AuthProvider

dbt Cloud v1.8.0, Apr 15 26

Viewing docs for dbt Cloud v1.8.0
published on Wednesday, Apr 15, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-dbtcloud

Viewing docs for dbt Cloud v1.8.0
published on Wednesday, Apr 15, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-dbtcloud

Create AuthProvider Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AuthProvider(name: string, args: AuthProviderArgs, opts?: CustomResourceOptions);

@overload
def AuthProvider(resource_name: str,
                 args: AuthProviderArgs,
                 opts: Optional[ResourceOptions] = None)

@overload
def AuthProvider(resource_name: str,
                 opts: Optional[ResourceOptions] = None,
                 type: Optional[str] = None,
                 client_secret_wo_version: Optional[int] = None,
                 attribute_map: Optional[str] = None,
                 authorization_url: Optional[str] = None,
                 cert: Optional[str] = None,
                 cert_wo: Optional[str] = None,
                 cert_wo_version: Optional[int] = None,
                 client_id: Optional[str] = None,
                 client_secret: Optional[str] = None,
                 admin_refresh_token: Optional[str] = None,
                 client_secret_wo: Optional[str] = None,
                 gsuite_admin_id: Optional[str] = None,
                 entity_id: Optional[str] = None,
                 domain: Optional[str] = None,
                 include_indirect_groups: Optional[bool] = None,
                 max_groups_to_retrieve: Optional[int] = None,
                 sign_request: Optional[bool] = None,
                 slug: Optional[str] = None,
                 sso_url: Optional[str] = None,
                 tenant_id: Optional[str] = None,
                 allow_password_backdoor: Optional[bool] = None)

func NewAuthProvider(ctx *Context, name string, args AuthProviderArgs, opts ...ResourceOption) (*AuthProvider, error)

public AuthProvider(string name, AuthProviderArgs args, CustomResourceOptions? opts = null)

public AuthProvider(String name, AuthProviderArgs args)
public AuthProvider(String name, AuthProviderArgs args, CustomResourceOptions options)

type: dbtcloud:AuthProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AuthProviderArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var authProviderResource = new DbtCloud.AuthProvider("authProviderResource", new()
{
    Type = "string",
    ClientSecretWoVersion = 0,
    AttributeMap = "string",
    AuthorizationUrl = "string",
    Cert = "string",
    CertWo = "string",
    CertWoVersion = 0,
    ClientId = "string",
    ClientSecret = "string",
    AdminRefreshToken = "string",
    ClientSecretWo = "string",
    GsuiteAdminId = "string",
    EntityId = "string",
    Domain = "string",
    IncludeIndirectGroups = false,
    MaxGroupsToRetrieve = 0,
    SignRequest = false,
    Slug = "string",
    SsoUrl = "string",
    TenantId = "string",
    AllowPasswordBackdoor = false,
});

example, err := dbtcloud.NewAuthProvider(ctx, "authProviderResource", &dbtcloud.AuthProviderArgs{
	Type:                  pulumi.String("string"),
	ClientSecretWoVersion: pulumi.Int(0),
	AttributeMap:          pulumi.String("string"),
	AuthorizationUrl:      pulumi.String("string"),
	Cert:                  pulumi.String("string"),
	CertWo:                pulumi.String("string"),
	CertWoVersion:         pulumi.Int(0),
	ClientId:              pulumi.String("string"),
	ClientSecret:          pulumi.String("string"),
	AdminRefreshToken:     pulumi.String("string"),
	ClientSecretWo:        pulumi.String("string"),
	GsuiteAdminId:         pulumi.String("string"),
	EntityId:              pulumi.String("string"),
	Domain:                pulumi.String("string"),
	IncludeIndirectGroups: pulumi.Bool(false),
	MaxGroupsToRetrieve:   pulumi.Int(0),
	SignRequest:           pulumi.Bool(false),
	Slug:                  pulumi.String("string"),
	SsoUrl:                pulumi.String("string"),
	TenantId:              pulumi.String("string"),
	AllowPasswordBackdoor: pulumi.Bool(false),
})

