maxhoesel.smallstep.ca_claims (0.2.1) — module

Manage default or provisioner claims on a step-ca server

Added in version 2.10.0 of maxhoesel.smallstep

Authors: Max Hösel (@maxhoesel)

Install collection

Install with ansible-galaxy collection install maxhoesel.smallstep:==0.2.1


Add to requirements.yml

  collections:
    - name: maxhoesel.smallstep
      version: 0.2.1

Description

This module can add, update or remove claims (such as certificate duration) on a step-ca server. You can either modify the claims of an individual provisioner, or change the default claims.


Requirements

Usage examples

- name: Change the TLS cert duration of a provisioner
  maxhoesel.smallstep.ca_claims:
    name: webtokens-1
    type: JWK
    min_tls_cert_duration: 24h
    max_tls_cert_duration: 720h
    default_tls_cert_duration: 168h
- name: Change default (global) claims
  maxhoesel.smallstep.ca_claims:
    scope: global
    min_tls_cert_duration: 24h
    max_tls_cert_duration: 720h
    default_tls_cert_duration: 168h
- name: Overwrite the claims of a provisioner with the given parameters
  maxhoesel.smallstep.ca_claims:
    name: webtokens-1
    type: JWK
    exclusive: yes
    min_tls_cert_duration: 24h
    max_tls_cert_duration: 720h
    default_tls_cert_duration: 168h

Inputs

name:
    description: The name of the provisioner to modify. If multiple provisioners have
      the same name, all provisioners will be modified unless I(type) is set. Conflicts
      with I(scope=global).

type:
    choices:
    - JWK
    - OIDC
    - AWS
    - GCP
    - Azure
    - ACME
    - X5C
    - K8sSA
    - SSHPOP
    description: Modify only the provisioner with the name I(name) that has this type.
      Has no effect if I(scope=global). Case-sensitive.

scope:
    choices:
    - global
    - provisioner
    default: provisioner
    description: The scope for which the claims should be modified (either global defaults
      or a specific provisioner).

ca_config:
    default: ~/.step/config/ca.json
    description: The path to the certificate authority configuration file. Defaults to
      the C(step) default of C($STEPPATH/config/ca.json).

exclusive:
    default: false
    description: Replace all existing claims for the selected scope with the ones defined
      in the module parameters.
    type: bool

enable_SSHCA:
    description: Enable this provisioner to generate SSH Certificates.
    type: bool

disable_renewal:
    description: Disable renewals with this provisioner.
    type: bool

max_host_ssh_duration:
    description: Do not allow host SSH certificates with a validity period greater than this value.

max_tls_cert_duration:
    description: Do not allow TLS certificates with a validity period greater than this value.

max_user_ssh_duration:
    description: Do not allow user SSH certificates with a validity period greater than this value.

min_host_ssh_duration:
    description: Do not allow host SSH certificates with a validity period shorter than this value.

min_tls_cert_duration:
    description: Do not allow TLS certificates with a validity period shorter than this value.

min_user_ssh_duration:
    description: Do not allow user SSH certificates with a validity period shorter than this value.

disable_issued_at_check:
    description: Disable the check that provisioning tokens were issued after the CA
      booted. This claim is one prevention against token reuse. The default value is
      false. Do not change this unless you know what you are doing.

default_host_ssh_duration:
    description: If no validity period is requested for a host SSH certificate, use this value.

default_tls_cert_duration:
    description: If no validity period is requested for a TLS certificate, use this value.

default_user_ssh_duration:
    description: If no validity period is requested for a user SSH certificate, use this value.

Outputs

claims:
  description: Dictionary containing the claims of the selected scope. Dict of dicts
    if multiple provisioners were selected, with the provisioner's type as key.
  returned: always
  type: dict
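The following Python block is an added illustration for this page, not the maxhoesel.smallstep module's own code. It models what the Inputs above do to a ca.json: selecting a scope (global defaults or one or more provisioners matched by name and optional type), merging versus replacing claims (exclusive), rejecting duration sets where min, default and max are inconsistent, and returning a claims dict shaped like the Outputs section describes. The ca.json layout (authority.claims, authority.provisioners[].claims), the camelCase claim names and the parse rules for Go-style durations are assumptions about step-ca's configuration format; the sample configuration is constructed.

```python
"""Added illustration: how ca_claims parameters map onto a step-ca ca.json.
Not the module's own code; JSON layout and claim names are assumed."""
import copy
import json
import re

# Go-style duration units as step-ca accepts them ("24h", "1h30m", "90s").
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")

# Module parameter -> claim key in ca.json (key names assumed from step-ca's format).
CLAIM_KEYS = {
    "min_tls_cert_duration": "minTLSCertDuration",
    "max_tls_cert_duration": "maxTLSCertDuration",
    "default_tls_cert_duration": "defaultTLSCertDuration",
    "min_host_ssh_duration": "minHostSSHCertDuration",
    "max_host_ssh_duration": "maxHostSSHCertDuration",
    "default_host_ssh_duration": "defaultHostSSHCertDuration",
    "min_user_ssh_duration": "minUserSSHCertDuration",
    "max_user_ssh_duration": "maxUserSSHCertDuration",
    "default_user_ssh_duration": "defaultUserSSHCertDuration",
    "enable_SSHCA": "enableSSHCA",
    "disable_renewal": "disableRenewal",
}
_FAMILIES = ("tls_cert", "host_ssh", "user_ssh")

# Constructed sample ca.json fragment (not a real CA configuration).
SAMPLE_CONFIG = {
    "authority": {
        "claims": {"minTLSCertDuration": "5m", "maxTLSCertDuration": "24h",
                   "defaultTLSCertDuration": "24h"},
        "provisioners": [
            {"name": "webtokens-1", "type": "JWK", "claims": {"disableRenewal": True}},
            {"name": "webtokens-1", "type": "OIDC", "claims": {}},
        ],
    }
}


def parse_duration(text):
    """Return the length of a Go-style duration string in seconds, or raise ValueError."""
    pos, total = 0, 0.0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:  # stray characters between components, e.g. "24 h"
            break
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"invalid duration: {text!r}")
    return total


def duration_problem(params):
    """Return a message for the first inconsistent duration parameter, or None
    when every family satisfies min <= default <= max and all values parse."""
    try:
        for family in _FAMILIES:
            secs = {}
            for bound in ("min", "max", "default"):
                value = params.get(f"{bound}_{family}_duration")
                if value is not None:
                    secs[bound] = parse_duration(value)
            if "min" in secs and "max" in secs and secs["min"] > secs["max"]:
                return f"{family}: min duration exceeds max duration"
            if "default" in secs and "min" in secs and secs["default"] < secs["min"]:
                return f"{family}: default duration is below the minimum"
            if "default" in secs and "max" in secs and secs["default"] > secs["max"]:
                return f"{family}: default duration is above the maximum"
    except ValueError as exc:
        return str(exc)
    return None


def apply_claims(config, params, scope="provisioner", name=None, prov_type=None, exclusive=False):
    """Return (new_config, claims) after merging or replacing claims in the selected scope."""
    problem = duration_problem(params)
    if problem:
        raise ValueError(problem)
    if scope == "global" and name is not None:
        raise ValueError("name conflicts with scope=global")
    new_claims = {CLAIM_KEYS[k]: v for k, v in params.items() if k in CLAIM_KEYS}
    config = copy.deepcopy(config)  # never mutate the caller's config
    authority = config.setdefault("authority", {})

    if scope == "global":
        targets = [authority]  # authority.claims holds the default claims
    else:
        targets = [p for p in authority.get("provisioners", [])
                   if p.get("name") == name and (prov_type is None or p.get("type") == prov_type)]
        if not targets:
            raise LookupError(f"no provisioner named {name!r}")

    for target in targets:
        if exclusive:
            target["claims"] = dict(new_claims)  # drop every claim not given as a parameter
        else:
            target.setdefault("claims", {}).update(new_claims)  # keep unrelated claims

    # Mirror the module's 'claims' output: one dict for a single target,
    # a dict keyed by provisioner type when several provisioners matched.
    if len(targets) == 1:
        return config, targets[0]["claims"]
    return config, {t["type"]: t["claims"] for t in targets}


if __name__ == "__main__":
    tls = {"min_tls_cert_duration": "24h", "max_tls_cert_duration": "720h",
           "default_tls_cert_duration": "168h"}
    _, merged = apply_claims(SAMPLE_CONFIG, tls, name="webtokens-1", prov_type="JWK")
    _, replaced = apply_claims(SAMPLE_CONFIG, tls, name="webtokens-1", prov_type="JWK", exclusive=True)
    print("merged:   ", json.dumps(merged))
    print("exclusive:", json.dumps(replaced))
    print("rejected: ", duration_problem({"min_tls_cert_duration": "48h", "max_tls_cert_duration": "24h"}))
```

The merge path keeps the provisioner's existing disableRenewal claim, while exclusive replaces the whole claim set, which is the difference the module's third usage example relies on; the consistency check catches a min above max or a default outside the bounds before anything is written.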