoding a value.\n"},"namespace":{"type":"string","description":"The namespace of the target resource.\nThe value should not contain leading or trailing forward slashes.\nThe \u003cspan pulumi-lang-nodejs=\"`namespace`\" pulumi-lang-dotnet=\"`Namespace`\" pulumi-lang-go=\"`namespace`\" pulumi-lang-python=\"`namespace`\" pulumi-lang-yaml=\"`namespace`\" pulumi-lang-java=\"`namespace`\"\u003e`namespace`\u003c/span\u003e is always relative to the provider's configured [namespace](https://www.terraform.io/docs/providers/vault/index.html#namespace).\n*Available only for Vault Enterprise*.\n","willReplaceOnChanges":true},"path":{"type":"string","description":"Path to where the back-end is mounted within Vault.\n","willReplaceOnChanges":true},"roleName":{"type":"string","description":"The name of the role.\n","willReplaceOnChanges":true},"transformation":{"type":"string","description":"The transformation to perform. If no value is provided and the role contains a single transformation, this value will be inferred from the role.\n"},"tweak":{"type":"string","description":"The tweak value to use. Only applicable for FPE transformations\n"},"value":{"type":"string","description":"The value in which to encode.\n"}},"type":"object","required":["path","roleName"]},"outputs":{"description":"A collection of values returned by getEncode.\n","properties":{"batchInputs":{"items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"batchResults":{"items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"encodedValue":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"namespace":{"type":"string"},"path":{"type":"string"},"roleName":{"type":"string"},"transformation":{"type":"string"},"tweak":{"type":"string"},"value":{"type":"string"}},"required":["batchResults","encodedValue","path","roleName","id"],"type":"object"}},"vault:transit/getCmac:getCmac":{"description":"This is a data source which can be used to generate a CMAC using a Vault Transit key.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = vault.transit.getCmac({\n    path: \"transit\",\n    name: \"test\",\n    input: \"aGVsbG8gd29ybGQ=\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.transit.get_cmac(path=\"transit\",\n    name=\"test\",\n    input=\"aGVsbG8gd29ybGQ=\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = Vault.Transit.GetCmac.Invoke(new()\n    {\n        Path = \"transit\",\n        Name = \"test\",\n        Input = \"aGVsbG8gd29ybGQ=\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transit\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := transit.GetCmac(ctx, \u0026transit.GetCmacArgs{\n\t\t\tPath:  \"transit\",\n\t\t\tName:  \"test\",\n\t\t\tInput: pulumi.StringRef(\"aGVsbG8gd29ybGQ=\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.transit.TransitFunctions;\nimport com.pulumi.vault.transit.inputs.GetCmacArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var test = TransitFunctions.getCmac(GetCmacArgs.builder()\n            .path(\"transit\")\n            .name(\"test\")\n            .input(\"aGVsbG8gd29ybGQ=\")\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  test:\n    fn::invoke:\n      function: vault:transit:getCmac\n      arguments:\n        path: transit\n        name: test\n        input: aGVsbG8gd29ybGQ=\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getCmac.\n","properties":{"batchInputs":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}}},"batchResults":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"The results returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`batchInput`\" pulumi-lang-dotnet=\"`BatchInput`\" pulumi-lang-go=\"`batchInput`\" pulumi-lang-python=\"`batch_input`\" pulumi-lang-yaml=\"`batchInput`\" pulumi-lang-java=\"`batchInput`\"\u003e`batch_input`\u003c/span\u003e\n"},"cmac":{"type":"string","description":"The CMAC returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`input`\" pulumi-lang-dotnet=\"`Input`\" pulumi-lang-go=\"`input`\" pulumi-lang-python=\"`input`\" pulumi-lang-yaml=\"`input`\" pulumi-lang-java=\"`input`\"\u003e`input`\u003c/span\u003e\n"},"input":{"type":"string"},"keyVersion":{"type":"integer"},"macLength":{"type":"integer"},"name":{"type":"string"},"namespace":{"type":"string","willReplaceOnChanges":true},"path":{"type":"string"},"urlMacLength":{"type":"integer"}},"type":"object","required":["name","path"]},"outputs":{"description":"A collection of values returned by getCmac.