hashivault_pki_role – Hashicorp Vault PKI Create/Update/Delete Role¶
New in version 4.5.0.
Synopsis¶
This module creates or updates the role definition.
Note that the allowed_domains, allow_subdomains, allow_glob_domains, and allow_any_name attributes are additive; between them nearly and across multiple roles nearly any issuing policy can be accommodated. server_flag, client_flag, and code_signing_flag are additive as well.
If a client requests a certificate that is not allowed by the CN policy in the role, the request is denied.
Requirements¶
The below requirements are needed on the host that executes this module.
hvac>=0.10.1
ansible>=2.0.0
requests
Parameters¶
Parameter | Choices/Defaults | Comments | |
---|---|---|---|
authtype
-
|
"token or environment variable `VAULT_AUTHTYPE`"
|
authentication type
|
|
aws_header
-
|
Default: "to environment variable `VAULT_AWS_HEADER`"
|
X-Vault-AWS-IAM-Server-ID Header value to prevent replay attacks.
|
|
ca_cert
-
|
Default: "to environment variable `VAULT_CACERT`"
|
Path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate
|
|
ca_path
-
|
Default: "to environment variable `VAULT_CAPATH`"
|
Path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate. If ca_cert is specified, its value will take precedence
|
|
client_cert
-
|
Default: "to environment variable `VAULT_CLIENT_CERT`"
|
Path to a PEM-encoded client certificate for TLS authentication to the Vault server
|
|
client_key
-
|
Default: "to environment variable `VAULT_CLIENT_KEY`"
|
Path to an unencrypted PEM-encoded private key matching the client certificate
|
|
config
dictionary
|
Collection of properties from pki role https://www.vaultproject.io/api-docs/secret/pki#create-update-role
|
||
allow_any_name
boolean
|
|
Specifies if clients can request any CN
Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.
|
|
allow_bare_domains
boolean
|
|
Specifies if clients can request certificates matching the value of the actual domains themselves.
e.g. if a configured domain set with `allowed_domains` is `example.com`, this allows clients to actually request a certificate containing the name `example.com` as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.
|
|
allow_glob_domains
boolean
|
|
Allows names specified in `allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`)
Clients will be allowed to request certificates with names matching the glob patterns.
|
|
allow_ip_sans
boolean
|
|
Specifies if clients can request IP Subject Alternative Names
No authorization checking is performed except to verify that the given values are valid IP addresses.
|
|
allow_localhost
boolean
|
|
Specifies if clients can request certificates for `localhost` as one of the requested common names.
This is useful for testing and to allow clients on a single host to talk securely.
|
|
allow_subdomains
boolean
|
|
Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains.
For example, an `allowed_domains` value of `example.com` with this option set to true will allow `foo.example.com` and `bar.example.com` as well as `*.example.com`.
This is redundant when using the `allow_any_name` option.
|
|
allowed_domains
list
|
Specifies the domains of the role.
This is used with the `allow_bare_domains` and `allow_subdomains` options.
|
||
allowed_other_sans
string
|
Defines allowed custom OID/UTF8-string SANs
This can be a comma-delimited list or a JSON string slice, where each element has the same format as OpenSSL `<oid>;<type>:<value>`, but the only valid type is `UTF8` or `UTF-8`
The `value` part of an element may be a `*` to allow any value with that OID
Alternatively, specifying a single `*` will allow any `other_sans` input. `server_flag` `(bool)` Specifies if certificates are flagged for server use.
|
||
allowed_uri_sans
string
|
Defines allowed URI Subject Alternative Names
No authorization checking is performed except to verify that the given values are valid URIs
This can be a comma-delimited list or a JSON string slice
Values can contain glob patterns (e.g. `spiffe://hostname/*`).
|
||
basic_constraints_valid_for_non_ca
boolean
|
|
Mark Basic Constraints valid when issuing non-CA certificates.
|
|
client_flag
boolean
|
|
Specifies if certificates are flagged for client use.
|
|
code_signing_flag
boolean
|
|
Specifies if certificates are flagged for code signing use.
|
|
country
list
|
Specifies the C (Country) values in the subject field of issued certificates
|
||
email_protection_flag
boolean
|
|
Specifies if certificates are flagged for email protection use.
|
|
enforce_hostnames
boolean
|
|
Specifies if only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses.
|
|
ext_key_usage
list
|
Specifies the allowed extended key usage constraint on issued certificates
Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply drop the `ExtKeyUsage` part of the value
Values are not case-sensitive
To specify no key usage constraints, set this to an empty list.
