Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi Cloud Packages Tutorials
  1. Packages
  2. HashiCorp Vault Provider
  3. API Docs
  4. aws
  5. AuthBackendRole
HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
pulumi/pulumi-vault

vault.aws.AuthBackendRole

Explore with Pulumi AI

vault logo
HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
pulumi/pulumi-vault

    Manages an AWS auth backend role in a Vault server. Roles constrain the instances or principals that can perform the login operation against the backend. See the Vault documentation for more information.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

const aws = new vault.AuthBackend("aws", {type: "aws"});
const example = new vault.aws.AuthBackendRole("example", {
    backend: aws.path,
    role: "test-role",
    authType: "iam",
    boundAmiIds: ["ami-8c1be5f6"],
    boundAccountIds: ["123456789012"],
    boundVpcIds: ["vpc-b61106d4"],
    boundSubnetIds: ["vpc-133128f1"],
    boundIamRoleArns: ["arn:aws:iam::123456789012:role/MyRole"],
    boundIamInstanceProfileArns: ["arn:aws:iam::123456789012:instance-profile/MyProfile"],
    inferredEntityType: "ec2_instance",
    inferredAwsRegion: "us-east-1",
    tokenTtl: 60,
    tokenMaxTtl: 120,
    tokenPolicies: [
        "default",
        "dev",
        "prod",
    ],
});

    import pulumi
import pulumi_vault as vault

aws = vault.AuthBackend("aws", type="aws")
example = vault.aws.AuthBackendRole("example",
    backend=aws.path,
    role="test-role",
    auth_type="iam",
    bound_ami_ids=["ami-8c1be5f6"],
    bound_account_ids=["123456789012"],
    bound_vpc_ids=["vpc-b61106d4"],
    bound_subnet_ids=["vpc-133128f1"],
    bound_iam_role_arns=["arn:aws:iam::123456789012:role/MyRole"],
    bound_iam_instance_profile_arns=["arn:aws:iam::123456789012:instance-profile/MyProfile"],
    inferred_entity_type="ec2_instance",
    inferred_aws_region="us-east-1",
    token_ttl=60,
    token_max_ttl=120,
    token_policies=[
        "default",
        "dev",
        "prod",
    ])

    package main

import (
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault"
	"github.com/pulumi/pulumi-vault/sdk/v6/go/vault/aws"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		aws, err := vault.NewAuthBackend(ctx, "aws", &vault.AuthBackendArgs{
			Type: pulumi.String("aws"),
		})
		if err != nil {
			return err
		}
		_, err = aws.NewAuthBackendRole(ctx, "example", &aws.AuthBackendRoleArgs{
			Backend:  aws.Path,
			Role:     pulumi.String("test-role"),
			AuthType: pulumi.String("iam"),
			BoundAmiIds: pulumi.StringArray{
				pulumi.String("ami-8c1be5f6"),
			},
			BoundAccountIds: pulumi.StringArray{
				pulumi.String("123456789012"),
			},
			BoundVpcIds: pulumi.StringArray{
				pulumi.String("vpc-b61106d4"),
			},
			BoundSubnetIds: pulumi.StringArray{
				pulumi.String("vpc-133128f1"),
			},
			BoundIamRoleArns: pulumi.StringArray{
				pulumi.String("arn:aws:iam::123456789012:role/MyRole"),
			},
			BoundIamInstanceProfileArns: pulumi.StringArray{
				pulumi.String("arn:aws:iam::123456789012:instance-profile/MyProfile"),
			},
			InferredEntityType: pulumi.String("ec2_instance"),
			InferredAwsRegion:  pulumi.String("us-east-1"),
			TokenTtl:           pulumi.Int(60),
			TokenMaxTtl:        pulumi.Int(120),
			TokenPolicies: pulumi.StringArray{
				pulumi.String("default"),
				pulumi.String("dev"),
				pulumi.String("prod"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Vault = Pulumi.Vault;

return await Deployment.RunAsync(() => 
{
    var aws = new Vault.AuthBackend("aws", new()
    {
        Type = "aws",
    });

    var example = new Vault.Aws.AuthBackendRole("example", new()
    {
        Backend = aws.Path,
        Role = "test-role",
        AuthType = "iam",
        BoundAmiIds = new[]
        {
            "ami-8c1be5f6",
        },
        BoundAccountIds = new[]
        {
            "123456789012",
        },
        BoundVpcIds = new[]
        {
            "vpc-b61106d4",
        },
        BoundSubnetIds = new[]
        {
            "vpc-133128f1",
        },
        BoundIamRoleArns = new[]
        {
            "arn:aws:iam::123456789012:role/MyRole",
        },
        BoundIamInstanceProfileArns = new[]
        {
            "arn:aws:iam::123456789012:instance-profile/MyProfile",
        },
        InferredEntityType = "ec2_instance",
        InferredAwsRegion = "us-east-1",
        TokenTtl = 60,
        TokenMaxTtl = 120,
        TokenPolicies = new[]
        {
            "default",
            "dev",
            "prod",
        },
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.vault.AuthBackend;
import com.pulumi.vault.AuthBackendArgs;
import com.pulumi.vault.aws.AuthBackendRole;
import com.pulumi.vault.aws.AuthBackendRoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var aws = new AuthBackend("aws", AuthBackendArgs.builder()
            .type("aws")
            .build());