var authProviderResource = new AuthProvider("authProviderResource", AuthProviderArgs.builder()
    .type("string")
    .clientSecretWoVersion(0)
    .attributeMap("string")
    .authorizationUrl("string")
    .cert("string")
    .certWo("string")
    .certWoVersion(0)
    .clientId("string")
    .clientSecret("string")
    .adminRefreshToken("string")
    .clientSecretWo("string")
    .gsuiteAdminId("string")
    .entityId("string")
    .domain("string")
    .includeIndirectGroups(false)
    .maxGroupsToRetrieve(0)
    .signRequest(false)
    .slug("string")
    .ssoUrl("string")
    .tenantId("string")
    .allowPasswordBackdoor(false)
    .build());

auth_provider_resource = dbtcloud.AuthProvider("authProviderResource",
    type="string",
    client_secret_wo_version=0,
    attribute_map="string",
    authorization_url="string",
    cert="string",
    cert_wo="string",
    cert_wo_version=0,
    client_id="string",
    client_secret="string",
    admin_refresh_token="string",
    client_secret_wo="string",
    gsuite_admin_id="string",
    entity_id="string",
    domain="string",
    include_indirect_groups=False,
    max_groups_to_retrieve=0,
    sign_request=False,
    slug="string",
    sso_url="string",
    tenant_id="string",
    allow_password_backdoor=False)

const authProviderResource = new dbtcloud.AuthProvider("authProviderResource", {
    type: "string",
    clientSecretWoVersion: 0,
    attributeMap: "string",
    authorizationUrl: "string",
    cert: "string",
    certWo: "string",
    certWoVersion: 0,
    clientId: "string",
    clientSecret: "string",
    adminRefreshToken: "string",
    clientSecretWo: "string",
    gsuiteAdminId: "string",
    entityId: "string",
    domain: "string",
    includeIndirectGroups: false,
    maxGroupsToRetrieve: 0,
    signRequest: false,
    slug: "string",
    ssoUrl: "string",
    tenantId: "string",
    allowPasswordBackdoor: false,
});

type: dbtcloud:AuthProvider
properties:
    adminRefreshToken: string
    allowPasswordBackdoor: false
    attributeMap: string
    authorizationUrl: string
    cert: string
    certWo: string
    certWoVersion: 0
    clientId: string
    clientSecret: string
    clientSecretWo: string
    clientSecretWoVersion: 0
    domain: string
    entityId: string
    gsuiteAdminId: string
    includeIndirectGroups: false
    maxGroupsToRetrieve: 0
    signRequest: false
    slug: string
    ssoUrl: string
    tenantId: string
    type: string

AuthProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AuthProvider resource accepts the following input properties:

Type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
AdminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
AllowPasswordBackdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
AttributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
AuthorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
Cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
CertWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
CertWoVersion int: Increment to rotate certWo without changing the value.
ClientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
ClientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
ClientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
ClientSecretWoVersion int: Increment to rotate clientSecretWo without changing the value.
Domain string: Primary domain for the Azure AD or Google Workspace tenant.
EntityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
GsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
IncludeIndirectGroups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
MaxGroupsToRetrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
SignRequest bool: Whether to sign SAML authentication requests. Defaults to false.
Slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
SsoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
TenantId string: Azure AD tenant ID. Required for azureSingleTenant.

Type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
AdminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
AllowPasswordBackdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
AttributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
AuthorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
Cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
CertWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
CertWoVersion int: Increment to rotate certWo without changing the value.
ClientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
ClientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
ClientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
ClientSecretWoVersion int: Increment to rotate clientSecretWo without changing the value.
Domain string: Primary domain for the Azure AD or Google Workspace tenant.
EntityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
GsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
IncludeIndirectGroups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
MaxGroupsToRetrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
SignRequest bool: Whether to sign SAML authentication requests. Defaults to false.
Slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
SsoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
TenantId string: Azure AD tenant ID. Required for azureSingleTenant.

type String: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
adminRefreshToken String: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor Boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap String: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl String: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert String: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion Integer: Increment to rotate certWo without changing the value.
clientId String: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret String: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion Integer: Increment to rotate clientSecretWo without changing the value.
domain String: Primary domain for the Azure AD or Google Workspace tenant.
entityId String: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId String: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups Boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
maxGroupsToRetrieve Integer: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest Boolean: Whether to sign SAML authentication requests. Defaults to false.
slug String: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl String: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
tenantId String: Azure AD tenant ID. Required for azureSingleTenant.

