maxhoesel.smallstep.ca_provisioner (0.2.1) — module

Manage provisioners for a Smallstep CA server

| "added in version" 2.10.0 of maxhoesel.smallstep"

Authors: Max Hösel (@maxhoesel)

Install collection

Install with ansible-galaxy collection install maxhoesel.smallstep:==0.2.1


Add to requirements.yml

  collections:
    - name: maxhoesel.smallstep
      version: 0.2.1

Description

Use this module to create and remove provisioners from a Smallstep CA server.


Requirements

Usage examples

- name: Add a single JWK provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: max@smallstep.com
    type: JWK
    # Key and password files must already exist on the remote host
    jwk_key_files: /tmp/step-ca/max-laptop.jwk
    jwk_password_file: /tmp/step-ca/max-laptop.pass
    jwk_encrypt_password: a-secret-password
    state: present
- name: Add a single JWK provisioner using an auto-generated asymmetric key pair
  maxhoesel.smallstep.ca_provisioner:
    name: max@smallstep.com
    type: JWK
    # Password file must already exist on the remote host
    jwk_password_file: /tmp/step-ca/max-laptop.pass
    jwk_encrypt_password: a-secret-password
    jwk_create: yes
    state: present
- name: Add a list of provisioners for a single name
  maxhoesel.smallstep.ca_provisioner:
    name: max@smallstep.com
    type: JWK
    # Key and password files must already exist on the remote host
    jwk_key_files:
      - /tmp/step-ca/max-laptop.jwk
      - /tmp/max-phone.pem
      - /tmp/max-work.pem
    jwk_password_file: /tmp/step-ca/max-laptop.pass
    jwk_encrypt_password: a-secret-password
    state: present
- name: Add a single OIDC provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: Google
    type: OIDC
    oidc_client_id: 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com
    oidc_configuration_endpoint: https://accounts.google.com/.well-known/openid-configuration
- name: Add an OIDC provisioner with two administrators
  maxhoesel.smallstep.ca_provisioner:
    name: Google
    type: OIDC
    oidc_client_id: 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com
    oidc_configuration_endpoint: https://accounts.google.com/.well-known/openid-configuration
    oidc_admin_email:
      - mariano@smallstep.com
      - max@smallstep.com
    oidc_domain: smallstep.com
- name: Add an AWS provisioner for one account with a one hour instance age
  maxhoesel.smallstep.ca_provisioner:
    name: Amazon
    type: AWS
    aws_account: 123456789
    instance_age: 1h
- name: Add a GCP provisioner with two service accounts and two project ids
  maxhoesel.smallstep.ca_provisioner:
    name: Google
    type: GCP
    gcp_service_account:
      - 1234567890-compute@developer.gserviceaccount.com
      - 9876543210-compute@developer.gserviceaccount.com
    gcp_project:
      - identity
      - accounting
- name: Add an Azure provisioner with two service groups
  maxhoesel.smallstep.ca_provisioner:
    name: Azure
    type: Azure
    azure_tenant: bc9043e2-b645-4c1c-a87a-78f8644bfe57
    azure_resource_group:
      - identity
      - accounting
- name: Add a GCP provisioner that will only accept the SANs provided in the identity token
  maxhoesel.smallstep.ca_provisioner:
    name: Google
    type: GCP
    disable_custom_sans: yes
    gcp_project: internal
- name: Add an ACME provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: acme-smallstep
    type: ACME
- name: Add an X5C provisioner.
  maxhoesel.smallstep.ca_provisioner:
    name: x5c-smallstep
    type: X5C
    # Key file must already exist on the remote host
    x5c_root_file: /tmp/x5c_root.crt
- name: Add a K8s Service Account provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: my-kube-provisioner
    type: K8sSA
    # Key file must already exist on the remote host
    k8s_pem_keys_file: /tmp/keys.pub
- name: Add an SSH-POP provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: sshpop-smallstep
    type: SSHPOP
- name: Remove a JWK provisioner
  maxhoesel.smallstep.ca_provisioner:
    name: my-jwk-provisioner
    type: JWK
    # state defaults to present, so it must be set explicitly to remove
    state: absent

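The examples above note that the key and password files must already exist on the remote host but do not show how to get them there. The following playbook is an added example and is not part of the collection's documentation: it writes the JWK password file from a vaulted variable with restrictive permissions, creates a JWK provisioner with a generated key, retires an old one with an explicit `state: absent`, and reloads the CA so the new config is picked up. The host group `step_ca`, the `step` system user, the paths under `/etc/step-ca`, the variable `step_jwk_password`, the provisioner names and the `step-ca` service name are all assumptions.

```yaml
# Added example playbook (not from the collection). All host, path, user and
# variable names below are assumptions for illustration.
- name: Manage JWK provisioners without exposing the key password
  hosts: step_ca
  become: true
  vars:
    step_ca_config: /etc/step-ca/config/ca.json
    step_secrets_dir: /etc/step-ca/secrets
    # step_jwk_password is expected to come from an ansible-vault encrypted
    # vars file (e.g. group_vars/step_ca/vault.yml), never from plain text.
  tasks:
    - name: Ensure the secrets directory is only accessible to the CA user
      ansible.builtin.file:
        path: "{{ step_secrets_dir }}"
        state: directory
        owner: step
        group: step
        mode: "0700"

    - name: Write the JWK password file the module expects to find on the host
      ansible.builtin.copy:
        content: "{{ step_jwk_password }}"
        dest: "{{ step_secrets_dir }}/laptop-jwk.pass"
        owner: step
        group: step
        mode: "0600"
      no_log: true   # keep the password out of the Ansible log and diff output

    - name: Create the provisioner with a freshly generated P-256 key pair
      maxhoesel.smallstep.ca_provisioner:
        name: max@example.com
        type: JWK
        ca_config: "{{ step_ca_config }}"
        jwk_create: true
        jwk_password_file: "{{ step_secrets_dir }}/laptop-jwk.pass"
        jwk_encrypt_password: "{{ step_jwk_password }}"
        state: present
      notify: Reload step-ca

    - name: Retire the previous provisioner (state defaults to present)
      maxhoesel.smallstep.ca_provisioner:
        name: old-laptop@example.com
        type: JWK
        ca_config: "{{ step_ca_config }}"
        state: absent
      notify: Reload step-ca

  handlers:
    - name: Reload step-ca
      ansible.builtin.service:
        name: step-ca
        state: reloaded
```

The `no_log: true` on the copy task matters because `ansible.builtin.copy` with `content` otherwise shows the file contents in `--diff` output; the module itself already marks `jwk_encrypt_password` as `no_log`. Reloading the service after the change is an assumption about the deployment: step-ca reads provisioners from `ca.json` at start-up and must be told to re-read it.
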
Inputs

ssh:
    default: false
    description: Whether to enable SSH on the new provisioners.
    type: bool

name:
    description: The name of the provisioner to add/remove.
    required: true

type:
    choices:
    - JWK
    - OIDC
    - AWS
    - GCP
    - Azure
    - ACME
    - X5C
    - K8sSA
    - SSHPOP
    description: The type of provisioner to create or remove (case-sensitive).
    required: true

state:
    choices:
    - present
    - absent
    default: present
    description: Whether the provisioner should be present or absent.

ca_config:
    default: ~/.step/config/ca.json
    description: The path to the certificate authority configuration file. Defaults to
      the C(step) default of C($STEPPATH/config/ca.json).

jwk_create:
    default: false
    description: Create a new ECDSA key pair using curve P-256 and populate a new JWK
      provisioner with it.
    type: bool

aws_account:
    description: The AWS account id used to validate the identity documents. Also accepts
      a list for passing multiple ids.

gcp_project:
    description: The Google project id used to validate the identity tokens. Also accepts
      a list for passing multiple ids.

oidc_domain:
    description: The domain used to validate the email claim in an OpenID Connect provisioner.
      Also accepts a list for multiple domains.

azure_tenant:
    description: The Microsoft Azure tenant id used to validate the identity tokens.

instance_age:
    description: The maximum duration to grant a certificate in AWS and GCP provisioners.
      A duration is a sequence of decimal numbers, each with an optional fraction and a unit
      suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or
      'µs'), 'ms', 's', 'm', 'h'.

jwk_key_files:
    description: List of private (or public) keys in JWK or PEM format to be added to
      the provisioner.

x5c_root_file:
    description: Root certificate (chain) file used to validate the signature on X5C provisioning
      tokens.

oidc_client_id:
    description: The id used to validate the audience in an OpenID Connect token.

step_executable:
    default: step
    description: Path or name of the step tool used to manage the step-ca server

oidc_admin_email:
    description: The email of an admin user in an OpenID Connect provisioner; this user
      will have no restrictions on the certificates to sign. Also accepts a list for
      multiple administrators.

jwk_password_file:
    description: The path to the file containing the password to encrypt or decrypt the
      private key

k8s_pem_keys_file:
    description: Public key file for validating signatures on K8s Service Account Tokens.
      PEM formatted bundle (can have multiple PEM blocks in the same file) of public keys
      and x509 Certificates.

aws_iid_roots_file:
    description: The path to the file containing the certificates used to validate the
      instance identity documents in AWS.

oidc_client_secret:
    description: The secret used to obtain the OpenID Connect Tokens.

disable_custom_sans:
    default: false
    description: On cloud provisioners, if enabled, only the internal DNS name and IP will be
      added as SANs. By default any SAN in the CSR is accepted.
    type: bool

gcp_service_account:
    description: The Google service account email or id used to validate the identity
      tokens. Also accepts a list for passing multiple ids.

oidc_listen_address:
    description: The callback address used in the OpenID Connect flow (e.g. ':10000').

azure_resource_group:
    description: The Microsoft Azure resource group name used to validate the identity
      tokens. Also accepts a list for passing multiple names.

jwk_encrypt_password:
    description: Password used to encrypt the JWK provisioner key. Required when creating
      a JWK provisioner.
    no_log: true

disable_trust_on_first_use:
    default: false
    description: On cloud provisioners, if enabled, multiple sign requests for this provisioner
      from the same instance will be accepted. By default only the first request will
      be accepted.
    type: bool

oidc_configuration_endpoint:
    description: OpenID Connect configuration url.