maxhoesel.smallstep.step_ca_token module – Generate an OTT granting access to the CA

Note

This module is part of the maxhoesel.smallstep collection (version 0.24.5).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install maxhoesel.smallstep. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: maxhoesel.smallstep.step_ca_token.

New in maxhoesel.smallstep 0.3.0

Synopsis

  • Generate an OTT granting access to the CA. This module returns the token by default, but you can also save it on the remote host if you prefer.

Requirements

The below requirements are needed on the host that executes this module.

  • step-cli must be installed on the remote host. You can set the executable name/path with step_cli_executable.

Parameters

Parameter

Comments

ca_config

path

The path to the certificate authority configuration file on the host.

ca_url

string

URI of the targeted Step Certificate Authority. Used if the module is run in online mode (default) and the host's step-cli is not configured to trust the CA.

cert_not_after

string

The time/duration when the certificate validity period ends. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.

cert_not_before

string

The time/duration when the certificate validity period starts. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.

force

boolean

Force the overwrite of files without asking.

Choices:

  • false

  • true

host

boolean

Create a host certificate instead of a user certificate.

Choices:

  • false

  • true

k8ssa_token_path

path

Configure the file from which to read the kubernetes service account token.

key

path

The private key path used to sign the JWT. This is usually downloaded from the certificate authority.

kid

string

The provisioner kid to use.

name

aliases: subject

string / required

The Common Name, DNS Name, or IP address that will be set by the certificate authority. When there are no additional Subject Alternative Names configured (via the san parameter), the subject will be added as the only element of the ‘sans’ claim on the token.

not_after

string

The time/duration when the certificate validity period ends. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.

not_before

string

The time/duration when the certificate validity period starts. If a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.

offline

boolean

Don’t contact the CA. Offline mode uses the configuration, certificates, and keys created with step ca init, but can accept a different configuration file using the ca_config parameter.

Choices:

  • false

  • true

output_file

path

The destination file of the generated one-time token. Conflicts with return_token.

principal

list / elements=string

Add the principals (user or host names) that the token is authorized to request. A signing request using this token won’t be able to add extra names. Must be a list.

provisioner

aliases: issuer

string

The provisioner name to use.

provisioner_password

string

The password to encrypt or decrypt the one-time token generating key. Will be passed to step-cli through a temporary file. Mutually exclusive with provisioner_password_file.

provisioner_password_file

path

The path to the file containing the password to decrypt the one-time token generating key. Mutually exclusive with provisioner_password.

rekey

boolean

Create a token for authorizing ‘rekey’ requests. The audience will be invalid for any other API request.

Choices:

  • false

  • true

renew

boolean

Create a token for authorizing ‘renew’ requests. The audience will be invalid for any other API request.

Choices:

  • false

  • true

return_token

boolean

Return the OTT through the module return values. Depending on your security needs, you might want to use output_file instead.

Choices:

  • false

  • true

revoke

boolean

Create a token for authorizing ‘revoke’ requests. The audience will be invalid for any other API request.

Choices:

  • false

  • true

root

path

The path to the PEM file used as the root certificate authority. Used if the module is run in online mode (default) and the host's step-cli is not configured to trust the CA.

san

list / elements=string

Add dns/ip/email/uri Subject Alternative Name(s) (SANs) that should be authorized. A certificate signing request using this token must match the complete set of SANs in the token 1:1. Must be a list.

ssh

boolean

Create a token for authorizing an SSH certificate signing request.

Choices:

  • false

  • true

sshpop_cert

string

Certificate (chain) in PEM format to store in the ‘sshpop’ header of a JWT.

sshpop_key

path

Private key path, used to sign a JWT, corresponding to the certificate that will be stored in the ‘sshpop’ header.

step_cli_executable

path

Name (or absolute path) of the step-cli executable to use

Default: "step-cli"

x5c_cert

string

Certificate (chain) in PEM format to store in the ‘x5c’ header of a JWT.

x5c_key

path

Private key path, used to sign a JWT, corresponding to the certificate that will be stored in the ‘x5c’ header.

Notes

Note

  • Check mode is supported.

Examples

- name: Generate a token on the CA, using the values from $STEPPATH
  maxhoesel.smallstep.step_ca_token:
    name: foo.bar
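The following playbook is an added example written for this page; it is not taken from the maxhoesel.smallstep collection or its documentation. It assumes an inventory group named step_ca for the CA host, a JWK provisioner named ansible whose password is stored in /etc/step-ca/provisioner-password, and that the module exposes the generated OTT under a return key named token (this page shows no return-value section, so that key name is an assumption). It shows both delivery paths described under Parameters: return_token combined with no_log so the OTT never reaches logs or callback output, and output_file followed by an explicit permissions fix, since nothing on this page says the module restricts the file mode itself. Both not_after and cert_not_after are set: the module passes them to step-cli's --not-after and --cert-not-after, where the former bounds the token's own lifetime and the latter the certificate it authorizes. The san list is the exact allow list a CSR must match, and principal plays the same role for an SSH token.

```yaml
# Added example playbook, not part of the maxhoesel.smallstep collection.
# Assumptions (not taken from the module page): the CA host is in the
# "step_ca" inventory group, a JWK provisioner named "ansible" exists, its
# password sits in /etc/step-ca/provisioner-password, the step user owns
# /var/lib/step-ca, and the module returns the OTT under the key "token".
- name: Mint scoped one-time tokens on the CA host
  hosts: step_ca
  become: true
  vars:
    ott_provisioner: ansible                                # assumption
    ott_password_file: /etc/step-ca/provisioner-password    # assumption
  tasks:
    - name: X.509 token for web01, pinned to an explicit SAN set
      maxhoesel.smallstep.step_ca_token:
        name: web01.example.internal
        san:                    # the CSR must present exactly these SANs
          - web01.example.internal
          - 10.0.0.21
        not_after: 5m           # token itself is unusable after five minutes
        cert_not_after: 24h     # the certificate it authorizes lasts one day
        provisioner: "{{ ott_provisioner }}"
        provisioner_password_file: "{{ ott_password_file }}"
        return_token: true
      register: web01_ott
      no_log: true              # keep the OTT out of logs and callback output

    - name: Request the certificate with the token (SANs are taken from it)
      ansible.builtin.command:
        argv:
          - step-cli             # matches the module's step_cli_executable default
          - ca
          - certificate
          - web01.example.internal
          - /etc/ssl/step/web01.crt
          - /etc/ssl/step/web01.key
          - "--token={{ web01_ott.token }}"   # "token" return key is an assumption
        creates: /etc/ssl/step/web01.crt     # idempotent: skip once issued
      no_log: true

    - name: SSH host-certificate token restricted to two principals, saved to disk
      maxhoesel.smallstep.step_ca_token:
        name: web01
        ssh: true
        host: true
        principal:              # the SSH CSR cannot add names beyond these
          - web01
          - web01.example.internal
        not_after: 5m
        provisioner: "{{ ott_provisioner }}"
        provisioner_password_file: "{{ ott_password_file }}"
        output_file: /var/lib/step-ca/web01-ssh-host.ott
        force: true             # replace a stale token from an earlier run

    - name: Restrict the stored token to the CA service account
      ansible.builtin.file:
        path: /var/lib/step-ca/web01-ssh-host.ott
        owner: step             # assumption: step-ca runs as this user
        group: step
        mode: "0600"
```

Run it with ansible-playbook against an inventory that defines the step_ca group. Because return_token and output_file conflict, each task picks one: the X.509 token stays in memory and is consumed on the same host in the next task, while the SSH token is persisted for a later consumer and locked down immediately afterwards. Short not_after values keep the window in which a leaked OTT is useful small, independently of how long the resulting certificate lives.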

Authors

  • Max Hösel (@maxhoesel)