hashivault_pki_cert_issue – Hashicorp Vault PKI Generate Certificate
New in version 4.5.0.
Synopsis
This module generates a new set of credentials (private key and certificate) based on the role named in the module.
The issuing CA certificate is returned as well, so that only the root CA need be in a client’s trust store.
Requirements
The below requirements are needed on the host that executes this module.
hvac>=0.10.1
ansible>=2.0.0
requests
Parameters

| Parameter | Choices/Defaults | Comments |
|---|---|---|
| authtype | token, or environment variable `VAULT_AUTHTYPE` | Authentication type |
| aws_header | Default: environment variable `VAULT_AWS_HEADER` | `X-Vault-AWS-IAM-Server-ID` header value, used to prevent replay attacks. |
| ca_cert | Default: environment variable `VAULT_CACERT` | Path to a PEM-encoded CA cert file used to verify the Vault server TLS certificate. |
| ca_path | Default: environment variable `VAULT_CAPATH` | Path to a directory of PEM-encoded CA cert files used to verify the Vault server TLS certificate. If `ca_cert` is specified, its value takes precedence. |
| client_cert | Default: environment variable `VAULT_CLIENT_CERT` | Path to a PEM-encoded client certificate for TLS authentication to the Vault server. |
| client_key | Default: environment variable `VAULT_CLIENT_KEY` | Path to an unencrypted PEM-encoded private key matching the client certificate. |
| common_name | | Specifies the requested CN for the certificate. If the CN is allowed by the role policy, the certificate is issued. |
| extra_params (dictionary) | | Collection of properties accepted by the PKI issue endpoint: https://www.vaultproject.io/api-docs/secret/pki#parameters-6 |
| login_mount_point | Default: value of `authtype`, or environment variable `VAULT_LOGIN_MOUNT_POINT` | Authentication mount point |
| mount_point | Default: `pki` | Location where the secrets engine is mounted, also known as the path. |
| namespace | Default: environment variable `VAULT_NAMESPACE` | Namespace for Vault |
| password | Default: environment variable `VAULT_PASSWORD` | Password to log in to Vault. |
| role | | Specifies the name of the role to issue the certificate under. |
| token | Default: environment variable `VAULT_TOKEN` | Token for Vault |
| url | Default: environment variable `VAULT_ADDR` | URL for Vault |
| username | Default: environment variable `VAULT_USER` | Username to log in to Vault. |
| verify | Default: environment variable `VAULT_SKIP_VERIFY` | If set, do not verify the presented TLS certificate before communicating with the Vault server. Setting this variable is not recommended except during testing. |
Examples

    ---
    - hosts: localhost
      tasks:
        - hashivault_pki_cert_issue:
            role: 'tester'
            common_name: 'test.example.com'
          register: cert
        - debug: msg="{{ cert }}"
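A fuller playbook, added here as an illustration and not taken from the module's own documentation: it passes a TTL and alternative names through `extra_params`, keeps the returned private key out of job output with `no_log`, and installs the issuing CA next to the leaf certificate as the synopsis describes. The mount point `pki_int`, the role `web-server`, the file paths, and the result layout `cert.data.<field>` (Vault's standard issue response fields `private_key`, `certificate`, `issuing_ca`, `serial_number`) are assumptions; this page does not document the module's return value.

```yaml
---
- hosts: localhost
  tasks:
    - name: Issue a short-lived server certificate under a role-constrained PKI mount
      hashivault_pki_cert_issue:
        mount_point: 'pki_int'          # assumed intermediate CA mount
        role: 'web-server'              # assumed role; it limits allowed names and max TTL
        common_name: 'www.example.com'
        extra_params:                   # fields from the PKI issue endpoint
          alt_names: 'example.com'
          ttl: '72h'
          exclude_cn_from_sans: false
      register: cert
      no_log: true                      # the result carries the private key

    # Assumption: the module returns Vault's issue response under cert.data
    - name: Install the private key readable only by root
      copy:
        content: "{{ cert.data.private_key }}"
        dest: /etc/ssl/private/www.example.com.key
        owner: root
        group: root
        mode: '0600'
      no_log: true

    - name: Install the leaf certificate followed by the issuing CA (chain for TLS clients)
      copy:
        content: "{{ cert.data.certificate }}\n{{ cert.data.issuing_ca }}\n"
        dest: /etc/ssl/certs/www.example.com.crt
        mode: '0644'

    - name: Record the serial number so the certificate can be tracked and revoked later
      debug:
        msg: "Issued certificate serial {{ cert.data.serial_number }}"
```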
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]
Authors
UNKNOWN