        var example = new AuthBackendRole("example", AuthBackendRoleArgs.builder()
            .backend(aws.path())
            .role("test-role")
            .authType("iam")
            .boundAmiIds("ami-8c1be5f6")
            .boundAccountIds("123456789012")
            .boundVpcIds("vpc-b61106d4")
            .boundSubnetIds("vpc-133128f1")
            .boundIamRoleArns("arn:aws:iam::123456789012:role/MyRole")
            .boundIamInstanceProfileArns("arn:aws:iam::123456789012:instance-profile/MyProfile")
            .inferredEntityType("ec2_instance")
            .inferredAwsRegion("us-east-1")
            .tokenTtl(60)
            .tokenMaxTtl(120)
            .tokenPolicies(            
                "default",
                "dev",
                "prod")
            .build());

    }
}

    resources:
  aws:
    type: vault:AuthBackend
    properties:
      type: aws
  example:
    type: vault:aws:AuthBackendRole
    properties:
      backend: ${aws.path}
      role: test-role
      authType: iam
      boundAmiIds:
        - ami-8c1be5f6
      boundAccountIds:
        - '123456789012'
      boundVpcIds:
        - vpc-b61106d4
      boundSubnetIds:
        - vpc-133128f1
      boundIamRoleArns:
        - arn:aws:iam::123456789012:role/MyRole
      boundIamInstanceProfileArns:
        - arn:aws:iam::123456789012:instance-profile/MyProfile
      inferredEntityType: ec2_instance
      inferredAwsRegion: us-east-1
      tokenTtl: 60
      tokenMaxTtl: 120
      tokenPolicies:
        - default
        - dev
        - prod

    Create AuthBackendRole Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new AuthBackendRole(name: string, args: AuthBackendRoleArgs, opts?: CustomResourceOptions);
    @overload
def AuthBackendRole(resource_name: str,
                    args: AuthBackendRoleArgs,
                    opts: Optional[ResourceOptions] = None)

@overload
def AuthBackendRole(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    role: Optional[str] = None,
                    inferred_entity_type: Optional[str] = None,
                    token_policies: Optional[Sequence[str]] = None,
                    bound_account_ids: Optional[Sequence[str]] = None,
                    bound_ami_ids: Optional[Sequence[str]] = None,
                    bound_ec2_instance_ids: Optional[Sequence[str]] = None,
                    bound_iam_instance_profile_arns: Optional[Sequence[str]] = None,
                    bound_iam_principal_arns: Optional[Sequence[str]] = None,
                    bound_iam_role_arns: Optional[Sequence[str]] = None,
                    bound_regions: Optional[Sequence[str]] = None,
                    bound_subnet_ids: Optional[Sequence[str]] = None,
                    bound_vpc_ids: Optional[Sequence[str]] = None,
                    namespace: Optional[str] = None,
                    backend: Optional[str] = None,
                    inferred_aws_region: Optional[str] = None,
                    disallow_reauthentication: Optional[bool] = None,
                    resolve_aws_unique_ids: Optional[bool] = None,
                    auth_type: Optional[str] = None,
                    role_tag: Optional[str] = None,
                    token_bound_cidrs: Optional[Sequence[str]] = None,
                    token_explicit_max_ttl: Optional[int] = None,
                    token_max_ttl: Optional[int] = None,
                    token_no_default_policy: Optional[bool] = None,
                    token_num_uses: Optional[int] = None,
                    token_period: Optional[int] = None,
                    allow_instance_migration: Optional[bool] = None,
                    token_ttl: Optional[int] = None,
                    token_type: Optional[str] = None)
    func NewAuthBackendRole(ctx *Context, name string, args AuthBackendRoleArgs, opts ...ResourceOption) (*AuthBackendRole, error)
    public AuthBackendRole(string name, AuthBackendRoleArgs args, CustomResourceOptions? opts = null)
    public AuthBackendRole(String name, AuthBackendRoleArgs args)
public AuthBackendRole(String name, AuthBackendRoleArgs args, CustomResourceOptions options)

    type: vault:aws:AuthBackendRole
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