type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
adminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion number: Increment to rotate certWo without changing the value.
clientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion number: Increment to rotate clientSecretWo without changing the value.
domain string: Primary domain for the Azure AD or Google Workspace tenant.
entityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
maxGroupsToRetrieve number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest boolean: Whether to sign SAML authentication requests. Defaults to false.
slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
tenantId string: Azure AD tenant ID. Required for azureSingleTenant.

type str: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
admin_refresh_token str: Google Workspace admin OAuth refresh token used to fetch group memberships.
allow_password_backdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attribute_map str: JSON map of SAML attribute names to dbt Cloud user fields.
authorization_url str: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert str: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
cert_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
cert_wo_version int: Increment to rotate certWo without changing the value.
client_id str: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
client_secret str: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
client_secret_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
client_secret_wo_version int: Increment to rotate clientSecretWo without changing the value.
domain str: Primary domain for the Azure AD or Google Workspace tenant.
entity_id str: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuite_admin_id str: Google Workspace admin email used to fetch group memberships.
include_indirect_groups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
max_groups_to_retrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
sign_request bool: Whether to sign SAML authentication requests. Defaults to false.
slug str: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
sso_url str: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
tenant_id str: Azure AD tenant ID. Required for azureSingleTenant.

type String: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
adminRefreshToken String: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor Boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap String: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl String: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert String: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion Number: Increment to rotate certWo without changing the value.
clientId String: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret String: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion Number: Increment to rotate clientSecretWo without changing the value.
domain String: Primary domain for the Azure AD or Google Workspace tenant.
entityId String: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId String: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups Boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
maxGroupsToRetrieve Number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest Boolean: Whether to sign SAML authentication requests. Defaults to false.
slug String: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl String: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
tenantId String: Azure AD tenant ID. Required for azureSingleTenant.

Outputs

All input properties are implicitly available as output properties. Additionally, the AuthProvider resource produces the following output properties:

CertExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
CreatedAt string
Id string: The provider-assigned unique ID for this managed resource.
LoginUrl string: The SSO login URL for the account, auto-generated from the slug.
State int: The state of the auth provider (1 = active).
UpdatedAt string

CertExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
CreatedAt string
Id string: The provider-assigned unique ID for this managed resource.
LoginUrl string: The SSO login URL for the account, auto-generated from the slug.
State int: The state of the auth provider (1 = active).
UpdatedAt string

certExpiryDate String: Expiry date of the SAML X.509 certificate (SAML/Okta only).
createdAt String
id String: The provider-assigned unique ID for this managed resource.
loginUrl String: The SSO login URL for the account, auto-generated from the slug.
state Integer: The state of the auth provider (1 = active).
updatedAt String

certExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
createdAt string
id string: The provider-assigned unique ID for this managed resource.
loginUrl string: The SSO login URL for the account, auto-generated from the slug.
state number: The state of the auth provider (1 = active).
updatedAt string

cert_expiry_date str: Expiry date of the SAML X.509 certificate (SAML/Okta only).
created_at str
id str: The provider-assigned unique ID for this managed resource.
login_url str: The SSO login URL for the account, auto-generated from the slug.
state int: The state of the auth provider (1 = active).
updated_at str

certExpiryDate String: Expiry date of the SAML X.509 certificate (SAML/Okta only).
createdAt String
id String: The provider-assigned unique ID for this managed resource.
loginUrl String: The SSO login URL for the account, auto-generated from the slug.
state Number: The state of the auth provider (1 = active).
updatedAt String

Look up Existing AuthProvider Resource

Get an existing AuthProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AuthProviderState, opts?: CustomResourceOptions): AuthProvider

