hashivault_pki_role – Hashicorp Vault PKI Create/Update/Delete Role

New in version 4.5.0.

Synopsis

  • This module creates or updates the role definition.

  • Note that the allowed_domains, allow_subdomains, allow_glob_domains, and allow_any_name attributes are additive; between them nearly and across multiple roles nearly any issuing policy can be accommodated. server_flag, client_flag, and code_signing_flag are additive as well.

  • If a client requests a certificate that is not allowed by the CN policy in the role, the request is denied.

Requirements

The below requirements are needed on the host that executes this module.

  • hvac>=0.10.1

  • ansible>=2.0.0

  • requests

Parameters

Parameter Choices/Defaults Comments
authtype
-
    Choices:
  • token
  • userpass
  • github
  • ldap
  • approle
Default:
"token or environment variable `VAULT_AUTHTYPE`"
authentication type
aws_header
-
Default:
"to environment variable `VAULT_AWS_HEADER`"
X-Vault-AWS-IAM-Server-ID Header value to prevent replay attacks.
ca_cert
-
Default:
"to environment variable `VAULT_CACERT`"
Path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate
ca_path
-
Default:
"to environment variable `VAULT_CAPATH`"
Path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate. If ca_cert is specified, its value will take precedence
client_cert
-
Default:
"to environment variable `VAULT_CLIENT_CERT`"
Path to a PEM-encoded client certificate for TLS authentication to the Vault server
client_key
-
Default:
"to environment variable `VAULT_CLIENT_KEY`"
Path to an unencrypted PEM-encoded private key matching the client certificate
config
dictionary
allow_any_name
boolean
    Choices:
  • no ←
  • yes
Specifies if clients can request any CN
Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.
allow_bare_domains
boolean
    Choices:
  • no ←
  • yes
Specifies if clients can request certificates matching the value of the actual domains themselves.
e.g. if a configured domain set with `allowed_domains` is `example.com`, this allows clients to actually request a certificate containing the name `example.com` as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.
allow_glob_domains
boolean
    Choices:
  • no ←
  • yes
Allows names specified in `allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`)
Clients will be allowed to request certificates with names matching the glob patterns.
allow_ip_sans
boolean
    Choices:
  • no
  • yes ←
Specifies if clients can request IP Subject Alternative Names
No authorization checking is performed except to verify that the given values are valid IP addresses.
allow_localhost
boolean
    Choices:
  • no
  • yes ←
Specifies if clients can request certificates for `localhost` as one of the requested common names.
This is useful for testing and to allow clients on a single host to talk securely.
allow_subdomains
boolean
    Choices:
  • no ←
  • yes
Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains.
For example, an `allowed_domains` value of `example.com` with this option set to true will allow `foo.example.com` and `bar.example.com` as well as `*.example.com`.
This is redundant when using the `allow_any_name` option.
allowed_domains
list
Specifies the domains of the role.
This is used with the `allow_bare_domains` and `allow_subdomains` options.
allowed_other_sans
string
Defines allowed custom OID/UTF8-string SANs
This can be a comma-delimited list or a JSON string slice, where each element has the same format as OpenSSL `<oid>;<type>:<value>`, but the only valid type is `UTF8` or `UTF-8`
The `value` part of an element may be a `*` to allow any value with that OID
Alternatively, specifying a single `*` will allow any `other_sans` input. `server_flag` `(bool)` Specifies if certificates are flagged for server use.
allowed_uri_sans
string
Defines allowed URI Subject Alternative Names
No authorization checking is performed except to verify that the given values are valid URIs
This can be a comma-delimited list or a JSON string slice
Values can contain glob patterns (e.g. `spiffe://hostname/*`).
basic_constraints_valid_for_non_ca
boolean
    Choices:
  • no ←
  • yes
Mark Basic Constraints valid when issuing non-CA certificates.
client_flag
boolean
    Choices:
  • no
  • yes ←
Specifies if certificates are flagged for client use.
code_signing_flag
boolean
    Choices:
  • no ←
  • yes
Specifies if certificates are flagged for code signing use.
country
list
Specifies the C (Country) values in the subject field of issued certificates
email_protection_flag
boolean
    Choices:
  • no ←
  • yes
Specifies if certificates are flagged for email protection use.
enforce_hostnames
boolean
    Choices:
  • no
  • yes ←
Specifies if only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses.
ext_key_usage
list
Specifies the allowed extended key usage constraint on issued certificates
Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply drop the `ExtKeyUsage` part of the value
Values are not case-sensitive
To specify no key usage constraints, set this to an empty list.