    Parameters

    name string
    The unique name of the resource.
    args AuthBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AuthBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AuthBackendRoleArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AuthBackendRoleArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AuthBackendRoleArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var exampleauthBackendRoleResourceResourceFromAwsauthBackendRole = new Vault.Aws.AuthBackendRole("exampleauthBackendRoleResourceResourceFromAwsauthBackendRole", new()
{
    Role = "string",
    InferredEntityType = "string",
    TokenPolicies = new[]
    {
        "string",
    },
    BoundAccountIds = new[]
    {
        "string",
    },
    BoundAmiIds = new[]
    {
        "string",
    },
    BoundEc2InstanceIds = new[]
    {
        "string",
    },
    BoundIamInstanceProfileArns = new[]
    {
        "string",
    },
    BoundIamPrincipalArns = new[]
    {
        "string",
    },
    BoundIamRoleArns = new[]
    {
        "string",
    },
    BoundRegions = new[]
    {
        "string",
    },
    BoundSubnetIds = new[]
    {
        "string",
    },
    BoundVpcIds = new[]
    {
        "string",
    },
    Namespace = "string",
    Backend = "string",
    InferredAwsRegion = "string",
    DisallowReauthentication = false,
    ResolveAwsUniqueIds = false,
    AuthType = "string",
    RoleTag = "string",
    TokenBoundCidrs = new[]
    {
        "string",
    },
    TokenExplicitMaxTtl = 0,
    TokenMaxTtl = 0,
    TokenNoDefaultPolicy = false,
    TokenNumUses = 0,
    TokenPeriod = 0,
    AllowInstanceMigration = false,
    TokenTtl = 0,
    TokenType = "string",
});

    example, err := aws.NewAuthBackendRole(ctx, "exampleauthBackendRoleResourceResourceFromAwsauthBackendRole", &aws.AuthBackendRoleArgs{
	Role:               pulumi.String("string"),
	InferredEntityType: pulumi.String("string"),
	TokenPolicies: pulumi.StringArray{
		pulumi.String("string"),
	},
	BoundAccountIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	BoundAmiIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	BoundEc2InstanceIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	BoundIamInstanceProfileArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	BoundIamPrincipalArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	BoundIamRoleArns: pulumi.StringArray{
		pulumi.String("string"),
	},
	BoundRegions: pulumi.StringArray{
		pulumi.String("string"),
	},
	BoundSubnetIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	BoundVpcIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	Namespace:                pulumi.String("string"),
	Backend:                  pulumi.String("string"),
	InferredAwsRegion:        pulumi.String("string"),
	DisallowReauthentication: pulumi.Bool(false),
	ResolveAwsUniqueIds:      pulumi.Bool(false),
	AuthType:                 pulumi.String("string"),
	RoleTag:                  pulumi.String("string"),
	TokenBoundCidrs: pulumi.StringArray{
		pulumi.String("string"),
	},
	TokenExplicitMaxTtl:    pulumi.Int(0),
	TokenMaxTtl:            pulumi.Int(0),
	TokenNoDefaultPolicy:   pulumi.Bool(false),
	TokenNumUses:           pulumi.Int(0),
	TokenPeriod:            pulumi.Int(0),
	AllowInstanceMigration: pulumi.Bool(false),
	TokenTtl:               pulumi.Int(0),
	TokenType:              pulumi.String("string"),
})

    var exampleauthBackendRoleResourceResourceFromAwsauthBackendRole = new com.pulumi.vault.aws.AuthBackendRole("exampleauthBackendRoleResourceResourceFromAwsauthBackendRole", com.pulumi.vault.aws.AuthBackendRoleArgs.builder()
    .role("string")
    .inferredEntityType("string")
    .tokenPolicies("string")
    .boundAccountIds("string")
    .boundAmiIds("string")
    .boundEc2InstanceIds("string")
    .boundIamInstanceProfileArns("string")
    .boundIamPrincipalArns("string")
    .boundIamRoleArns("string")
    .boundRegions("string")
    .boundSubnetIds("string")
    .boundVpcIds("string")
    .namespace("string")
    .backend("string")
    .inferredAwsRegion("string")
    .disallowReauthentication(false)
    .resolveAwsUniqueIds(false)
    .authType("string")
    .roleTag("string")
    .tokenBoundCidrs("string")
    .tokenExplicitMaxTtl(0)
    .tokenMaxTtl(0)
    .tokenNoDefaultPolicy(false)
    .tokenNumUses(0)
    .tokenPeriod(0)
    .allowInstanceMigration(false)
    .tokenTtl(0)
    .tokenType("string")
    .build());

    exampleauth_backend_role_resource_resource_from_awsauth_backend_role = vault.aws.AuthBackendRole("exampleauthBackendRoleResourceResourceFromAwsauthBackendRole",
    role="string",
    inferred_entity_type="string",
    token_policies=["string"],
    bound_account_ids=["string"],
    bound_ami_ids=["string"],
    bound_ec2_instance_ids=["string"],
    bound_iam_instance_profile_arns=["string"],
    bound_iam_principal_arns=["string"],
    bound_iam_role_arns=["string"],
    bound_regions=["string"],
    bound_subnet_ids=["string"],
    bound_vpc_ids=["string"],
    namespace="string",
    backend="string",
    inferred_aws_region="string",
    disallow_reauthentication=False,
    resolve_aws_unique_ids=False,
    auth_type="string",
    role_tag="string",
    token_bound_cidrs=["string"],
    token_explicit_max_ttl=0,
    token_max_ttl=0,
    token_no_default_policy=False,
    token_num_uses=0,
    token_period=0,
    allow_instance_migration=False,
    token_ttl=0,
    token_type="string")