|
||
ext_key_usage_oids
string
|
A comma-separated string or list of extended key usage oids.
|
||
generate_lease
boolean
|
|
Specifies if certificates issued/signed against this role will have Vault leases attached to them
Certificates can be added to the CRL by `vault revoke <lease_id>` when certificates are associated with leases
It can also be done using the `pki/revoke` endpoint
However, when lease generation is disabled, invoking `pki/revoke` would be the only way to add the certificates to the CRL.
|
|
key_bits
integer
|
Default: 2048
|
Specifies the number of bits to use for the generated keys
This will need to be changed for `ec` keys, e.g., 224 or 521.
|
|
key_type
string
|
Default: "rsa"
|
Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs
Currently, `rsa` and `ec` are supported, or when signing CSRs `any` can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys).
|
|
key_usage
list
|
Default: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]
|
Specifies the allowed key usage constraint on issued certificates
Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply drop the `KeyUsage` part of the value
Values are not case-sensitive
To specify no key usage constraints, set this to an empty list.
|
|
locality
list
|
Specifies the L (Locality) values in the subject field of issued certificates
|
||
max_ttl
string
|
Specifies the maximum Time To Live value provided as a string duration with time suffix.
Hour is the largest suffix.
If not set, defaults to the system maximum lease TTL.
|
||
no_store
boolean
|
|
If set, certificates issued/signed against this role will not be stored in the storage backend
This can improve performance when issuing large numbers of certificates
However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived
This option implies a value of `false` for `generate_lease`.
|
|
not_before_duration
duration
|
Default: "30s"
|
Specifies the duration by which to backdate the NotBefore property.
|
|
organization
list
|
Specifies the O (Organization) values in the subject field of issued certificates
|
||
ou
list
|
Specifies the OU (OrganizationalUnit) values in the subject field of issued certificates
|
||
policy_identifiers
list
|
A comma-separated string or list of policy OIDs.
|
||
postal_code
list
|
Specifies the Postal Code values in the subject field of issued certificates
|
||
province
list
|
Specifies the ST (Province) values in the subject field of issued certificates
|
||
require_cn
boolean
|
|
If set to false, makes the `common_name` field optional while generating a certificate.
|
|
serial_number
string
|
Specifies the Serial Number, if any
Otherwise Vault will generate a random serial for you
If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.
|
||
server_flag
boolean
|
|
Specifies if certificates are flagged for server use.
|
|
street_address
list
|
Specifies the Street Address values in the subject field of issued certificates
|
||
ttl
string
|
Specifies the Time To Live value provided as a string duration with time suffix.
Hour is the largest suffix.
If not set, uses the system default value or the value of `max_ttl`, whichever is shorter.
|
||
use_csr_common_name
boolean
|
|
When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data
This does `not` include any requested SANs in the CSR; use `use_csr_sans` for that.
|
|
use_csr_sans
boolean
|
|
When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data
This does `not` include the common name in the CSR; use `use_csr_common_name` for that.
|
|
login_mount_point
-
|
Default: "value of authtype or environment varialbe `VAULT_LOGIN_MOUNT_POINT`"
|
authentication mount point
|
|
mount_point
-
|
Default: "pki"
|
location where secrets engine is mounted. also known as path
|
|
name
-
|
Specifies the name of the role to create.
|
||
namespace
-
|
Default: "to environment variable VAULT_NAMESPACE"
|
namespace for vault
|
|
password
-
|
Default: "to environment variable `VAULT_PASSWORD`"
|
password to login to vault.
|
|
role_file
-
|
file with a json object containing play parameters. pass all params but name, state, mount_point which stay in the ansible play
|
||
state
-
|
|
Do you want for this config to be present or absent
|
|
token
-
|
Default: "to environment variable `VAULT_TOKEN`"
|
token for vault
|
|
url
-
|
Default: "to environment variable `VAULT_ADDR`"
|
url for vault
|
|
username
-
|
Default: "to environment variable `VAULT_USER`"
|
username to login to vault.
|
|
verify
-
|
Default: "to environment variable `VAULT_SKIP_VERIFY`"
|
If set, do not verify presented TLS certificate before communicating with Vault server. Setting this variable is not recommended except during testing
|
Examples¶
---
- hosts: localhost
tasks:
- hashivault_pki_role:
name: tester
config:
allow_subdomains: true
- hashivault_pki_role:
name: tester
role_file: "/opt/vault/etc/roles/pki-tester.json"
state: "present"
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]
Authors¶
UNKNOWN
Hint
If you notice any issues in this documentation, you can edit this document to improve it.