\n","properties":{"batchInputs":{"items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"batchResults":{"description":"The results returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`batchInput`\" pulumi-lang-dotnet=\"`BatchInput`\" pulumi-lang-go=\"`batchInput`\" pulumi-lang-python=\"`batch_input`\" pulumi-lang-yaml=\"`batchInput`\" pulumi-lang-java=\"`batchInput`\"\u003e`batch_input`\u003c/span\u003e\n","items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"cmac":{"description":"The CMAC returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`input`\" pulumi-lang-dotnet=\"`Input`\" pulumi-lang-go=\"`input`\" pulumi-lang-python=\"`input`\" pulumi-lang-yaml=\"`input`\" pulumi-lang-java=\"`input`\"\u003e`input`\u003c/span\u003e\n","type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"input":{"type":"string"},"keyVersion":{"type":"integer"},"macLength":{"type":"integer"},"name":{"type":"string"},"namespace":{"type":"string"},"path":{"type":"string"},"urlMacLength":{"type":"integer"}},"required":["batchResults","cmac","name","path","id"],"type":"object"}},"vault:transit/getDecrypt:getDecrypt":{"description":"This is a data source which can be used to decrypt ciphertext using a Vault Transit key.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as vault from \"@pulumi/vault\";\n\nconst test = vault.transit.getDecrypt({\n    backend: \"transit\",\n    key: \"test\",\n    ciphertext: \"vault:v1:S3GtnJ5GUNCWV+/pdL9+g1Feu/nzAv+RlmTmE91Tu0rBkeIU8MEb2nSspC/1IQ==\",\n});\n```\n```python\nimport pulumi\nimport pulumi_vault as vault\n\ntest = vault.transit.get_decrypt(backend=\"transit\",\n    key=\"test\",\n    ciphertext=\"vault:v1:S3GtnJ5GUNCWV+/pdL9+g1Feu/nzAv+RlmTmE91Tu0rBkeIU8MEb2nSspC/1IQ==\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Vault = Pulumi.Vault;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var test = Vault.Transit.GetDecrypt.Invoke(new()\n    {\n        Backend = \"transit\",\n        Key = \"test\",\n        Ciphertext = \"vault:v1:S3GtnJ5GUNCWV+/pdL9+g1Feu/nzAv+RlmTmE91Tu0rBkeIU8MEb2nSspC/1IQ==\",\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-vault/sdk/v7/go/vault/transit\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := transit.GetDecrypt(ctx, \u0026transit.GetDecryptArgs{\n\t\t\tBackend:    \"transit\",\n\t\t\tKey:        \"test\",\n\t\t\tCiphertext: \"vault:v1:S3GtnJ5GUNCWV+/pdL9+g1Feu/nzAv+RlmTmE91Tu0rBkeIU8MEb2nSspC/1IQ==\",\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.vault.transit.TransitFunctions;\nimport com.pulumi.vault.transit.inputs.GetDecryptArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var test = TransitFunctions.getDecrypt(GetDecryptArgs.builder()\n            .backend(\"transit\")\n            .key(\"test\")\n            .ciphertext(\"vault:v1:S3GtnJ5GUNCWV+/pdL9+g1Feu/nzAv+RlmTmE91Tu0rBkeIU8MEb2nSspC/1IQ==\")\n            .build());\n\n    }\n}\n```\n```yaml\nvariables:\n  test:\n    fn::invoke:\n      function: vault:transit:getDecrypt\n      arguments:\n        backend: transit\n        key: test\n        ciphertext: vault:v1:S3GtnJ5GUNCWV+/pdL9+g1Feu/nzAv+RlmTmE91Tu0rBkeIU8MEb2nSspC/1IQ==\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getDecrypt.\n","properties":{"backend":{"type":"string"},"ciphertext":{"type":"string"},"context":{"type":"string"},"key":{"type":"string"},"namespace":{"type":"string","willReplaceOnChanges":true}},"type":"object","required":["backend","ciphertext","key"]},"outputs":{"description":"A collection of values returned by getDecrypt.