    const exampleauthBackendRoleResourceResourceFromAwsauthBackendRole = new vault.aws.AuthBackendRole("exampleauthBackendRoleResourceResourceFromAwsauthBackendRole", {
    role: "string",
    inferredEntityType: "string",
    tokenPolicies: ["string"],
    boundAccountIds: ["string"],
    boundAmiIds: ["string"],
    boundEc2InstanceIds: ["string"],
    boundIamInstanceProfileArns: ["string"],
    boundIamPrincipalArns: ["string"],
    boundIamRoleArns: ["string"],
    boundRegions: ["string"],
    boundSubnetIds: ["string"],
    boundVpcIds: ["string"],
    namespace: "string",
    backend: "string",
    inferredAwsRegion: "string",
    disallowReauthentication: false,
    resolveAwsUniqueIds: false,
    authType: "string",
    roleTag: "string",
    tokenBoundCidrs: ["string"],
    tokenExplicitMaxTtl: 0,
    tokenMaxTtl: 0,
    tokenNoDefaultPolicy: false,
    tokenNumUses: 0,
    tokenPeriod: 0,
    allowInstanceMigration: false,
    tokenTtl: 0,
    tokenType: "string",
});

    type: vault:aws:AuthBackendRole
properties:
    allowInstanceMigration: false
    authType: string
    backend: string
    boundAccountIds:
        - string
    boundAmiIds:
        - string
    boundEc2InstanceIds:
        - string
    boundIamInstanceProfileArns:
        - string
    boundIamPrincipalArns:
        - string
    boundIamRoleArns:
        - string
    boundRegions:
        - string
    boundSubnetIds:
        - string
    boundVpcIds:
        - string
    disallowReauthentication: false
    inferredAwsRegion: string
    inferredEntityType: string
    namespace: string
    resolveAwsUniqueIds: false
    role: string
    roleTag: string
    tokenBoundCidrs:
        - string
    tokenExplicitMaxTtl: 0
    tokenMaxTtl: 0
    tokenNoDefaultPolicy: false
    tokenNumUses: 0
    tokenPeriod: 0
    tokenPolicies:
        - string
    tokenTtl: 0
    tokenType: string

    AuthBackendRole Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The AuthBackendRole resource accepts the following input properties:

    Role string
    The name of the role.
    AllowInstanceMigration bool
    If set to true, allows migration of the underlying instance where the client resides.
    AuthType string
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    Backend string
    Path to the mounted aws auth backend.
    BoundAccountIds List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundAmiIds List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundEc2InstanceIds List<string>
    Only EC2 instances that match this instance ID will be permitted to log in.
    BoundIamInstanceProfileArns List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundIamPrincipalArns List<string>
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    BoundIamRoleArns List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundRegions List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundSubnetIds List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundVpcIds List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    DisallowReauthentication bool
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    InferredAwsRegion string
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    InferredEntityType string
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ResolveAwsUniqueIds bool
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    RoleTag string
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    TokenBoundCidrs List<string>
    Specifies the blocks of IP addresses which are allowed to use the generated token
    TokenExplicitMaxTtl int
    Generated Token's Explicit Maximum TTL in seconds
    TokenMaxTtl int
    The maximum lifetime of the generated token
    TokenNoDefaultPolicy bool
    If true, the 'default' policy will not automatically be added to generated tokens
    TokenNumUses int
    The maximum number of times a token may be used, a value of zero means unlimited
    TokenPeriod int
    Generated Token's Period
    TokenPolicies List<string>
    Generated Token's Policies
    TokenTtl int
    The initial ttl of the token to generate in seconds
    TokenType string
    The type of token to generate, service or batch
    Role string
    The name of the role.
    AllowInstanceMigration bool
    If set to true, allows migration of the underlying instance where the client resides.
    AuthType string
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    Backend string
    Path to the mounted aws auth backend.
    BoundAccountIds []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundAmiIds []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundEc2InstanceIds []string
    Only EC2 instances that match this instance ID will be permitted to log in.
    BoundIamInstanceProfileArns []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundIamPrincipalArns []string
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    BoundIamRoleArns []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundRegions []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundSubnetIds []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundVpcIds []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    DisallowReauthentication bool
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    InferredAwsRegion string
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    InferredEntityType string
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ResolveAwsUniqueIds bool
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    RoleTag string
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    TokenBoundCidrs []string
    Specifies the blocks of IP addresses which are allowed to use the generated token
    TokenExplicitMaxTtl int
    Generated Token's Explicit Maximum TTL in seconds
    TokenMaxTtl int
    The maximum lifetime of the generated token
    TokenNoDefaultPolicy bool
    If true, the 'default' policy will not automatically be added to generated tokens
    TokenNumUses int
    The maximum number of times a token may be used, a value of zero means unlimited
    TokenPeriod int
    Generated Token's Period
    TokenPolicies []string
    Generated Token's Policies
    TokenTtl int
    The initial ttl of the token to generate in seconds
    TokenType string
    The type of token to generate, service or batch
    role String
    The name of the role.
    allowInstanceMigration Boolean
    If set to true, allows migration of the underlying instance where the client resides.
    authType String
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    backend String
    Path to the mounted aws auth backend.
    boundAccountIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundAmiIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundEc2InstanceIds List<String>
    Only EC2 instances that match this instance ID will be permitted to log in.
    boundIamInstanceProfileArns List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundIamPrincipalArns List<String>
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    boundIamRoleArns List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundRegions List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundSubnetIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundVpcIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    disallowReauthentication Boolean
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    inferredAwsRegion String
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    inferredEntityType String
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    resolveAwsUniqueIds Boolean
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    roleTag String
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    tokenBoundCidrs List<String>
    Specifies the blocks of IP addresses which are allowed to use the generated token
    tokenExplicitMaxTtl Integer
    Generated Token's Explicit Maximum TTL in seconds
    tokenMaxTtl Integer
    The maximum lifetime of the generated token
    tokenNoDefaultPolicy Boolean
    If true, the 'default' policy will not automatically be added to generated tokens
    tokenNumUses Integer
    The maximum number of times a token may be used, a value of zero means unlimited
    tokenPeriod Integer
    Generated Token's Period
    tokenPolicies List<String>
    Generated Token's Policies
    tokenTtl Integer
    The initial ttl of the token to generate in seconds
    tokenType String
    The type of token to generate, service or batch
    role string
    The name of the role.
    allowInstanceMigration boolean
    If set to true, allows migration of the underlying instance where the client resides.
    authType string
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    backend string
    Path to the mounted aws auth backend.
    boundAccountIds string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundAmiIds string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundEc2InstanceIds string[]
    Only EC2 instances that match this instance ID will be permitted to log in.
    boundIamInstanceProfileArns string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundIamPrincipalArns string[]
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    boundIamRoleArns string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundRegions string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundSubnetIds string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundVpcIds string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    disallowReauthentication boolean
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    inferredAwsRegion string
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    inferredEntityType string
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    resolveAwsUniqueIds boolean
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    roleTag string
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    tokenBoundCidrs string[]
    Specifies the blocks of IP addresses which are allowed to use the generated token
    tokenExplicitMaxTtl number
    Generated Token's Explicit Maximum TTL in seconds
    tokenMaxTtl number
    The maximum lifetime of the generated token
    tokenNoDefaultPolicy boolean
    If true, the 'default' policy will not automatically be added to generated tokens
    tokenNumUses number
    The maximum number of times a token may be used, a value of zero means unlimited
    tokenPeriod number
    Generated Token's Period
    tokenPolicies string[]
    Generated Token's Policies
    tokenTtl number
    The initial ttl of the token to generate in seconds
    tokenType string
    The type of token to generate, service or batch
    role str
    The name of the role.
    allow_instance_migration bool
    If set to true, allows migration of the underlying instance where the client resides.
    auth_type str
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    backend str
    Path to the mounted aws auth backend.
    bound_account_ids Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_ami_ids Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_ec2_instance_ids Sequence[str]
    Only EC2 instances that match this instance ID will be permitted to log in.
    bound_iam_instance_profile_arns Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_iam_principal_arns Sequence[str]
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    bound_iam_role_arns Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_regions Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_subnet_ids Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_vpc_ids Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    disallow_reauthentication bool
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    inferred_aws_region str
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    inferred_entity_type str
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    resolve_aws_unique_ids bool
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    role_tag str
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    token_bound_cidrs Sequence[str]
    Specifies the blocks of IP addresses which are allowed to use the generated token
    token_explicit_max_ttl int
    Generated Token's Explicit Maximum TTL in seconds
    token_max_ttl int
    The maximum lifetime of the generated token
    token_no_default_policy bool
    If true, the 'default' policy will not automatically be added to generated tokens
    token_num_uses int
    The maximum number of times a token may be used, a value of zero means unlimited
    token_period int
    Generated Token's Period
    token_policies Sequence[str]
    Generated Token's Policies
    token_ttl int
    The initial ttl of the token to generate in seconds
    token_type str
    The type of token to generate, service or batch
    role String
    The name of the role.
    allowInstanceMigration Boolean
    If set to true, allows migration of the underlying instance where the client resides.
    authType String
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    backend String
    Path to the mounted aws auth backend.
    boundAccountIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundAmiIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundEc2InstanceIds List<String>
    Only EC2 instances that match this instance ID will be permitted to log in.
    boundIamInstanceProfileArns List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundIamPrincipalArns List<String>
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    boundIamRoleArns List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundRegions List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundSubnetIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundVpcIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    disallowReauthentication Boolean
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    inferredAwsRegion String
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    inferredEntityType String
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    resolveAwsUniqueIds Boolean
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    roleTag String
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    tokenBoundCidrs List<String>
    Specifies the blocks of IP addresses which are allowed to use the generated token
    tokenExplicitMaxTtl Number
    Generated Token's Explicit Maximum TTL in seconds
    tokenMaxTtl Number
    The maximum lifetime of the generated token
    tokenNoDefaultPolicy Boolean
    If true, the 'default' policy will not automatically be added to generated tokens
    tokenNumUses Number
    The maximum number of times a token may be used, a value of zero means unlimited
    tokenPeriod Number
    Generated Token's Period
    tokenPolicies List<String>
    Generated Token's Policies
    tokenTtl Number
    The initial ttl of the token to generate in seconds
    tokenType String
    The type of token to generate, service or batch

