maxhoesel.smallstep.step_ca_provisioner module – Manage provisioners on a step-ca server

Note

This module is part of the maxhoesel.smallstep collection (version 0.24.5). It is not included in ansible-core.

To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install maxhoesel.smallstep.

You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: maxhoesel.smallstep.step_ca_provisioner.

New in maxhoesel.smallstep 0.3.0
Synopsis
Use this module to create and remove provisioners from a Smallstep CA server.
Requirements

The below requirements are needed on the host that executes this module.

step-cli must be installed on the remote host. You can set the executable name/path with step_cli_executable.
Parameters

| Parameter | Comments |
|---|---|
| | Admin certificate (chain) in PEM format to store in the ‘x5c’ header of a JWT. |
| | Private key file, used to sign a JWT, corresponding to the admin certificate that will be stored in the ‘x5c’ header. |
| admin_password | The password to encrypt or decrypt the private key. Will be passed to step-cli through a temporary file. Mutually exclusive with admin_password_file. |
| admin_password_file | The path to the file containing the password to encrypt or decrypt the private key. Must already be present on the remote host. Mutually exclusive with admin_password. |
| | The provisioner name to use for generating admin credentials. |
| | The admin subject to use for generating admin credentials. |
| | Allow renewals for expired certificates generated by this provisioner. |
| | The AWS account ids used to validate the identity documents. Must be a list. |
| | The Microsoft Azure audience name used to validate the identity tokens. |
| azure_object_ids | The Microsoft Azure AD object ids used to validate the identity tokens. Must be a list. |
| azure_resource_groups | The Microsoft Azure resource group names used to validate the identity tokens. Must be a list. |
| azure_subscription_ids | The Microsoft Azure subscription ids used to validate the identity tokens. Must be a list. |
| azure_tenant | The Microsoft Azure tenant id used to validate the identity tokens. |
| ca_config | The path to the certificate authority configuration file on the host if managing provisioners locally. |
| | URI of the targeted Step Certificate Authority. |
| | On cloud provisioners, if enabled only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR. |
| | Disable renewal for all certificates generated by this provisioner. |
| | On cloud provisioners, if enabled multiple sign requests for this provisioner with the same instance will be accepted. By default only the first request will be accepted. |
| force_cn | Always set the common name in provisioned certificates. |
| | The Google project ids used to validate the identity tokens. Must be a list. |
| | The Google service account emails or ids used to validate the identity tokens. Must be a list. |
| | The maximum duration to grant a certificate in AWS and GCP provisioners. A duration is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| jwk_create | Create the JWK key pair for the provisioner. |
| private_key | The file containing the JWK private key. |
| name | The name of the provisioner to add/remove. |
| | Root certificate (chain) file used to validate the signature on Nebula provisioning tokens. |
| | The emails of admin users in an OpenID Connect provisioner; these users will not have restrictions in the certificates to sign. Must be a list. |
| client_id | The id used to validate the audience in an OpenID Connect token. |
| client_secret | The secret used to obtain the OpenID Connect tokens. |
| configuration_endpoint | OpenID Connect configuration url. |
| | The group list used to validate the groups extension in an OpenID Connect token. Must be a list. |
| | The callback address used in the OpenID Connect flow (e.g. “:10000”). |
| | The tenant-id used to replace the templatized {tenantid} in the OpenID Configuration. |
| password | The password to encrypt or decrypt the private key. Will be passed to step-cli through a temporary file. Mutually exclusive with password_file. |
| password_file | The path to the file containing the password to encrypt or decrypt the private key. Mutually exclusive with password. |
| public_key | The file containing the JWK public key. Or, a file containing one or more PEM formatted keys, if used with the K8SSA provisioner. |
| require_eab | Require (and enable) External Account Binding (EAB) for Account creation. If this flag is set to false, then disable EAB. |
| | The path to the PEM file used as the root certificate authority. |
| | The SCEP capabilities to advertise. |
| scep_challenge | The SCEP challenge to use as a shared secret between a client and the CA. |
| scep_encryption_algorithm_identifier | The id for the SCEP encryption algorithm to use. Valid values are 0 - 4, inclusive. The values correspond to: 0: DES-CBC, 1: AES-128-CBC, 2: AES-256-CBC, 3: AES-128-GCM, 4: AES-256-GCM. Defaults to DES-CBC (0) for legacy clients. |
| | Include the CA root certificate in the SCEP CA certificate chain. |
| | The minimum public key length of the SCEP RSA encryption key. |
| ssh | Enable provisioning of ssh certificates. The default value is true. To disable ssh use ‘–ssh=false’. |
| | The default duration for an ssh host certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| | The maximum duration for an ssh host certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| | The minimum duration for an ssh host certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| | The ssh certificate template file, a JSON representation of the certificate to create. |
| | The ssh certificate template data file, a JSON map of data that can be used by the certificate template. |
| | The default duration for an ssh user certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| | The maximum duration for an ssh user certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| | The minimum duration for an ssh user certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| state | Whether the provisioner should be present or absent. Note that |
| step_cli_executable | Name (or absolute path) of the |
| type | The type of provisioner to create (case-sensitive). Ignored when state == absent or updated. Required if state == present. |
| x509_default_dur | The default duration for an x509 certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| x509_max_dur | The maximum duration for an x509 certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| x509_min_dur | The minimum duration for an x509 certificate generated by this provisioner. Value must be a sequence of decimal numbers, each with optional fraction, and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. |
| x509_template | The x509 certificate template file, a JSON representation of the certificate to create. |
| | The x509 certificate template data file, a JSON map of data that can be used by the certificate template. |
| x5c_root | Root certificate (chain) file used to validate the signature on X5C provisioning tokens. |
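Several rows above share the same duration grammar, and a few option combinations (min/default/max ordering, password versus password_file, the legacy SCEP cipher id) are easy to get wrong in a playbook and are only rejected once step-cli runs on the remote host. The following is an added example, not code from the collection or from step-cli: a small pre-flight validator a practitioner can run against a task's argument dict before the play. It parses the Go-style duration strings exactly as the table describes them, checks that the x509 duration trio is consistent, applies the documented password/password_file exclusivity, and warns when a SCEP provisioner would fall back to the DES-CBC default (identifier 0). The argument names it reads (x509_min_dur, password_file, scep_encryption_algorithm_identifier, and so on) are the ones used on this page; the sample task at the bottom is constructed for the demo.

```python
# Added example: pre-flight validation of step_ca_provisioner arguments.
# Not part of the maxhoesel.smallstep collection or of step-cli.
import re
from fractions import Fraction

# Nanoseconds per unit for the units the parameter table lists: ns, us (or µs), ms, s, m, h.
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# One "decimal number + unit" component; components may be concatenated ("2h45m").
# "ms" is tried before "m" so that "300ms" is not read as 300 minutes followed by junk.
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?|\.\d+)(ns|us|µs|ms|s|m|h)")

# Identifiers documented for scep_encryption_algorithm_identifier.
SCEP_ALGORITHMS = {0: "DES-CBC", 1: "AES-128-CBC", 2: "AES-256-CBC",
                   3: "AES-128-GCM", 4: "AES-256-GCM"}


def parse_duration_ns(text: str) -> int:
    """Parse a Go-style duration ("300ms", "-1.5h", "2h45m") into integer nanoseconds.

    Raises ValueError on an empty string, a missing unit, or an unknown unit.
    """
    s = text.strip()
    if s in ("0", "+0", "-0"):
        return 0                      # Go accepts a bare zero without a unit
    sign = 1
    if s[:1] in ("+", "-"):
        sign = -1 if s[0] == "-" else 1
        s = s[1:]
    if not s:
        raise ValueError(f"invalid duration {text!r}")
    pos, total = 0, Fraction(0)
    while pos < len(s):
        m = _COMPONENT.match(s, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        number, unit = m.groups()
        total += Fraction(number) * _UNIT_NS[unit]   # exact arithmetic, no float drift
        pos = m.end()
    return sign * int(total)          # sub-nanosecond fractions truncate, as in Go


def check_duration_claims(min_dur=None, default_dur=None, max_dur=None):
    """Check a min/default/max duration trio; returns a list of problems (empty if fine)."""
    problems, values = [], {}
    for label, text in (("min", min_dur), ("default", default_dur), ("max", max_dur)):
        if text is None:
            continue
        try:
            values[label] = parse_duration_ns(text)
        except ValueError as exc:
            problems.append(str(exc))
    for label, ns in values.items():
        if ns <= 0:
            problems.append(f"{label} duration must be positive, got {ns}ns")
    if "min" in values and "max" in values and values["min"] > values["max"]:
        problems.append("min duration exceeds max duration")
    if "default" in values:
        if "min" in values and values["default"] < values["min"]:
            problems.append("default duration is below min duration")
        if "max" in values and values["default"] > values["max"]:
            problems.append("default duration is above max duration")
    return problems


def validate_provisioner_args(args: dict) -> list:
    """Run every check over one task's argument dict; returns a list of findings."""
    findings = check_duration_claims(args.get("x509_min_dur"),
                                     args.get("x509_default_dur"),
                                     args.get("x509_max_dur"))
    # The table documents these two pairs as mutually exclusive.
    for a, b in (("password", "password_file"),
                 ("admin_password", "admin_password_file")):
        if a in args and b in args:
            findings.append(f"{a} and {b} are mutually exclusive")
    if args.get("type") == "SCEP":
        # The table states the identifier defaults to 0 (DES-CBC) when omitted.
        ident = args.get("scep_encryption_algorithm_identifier", 0)
        if ident not in SCEP_ALGORITHMS:
            findings.append(f"unknown SCEP algorithm identifier {ident!r}; valid values are 0-4")
        elif ident == 0:
            findings.append("SCEP encryption algorithm 0 (DES-CBC) is the legacy default; "
                            "use an AES identifier (1-4) unless a client requires DES")
    return findings


if __name__ == "__main__":
    # Constructed sample task: a SCEP provisioner that relies on the legacy cipher default
    # and passes both password forms.
    task = {"name": "scep_provisioner", "type": "SCEP", "scep_challenge": "secret",
            "password": "hunter2", "password_file": "/etc/step/pw.txt"}
    for finding in validate_provisioner_args(task):
        print("finding:", finding)
```

Run it as a script to see the findings for the constructed task, or import `validate_provisioner_args` into a pre-flight script that loads your task vars; `parse_duration_ns` is exact (it uses `Fraction`), so "1.5us" and "2h45m" round-trip to the same nanosecond counts step-cli will compute.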
Notes

Note

Existing provisioners will not be modified by default; use the update flag to force provisioner updates.

Most of the options correspond to the command-line parameters for the step ca provisioner command. See the documentation for more information. Any files used to create the provisioner (e.g. root certificate chains) must already be present on the remote host.

Check mode is supported.
Examples

```yaml
# NOTE: All examples assume that the module is executed as a user with STEPPATH set to
# the step-ca config directory. If this is not the case, you can always specify the required
# parameters with ca_config
- name: Create a JWK provisioner with newly generated keys and a template for x509 certificates
  maxhoesel.smallstep.step_ca_provisioner:
    name: cicd
    type: JWK
    jwk_create: yes
    x509_template: ./templates/example.tpl

- name: Create a JWK provisioner with duration claims
  maxhoesel.smallstep.step_ca_provisioner:
    name: cicd
    type: JWK
    jwk_create: yes
    x509_min_dur: 20m
    x509_default_dur: 20m
    x509_max_dur: 24h

- name: Create a JWK provisioner with existing keys
  maxhoesel.smallstep.step_ca_provisioner:
    name: jane@doe.com
    type: JWK
    public_key: jwk.pub
    private_key: jwk.priv

- name: Create an OIDC provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: Google
    type: OIDC
    client_id: 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com
    client_secret: udTrOT3gzrO7W9fDPgZQLfYJ
    configuration_endpoint: https://accounts.google.com/.well-known/openid-configuration

- name: Create an X5C provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: x5c
    type: X5C
    x5c_root: x5c_ca.crt

- name: Create an ACME provisioner, forcing a CN and requiring EAB
  maxhoesel.smallstep.step_ca_provisioner:
    name: acme
    type: ACME
    force_cn: yes
    require_eab: yes

- name: Create a K8SSA provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: kube
    type: K8SSA
    ssh: true
    public_key: key.pub

- name: Create an SSHPOP provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: sshpop
    type: SSHPOP

- name: Create a SCEP provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: scep_provisioner
    type: SCEP
    scep_challenge: secret
    scep_encryption_algorithm_identifier: 2

- name: Create a complex Azure provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: Azure
    type: Azure
    azure_tenant: bc9043e2-b645-4c1c-a87a-78f8644bfe57
    azure_resource_groups:
      - identity
      - accounting
    azure_subscription_ids:
      - dc760a01-2886-4a84-9abc-f3508e0f87d9
    azure_object_ids:
      - f50926c7-abbf-4c28-87dc-9adc7eaf3ba7
```