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        admin_refresh_token: Optional[str] = None,
        allow_password_backdoor: Optional[bool] = None,
        attribute_map: Optional[str] = None,
        authorization_url: Optional[str] = None,
        cert: Optional[str] = None,
        cert_expiry_date: Optional[str] = None,
        cert_wo: Optional[str] = None,
        cert_wo_version: Optional[int] = None,
        client_id: Optional[str] = None,
        client_secret: Optional[str] = None,
        client_secret_wo: Optional[str] = None,
        client_secret_wo_version: Optional[int] = None,
        created_at: Optional[str] = None,
        domain: Optional[str] = None,
        entity_id: Optional[str] = None,
        gsuite_admin_id: Optional[str] = None,
        include_indirect_groups: Optional[bool] = None,
        login_url: Optional[str] = None,
        max_groups_to_retrieve: Optional[int] = None,
        sign_request: Optional[bool] = None,
        slug: Optional[str] = None,
        sso_url: Optional[str] = None,
        state: Optional[int] = None,
        tenant_id: Optional[str] = None,
        type: Optional[str] = None,
        updated_at: Optional[str] = None) -> AuthProvider

func GetAuthProvider(ctx *Context, name string, id IDInput, state *AuthProviderState, opts ...ResourceOption) (*AuthProvider, error)

public static AuthProvider Get(string name, Input<string> id, AuthProviderState? state, CustomResourceOptions? opts = null)

public static AuthProvider get(String name, Output<String> id, AuthProviderState state, CustomResourceOptions options)

resources:  _:    type: dbtcloud:AuthProvider    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AdminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
AllowPasswordBackdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
AttributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
AuthorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
Cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
CertExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
CertWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
CertWoVersion int: Increment to rotate certWo without changing the value.
ClientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
ClientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
ClientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
ClientSecretWoVersion int: Increment to rotate clientSecretWo without changing the value.
CreatedAt string
Domain string: Primary domain for the Azure AD or Google Workspace tenant.
EntityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
GsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
IncludeIndirectGroups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
LoginUrl string: The SSO login URL for the account, auto-generated from the slug.
MaxGroupsToRetrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
SignRequest bool: Whether to sign SAML authentication requests. Defaults to false.
Slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
SsoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
State int: The state of the auth provider (1 = active).
TenantId string: Azure AD tenant ID. Required for azureSingleTenant.
Type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
UpdatedAt string

AdminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
AllowPasswordBackdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
AttributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
AuthorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
Cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
CertExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
CertWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
CertWoVersion int: Increment to rotate certWo without changing the value.
ClientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
ClientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
ClientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
ClientSecretWoVersion int: Increment to rotate clientSecretWo without changing the value.
CreatedAt string
Domain string: Primary domain for the Azure AD or Google Workspace tenant.
EntityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
GsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
IncludeIndirectGroups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
LoginUrl string: The SSO login URL for the account, auto-generated from the slug.
MaxGroupsToRetrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
SignRequest bool: Whether to sign SAML authentication requests. Defaults to false.
Slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
SsoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
State int: The state of the auth provider (1 = active).
TenantId string: Azure AD tenant ID. Required for azureSingleTenant.
Type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
UpdatedAt string

adminRefreshToken String: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor Boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap String: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl String: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert String: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certExpiryDate String: Expiry date of the SAML X.509 certificate (SAML/Okta only).
certWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion Integer: Increment to rotate certWo without changing the value.
clientId String: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret String: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion Integer: Increment to rotate clientSecretWo without changing the value.
createdAt String
domain String: Primary domain for the Azure AD or Google Workspace tenant.
entityId String: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId String: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups Boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
loginUrl String: The SSO login URL for the account, auto-generated from the slug.
maxGroupsToRetrieve Integer: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest Boolean: Whether to sign SAML authentication requests. Defaults to false.
slug String: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl String: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
state Integer: The state of the auth provider (1 = active).
tenantId String: Azure AD tenant ID. Required for azureSingleTenant.
type String: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
updatedAt String

adminRefreshToken string: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap string: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl string: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert string: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certExpiryDate string: Expiry date of the SAML X.509 certificate (SAML/Okta only).
certWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion number: Increment to rotate certWo without changing the value.
clientId string: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret string: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo string: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion number: Increment to rotate clientSecretWo without changing the value.
createdAt string
domain string: Primary domain for the Azure AD or Google Workspace tenant.
entityId string: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId string: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
loginUrl string: The SSO login URL for the account, auto-generated from the slug.
maxGroupsToRetrieve number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest boolean: Whether to sign SAML authentication requests. Defaults to false.
slug string: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl string: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
state number: The state of the auth provider (1 = active).
tenantId string: Azure AD tenant ID. Required for azureSingleTenant.
type string: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
updatedAt string