    Outputs

    All input properties are implicitly available as output properties. Additionally, the AuthBackendRole resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    RoleId string
    The Vault generated role ID.
    Id string
    The provider-assigned unique ID for this managed resource.
    RoleId string
    The Vault generated role ID.
    id String
    The provider-assigned unique ID for this managed resource.
    roleId String
    The Vault generated role ID.
    id string
    The provider-assigned unique ID for this managed resource.
    roleId string
    The Vault generated role ID.
    id str
    The provider-assigned unique ID for this managed resource.
    role_id str
    The Vault generated role ID.
    id String
    The provider-assigned unique ID for this managed resource.
    roleId String
    The Vault generated role ID.

    Look up Existing AuthBackendRole Resource

    Get an existing AuthBackendRole resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AuthBackendRoleState, opts?: CustomResourceOptions): AuthBackendRole
    @staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allow_instance_migration: Optional[bool] = None,
        auth_type: Optional[str] = None,
        backend: Optional[str] = None,
        bound_account_ids: Optional[Sequence[str]] = None,
        bound_ami_ids: Optional[Sequence[str]] = None,
        bound_ec2_instance_ids: Optional[Sequence[str]] = None,
        bound_iam_instance_profile_arns: Optional[Sequence[str]] = None,
        bound_iam_principal_arns: Optional[Sequence[str]] = None,
        bound_iam_role_arns: Optional[Sequence[str]] = None,
        bound_regions: Optional[Sequence[str]] = None,
        bound_subnet_ids: Optional[Sequence[str]] = None,
        bound_vpc_ids: Optional[Sequence[str]] = None,
        disallow_reauthentication: Optional[bool] = None,
        inferred_aws_region: Optional[str] = None,
        inferred_entity_type: Optional[str] = None,
        namespace: Optional[str] = None,
        resolve_aws_unique_ids: Optional[bool] = None,
        role: Optional[str] = None,
        role_id: Optional[str] = None,
        role_tag: Optional[str] = None,
        token_bound_cidrs: Optional[Sequence[str]] = None,
        token_explicit_max_ttl: Optional[int] = None,
        token_max_ttl: Optional[int] = None,
        token_no_default_policy: Optional[bool] = None,
        token_num_uses: Optional[int] = None,
        token_period: Optional[int] = None,
        token_policies: Optional[Sequence[str]] = None,
        token_ttl: Optional[int] = None,
        token_type: Optional[str] = None) -> AuthBackendRole
    func GetAuthBackendRole(ctx *Context, name string, id IDInput, state *AuthBackendRoleState, opts ...ResourceOption) (*AuthBackendRole, error)
    public static AuthBackendRole Get(string name, Input<string> id, AuthBackendRoleState? state, CustomResourceOptions? opts = null)
    public static AuthBackendRole get(String name, Output<String> id, AuthBackendRoleState state, CustomResourceOptions options)
    resources:  _:    type: vault:aws:AuthBackendRole    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AllowInstanceMigration bool
    If set to true, allows migration of the underlying instance where the client resides.
    AuthType string
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    Backend string
    Path to the mounted aws auth backend.
    BoundAccountIds List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundAmiIds List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundEc2InstanceIds List<string>
    Only EC2 instances that match this instance ID will be permitted to log in.
    BoundIamInstanceProfileArns List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundIamPrincipalArns List<string>
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    BoundIamRoleArns List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundRegions List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundSubnetIds List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundVpcIds List<string>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    DisallowReauthentication bool
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    InferredAwsRegion string
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    InferredEntityType string
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ResolveAwsUniqueIds bool
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    Role string
    The name of the role.
    RoleId string
    The Vault generated role ID.
    RoleTag string
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    TokenBoundCidrs List<string>
    Specifies the blocks of IP addresses which are allowed to use the generated token
    TokenExplicitMaxTtl int
    Generated Token's Explicit Maximum TTL in seconds
    TokenMaxTtl int
    The maximum lifetime of the generated token
    TokenNoDefaultPolicy bool
    If true, the 'default' policy will not automatically be added to generated tokens
    TokenNumUses int
    The maximum number of times a token may be used, a value of zero means unlimited
    TokenPeriod int
    Generated Token's Period
    TokenPolicies List<string>
    Generated Token's Policies
    TokenTtl int
    The initial ttl of the token to generate in seconds
    TokenType string
    The type of token to generate, service or batch
    AllowInstanceMigration bool
    If set to true, allows migration of the underlying instance where the client resides.
    AuthType string
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    Backend string
    Path to the mounted aws auth backend.
    BoundAccountIds []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundAmiIds []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundEc2InstanceIds []string
    Only EC2 instances that match this instance ID will be permitted to log in.
    BoundIamInstanceProfileArns []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundIamPrincipalArns []string
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    BoundIamRoleArns []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundRegions []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundSubnetIds []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    BoundVpcIds []string
