maxhoesel.smallstep.step_ca_provisioner (0.24.5) — module

Manage provisioners on a C(step-ca) server

Added in version 0.3.0 of maxhoesel.smallstep

Authors: Max Hösel (@maxhoesel)

Install collection

Install with ansible-galaxy collection install maxhoesel.smallstep:==0.24.5


Add to requirements.yml

  collections:
    - name: maxhoesel.smallstep
      version: 0.24.5

Description

Use this module to create and remove provisioners from a Smallstep CA server.


Requirements

Usage examples

# NOTE: All examples assume that the module is executed as a user with STEPPATH set to
# the step-ca config directory. If this is not the case, you can always specify the required
# parameters with ca_config

- name: Create a JWK provisioner with newly generated keys and a template for x509 certificates
  maxhoesel.smallstep.step_ca_provisioner:
    name: cicd
    type: JWK
    jwk_create: yes
    x509_template: ./templates/example.tpl
- name: Create a JWK provisioner with duration claims
  maxhoesel.smallstep.step_ca_provisioner:
    name: cicd
    type: JWK
    create: yes
    x509_min_dur: 20m
    x509_default_dur: 20m
    x509_max_dur: 24h
- name: Create a JWK provisioner with existing keys
  maxhoesel.smallstep.step_ca_provisioner:
    name: jane@doe.com
    type: JWK
    public_key: jwk.pub
    private_key: jwk.priv
- name: Create an OIDC provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: Google
    type: OIDC
    client_id: 1087160488420-8qt7bavg3qesdhs6it824mhnfgcfe8il.apps.googleusercontent.com
    client_secret: udTrOT3gzrO7W9fDPgZQLfYJ
    configuration_endpoint: https://accounts.google.com/.well-known/openid-configuration
- name: Create an X5C provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: x5c
    type: X5C
    x5c_root: x5c_ca.crt
- name: Create an ACME provisioner, forcing a CN and requiring EAB
  maxhoesel.smallstep.step_ca_provisioner:
    name: acme
    type: ACME
    force_cn: yes
    require_eab: yes
- name: Create a K8SSA provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: kube
    type: K8SSA
    ssh: true
    public_key: key.pub
- name: Create an SSHPOP provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: sshpop
    type: SSHPOP
- name: Create a SCEP provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: scep_provisioner
    type: SCEP
    scep_challenge: secret
    scep_encryption_algorithm_identifier: 2
- name: Create a complex Azure provisioner
  maxhoesel.smallstep.step_ca_provisioner:
    name: Azure
    type: Azure
    azure_tenant: bc9043e2-b645-4c1c-a87a-78f8644bfe57
    azure_resource_groups:
      - identity
      - accounting
    azure_subscription_ids:
      - dc760a01-2886-4a84-9abc-f3508e0f87d9
    azure_object_ids:
      - f50926c7-abbf-4c28-87dc-9adc7eaf3ba7

Inputs

ssh:
    default: true
    description: Enable provisioning of SSH certificates. Defaults to true; set ssh=false
      to create a provisioner that can only issue x509 certificates.
    type: bool

name:
    description: The name of the provisioner to add/remove.
    required: true
    type: str

root:
    description: The path to the PEM file used as the root certificate authority.
    type: path
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

type:
    choices:
    - JWK
    - OIDC
    - AWS
    - GCP
    - Azure
    - ACME
    - X5C
    - K8SSA
    - SSHPOP
    - SCEP
    - Nebula
    description: The type of provisioner to create (case-sensitive). Ignored when state
      == absent or updated. Required if state == present.
    type: str

state:
    choices:
    - present
    - updated
    - absent
    default: present
    description: Whether the provisioner should be present or absent. Note that C(present)
      does not update existing provisioners; if a provisioner with the given name already
      exists, differing parameters are silently ignored. C(updated) will attempt to update
      the provisioner regardless of whether it has changed or not, so it always reports the
      task as changed and is not idempotent.
    type: str
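The three states are easiest to see side by side. The play below is an added example, not one from the collection's documentation: it assumes local management of ca.json with STEPPATH set (as in the examples section) and that an update of claims alone leaves the provisioner's existing JWK key pair in place, which is how the underlying step-cli behaves. The provisioner name, durations and the rotate_cicd_claims variable are placeholders.

```yaml
# Added example: lifecycle of one provisioner through the three values of "state".
# Assumes STEPPATH points at the CA's config directory on the target host.
- name: Ensure the provisioner exists (no-op if a provisioner named cicd exists, even with other claims)
  maxhoesel.smallstep.step_ca_provisioner:
    name: cicd
    type: JWK
    jwk_create: yes
    x509_default_dur: 1h
    x509_max_dur: 4h

- name: Tighten the claims of the existing provisioner (always reports changed)
  maxhoesel.smallstep.step_ca_provisioner:
    name: cicd
    state: updated
    # type is ignored for state == updated, so it is omitted here
    x509_default_dur: 30m
    x509_max_dur: 1h
    disable_renewal: yes
    allow_renewal_after_expiry: no
  # state == updated is not idempotent; gate it behind a variable so a routine
  # run of the playbook does not rewrite ca.json (and restart step-ca) every time
  when: rotate_cicd_claims | default(false) | bool

- name: Remove the provisioner once the CI system has migrated off it
  maxhoesel.smallstep.step_ca_provisioner:
    name: cicd
    state: absent
```

The first task is safe to re-run but will never correct drift; the second corrects drift but cannot detect it. If you need both, run the C(updated) task under a tag or condition and use C(present) for everyday convergence.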

ca_url:
    description: URI of the targeted Step Certificate Authority
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

force_cn:
    description: Always set the common name in provisioned certificates.
    type: bool
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

x5c_root:
    aliases:
    - x5c_root_file
    description: Root certificate (chain) file used to validate the signature on X5C provisioning
      tokens.
    type: path

admin_key:
    description: Private key file used to sign a JWT, corresponding to the admin certificate
      that will be stored in the 'x5c' header.
    type: path

ca_config:
    default: C($STEPPATH)/config/ca.json
    description: The path to the certificate authority configuration file on the host
      if managing provisioners locally.
    type: path

admin_cert:
    description: Admin certificate (chain) in PEM format to store in the 'x5c' header
      of a JWT.
    type: path

jwk_create:
    aliases:
    - create
    description: Create the JWK key pair for the provisioner.
    type: bool
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

public_key:
    aliases:
    - jwk_public_key
    - k8ssa_public_key
    - k8s_pem_keys_file
    description: The file containing the JWK public key. Or, a file containing one or
      more PEM formatted keys, if used with the K8SSA provisioner.
    type: path

nebula_root:
    description: Root certificate (chain) file used to validate the signature on Nebula
      provisioning tokens.
    type: path
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

oidc_admins:
    aliases:
    - admin
    - oidc_admin
    - oidc_admin_email
    description: The emails of admin users in an OpenID Connect provisioner. These users
      will not have restrictions on the certificates they can sign. Must be a list.
    elements: str
    type: list

oidc_groups:
    aliases:
    - oidc_group
    - group
    description: The group list used to validate the groups extension in an OpenID Connect
      token. Must be a list.
    elements: str
    type: list

require_eab:
    description: Require (and enable) External Account Binding (EAB) for account creation.
      If this flag is set to false, then EAB is disabled.
    type: bool
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

aws_accounts:
    aliases:
    - aws_account
    description: The AWS account ids used to validate the identity documents. Must be
      a list
    elements: str
    type: list

azure_tenant:
    description: The Microsoft Azure tenant id used to validate the identity tokens.
    type: str

gcp_projects:
    aliases:
    - gcp_project
    description: The Google project ids used to validate the identity tokens. Must be
      a list
    elements: str
    type: list

instance_age:
    description: The maximum duration to grant a certificate in AWS and GCP provisioners.
      A duration is a sequence of decimal numbers, each with optional fraction and a unit
      suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"),
      "ms", "s", "m", "h".
    type: str

ssh_template:
    description: The ssh certificate template file, a JSON representation of the certificate
      to create.
    type: path
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

x509_max_dur:
    description: The maximum duration for an x509 certificate generated by this provisioner.
      Value must be a sequence of decimal numbers, each with optional fraction, and
      a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are
      "ns", "us" (or "µs"), "ms", "s", "m", "h".
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

x509_min_dur:
    description: The minimum duration for an x509 certificate generated by this provisioner.
      Value must be a sequence of decimal numbers, each with optional fraction, and
      a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are
      "ns", "us" (or "µs"), "ms", "s", "m", "h".
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

admin_subject:
    aliases:
    - admin_name
    description: The admin subject to use for generating admin credentials.
    type: str

password_file:
    description: The path to the file containing the password to encrypt or decrypt the
      private key.
    type: path

x509_template:
    description: The x509 certificate template file, a JSON representation of the certificate
      to create.
    type: path
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

azure_audience:
    description: The Microsoft Azure audience name used to validate the identity tokens.
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

oidc_client_id:
    aliases:
    - client_id
    description: The id used to validate the audience in an OpenID Connect token.
    type: str

oidc_tenant_id:
    aliases:
    - tenant_id
    description: The tenant-id used to replace the templatized {tenantid} in the OpenID
      Configuration.
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

scep_challenge:
    aliases:
    - challenge
    description: The SCEP challenge to use as a shared secret between a client and the
      CA. Treat it as a credential, since any client that knows it can obtain certificates
      from this provisioner; source it from Ansible Vault rather than a plain playbook.
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

disable_renewal:
    description: Disable renewal for all certificates generated by this provisioner.
    type: bool
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

jwk_private_key:
    aliases:
    - private_key
    description: The file containing the JWK private key.
    type: path
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

azure_object_ids:
    aliases:
    - azure_object_id
    description: The Microsoft Azure AD object ids used to validate the identity tokens.
      Must be a list
    elements: str
    type: list
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

ssh_host_max_dur:
    description: The maximum duration for an ssh host certificate generated by this provisioner.
      Value must be a sequence of decimal numbers, each with optional fraction, and
      a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are
      "ns", "us" (or "µs"), "ms", "s", "m", "h".
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

ssh_host_min_dur:
    description: The minimum duration for an ssh host certificate generated by this provisioner.
      Value must be a sequence of decimal numbers, each with optional fraction, and
      a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are
      "ns", "us" (or "µs"), "ms", "s", "m", "h".
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

ssh_user_max_dur:
    description: The maximum duration for an ssh user certificate generated by this provisioner.
      Value must be a sequence of decimal numbers, each with optional fraction, and
      a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are
      "ns", "us" (or "µs"), "ms", "s", "m", "h".
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

ssh_user_min_dur:
    description: The minimum duration for an ssh user certificate generated by this provisioner.
      Value must be a sequence of decimal numbers, each with optional fraction, and
      a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are
      "ns", "us" (or "µs"), "ms", "s", "m", "h".
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

x509_default_dur:
    description: The default duration for an x509 certificate generated by this provisioner.
      Value must be a sequence of decimal numbers, each with optional fraction, and
      a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are
      "ns", "us" (or "µs"), "ms", "s", "m", "h".
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

admin_provisioner:
    aliases:
    - admin_issuer
    description: The provisioner name to use for generating admin credentials.
    type: str

scep_capabilities:
    aliases:
    - capabilities
    description: The SCEP capabilities to advertise
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

scep_include_root:
    aliases:
    - include_root
    description: Include the CA root certificate in the SCEP CA certificate chain.
    type: bool
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

ssh_template_data:
    description: The ssh certificate template data file, a JSON map of data that can be
      used by the certificate template.
    type: path
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

oidc_client_secret:
    aliases:
    - client_secret
    description: The secret used to obtain the OpenID Connect tokens.
    type: str

x509_template_data:
    description: The x509 certificate template data file, a JSON map of data that can
      be used by the certificate template.
    type: path
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

admin_password_file:
    description: The path to the file containing the password to encrypt or decrypt the
      private key.
    type: path

disable_custom_sans:
    description: On cloud provisioners (AWS, GCP, Azure), if enabled only the instance's
      internal DNS name and IP address will be added as SANs. By default any SAN in the
      CSR is accepted.
    type: bool

oidc_listen_address:
    aliases:
    - listen_address
    - oidc_client_address
    description: The callback address used in the OpenID Connect flow (e.g. ":10000").
    type: str

step_cli_executable:
    default: step-cli
    description: Name (or absolute path) of the C(step-cli) executable to use
    type: path

gcp_service_accounts:
    aliases:
    - gcp_service_account
    description: The Google service account emails or ids used to validate the identity
      tokens. Must be a list
    elements: str
    type: list

ssh_host_default_dur:
    description: The default duration for an ssh host certificate generated by this provisioner.
      Value must be a sequence of decimal numbers, each with optional fraction, and
      a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are
      "ns", "us" (or "µs"), "ms", "s", "m", "h".
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

ssh_user_default_dur:
    description: The default duration for an ssh user certificate generated by this provisioner.
      Value must be a sequence of decimal numbers, each with optional fraction, and
      a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are
      "ns", "us" (or "µs"), "ms", "s", "m", "h".
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

azure_resource_groups:
    aliases:
    - azure_resource_group
    description: The Microsoft Azure resource group names used to validate the identity
      tokens. Must be a list
    elements: str
    type: list

azure_subscription_ids:
    aliases:
    - azure_subscription_id
    description: The Microsoft Azure subscription ids used to validate the identity tokens.
      Must be a list
    elements: str
    type: list
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

allow_renewal_after_expiry:
    description: Allow renewals for expired certificates generated by this provisioner.
    type: bool
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

disable_trust_on_first_use:
    description: On cloud provisioners, if enabled multiple sign requests for this provisioner
      from the same instance will be accepted. By default only the first request is
      accepted, so a compromised instance cannot obtain further certificates later.
    type: bool

scep_min_public_key_length:
    aliases:
    - min_public_key_length
    description: The minimum public key length of the SCEP RSA encryption key
    type: str
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep

oidc_configuration_endpoint:
    aliases:
    - configuration_endpoint
    description: OpenID Connect configuration url.
    type: str

scep_encryption_algorithm_identifier:
    aliases:
    - encryption_algorithm_identifier
    description: 'The id for the SCEP encryption algorithm to use. Valid values are 0
      - 4, inclusive. The values correspond to: 0: DES-CBC, 1: AES-128-CBC, 2: AES-256-CBC,
      3: AES-128-GCM, 4: AES-256-GCM. Defaults to DES-CBC (0) for legacy clients. DES
      provides no meaningful confidentiality against a modern attacker, so set an AES
      variant (2 or 4) unless a specific legacy client cannot negotiate anything else.'
    type: int
    version_added: 0.20.0
    version_added_collection: maxhoesel.smallstep