maxhoesel.smallstep.step_ca_token (0.24.5) — module

Generate an OTT granting access to the CA

Added in version 0.3.0 of maxhoesel.smallstep

Authors: Max Hösel (@maxhoesel)

Install collection

Install with ansible-galaxy collection install maxhoesel.smallstep:==0.24.5


Add to requirements.yml

  collections:
    - name: maxhoesel.smallstep
      version: 0.24.5

Description

Generate an OTT granting access to the CA. This module returns the token by default, but you can also save it on the remote host if you prefer.


Requirements

Usage examples

- name: Generate a token on the CA, using the values from $STEPPATH
  maxhoesel.smallstep.step_ca_token:
    name: foo.bar
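The task above uses only the defaults from $STEPPATH. The playbook below is an added example, not part of the collection's documentation, showing the two ways a practitioner typically wants to handle the OTT: written to a file on the target (online mode, with the file locked down and the task kept out of the log), and generated on the CA host in offline mode for an SSH host certificate. The provisioner name, the CA URL, the hostnames, and every path under /etc/step are assumptions for illustration.

```yaml
# Added example (not from the collection's own docs). All names and paths are assumed.
- name: Issue an X.509 one-time token on a web host (online mode)
  hosts: web01
  become: true
  vars:
    step_ca_url: "https://ca.example.internal"    # assumed CA URL
    step_root_pem: /etc/step/certs/root_ca.crt    # assumed root CA PEM on the host
  tasks:
    - name: Generate the token and write it to a file instead of returning it
      maxhoesel.smallstep.step_ca_token:
        name: web01.example.internal
        # The CSR signed with this token must carry exactly these SANs, no more, no fewer.
        san:
          - web01.example.internal
          - 10.0.0.11
        provisioner: ansible-jwk                               # assumed JWK provisioner name
        provisioner_password_file: /etc/step/secrets/ansible-jwk.pass
        ca_url: "{{ step_ca_url }}"
        root: "{{ step_root_pem }}"
        not_after: 24h            # duration syntax from the option description
        output_file: /run/step/web01.ott
        force: true
      # The OTT is a bearer secret: keep it out of the Ansible log and out of return values.
      no_log: true

    - name: Make sure only root can read the token file
      ansible.builtin.file:
        path: /run/step/web01.ott
        owner: root
        group: root
        mode: "0600"

- name: Issue an SSH host token on the CA itself (offline mode)
  hosts: ca
  become: true
  tasks:
    - name: Generate an SSH host-certificate token without contacting the CA
      maxhoesel.smallstep.step_ca_token:
        name: bastion01.example.internal
        ssh: true
        host: true
        # Principals the resulting host certificate may carry; the request cannot add more.
        principal:
          - bastion01.example.internal
          - bastion01
        offline: true
        ca_config: /etc/step-ca/config/ca.json                 # assumed CA config path
        provisioner: ansible-jwk                               # assumed JWK provisioner name
        provisioner_password_file: /etc/step/secrets/ansible-jwk.pass
        cert_not_after: 720h      # 30-day host certificate
        output_file: /etc/step/secrets/bastion01.ott
        force: true
      no_log: true
```

Both plays write the token to a file rather than using the default return value, since a returned token ends up in registered variables and, unless no_log is set, in the play output. Each token is also scoped as narrowly as the option set allows (explicit SANs or principals, a bounded validity), so a token that leaks can only be used for the single request it was minted for.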

Inputs

key:
    description: The private key path used to sign the JWT. This is usually downloaded
      from the certificate authority.
    type: path

kid:
    description: The provisioner kid to use.
    type: str

san:
    description: Add dns/ip/email/uri Subject Alternative Name(s) (SANs) that should
      be authorized. A certificate signing request using this token must match the complete
      set of SANs in the token 1:1. Must be a list.
    elements: str
    type: list

ssh:
    description: Create a token for authorizing an SSH certificate signing request.
    type: bool

host:
    description: Create a host certificate instead of a user certificate.
    type: bool

name:
    aliases:
    - subject
    description: The Common Name, DNS Name, or IP address that will be set by the certificate
      authority. When there are no additional Subject Alternative Names configured (via
      the I(san) parameter), the subject will be added as the only element of the 'sans'
      claim on the token.
    required: true
    type: str

root:
    description: The path to the PEM file used as the root certificate authority. Used
      if the module is run in online mode (default) and the host's C(step-cli) is not configured
      to trust the CA.
    type: path

force:
    description: Force the overwrite of files without asking.
    type: bool

rekey:
    description: Create a token for authorizing 'rekey' requests. The audience will be
      invalid for any other API request.
    type: bool

renew:
    description: Create a token for authorizing 'renew' requests. The audience will be
      invalid for any other API request.
    type: bool

ca_url:
    description: URI of the targeted Step Certificate Authority. Used if the module is
      run in online mode (default) and the host's C(step-cli) is not configured to trust
      the CA.
    type: str

revoke:
    description: Create a token for authorizing 'revoke' requests. The audience will be
      invalid for any other API request.
    type: bool

offline:
    description: Don't contact the CA. Offline mode uses the configuration, certificates,
      and keys created with step ca init, but can accept a different configuration file
      using the I(ca_config) flag.
    type: bool

x5c_key:
    description: Private key path, used to sign a JWT, corresponding to the certificate
      that will be stored in the 'x5c' header.
    type: path

x5c_cert:
    description: Certificate (chain) in PEM format to store in the 'x5c' header of a JWT.
    type: str

ca_config:
    description: The path to the certificate authority configuration file on the host.
    type: path

not_after:
    description: The time/duration when the certificate validity period ends. If a time
      is used it is expected to be in RFC 3339 format. If a duration is used, it is
      a sequence of decimal numbers, each with optional fraction and a unit suffix,
      such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us"
      (or "µs"), "ms", "s", "m", "h".
    type: str

principal:
    description: Add the principals (user or host names) that the token is authorized
      to request. The signing request using this token won't be able to add extra names.
      Must be a list.
    elements: str
    type: list

not_before:
    description: The time/duration when the certificate validity period starts. If a
      time is used it is expected to be in RFC 3339 format. If a duration is used, it
      is a sequence of decimal numbers, each with optional fraction and a unit suffix,
      such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us"
      (or "µs"), "ms", "s", "m", "h".
    type: str

sshpop_key:
    description: Private key path, used to sign a JWT, corresponding to the certificate
      that will be stored in the 'sshpop' header.
    type: path

output_file:
    description: The destination file of the generated one-time token. Conflicts with
      I(return_token).
    type: path

provisioner:
    aliases:
    - issuer
    description: The provisioner name to use.
    type: str

sshpop_cert:
    description: Certificate (chain) in PEM format to store in the 'sshpop' header of
      a JWT.
    type: str

return_token:
    description: Return the OTT through the module return values. Depending on your security
      needs, you might want to use I(output_path) instead.
    type: bool

cert_not_after:
    description: The time/duration when the certificate validity period ends. If a time
      is used it is expected to be in RFC 3339 format. If a duration is used, it is
      a sequence of decimal numbers, each with optional fraction and a unit suffix,
      such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us"
      (or "µs"), "ms", "s", "m", "h".
    type: str

cert_not_before:
    description: The time/duration when the certificate validity period starts. If a
      time is used it is expected to be in RFC 3339 format. If a duration is used, it
      is a sequence of decimal numbers, each with optional fraction and a unit suffix,
      such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us"
      (or "µs"), "ms", "s", "m", "h".
    type: str

k8ssa_token_path:
    description: Configure the file from which to read the kubernetes service account
      token.
    type: path

step_cli_executable:
    default: step-cli
    description: Name (or absolute path) of the C(step-cli) executable to use.
    type: path

provisioner_password_file:
    description: The path to the file containing the password to decrypt the one-time
      token generating key.
    type: path