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    DisallowReauthentication bool
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    InferredAwsRegion string
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    InferredEntityType string
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    Namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    ResolveAwsUniqueIds bool
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    Role string
    The name of the role.
    RoleId string
    The Vault generated role ID.
    RoleTag string
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    TokenBoundCidrs []string
    Specifies the blocks of IP addresses which are allowed to use the generated token
    TokenExplicitMaxTtl int
    Generated Token's Explicit Maximum TTL in seconds
    TokenMaxTtl int
    The maximum lifetime of the generated token
    TokenNoDefaultPolicy bool
    If true, the 'default' policy will not automatically be added to generated tokens
    TokenNumUses int
    The maximum number of times a token may be used, a value of zero means unlimited
    TokenPeriod int
    Generated Token's Period
    TokenPolicies []string
    Generated Token's Policies
    TokenTtl int
    The initial ttl of the token to generate in seconds
    TokenType string
    The type of token to generate, service or batch
    allowInstanceMigration Boolean
    If set to true, allows migration of the underlying instance where the client resides.
    authType String
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    backend String
    Path to the mounted aws auth backend.
    boundAccountIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundAmiIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundEc2InstanceIds List<String>
    Only EC2 instances that match this instance ID will be permitted to log in.
    boundIamInstanceProfileArns List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundIamPrincipalArns List<String>
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    boundIamRoleArns List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundRegions List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundSubnetIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundVpcIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    disallowReauthentication Boolean
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    inferredAwsRegion String
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    inferredEntityType String
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    resolveAwsUniqueIds Boolean
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    role String
    The name of the role.
    roleId String
    The Vault generated role ID.
    roleTag String
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    tokenBoundCidrs List<String>
    Specifies the blocks of IP addresses which are allowed to use the generated token
    tokenExplicitMaxTtl Integer
    Generated Token's Explicit Maximum TTL in seconds
    tokenMaxTtl Integer
    The maximum lifetime of the generated token
    tokenNoDefaultPolicy Boolean
    If true, the 'default' policy will not automatically be added to generated tokens
    tokenNumUses Integer
    The maximum number of times a token may be used, a value of zero means unlimited
    tokenPeriod Integer
    Generated Token's Period
    tokenPolicies List<String>
    Generated Token's Policies
    tokenTtl Integer
    The initial ttl of the token to generate in seconds
    tokenType String
    The type of token to generate, service or batch
    allowInstanceMigration boolean
    If set to true, allows migration of the underlying instance where the client resides.
    authType string
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    backend string
    Path to the mounted aws auth backend.
    boundAccountIds string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundAmiIds string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundEc2InstanceIds string[]
    Only EC2 instances that match this instance ID will be permitted to log in.
    boundIamInstanceProfileArns string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundIamPrincipalArns string[]
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    boundIamRoleArns string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundRegions string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundSubnetIds string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundVpcIds string[]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    disallowReauthentication boolean
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    inferredAwsRegion string
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    inferredEntityType string
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    namespace string
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    resolveAwsUniqueIds boolean
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    role string
    The name of the role.
    roleId string
    The Vault generated role ID.
    roleTag string
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    tokenBoundCidrs string[]
    Specifies the blocks of IP addresses which are allowed to use the generated token
    tokenExplicitMaxTtl number
    Generated Token's Explicit Maximum TTL in seconds
    tokenMaxTtl number
    The maximum lifetime of the generated token
    tokenNoDefaultPolicy boolean
    If true, the 'default' policy will not automatically be added to generated tokens
    tokenNumUses number
    The maximum number of times a token may be used, a value of zero means unlimited
    tokenPeriod number
    Generated Token's Period
    tokenPolicies string[]
    Generated Token's Policies
    tokenTtl number
    The initial ttl of the token to generate in seconds
    tokenType string
    The type of token to generate, service or batch
    allow_instance_migration bool
    If set to true, allows migration of the underlying instance where the client resides.
    auth_type str
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    backend str
    Path to the mounted aws auth backend.
    bound_account_ids Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_ami_ids Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_ec2_instance_ids Sequence[str]
