maxhoesel.smallstep.step_ca_token (0.23.1) module
Generate an OTT granting access to the CA
Added in version 0.3.0 of maxhoesel.smallstep
Authors: Max Hösel (@maxhoesel)

Install with: ansible-galaxy collection install maxhoesel.smallstep:==0.23.1

Or pin it in a requirements.yml:

collections:
  - name: maxhoesel.smallstep
    version: 0.23.1
Generate an OTT granting access to the CA. This module returns the token by default, but you can also save it on the remote host if you prefer.
Example:

- name: Generate a token on the CA, using the values from $STEPPATH
  maxhoesel.smallstep.step_ca_token:
    name: foo.bar
Parameters

name (str, required; alias: subject)
    The Common Name, DNS Name, or IP address that will be set by the certificate authority. When no additional Subject Alternative Names are configured via san, the subject is added as the only element of the 'sans' claim on the token.
san (list of str)
    Add dns/ip/email/uri Subject Alternative Name(s) (SANs) that should be authorized. A certificate signing request using this token must match the complete set of SANs in the token 1:1.
principal (list of str)
    Add the principals (user or host names) that the token is authorized to request. The signing request using this token won't be able to add extra names.
ssh (bool)
    Create a token for authorizing an SSH certificate signing request.
host (bool)
    Create a host certificate instead of a user certificate.
renew (bool)
    Create a token for authorizing 'renew' requests. The audience will be invalid for any other API request.
rekey (bool)
    Create a token for authorizing 'rekey' requests. The audience will be invalid for any other API request.
revoke (bool)
    Create a token for authorizing 'revoke' requests. The audience will be invalid for any other API request.

provisioner (str; alias: issuer)
    The provisioner name to use.
kid (str)
    The provisioner kid to use.
provisioner_password_file (path)
    The path to the file containing the password to decrypt the one-time token generating key.
key (path)
    The private key path used to sign the JWT. This is usually downloaded from the certificate authority.
x5c_cert (str)
    Certificate (chain) in PEM format to store in the 'x5c' header of a JWT.
x5c_key (path)
    Private key path, used to sign a JWT, corresponding to the certificate that will be stored in the 'x5c' header.
sshpop_cert (str)
    Certificate (chain) in PEM format to store in the 'sshpop' header of a JWT.
sshpop_key (path)
    Private key path, used to sign a JWT, corresponding to the certificate that will be stored in the 'sshpop' header.
k8ssa_token_path (path)
    Configure the file from which to read the kubernetes service account token.

not_before (str)
    The time/duration when the validity period starts.
not_after (str)
    The time/duration when the validity period ends.
cert_not_before (str)
    The time/duration when the certificate validity period starts.
cert_not_after (str)
    The time/duration when the certificate validity period ends.
    For all four: if a time is used it is expected to be in RFC 3339 format. If a duration is used, it is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

ca_url (str)
    URI of the targeted Step Certificate Authority. Used if the module is run in online mode (default) and the host's step-cli is not configured to trust the CA.
root (path)
    The path to the PEM file used as the root certificate authority. Used if the module is run in online mode (default) and the host's step-cli is not configured to trust the CA.
offline (bool)
    Don't contact the CA. Offline mode uses the configuration, certificates, and keys created with step ca init, but can accept a different configuration file using the ca_config parameter.
ca_config (path)
    The path to the certificate authority configuration file on the host.

return_token (bool)
    Return the OTT through the module return values. Depending on your security needs, you might want to use output_file instead. Conflicts with output_file.
output_file (path)
    The destination file of the generated one-time token. Conflicts with return_token.
force (bool)
    Force the overwrite of files without asking.
step_cli_executable (path, default: step-cli)
    Name (or absolute path) of the step-cli executable to use.
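A fuller playbook, added here as an illustration and not taken from the collection's own documentation: it mints a short-lived, SAN-restricted token on the CA host in offline mode and then redeems it on the target host with step-cli. The hostnames, the provisioner name "ansible", the file paths, and the `token` key on the module's return value are assumptions; the CSR built on the target must carry exactly the SANs listed in the token, which is why the redeem step passes no extra names.

```yaml
# Added example (not part of the maxhoesel.smallstep docs).
# Assumptions: a JWK provisioner named "ansible" whose password sits in
# /etc/step-ca/provisioner-password.txt on the CA host, a CA config at
# /etc/step-ca/config/ca.json, hosts ca.example.com and web01.example.com,
# step-cli installed on web01, and the module returning the OTT under "token".
- name: Mint a one-time token for web01 on the CA host
  hosts: ca.example.com
  become: true
  tasks:
    - name: Generate an OTT in offline mode, bound to web01's SANs
      maxhoesel.smallstep.step_ca_token:
        name: web01.example.com
        san:
          - web01.example.com
          - 10.0.0.21
        provisioner: ansible
        provisioner_password_file: /etc/step-ca/provisioner-password.txt
        offline: true
        ca_config: /etc/step-ca/config/ca.json
        not_after: 5m        # keep the token itself short-lived
        cert_not_after: 24h  # and the resulting certificate
        return_token: true
      register: web01_token
      no_log: true  # the OTT is a bearer credential; keep it out of the log

- name: Redeem the token on the target host
  hosts: web01.example.com
  become: true
  tasks:
    - name: Request the certificate with the OTT (SANs come from the token's claims)
      ansible.builtin.command:
        argv:
          - step-cli
          - ca
          - certificate
          - web01.example.com
          - /etc/ssl/web01.crt
          - /etc/ssl/web01.key
          - --ca-url=https://ca.example.com:9000
          - --root=/etc/ssl/step-root.crt
          - "--token={{ hostvars['ca.example.com'].web01_token.token }}"
        creates: /etc/ssl/web01.crt
      no_log: true
```

If the token must not transit through Ansible's result stream at all, set `return_token: false` with `output_file` on the CA host instead and move the file to the target by a channel you control; either way the token stays usable only for the named subject and SANs until `not_after` elapses.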