maxhoesel.smallstep.step_ca_provisioner module (collection maxhoesel.smallstep, version 0.23.1)

Manage provisioners on a step-ca server. Added in version 0.3.0 of maxhoesel.smallstep.
Author: Max Hösel (@maxhoesel)

Install with: ansible-galaxy collection install maxhoesel.smallstep:==0.23.1

Or list it in a requirements.yml file:

collections:
  - name: maxhoesel.smallstep
    version: 0.23.1

Synopsis

Use this module to create and remove provisioners from a Smallstep CA server.
Examples

```yaml
# NOTE: All examples assume that the module is executed as a user with STEPPATH set to
# the step-ca config directory. If this is not the case, you can always specify the required
# parameters with ca_config

- name: Create a JWK provisioner with newly generated keys and a template for x509 certificates
  maxhoesel.smallstep.step_ca_provisioner:
    name: cicd
    type: JWK
    jwk_create: yes
    x509_template: ./templates/example.tpl

- name: Create a JWK provisioner with duration claims
  maxhoesel.smallstep.step_ca_provisioner:
    name: cicd
    type: JWK
    create: yes
    x509_min_dur: 20m
    x509_default_dur: 20m
    x509_max_dur: 24h

- name: Create a JWK provisioner with existing keys
  maxhoesel.smallstep.step_ca_provisioner:
    name: jane@doe.com
    type: JWK
    public_key: jwk.pub
    private_key: jwk.priv

- name: Create an OIDC provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: Google
    type: OIDC
    client_id: 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com
    client_secret: udTrOT3gzrO7W9fDPgZQLfYJ
    configuration_endpoint: https://accounts.google.com/.well-known/openid-configuration

- name: Create an X5C provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: x5c
    type: X5C
    x5c_root: x5c_ca.crt

- name: Create an ACME provisioner, forcing a CN and requiring EAB
  maxhoesel.smallstep.step_ca_provisioner:
    name: acme
    type: ACME
    force_cn: yes
    require_eab: yes

- name: Create a K8SSA provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: kube
    type: K8SSA
    ssh: true
    public_key: key.pub

- name: Create an SSHPOP provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: sshpop
    type: SSHPOP

- name: Create a SCEP provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: scep_provisioner
    type: SCEP
    scep_challenge: secret
    scep_encryption_algorithm_identifier: 2

- name: Create a complex Azure provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: Azure
    type: Azure
    azure_tenant: bc9043e2-b645-4c1c-a87a-78f8644bfe57
    azure_resource_groups:
      - identity
      - accounting
    azure_subscription_ids:
      - dc760a01-2886-4a84-9abc-f3508e0f87d9
    azure_object_ids:
      - f50926c7-abbf-4c28-87dc-9adc7eaf3ba7
```
Parameters

Duration format: parameters marked "duration" take a sequence of decimal numbers, each with an optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

CA access and tooling:

ca_config (path, default: $STEPPATH/config/ca.json)
    The path to the certificate authority configuration file on the host if managing provisioners locally.
ca_url (str, added in 0.20.0)
    URI of the targeted Step Certificate Authority.
root (path, added in 0.20.0)
    The path to the PEM file used as the root certificate authority.
step_cli_executable (path, default: step-cli)
    Name (or absolute path) of the step-cli executable to use.

Admin credentials:

admin_cert (path)
    Admin certificate (chain) in PEM format to store in the 'x5c' header of a JWT.
admin_key (path)
    Private key file, used to sign a JWT, corresponding to the admin certificate that will be stored in the 'x5c' header.
admin_provisioner (str; alias: admin_issuer)
    The provisioner name to use for generating admin credentials.
admin_subject (str; alias: admin_name)
    The admin subject to use for generating admin credentials.

General provisioner settings:

name (str, required)
    The name of the provisioner to add/remove.
type (str; choices: JWK, OIDC, AWS, GCP, Azure, ACME, X5C, K8SSA, SSHPOP, SCEP, Nebula)
    The type of provisioner to create (case-sensitive). Required if state is present; ignored when state is absent or updated.
state (str; choices: present, updated, absent; default: present)
    Whether the provisioner should be present or absent. Note that present does not update existing provisioners. updated attempts to update the provisioner regardless of whether it has changed or not, and therefore always reports the task as changed.
ssh (bool, default: true)
    Enable provisioning of SSH certificates. Defaults to true; set it to false to disable SSH.
force_cn (bool, added in 0.20.0)
    Always set the common name in provisioned certificates.
disable_renewal (bool, added in 0.20.0)
    Disable renewal for all certificates generated by this provisioner.
allow_renewal_after_expiry (bool, added in 0.20.0)
    Allow renewals for expired certificates generated by this provisioner.
x509_template (path, added in 0.20.0)
    The x509 certificate template file, a JSON representation of the certificate to create.
x509_template_data (path, added in 0.20.0)
    The x509 certificate template data file, a JSON map of data that can be used by the certificate template.
ssh_template (path, added in 0.20.0)
    The ssh certificate template file, a JSON representation of the certificate to create.
ssh_template_data (path, added in 0.20.0)
    The ssh certificate template data file, a JSON map of data that can be used by the certificate template.

Certificate duration claims (all str, duration, added in 0.20.0):

x509_min_dur, x509_default_dur, x509_max_dur
    The minimum, default and maximum duration for an x509 certificate generated by this provisioner.
ssh_user_min_dur, ssh_user_default_dur, ssh_user_max_dur
    The minimum, default and maximum duration for an ssh user certificate generated by this provisioner.
ssh_host_min_dur, ssh_host_default_dur, ssh_host_max_dur
    The minimum, default and maximum duration for an ssh host certificate generated by this provisioner.

JWK provisioners:

jwk_create (bool, added in 0.20.0; alias: create)
    Create the JWK key pair for the provisioner.
public_key (path; aliases: jwk_public_key, k8ssa_public_key, k8s_pem_keys_file)
    The file containing the JWK public key. Or, a file containing one or more PEM formatted keys, if used with the K8SSA provisioner.
jwk_private_key (path, added in 0.20.0; alias: private_key)
    The file containing the JWK private key.
password_file (path; alias: jwk_password_file)
    The path to the file containing the password to encrypt or decrypt the private key.

OIDC provisioners:

oidc_client_id (str; alias: client_id)
    The id used to validate the audience in an OpenID Connect token.
oidc_client_secret (str; alias: client_secret)
    The secret used to obtain the OpenID Connect tokens.
oidc_configuration_endpoint (str; alias: configuration_endpoint)
    OpenID Connect configuration url.
oidc_admins (list of str; aliases: admin, oidc_admin, oidc_admin_email)
    The emails of admin users in an OpenID Connect provisioner; these users will not have restrictions in the certificates to sign. Must be a list.
oidc_groups (list of str; aliases: oidc_group, group)
    The group list used to validate the groups extension in an OpenID Connect token. Must be a list.
oidc_listen_address (str; aliases: listen_address, oidc_client_address)
    The callback address used in the OpenID Connect flow (e.g. ":10000").
oidc_tenant_id (str, added in 0.20.0; alias: tenant_id)
    The tenant-id used to replace the templatized {tenantid} in the OpenID Configuration.
oidc_domain (str)
    Removed from step-cli. Does nothing. Will be removed in release 0.24.0.

Cloud provisioners (AWS, GCP, Azure):

instance_age (str, duration)
    The maximum duration to grant a certificate in AWS and GCP provisioners.
disable_custom_sans (bool)
    On cloud provisioners, if enabled only the internal DNS and IP will be added as a SAN. By default it will accept any SAN in the CSR.
disable_trust_on_first_use (bool)
    On cloud provisioners, if enabled multiple sign requests for this provisioner with the same instance will be accepted. By default only the first request will be accepted.
aws_accounts (list of str; alias: aws_account)
    The AWS account ids used to validate the identity documents. Must be a list.
aws_iid_roots_file (path)
    Removed from step-cli. Does nothing. Will be removed in release 0.24.0.
gcp_projects (list of str; alias: gcp_project)
    The Google project ids used to validate the identity tokens. Must be a list.
gcp_service_accounts (list of str; alias: gcp_service_account)
    The Google service account emails or ids used to validate the identity tokens. Must be a list.
azure_tenant (str)
    The Microsoft Azure tenant id used to validate the identity tokens.
azure_audience (str, added in 0.20.0)
    The Microsoft Azure audience name used to validate the identity tokens.
azure_resource_groups (list of str; alias: azure_resource_group)
    The Microsoft Azure resource group names used to validate the identity tokens. Must be a list.
azure_subscription_ids (list of str, added in 0.20.0; alias: azure_subscription_id)
    The Microsoft Azure subscription ids used to validate the identity tokens. Must be a list.
azure_object_ids (list of str, added in 0.20.0; alias: azure_object_id)
    The Microsoft Azure AD object ids used to validate the identity tokens. Must be a list.

ACME provisioners:

require_eab (bool, added in 0.20.0)
    Require (and enable) External Account Binding (EAB) for Account creation. If this flag is set to false, then disable EAB.

X5C provisioners:

x5c_root (path; alias: x5c_root_file)
    Root certificate (chain) file used to validate the signature on X5C provisioning tokens.

K8SSA provisioners:

public_key (path; aliases: k8ssa_public_key, k8s_pem_keys_file)
    A file containing one or more PEM formatted keys (see the JWK section above; the same parameter is used for both types).

Nebula provisioners:

nebula_root (path, added in 0.20.0)
    Root certificate (chain) file used to validate the signature on Nebula provisioning tokens.

SCEP provisioners:

scep_challenge (str, added in 0.20.0; alias: challenge)
    The SCEP challenge to use as a shared secret between a client and the CA.
scep_capabilities (str, added in 0.20.0; alias: capabilities)
    The SCEP capabilities to advertise.
scep_include_root (bool, added in 0.20.0; alias: include_root)
    Include the CA root certificate in the SCEP CA certificate chain.
scep_min_public_key_length (str, added in 0.20.0; alias: min_public_key_length)
    The minimum public key length of the SCEP RSA encryption key.
scep_encryption_algorithm_identifier (int, added in 0.20.0; alias: encryption_algorithm_identifier)
    The id for the SCEP encryption algorithm to use. Valid values are 0 - 4, inclusive. The values correspond to: 0: DES-CBC, 1: AES-128-CBC, 2: AES-256-CBC, 3: AES-128-GCM, 4: AES-256-GCM. Defaults to DES-CBC (0) for legacy clients.
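The duration claims above are passed to step-cli as Go-style duration strings, and a typo in one of them (a wrong unit, or a minimum above the maximum) only surfaces when the task fails against the CA. The following pre-flight check is an added example, not part of the maxhoesel.smallstep collection: it parses the documented duration format and validates a provisioner's min/default/max triple (positivity and the ordering min <= default <= max) before the play touches the CA. The `check_claims` and `parse_duration` names are this example's own.

```python
import re
from decimal import Decimal

# Unit suffix -> nanoseconds, the units listed in this module's parameter docs.
NS = Decimal(1)
_UNIT_NS = {"ns": NS, "us": NS * 1000, "\u00b5s": NS * 1000, "ms": NS * 10**6,
            "s": NS * 10**9, "m": NS * 60 * 10**9, "h": NS * 3600 * 10**9}
_COMPONENT = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|\u00b5s|ms|s|m|h)")


def parse_duration(text: str) -> int:
    """Parse a Go-style duration ("300ms", "-1.5h", "2h45m") into whole nanoseconds."""
    s = text.strip()
    sign = -1 if s.startswith("-") else 1
    if s[:1] in ("+", "-"):
        s = s[1:]
    if not s:
        raise ValueError(f"invalid duration {text!r}")
    total, pos = Decimal(0), 0
    while pos < len(s):
        m = _COMPONENT.match(s, pos)
        if not m:                      # unknown unit or missing unit suffix
            raise ValueError(f"invalid duration {text!r}")
        total += Decimal(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    return sign * int(total)


def check_claims(params: dict, prefix: str) -> list:
    """Problems with <prefix>_{min,default,max}_dur (positive, min <= default <= max); [] if OK."""
    problems, values = [], {}
    for claim in ("min", "default", "max"):
        key = f"{prefix}_{claim}_dur"
        if key not in params:          # each claim is optional on the module
            continue
        try:
            values[claim] = parse_duration(params[key])
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if values[claim] <= 0:
            problems.append(f"{key} must be a positive duration")
    if "min" in values and "max" in values and values["min"] > values["max"]:
        problems.append(f"{prefix}_min_dur exceeds {prefix}_max_dur")
    if "default" in values:
        if "min" in values and values["default"] < values["min"]:
            problems.append(f"{prefix}_default_dur is below {prefix}_min_dur")
        if "max" in values and values["default"] > values["max"]:
            problems.append(f"{prefix}_default_dur is above {prefix}_max_dur")
    return problems
```

Run it over a task's parameters with the prefix "x509", "ssh_user" or "ssh_host"; an empty list means the triple is safe to hand to the module.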