\n","properties":{"backend":{"type":"string"},"ciphertext":{"type":"string"},"context":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"key":{"type":"string"},"namespace":{"type":"string"},"plaintext":{"description":"Decrypted plaintext returned from Vault\n","secret":true,"type":"string"}},"required":["backend","ciphertext","key","plaintext","id"],"type":"object"}},"vault:transit/getEncrypt:getEncrypt":{"description":"This is a data source which can be used to encrypt plaintext using a Vault Transit key.\n\n","inputs":{"description":"A collection of arguments for invoking getEncrypt.\n","properties":{"backend":{"type":"string"},"context":{"type":"string"},"key":{"type":"string"},"keyVersion":{"type":"integer"},"namespace":{"type":"string","willReplaceOnChanges":true},"plaintext":{"type":"string","secret":true}},"type":"object","required":["backend","key","plaintext"]},"outputs":{"description":"A collection of values returned by getEncrypt.\n","properties":{"backend":{"type":"string"},"ciphertext":{"description":"Encrypted ciphertext returned from Vault\n","type":"string"},"context":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"key":{"type":"string"},"keyVersion":{"type":"integer"},"namespace":{"type":"string"},"plaintext":{"secret":true,"type":"string"}},"required":["backend","ciphertext","key","plaintext","id"],"type":"object"}},"vault:transit/getSign:getSign":{"description":"This is a data source which can be used to generate a signature using a Vault Transit key.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```yaml\nvariables:\n  test:\n    fn::invoke:\n      function: vault:transit:getSign\n      arguments:\n        path: transit\n        key: test\n        input: aGVsbG8gd29ybGQ=\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getSign.\n","properties":{"batchInputs":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}}},"batchResults":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"The results returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`batchInput`\" pulumi-lang-dotnet=\"`BatchInput`\" pulumi-lang-go=\"`batchInput`\" pulumi-lang-python=\"`batch_input`\" pulumi-lang-yaml=\"`batchInput`\" pulumi-lang-java=\"`batchInput`\"\u003e`batch_input`\u003c/span\u003e\n"},"context":{"type":"string"},"hashAlgorithm":{"type":"string"},"input":{"type":"string"},"keyVersion":{"type":"integer"},"marshalingAlgorithm":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string","willReplaceOnChanges":true},"path":{"type":"string"},"prehashed":{"type":"boolean"},"reference":{"type":"string"},"saltLength":{"type":"string"},"signature":{"type":"string","description":"The signature returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`input`\" pulumi-lang-dotnet=\"`Input`\" pulumi-lang-go=\"`input`\" pulumi-lang-python=\"`input`\" pulumi-lang-yaml=\"`input`\" pulumi-lang-java=\"`input`\"\u003e`input`\u003c/span\u003e\n"},"signatureAlgorithm":{"type":"string"},"signatureContext":{"type":"string"}},"type":"object","required":["name","path"]},"outputs":{"description":"A collection of values returned by getSign.\n","properties":{"batchInputs":{"items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"batchResults":{"description":"The results returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`batchInput`\" pulumi-lang-dotnet=\"`BatchInput`\" pulumi-lang-go=\"`batchInput`\" pulumi-lang-python=\"`batch_input`\" pulumi-lang-yaml=\"`batchInput`\" pulumi-lang-java=\"`batchInput`\"\u003e`batch_input`\u003c/span\u003e\n","items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"context":{"type":"string"},"hashAlgorithm":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"input":{"type":"string"},"keyVersion":{"type":"integer"},"marshalingAlgorithm":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"path":{"type":"string"},"prehashed":{"type":"boolean"},"reference":{"type":"string"},"saltLength":{"type":"string"},"signature":{"description":"The signature returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`input`\" pulumi-lang-dotnet=\"`Input`\" pulumi-lang-go=\"`input`\" pulumi-lang-python=\"`input`\" pulumi-lang-yaml=\"`input`\" pulumi-lang-java=\"`input`\"\u003e`input`\u003c/span\u003e\n","type":"string"},"signatureAlgorithm":{"type":"string"},"signatureContext":{"type":"string"}},"required":["batchResults","name","path","signature","id"],"type":"object"}},"vault:transit/getVerify:getVerify":{"description":"This is a data source which can be used to verify a signature using a Vault Transit key.