Try SpotterGenerates a new set of credentials (private key and certificate) using HashiCorp Vault PKI
| "added in version" 2.3.0 of community.hashi_vault"
Authors: Florent David (@Ripolin)
Install with ansible-galaxy collection install community.hashi_vault:==6.2.0
collections:
- name: community.hashi_vault
version: 6.2.0Generates a new set of credentials (private key and certificate) based on a Vault PKI role.
- name: Login and use the resulting token
community.hashi_vault.vault_login:
url: https://localhost:8200
auth_method: ldap
username: "john.doe"
password: "{{ user_passwd }}"
register: login_data
- name: Generate a certificate with an existing token
community.hashi_vault.vault_pki_generate_certificate:
role_name: test.example.org
common_name: test.example.org
ttl: 8760h
alt_names:
- test2.example.org
- test3.example.org
url: https://vault:8201
auth_method: token
token: "{{ login_data.login.auth.client_token }}"
register: cert_data
- name: Display generated certificate
debug:
msg: "{{ cert_data.data.data.certificate }}"
jwt:
description: The JSON Web Token (JWT) to use for JWT authentication to Vault.
type: str
ttl:
description:
- Specifies requested Time To Live.
- Cannot be greater than the role's C(max_ttl) value.
- If not provided, the role's C(ttl) value will be used.
- Note that the role values default to system values if not explicitly set.
type: str
url:
description:
- URL to the Vault service.
- If not specified by any other means, the value of the C(VAULT_ADDR) environment
variable will be used.
- If C(VAULT_ADDR) is also not defined then an error will be raised.
type: str
token:
description:
- Vault token. Token may be specified explicitly, through the listed [env] vars, and
also through the C(VAULT_TOKEN) env var.
- If no token is supplied, explicitly or through env, then the plugin will check for
a token file, as determined by I(token_path) and I(token_file).
- The order of token loading (first found wins) is C(token param -> ansible var ->
ANSIBLE_HASHI_VAULT_TOKEN -> VAULT_TOKEN -> token file).
type: str
format:
choices:
- pem
- der
- pem_bundle
default: pem
description:
- Specifies the format for returned data.
- Can be C(pem), C(der), or C(pem_bundle).
- If C(der), the output is base64 encoded.
- If C(pem_bundle), the C(certificate) field will contain the private key and certificate,
concatenated. If the issuing CA is not a Vault-derived self-signed root, this will
be included as well.
type: str
region:
description: The AWS region for which to create the connection.
type: str
ca_cert:
aliases:
- cacert
description:
- Path to certificate to use for authentication.
- If not specified by any other means, the C(VAULT_CACERT) environment variable will
be used.
type: str
ip_sans:
default: []
description:
- Specifies requested IP Subject Alternative Names.
- Only valid if the role allows IP SANs (which is the default).
elements: str
type: list
proxies:
description:
- URL(s) to the proxies used to access the Vault service.
- It can be a string or a dict.
- If it's a dict, provide the scheme (eg. C(http) or C(https)) as the key, and the
URL as the value.
- If it's a string, provide a single URL that will be used as the proxy for both C(http)
and C(https) schemes.
- A string that can be interpreted as a dictionary will be converted to one (see examples).
- You can specify a different proxy for HTTP and HTTPS resources.
- If not specified, L(environment variables from the Requests library,https://requests.readthedocs.io/en/master/user/advanced/#proxies)
are used.
type: raw
version_added: 1.1.0
version_added_collection: community.hashi_vault
retries:
description:
- Allows for retrying on errors, based on the L(Retry class in the urllib3 library,https://urllib3.readthedocs.io/en/latest/reference/urllib3.util.html#urllib3.util.Retry).
- This collection defines recommended defaults for retrying connections to Vault.
- This option can be specified as a positive number (integer) or dictionary.
- If this option is not specified or the number is C(0), then retries are disabled.
