# Reference for the `teleport_scoped_token` Terraform data source

This page describes the supported values of the `teleport_scoped_token` data source of the Teleport Terraform provider.

## Schema

### Required

- `metadata` (Attributes) Metadata contains the resource metadata. (see [below for nested schema](#nested-schema-for-metadata))
- `scope` (String) Scope is the scope of the token resource.
- `spec` (Attributes) Spec is the token specification. (see [below for nested schema](#nested-schema-for-spec))
- `version` (String) Version is the resource version.

### Optional

- `sub_kind` (String) SubKind is the resource sub-kind.

### Nested Schema for `metadata`

Required:

- `name` (String) name is the object name.

Optional:

- `description` (String) description is the object description.
- `expires` (String) expires is a global expiry time that can be set on any resource in the system.
- `labels` (Map of String) labels is a set of labels.

### Nested Schema for `spec`

Required:

- `assigned_scope` (String) The scope to which this token is assigned. Must be equal to, or a descendant of, the scope of the token itself.
- `join_method` (String) The join method required in order to use this token. The only join method supported for scoped tokens is 'token'.
- `roles` (List of String) The list of roles associated with the token. They will be converted to metadata in the SSH and X509 certificates issued to the user of the token.
- `usage_mode` (String) The usage mode of the token. Can be "single_use" or "unlimited". Single-use tokens can only be used to provision a single resource. Unlimited tokens can be used to provision any number of resources until the token expires.

Optional:

- `aws` (Attributes) The AWS-specific configuration used with the "ec2" and "iam" join methods. (see [below for nested schema](#nested-schema-for-specaws))
- `azure` (Attributes) The Azure-specific configuration used with the "azure" join method. (see [below for nested schema](#nested-schema-for-specazure))
- `azure_devops` (Attributes) The Azure DevOps-specific configuration used with the "azure_devops" join method. (see [below for nested schema](#nested-schema-for-specazure_devops))
- `gcp` (Attributes) The GCP-specific configuration used with the "gcp" join method. (see [below for nested schema](#nested-schema-for-specgcp))
- `immutable_labels` (Attributes) Immutable labels that should be applied to any resulting resources provisioned using this token. (see [below for nested schema](#nested-schema-for-specimmutable_labels))
- `kubernetes` (Attributes) The Kubernetes-specific configuration used with the "kubernetes" join method. (see [below for nested schema](#nested-schema-for-speckubernetes))
- `oracle` (Attributes) The Oracle-specific configuration used with the "oracle" join method. (see [below for nested schema](#nested-schema-for-specoracle))
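As an added example, not taken from the provider documentation or the Teleport project, the following data block sets every attribute the schema above lists as required and keeps `assigned_scope` under `scope` as the spec demands. The provider configuration, the path-style `/staging` scope format, the `v1` version string and all other values are assumptions.

```hcl
# Added example; not from the Teleport provider docs. Assumes the Teleport
# Terraform provider is already configured. All values are constructed.
data "teleport_scoped_token" "staging_nodes" {
  version = "v1" # assumption: replace with the resource version your cluster reports

  metadata = {
    name        = "staging-node-join"
    description = "Join token for SSH nodes in the staging scope"
    labels = {
      team = "platform"
    }
  }

  # The scope the token resource itself lives in (path format assumed).
  scope = "/staging"

  spec = {
    # Must equal "/staging" or be a descendant of it, such as "/staging/eu".
    assigned_scope = "/staging/eu"

    # The only join method the schema lists as supported for scoped tokens.
    join_method = "token"
    roles       = ["Node"]

    # single_use: the token is consumed by the first resource that joins,
    # so a leaked token cannot be replayed to enrol further nodes.
    usage_mode = "single_use"

    # Labels every node provisioned with this token carries and cannot override.
    immutable_labels = {
      ssh = {
        env = "staging"
      }
    }
  }
}

output "staging_token_assigned_scope" {
  value = data.teleport_scoped_token.staging_nodes.spec.assigned_scope
}
```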

### Nested Schema for `spec.aws`

Optional:

- `allow` (Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see [below for nested schema](#nested-schema-for-specawsallow))
- `iid_ttl` (String) The TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. This should be a duration string such as "8h" or "6mo".
- `integration` (String) Integration name which provides credentials for validating join attempts. Currently only in use for validating the AWS Organization ID in the IAM Join method.

### Nested Schema for `spec.aws.allow`

Optional:

- `aws_account` (String) The AWS account ID.
- `aws_arn` (String) The ARN of the joining identity for use with the IAM join method. Supports wildcards "*" and "?".
- `aws_organization_id` (String) The organization ID that the joining AWS identity must belong to when using the IAM join method.
- `aws_regions` (List of String) List of AWS regions a node is allowed to join from when using the EC2 join method.
- `aws_role` (String) The ARN of the role the Auth Service will assume in order to call the EC2 API when using the EC2 join method.

### Nested Schema for `spec.azure`

Optional:

- `allow` (Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see [below for nested schema](#nested-schema-for-specazureallow))

### Nested Schema for `spec.azure.allow`

Optional:

- `resource_groups` (List of String) A list of Azure resource groups the node is allowed to join from.
- `subscription` (String) The Azure subscription.

### Nested Schema for `spec.azure_devops`

Optional:

- `allow` (Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see [below for nested schema](#nested-schema-for-specazure_devopsallow))
- `organization_id` (String) The UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer when verifying the ID token. This is a required field.

### Nested Schema for `spec.azure_devops.allow`

Optional:

- `definition_id` (String) The ID of the AZDO pipeline definition. Example: `1`. Mapped from the `def_id` claim.
- `pipeline_name` (String) The name of the AZDO pipeline. Example: `my-pipeline`. Mapped out of the `sub` claim.
- `project_id` (String) The ID of the AZDO project. Example: `271ef6f7-0000-0000-0000-4b54d9129990`. Mapped from the `prj_id` claim.
- `project_name` (String) The name of the AZDO project. Example: `my-project`. Mapped out of the `sub` claim.
- `repository_ref` (String) The reference of the repository the pipeline is using. Example: `refs/heads/main`. Mapped from the `rpo_ref` claim.
- `repository_uri` (String) The URI of the repository the pipeline is using. Example: `https://github.com/gravitational/teleport.git`. Mapped from the `rpo_uri` claim.
- `repository_version` (String) The individual commit of the repository the pipeline is using. Example: `e6b9eb29a288b27a3a82cc19c48b9d94b80aff36`. Mapped from the `rpo_ver` claim.
- `sub` (String) The subject string that roughly uniquely identifies the workload. Example: `p://my-organization/my-project/my-pipeline`. Mapped from the `sub` claim.

### Nested Schema for `spec.gcp`

Optional:

- `allow` (Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see [below for nested schema](#nested-schema-for-specgcpallow))

### Nested Schema for `spec.gcp.allow`

Optional:

- `locations` (List of String) A list of regions (e.g. "us-west1") and/or zones (e.g. "us-west1-b").
- `project_ids` (List of String) A list of project IDs (e.g. `<example-id-123456>`).
- `service_accounts` (List of String) A list of service account emails (e.g. `<project-number>-compute@developer.gserviceaccount.com`).

### Nested Schema for `spec.immutable_labels`

Optional:

- `ssh` (Map of String) Labels that should be applied to SSH nodes.

### Nested Schema for `spec.kubernetes`

Optional:

- `allow` (Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see [below for nested schema](#nested-schema-for-speckubernetesallow))
- `oidc` (Attributes) The configuration specific to the `oidc` type. (see [below for nested schema](#nested-schema-for-speckubernetesoidc))
- `static_jwks` (Attributes) The configuration specific to the `static_jwks` type. (see [below for nested schema](#nested-schema-for-speckubernetesstatic_jwks))
- `type` (String) Controls which behavior should be used for validating the Kubernetes Service Account token. Supported values: `in_cluster`, `static_jwks`, `oidc`.

### Nested Schema for `spec.kubernetes.allow`

Optional:

- `service_account` (String) The namespaced name of the Kubernetes service account. Its format is "namespace:service-account".

### Nested Schema for `spec.kubernetes.oidc`

Optional:

- `insecure_allow_http_issuer` (Boolean) If set, disables the requirement that the issuer must use HTTPS.
- `issuer` (String) The URI of the OIDC issuer. It must have an accessible and OIDC-compliant `/.well-known/openid-configuration` endpoint. This should be a valid URL and must exactly match the `issuer` field in a service account JWT. For example: <https://oidc.eks.us-west-2.amazonaws.com/id/12345>...

### Nested Schema for `spec.kubernetes.static_jwks`

Optional:

- `jwks` (String) The JSON Web Key Set formatted public keys that the Kubernetes Cluster uses to sign service account tokens. This can be fetched from /openid/v1/jwks on the Kubernetes API Server.

### Nested Schema for `spec.oracle`

Optional:

- `allow` (Attributes List) A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token. (see [below for nested schema](#nested-schema-for-specoracleallow))

### Nested Schema for `spec.oracle.allow`

Optional:

- `instances` (List of String) A list of the OCIDs of specific instances that are allowed to join. If empty, any instance matching the other fields in the rule is allowed. Limited to 100 instance OCIDs per rule.
- `parent_compartments` (List of String) A list of the OCIDs of compartments an instance is allowed to join from. Only direct parents are allowed, i.e. no nested compartments. If empty, any compartment is allowed.
- `regions` (List of String) A list of regions an instance is allowed to join from. Both full region names ("us-phoenix-1") and abbreviations ("phx") are allowed. If empty, any region is allowed.
- `tenancy` (String) The OCID of the instance's tenancy. Required.