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```yaml\nvariables:\n  test:\n    fn::invoke:\n      function: vault:transit:getVerify\n      arguments:\n        path: transit\n        key: test\n        signature: vault:v1:4kYRAVY/Q/6jjA3CT7HPhxKO+ru/4PhyGKBLRpn9DSeT99McPXEk302NXtzCzsvbSOZPif7f32tlr58iYoxjCQ==\n        input: aGVsbG8gd29ybGQ=\n```\n\u003c!--End PulumiCodeChooser --\u003e\n","inputs":{"description":"A collection of arguments for invoking getVerify.\n","properties":{"batchInputs":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}}},"batchResults":{"type":"array","items":{"type":"object","additionalProperties":{"type":"string"}},"description":"The results returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`batchInput`\" pulumi-lang-dotnet=\"`BatchInput`\" pulumi-lang-go=\"`batchInput`\" pulumi-lang-python=\"`batch_input`\" pulumi-lang-yaml=\"`batchInput`\" pulumi-lang-java=\"`batchInput`\"\u003e`batch_input`\u003c/span\u003e\n"},"cmac":{"type":"string"},"context":{"type":"string"},"hashAlgorithm":{"type":"string"},"hmac":{"type":"string"},"input":{"type":"string"},"macLength":{"type":"integer"},"marshalingAlgorithm":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string","willReplaceOnChanges":true},"path":{"type":"string"},"prehashed":{"type":"boolean"},"reference":{"type":"string"},"saltLength":{"type":"string"},"signature":{"type":"string"},"signatureAlgorithm":{"type":"string"},"signatureContext":{"type":"string"},"valid":{"type":"boolean","description":"Returns \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the signature verification succeeded and \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e otherwise\n"}},"type":"object","required":["name","path"]},"outputs":{"description":"A collection of values returned by getVerify.\n","properties":{"batchInputs":{"items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"batchResults":{"description":"The results returned from Vault if using \u003cspan pulumi-lang-nodejs=\"`batchInput`\" pulumi-lang-dotnet=\"`BatchInput`\" pulumi-lang-go=\"`batchInput`\" pulumi-lang-python=\"`batch_input`\" pulumi-lang-yaml=\"`batchInput`\" pulumi-lang-java=\"`batchInput`\"\u003e`batch_input`\u003c/span\u003e\n","items":{"additionalProperties":{"type":"string"},"type":"object"},"type":"array"},"cmac":{"type":"string"},"context":{"type":"string"},"hashAlgorithm":{"type":"string"},"hmac":{"type":"string"},"id":{"description":"The provider-assigned unique ID for this managed resource.","type":"string"},"input":{"type":"string"},"macLength":{"type":"integer"},"marshalingAlgorithm":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"path":{"type":"string"},"prehashed":{"type":"boolean"},"reference":{"type":"string"},"saltLength":{"type":"string"},"signature":{"type":"string"},"signatureAlgorithm":{"type":"string"},"signatureContext":{"type":"string"},"valid":{"description":"Returns \u003cspan pulumi-lang-nodejs=\"`true`\" pulumi-lang-dotnet=\"`True`\" pulumi-lang-go=\"`true`\" pulumi-lang-python=\"`true`\" pulumi-lang-yaml=\"`true`\" pulumi-lang-java=\"`true`\"\u003e`true`\u003c/span\u003e if the signature verification succeeded and \u003cspan pulumi-lang-nodejs=\"`false`\" pulumi-lang-dotnet=\"`False`\" pulumi-lang-go=\"`false`\" pulumi-lang-python=\"`false`\" pulumi-lang-yaml=\"`false`\" pulumi-lang-java=\"`false`\"\u003e`false`\u003c/span\u003e otherwise\n","type":"boolean"}},"required":["batchResults","name","path","valid","id"],"type":"object"}}}}