ext_key_usage_oids
string
A comma-separated string or list of extended key usage oids.
generate_lease
boolean
    Choices:
  • no ←
  • yes
Specifies if certificates issued/signed against this role will have Vault leases attached to them
Certificates can be added to the CRL by `vault revoke <lease_id>` when certificates are associated with leases
It can also be done using the `pki/revoke` endpoint
However, when lease generation is disabled, invoking `pki/revoke` would be the only way to add the certificates to the CRL.
key_bits
integer
Default:
2048
Specifies the number of bits to use for the generated keys
This will need to be changed for `ec` keys, e.g., 224 or 521.
key_type
string
Default:
"rsa"
Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs
Currently, `rsa` and `ec` are supported, or when signing CSRs `any` can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys).
key_usage
list
Default:
["DigitalSignature", "KeyAgreement", "KeyEncipherment"]
Specifies the allowed key usage constraint on issued certificates
Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply drop the `KeyUsage` part of the value
Values are not case-sensitive
To specify no key usage constraints, set this to an empty list.
locality
list
Specifies the L (Locality) values in the subject field of issued certificates
max_ttl
string
Specifies the maximum Time To Live value provided as a string duration with time suffix.
Hour is the largest suffix.
If not set, defaults to the system maximum lease TTL.
no_store
boolean
    Choices:
  • no ←
  • yes
If set, certificates issued/signed against this role will not be stored in the storage backend
This can improve performance when issuing large numbers of certificates
However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived
This option implies a value of `false` for `generate_lease`.
not_before_duration
duration
Default:
"30s"
Specifies the duration by which to backdate the NotBefore property.
organization
list
Specifies the O (Organization) values in the subject field of issued certificates
ou
list
Specifies the OU (OrganizationalUnit) values in the subject field of issued certificates
policy_identifiers
list
A comma-separated string or list of policy OIDs.
postal_code
list
Specifies the Postal Code values in the subject field of issued certificates
province
list
Specifies the ST (Province) values in the subject field of issued certificates
require_cn
boolean
    Choices:
  • no
  • yes ←
If set to false, makes the `common_name` field optional while generating a certificate.
serial_number
string
Specifies the Serial Number, if any
Otherwise Vault will generate a random serial for you
If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.
server_flag
boolean
    Choices:
  • no
  • yes ←
Specifies if certificates are flagged for server use.
street_address
list
Specifies the Street Address values in the subject field of issued certificates
ttl
string
Specifies the Time To Live value provided as a string duration with time suffix.
Hour is the largest suffix.
If not set, uses the system default value or the value of `max_ttl`, whichever is shorter.
use_csr_common_name
boolean
    Choices:
  • no
  • yes ←
When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data
This does `not` include any requested SANs in the CSR; use `use_csr_sans` for that.
use_csr_sans
boolean
    Choices:
  • no
  • yes ←
When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data
This does `not` include the common name in the CSR; use `use_csr_common_name` for that.
login_mount_point
-
Default:
"value of authtype or environment varialbe `VAULT_LOGIN_MOUNT_POINT`"
authentication mount point
mount_point
-
Default:
"pki"
location where secrets engine is mounted. also known as path
name
-
Specifies the name of the role to create.
namespace
-
Default:
"to environment variable VAULT_NAMESPACE"
namespace for vault
password
-
Default:
"to environment variable `VAULT_PASSWORD`"
password to login to vault.
role_file
-
file with a json object containing play parameters. pass all params but name, state, mount_point which stay in the ansible play
state
-
    Choices:
  • present ←
  • absent
Do you want for this config to be present or absent
token
-
Default:
"to environment variable `VAULT_TOKEN`"
token for vault
url
-
Default:
"to environment variable `VAULT_ADDR`"
url for vault
username
-
Default:
"to environment variable `VAULT_USER`"
username to login to vault.
verify
-
Default:
"to environment variable `VAULT_SKIP_VERIFY`"
If set, do not verify presented TLS certificate before communicating with Vault server. Setting this variable is not recommended except during testing

Examples

---
- hosts: localhost
  tasks:
    - hashivault_pki_role:
        name: tester
        config:
            allow_subdomains: true

    - hashivault_pki_role:
        name: tester
        role_file: "/opt/vault/etc/roles/pki-tester.json"
        state: "present"

Status

Authors

  • UNKNOWN

Hint

If you notice any issues in this documentation, you can edit this document to improve it.