- A number sets the total number of retries, and uses collection defaults for the
other settings.
- A dictionary value is used directly to initialize the C(Retry) class, so it can
be used to fully customize retries.
- For detailed information on retries, see the collection User Guide.
type: raw
version_added: 1.3.0
version_added_collection: community.hashi_vault
role_id:
description:
- Vault Role ID or name. Used in C(approle), C(aws_iam), C(azure) and C(cert) auth
methods.
- For C(cert) auth, if no I(role_id) is supplied, the default behavior is to try all
certificate roles and return any one that matches.
- For C(azure) auth, I(role_id) is required.
type: str
timeout:
description:
- Sets the connection timeout in seconds.
- If not set, then the C(hvac) library's default is used.
type: int
version_added: 1.3.0
version_added_collection: community.hashi_vault
password:
description: Authentication password.
type: str
uri_sans:
default: []
description:
- Specifies the requested URI Subject Alternative Names.
elements: str
type: list
username:
description: Authentication user name.
type: str
alt_names:
default: []
description:
- Specifies requested Subject Alternative Names.
- These can be host names or email addresses; they will be parsed into their respective
fields.
- If any requested names do not match role policy, the entire request will be denied.
elements: str
type: list
namespace:
description:
- Vault namespace where secrets reside. This option requires HVAC 0.7.0+ and Vault
0.11+.
- Optionally, this may be achieved by prefixing the authentication mount point and/or
secret path with the namespace (e.g C(mynamespace/secret/mysecret)).
- If environment variable C(VAULT_NAMESPACE) is set, its value will be used last among
all ways to specify I(namespace).
type: str
role_name:
description:
- Specifies the name of the role to create the certificate against.
required: true
type: str
secret_id:
description: Secret ID to be used for Vault AppRole authentication.
type: str
other_sans:
default: []
description:
- Specifies custom OID/UTF8-string SANs.
- These must match values specified on the role in C(allowed_other_sans).
- 'The format is the same as OpenSSL: C(<oid>;<type>:<value>) where the only current
valid type is C(UTF8).'
elements: str
type: list
token_file:
default: .vault-token
description: If no token is specified, will try to read the token from this file in
I(token_path).
type: str
token_path:
description: If no token is specified, will try to read the I(token_file) from this
path.
type: str
auth_method:
choices:
- token
- userpass
- ldap
- approle
- aws_iam
- azure
- jwt
- cert
- none
default: token
description:
- Authentication method to be used.
- C(none) auth method was added in collection version C(1.2.0).
- C(cert) auth method was added in collection version C(1.4.0).
- C(aws_iam_login) was renamed C(aws_iam) in collection version C(2.1.0) and was removed
in C(3.0.0).
- C(azure) auth method was added in collection version C(3.2.0).
type: str
aws_profile:
aliases:
- boto_profile
description: The AWS profile
type: str
common_name:
description:
- Specifies the requested CN for the certificate.
- If the CN is allowed by role policy, it will be issued.
required: true
type: str
mount_point:
description:
- Vault mount point.
- If not specified, the default mount point for a given auth method is used.
- Does not apply to token authentication.
type: str
retry_action:
choices:
- ignore
- warn
default: warn
description:
- Controls whether and how to show messages on I(retries).
- This has no effect if a request is not retried.
type: str
version_added: 1.3.0
version_added_collection: community.hashi_vault
aws_access_key:
aliases:
- aws_access_key_id
description: The AWS access key to use.
type: str
aws_secret_key:
aliases:
- aws_secret_access_key
description: The AWS secret key that corresponds to the access key.
type: str
azure_resource:
default: https://management.azure.com/
description: The resource URL for the application registered in Azure Active Directory.
Usually should not be changed from the default.
required: false
type: str
version_added: 3.2.0
version_added_collection: community.hashi_vault
token_validate:
default: false
description:
- For token auth, will perform a C(lookup-self) operation to determine the token's
validity before using it.
