| Parameter | Choices/Defaults | Comments |
| --- | --- | --- |
| allowed_redirect_uris | | The list of allowed values for `redirect_uri` during OIDC logins. When using nested namespaces, URL-encode the `/` separator inside the namespace as `%2F`. |
| authtype | Choices: `token`, `userpass`, `github`, `ldap`, `approle`. Default: `token`, or environment variable `VAULT_AUTHTYPE` | Authentication type used to log in to Vault. |
| aws_header | Default: environment variable `VAULT_AWS_HEADER` | Value for the `X-Vault-AWS-IAM-Server-ID` header, which binds a signed AWS IAM login request to one Vault server so it cannot be replayed against another. |
| bound_audiences | | List of `aud` claim values to match against; a single match is sufficient. |
| bound_claims | | If set, a map of claim names to required values. Each expected value may be a single string or a list of strings; the token's claim must match one of them. |
| bound_subject | | If set, the token's `sub` claim must equal this value. |
| ca_cert | Default: environment variable `VAULT_CACERT` | Path to a PEM-encoded CA certificate file used to verify the Vault server's TLS certificate. |
| ca_path | Default: environment variable `VAULT_CAPATH` | Path to a directory of PEM-encoded CA certificate files used to verify the Vault server's TLS certificate. If `ca_cert` is also set, `ca_cert` takes precedence. |
| claim_mappings | | If set, a map of claim names (keys) to the alias metadata fields (values) their values are copied into on login. |
| client_cert | Default: environment variable `VAULT_CLIENT_CERT` | Path to a PEM-encoded client certificate for TLS client authentication to the Vault server. |
| client_key | Default: environment variable `VAULT_CLIENT_KEY` | Path to the unencrypted PEM-encoded private key matching `client_cert`. |
| groups_claim | | Claim whose value identifies the set of groups the user belongs to; each value becomes the name of an Identity group alias created on successful login. The claim value must be a list of strings. |
| login_mount_point | Default: value of `authtype`, or environment variable `VAULT_LOGIN_MOUNT_POINT` | Mount point of the auth method this module logs in with (as opposed to `mount_point`, the OIDC mount the role is created on). |
| mount_point | Default: `oidc` | Mount point of the OIDC auth method on which the role is created. |
| name | | Name of the role in Vault. |
| namespace | Default: environment variable `VAULT_NAMESPACE` | Vault namespace to operate in. |
| oidc_scopes | | If set, a list of OIDC scopes to request for an OIDC role. The standard `openid` scope is always included and need not be listed. |
| password | Default: environment variable `VAULT_PASSWORD` | Password used to log in to Vault. |
| token | Default: environment variable `VAULT_TOKEN` | Vault token used to authenticate. |
| token_bound_cidrs | | List of CIDR blocks. If set, only clients from these blocks can log in successfully, and the issued token is restricted to these blocks as well. |
| token_explicit_max_ttl | | If set, encodes an explicit maximum TTL onto the token. This is a hard cap that applies even when `token_ttl` and `token_max_ttl` would otherwise permit a renewal. |
| token_max_ttl | | Maximum lifetime for generated tokens. The value in effect at renewal time is the one applied. |
| token_no_default_policy | | If set, the `default` policy is not attached to generated tokens; otherwise it is added to the policies listed in `token_policies`. |
| token_num_uses | | Maximum number of times a generated token may be used within its lifetime; `0` means unlimited. |
| token_period | | If set, a token generated using this role does not expire as long as it is renewed within this duration; at each renewal its TTL is reset to this value. |
| token_policies | | List of policies to encode onto generated tokens. Depending on the auth method, user, group or other sources may add to this list. |
| token_ttl | | Incremental lifetime for generated tokens. The value in effect at renewal time is the one applied. |
| token_type | | Type of token to generate: `service`, `batch`, or `default` to use the mount's tuned default (service tokens unless changed). Token store roles additionally accept `default-service` and `default-batch`, which set the type returned unless the client requests a different one at generation time. |
| url | Default: environment variable `VAULT_ADDR` | URL of the Vault server. |
| user_claim | Default: `sub` | Claim whose value uniquely identifies the user; it becomes the name of the Identity entity alias created on successful login. The claim value must be a string. |
| username | Default: environment variable `VAULT_USER` | Username used to log in to Vault. |
| verify | Default: environment variable `VAULT_SKIP_VERIFY` | If set, the Vault server's TLS certificate is not verified before communicating with it. Do not set this outside of testing. |
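The parameter table is dense on the one question that matters when you hand out a role: what a given ID token has to carry to be accepted, and how long the resulting token really lives. The following is an added example, written for this page and not taken from the module or from Vault, that models those semantics exactly as the table states them: the `bound_audiences` / `bound_subject` / `bound_claims` checks, the `user_claim` / `groups_claim` / `claim_mappings` identity derivation with the claim types the table requires, the `%2F` rule for nested namespaces in `allowed_redirect_uris`, and how `token_ttl`, `token_max_ttl`, `token_explicit_max_ttl` and `token_period` interact across renewals. Assumptions: the Vault UI callback path `/ui/vault/auth/oidc/oidc/callback` is used only for illustration, the role and claim dictionaries are constructed sample data, and the renewal model follows the table's wording rather than Vault's source (clock-skew leeway and JSON-pointer claim names are not modelled).

```python
# Added example, not code from the module or from Vault: a model of the role
# semantics as the parameter table describes them.
from urllib.parse import quote

# Vault accepts durations as integer seconds or a string with an s/m/h suffix.
_UNITS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(value):
    """'30m' -> 1800, '2h' -> 7200, 90 -> 90, None/''/0 -> 0 (meaning unset)."""
    if not value:
        return 0
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)


def redirect_uri_for_namespace(callback_uri, namespace):
    """Build an allowed_redirect_uris entry for a (possibly nested) namespace.
    The namespace travels in the query string, so '/' must appear as %2F;
    quote() with safe='' does exactly that. The callback path is assumed."""
    return f"{callback_uri}?namespace={quote(namespace, safe='')}"


def claims_satisfy_bounds(claims, role):
    """True if an ID token's claims pass the role's bound_audiences,
    bound_subject and bound_claims checks as the table defines them."""
    def as_list(v):
        return v if isinstance(v, list) else [v]

    want_aud = role.get("bound_audiences") or []
    if want_aud and not set(want_aud) & set(as_list(claims.get("aud", []))):
        return False                      # any one aud in common is sufficient
    if role.get("bound_subject") and claims.get("sub") != role["bound_subject"]:
        return False                      # sub must equal bound_subject exactly
    for claim, expected in (role.get("bound_claims") or {}).items():
        if claim not in claims:
            return False
        if not set(as_list(expected)) & set(as_list(claims[claim])):
            return False                  # expected is a string or list of strings
    return True


def identity_from_claims(claims, role):
    """Derive the entity alias name, group alias names and alias metadata a
    login would create, enforcing the claim types the table requires."""
    user = claims.get(role.get("user_claim", "sub"))
    if not isinstance(user, str):
        raise ValueError("user_claim must resolve to a string")
    groups = []
    if role.get("groups_claim"):
        groups = claims.get(role["groups_claim"], [])
        if not (isinstance(groups, list) and all(isinstance(g, str) for g in groups)):
            raise ValueError("groups_claim must resolve to a list of strings")
    metadata = {field: claims[claim]
                for claim, field in (role.get("claim_mappings") or {}).items()
                if claim in claims}
    return {"entity_alias": user, "group_aliases": groups, "metadata": metadata}


def simulate_renewals(role, renew_at):
    """Return the token's expiry (seconds after issue) after each renewal in
    renew_at. token_period resets the TTL to the period on every renewal,
    token_max_ttl caps non-periodic renewals relative to issue time, and
    token_explicit_max_ttl is a hard cap on both; renewing an expired token fails."""
    ttl = parse_duration(role.get("token_ttl"))
    max_ttl = parse_duration(role.get("token_max_ttl"))
    explicit_max = parse_duration(role.get("token_explicit_max_ttl"))
    period = parse_duration(role.get("token_period"))

    def cap(expiry):
        return min(expiry, explicit_max) if explicit_max else expiry

    expiry = cap(period or ttl)
    history = []
    for now in renew_at:
        if now > expiry:
            raise ValueError(f"renewal at {now}s: token expired at {expiry}s")
        if period:
            expiry = cap(now + period)
        else:
            proposed = now + ttl
            expiry = cap(min(proposed, max_ttl) if max_ttl else proposed)
        history.append(expiry)
    return history


if __name__ == "__main__":
    # Constructed sample: a periodic role with no explicit max never stops
    # renewing; adding token_explicit_max_ttl is what actually bounds it.
    print(simulate_renewals({"token_period": "1h"}, [3000, 6000, 9000]))
    print(simulate_renewals({"token_period": "1h", "token_explicit_max_ttl": "7000s"}, [3000, 6000]))
```

The last two calls are the practical takeaway: a `token_period` role renewed on schedule keeps going indefinitely, so pair it with `token_explicit_max_ttl` (and `token_bound_cidrs` where the caller's network is known) if you need a guaranteed upper bound on the credential's life.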