admin_refresh_token str: Google Workspace admin OAuth refresh token used to fetch group memberships.
allow_password_backdoor bool: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attribute_map str: JSON map of SAML attribute names to dbt Cloud user fields.
authorization_url str: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert str: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
cert_expiry_date str: Expiry date of the SAML X.509 certificate (SAML/Okta only).
cert_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
cert_wo_version int: Increment to rotate certWo without changing the value.
client_id str: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
client_secret str: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
client_secret_wo str: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
client_secret_wo_version int: Increment to rotate clientSecretWo without changing the value.
created_at str
domain str: Primary domain for the Azure AD or Google Workspace tenant.
entity_id str: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuite_admin_id str: Google Workspace admin email used to fetch group memberships.
include_indirect_groups bool: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
login_url str: The SSO login URL for the account, auto-generated from the slug.
max_groups_to_retrieve int: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
sign_request bool: Whether to sign SAML authentication requests. Defaults to false.
slug str: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
sso_url str: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
state int: The state of the auth provider (1 = active).
tenant_id str: Azure AD tenant ID. Required for azureSingleTenant.
type str: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
updated_at str

adminRefreshToken String: Google Workspace admin OAuth refresh token used to fetch group memberships.
allowPasswordBackdoor Boolean: When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
attributeMap String: JSON map of SAML attribute names to dbt Cloud user fields.
authorizationUrl String: OAuth authorization URL for Google Workspace. May be auto-populated server-side.
cert String: SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using certWo instead. Conflicts with certWo.
certExpiryDate String: Expiry date of the SAML X.509 certificate (SAML/Okta only).
certWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to cert. Not stored in state. Use certWoVersion to trigger updates. Conflicts with cert.
certWoVersion Number: Increment to rotate certWo without changing the value.
clientId String: OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
clientSecret String: OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using clientSecretWo instead. Conflicts with clientSecretWo.
clientSecretWo String: NOTE: This field is write-only and its value will not be updated in state as part of read operations. Write-only alternative to clientSecret. Not stored in state. Use clientSecretWoVersion to trigger updates. Conflicts with clientSecret.
clientSecretWoVersion Number: Increment to rotate clientSecretWo without changing the value.
createdAt String
domain String: Primary domain for the Azure AD or Google Workspace tenant.
entityId String: SAML entity ID (Issuer) from your identity provider. Required for saml and okta.
gsuiteAdminId String: Google Workspace admin email used to fetch group memberships.
includeIndirectGroups Boolean: Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
loginUrl String: The SSO login URL for the account, auto-generated from the slug.
maxGroupsToRetrieve Number: Maximum number of Azure AD groups to fetch per user. Defaults to 250.
signRequest Boolean: Whether to sign SAML authentication requests. Defaults to false.
slug String: URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
ssoUrl String: SAML Single Sign-On URL from your identity provider. Required for saml and okta.
state Number: The state of the auth provider (1 = active).
tenantId String: Azure AD tenant ID. Required for azureSingleTenant.
type String: The SSO provider type. One of: saml, okta, gsuite, azureSingleTenant, azureMultiTenant, azureActiveDirectory. Changing this value forces a new resource.
updatedAt String

Import

Import an existing auth provider by its numeric ID. The ID can be found via the dbt Cloud API: GET /api/v3/accounts/{account_id}/auth-provider/

$ pulumi import dbtcloud:index/authProvider:AuthProvider example 12345

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: dbtcloud pulumi/pulumi-dbtcloud
License: Apache-2.0
Notes: This Pulumi package is based on the dbtcloud Terraform Provider.

Viewing docs for dbt Cloud v1.8.0
published on Wednesday, Apr 15, 2026 by Pulumi

Schema (JSON)

pulumi/pulumi-dbtcloud

dbtcloud.AuthProvider

On this page

On this page

Create AuthProvider Resource

Constructor syntax

Parameters

Constructor example

AuthProvider Resource Properties

Inputs

Outputs

Look up Existing AuthProvider Resource

Import

Package Details

On this page

On this page