- Disable if your token does not have the C(lookup-self) capability.
type: bool
version_added: 0.2.0
version_added_collection: community.hashi_vault
validate_certs:
description:
- Controls verification and validation of SSL certificates, mostly you only want to
turn off with self signed ones.
- Will be populated with the inverse of C(VAULT_SKIP_VERIFY) if that is set and I(validate_certs)
is not explicitly provided.
- Will default to C(true) if neither I(validate_certs) or C(VAULT_SKIP_VERIFY) are
set.
type: bool
azure_client_id:
description:
- The client ID (also known as application ID) of the Azure AD service principal or
managed identity. Should be a UUID.
- If not specified, will use the system assigned managed identity.
required: false
type: str
version_added: 3.2.0
version_added_collection: community.hashi_vault
azure_tenant_id:
description:
- The Azure Active Directory Tenant ID (also known as the Directory ID) of the service
principal. Should be a UUID.
- Required when using a service principal to authenticate to Vault, e.g. required
when both I(azure_client_id) and I(azure_client_secret) are specified.
- Optional when using managed identity to authenticate to Vault.
required: false
type: str
version_added: 3.2.0
version_added_collection: community.hashi_vault
aws_iam_server_id:
description: If specified, sets the value to use for the C(X-Vault-AWS-IAM-Server-ID)
header as part of C(GetCallerIdentity) request.
required: false
type: str
version_added: 0.2.0
version_added_collection: community.hashi_vault
aws_security_token:
description: The AWS security token if using temporary access and secret keys.
type: str
engine_mount_point:
description:
- Specify the mount point used by the PKI engine.
- Defaults to the default used by C(hvac).
type: str
private_key_format:
choices:
- der
- pkcs8
default: der
description:
- Specifies the format for marshaling the private key.
- Defaults to C(der) which will return either base64-encoded DER or PEM-encoded DER,
depending on the value of I(format).
- The other option is C(pkcs8) which will return the key marshalled as PEM-encoded
PKCS8.
type: str
azure_client_secret:
description: The client secret of the Azure AD service principal.
required: false
type: str
version_added: 3.2.0
version_added_collection: community.hashi_vault
cert_auth_public_key:
description: For C(cert) auth, path to the certificate file to authenticate with,
in PEM format.
type: path
version_added: 1.4.0
version_added_collection: community.hashi_vault
exclude_cn_from_sans:
default: false
description:
- If true, the given I(common_name) will not be included in DNS or Email Subject Alternate
Names (as appropriate).
- Useful if the CN is not a hostname or email address, but is instead some human-readable
identifier.
type: bool
cert_auth_private_key:
description: For C(cert) auth, path to the private key file to authenticate with,
in PEM format.
type: path
version_added: 1.4.0
version_added_collection: community.hashi_vault
data:
contains:
data:
contains:
ca_chain:
description: Linked list of CA certificates.
elements: str
returned: success
sample:
- '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
type: list
certificate:
description: Generated certificate.
returned: success
sample: '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
type: str
issuing_ca:
description: CA certificate.
returned: success
sample: '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
type: str
private_key:
description: Private key used to generate certificate.
returned: success
sample: '-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----'
type: str
private_key_type:
description: Private key algorithm.
returned: success
sample: rsa
type: str
serial_number:
description: Certificate's serial number.
returned: success
sample: 39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58
type: str
description: Payload
returned: success
type: complex
lease_duration:
description: Vault lease duration.
returned: success
sample: 21600
type: int
lease_id:
description: Vault lease attached to certificate.
returned: success
sample: pki/issue/test/7ad6cfa5-f04f-c62a-d477-f33210475d05
type: str
renewable:
description: True if certificate is renewable.
returned: success
sample: false
type: bool
warning:
description: Warnings returned by Vault during generation.
returned: success
type: str
description: Information about newly generated certificate
returned: success
type: complex