    Only EC2 instances that match this instance ID will be permitted to log in.
    bound_iam_instance_profile_arns Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_iam_principal_arns Sequence[str]
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    bound_iam_role_arns Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_regions Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_subnet_ids Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    bound_vpc_ids Sequence[str]
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    disallow_reauthentication bool
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    inferred_aws_region str
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    inferred_entity_type str
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    namespace str
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    resolve_aws_unique_ids bool
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    role str
    The name of the role.
    role_id str
    The Vault generated role ID.
    role_tag str
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    token_bound_cidrs Sequence[str]
    Specifies the blocks of IP addresses which are allowed to use the generated token
    token_explicit_max_ttl int
    Generated Token's Explicit Maximum TTL in seconds
    token_max_ttl int
    The maximum lifetime of the generated token
    token_no_default_policy bool
    If true, the 'default' policy will not automatically be added to generated tokens
    token_num_uses int
    The maximum number of times a token may be used, a value of zero means unlimited
    token_period int
    Generated Token's Period
    token_policies Sequence[str]
    Generated Token's Policies
    token_ttl int
    The initial ttl of the token to generate in seconds
    token_type str
    The type of token to generate, service or batch
    allowInstanceMigration Boolean
    If set to true, allows migration of the underlying instance where the client resides.
    authType String
    The auth type permitted for this role. Valid choices are ec2 and iam. Defaults to iam.
    backend String
    Path to the mounted aws auth backend.
    boundAccountIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundAmiIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundEc2InstanceIds List<String>
    Only EC2 instances that match this instance ID will be permitted to log in.
    boundIamInstanceProfileArns List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile ARN which has a prefix that matches the value specified by this field. The value is prefix-matched as though it were a glob ending in *. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundIamPrincipalArns List<String>
    If set, defines the IAM principal that must be authenticated when auth_type is set to iam. Wildcards are supported at the end of the ARN.
    boundIamRoleArns List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundRegions List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that the region in their identity document must match the one specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundSubnetIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    boundVpcIds List<String>
    If set, defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value specified by this field. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    disallowReauthentication Boolean
    IF set to true, only allows a single token to be granted per instance ID. This can only be set when auth_type is set to ec2.
    inferredAwsRegion String
    When inferred_entity_type is set, this is the region to search for the inferred entities. Required if inferred_entity_type is set. This only applies when auth_type is set to iam.
    inferredEntityType String
    If set, instructs Vault to turn on inferencing. The only valid value is ec2_instance, which instructs Vault to infer that the role comes from an EC2 instance in an IAM instance profile. This only applies when auth_type is set to iam.
    namespace String
    The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
    resolveAwsUniqueIds Boolean
    Only valid when auth_type is iam. If set to true, the bound_iam_principal_arns are resolved to AWS Unique IDs for the bound principal ARN. This field is ignored when a bound_iam_principal_arn ends in a wildcard. Resolving to unique IDs more closely mimics the behavior of AWS services in that if an IAM user or role is deleted and a new one is recreated with the same name, those new users or roles won't get access to roles in Vault that were permissioned to the prior principals of the same name. Defaults to true. Once set to true, this cannot be changed to false without recreating the role.
    role String
    The name of the role.
    roleId String
    The Vault generated role ID.
    roleTag String
    If set, enable role tags for this role. The value set for this field should be the key of the tag on the EC2 instance. auth_type must be set to ec2 or inferred_entity_type must be set to ec2_instance to use this constraint.
    tokenBoundCidrs List<String>
    Specifies the blocks of IP addresses which are allowed to use the generated token
    tokenExplicitMaxTtl Number
    Generated Token's Explicit Maximum TTL in seconds
    tokenMaxTtl Number
    The maximum lifetime of the generated token
    tokenNoDefaultPolicy Boolean
    If true, the 'default' policy will not automatically be added to generated tokens
    tokenNumUses Number
    The maximum number of times a token may be used, a value of zero means unlimited
    tokenPeriod Number
    Generated Token's Period
    tokenPolicies List<String>
    Generated Token's Policies
    tokenTtl Number
    The initial ttl of the token to generate in seconds
    tokenType String
    The type of token to generate, service or batch

    Import

    AWS auth backend roles can be imported using auth/, the backend path, /role/, and the role name e.g.

    $ pulumi import vault:aws/authBackendRole:AuthBackendRole example auth/aws/role/test-role

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Vault pulumi/pulumi-vault
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the vault Terraform Provider.
    vault logo
    HashiCorp Vault v6.7.1 published on Friday, May 2, 2025 by Pulumi
    pulumi/pulumi-vault