azure.azcollection.azure_rm_keyvaultcertificate module – Managed keyvault certificate
Note
This module is part of the azure.azcollection collection (version 3.8.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install azure.azcollection.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: azure.azcollection.azure_rm_keyvaultcertificate.
New in azure.azcollection 3.4.0
Synopsis
Managed keyvault certificate.
Requirements
The below requirements are needed on the host that executes this module.
python >= 2.7
The host that executes this module must have the azure.azcollection collection installed via galaxy
All python packages listed in collection’s requirements.txt must be installed via pip on the host that executes modules from azure.azcollection
Full installation instructions may be found https://galaxy.ansible.com/azure/azcollection
Parameters
Parameter |
Comments |
|---|---|
Active Directory username. Use when authenticating with an Active Directory user rather than service principal. |
|
Azure AD authority url. Use when authenticating with Username/password, and has your own ADFS authority. |
|
Selects an API profile to use when communicating with Azure services. Default value of Default: |
|
Use to control if tags field is canonical or just appends to existing tags. When canonical, any tags not found in the tags parameter will be removed from the object’s metadata. Choices:
|
|
Controls the source of the credentials to use for authentication. Can also be set via the When set to When set to When set to When set to When set to The Choices:
|
|
Aan existing valid certificate, containing a private key, into Azure Key Vault. |
|
Controls the certificate validation behavior for Azure endpoints. By default, all modules will validate the server certificate, but when an HTTPS proxy is in use, or against Azure Stack, it may be necessary to disable this behavior by passing Choices:
|
|
Azure client ID. Use when authenticating with a Service Principal or Managed Identity (msi). Can also be set via the |
|
For cloud environments other than the US public cloud, the environment name (as defined by Azure Python SDK, eg, Default: |
|
Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to **True**, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. Set via credential file profile or the Choices:
|
|
Whether the certificate is enabled for use. Choices:
|
|
Parent argument. |
|
Parent argument. |
|
Certificate name. |
|
If the private key in the passed in certificate is encrypted, it is the password used for encryption. |
|
The management policy for the certificate. When generating a new certificate, if no policy is set, the default policy will be used. |
|
Indicates if the certificates generated under this policy should be published to certificate transparency logs. Choices:
|
|
Type of certificate to be requested from the issuer provider. |
|
he media type (MIME type) of the secret backing the certificate. Choices:
|
|
The extended ways the key of the certificate can be used. |
|
Indicates if the private key can be exported. For valid values, see KeyType. Choices:
|
|
Name of the referenced issuer object or reserved names. For example Choices:
|
|
Elliptic curve name. For valid values, see KeyCurveName. Choices:
|
|
The key size in bits. For example |
|
The type of key pair to be used for the certificate. Choices:
|
|
The extended ways the key of the certificate can be used. Choices:
|
|
Actions that will be performed by Key Vault over the lifetime of a certificate. |
|
The type of the action. Choices:
|
|
Days before expiry to attempt renewal. Value should be between 1 and `validity_in_months` multiplied by 27. If validity_in_months is 36, then value should be between 1 and 972 (36 * 27). |
|
Percentage of lifetime at which to trigger. Value should be between 1 and 99. |
|
Indicates if the same key pair will be used on certificate renewal. Choices:
|
|
Subject alternative DNS names of the X509 object. Either subject or one of the subject alternative name parameters are required for creating a certificate. |
|
Subject alternative emails of the X509 object. Either subject or one of the subject alternative name parameters are required for creating a certificate. |
|
Subject alternative user principal names of the X509 object. Either subject or one of the subject alternative name parameters are required for creating a certificate. |
|
The subject name of the certificate. Should be a valid X509 distinguished name. Either subject or one of the subject alternative name parameters are required for creating a certificate. This will be ignored when importing a certificate; the subject will be parsed from the imported certificate. |
|
The duration that the certificate is valid in months. |
|
Security profile found in ~/.azure/credentials file. |
|
Azure client secret. Use when authenticating with a Service Principal. |
|
State of the keyvault certificate. Choices:
|
|
Your Azure subscription Id. |
|
Dictionary of string:string pairs to assign as metadata to the object. Metadata tags on the object will be updated with any provided values. To remove tags set append_tags option to false. Currently, Azure DNS zones and Traffic Manager services also don’t allow the use of spaces in the tag. Azure Front Door doesn’t support the use of Azure Automation and Azure CDN only support 15 tags on resources. |
|
Azure tenant ID. Use when authenticating with a Service Principal. |
|
The thumbprint of the private key specified in x509_certificate_path. Use when authenticating with a Service Principal. Required if x509_certificate_path is defined. |
|
Vault uri where the certificate stored in. |
|
Path to the X509 certificate used to create the service principal in PEM format. The certificate must be appended to the private key. Use when authenticating with a Service Principal. |
Notes
Note
For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with
az login.Authentication is also possible using a service principal or Active Directory user.
To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.
To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.
Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.
See Also
See also
- Sign in with Azure CLI
How to authenticate using the
az logincommand.
Examples
- name: Import a keyvault certificate
azure_rm_keyvaultcertificate:
vault_uri: https://vault{{ rpfx }}.vault.azure.net
name: fredcerticate
enabled: true
password: Password@****
cert_data: "{{ lookup('file', 'cert.pem') }}"
state: import
tags:
key1: value1
- name: Generate a keyvault certificate
azure_rm_keyvaultcertificate:
vault_uri: https://vault{{ rpfx }}.vault.azure.net
name: fredcerticate
policy:
subject: 'CN=Anhui02'
issuer_name: self
exportable: true
key_type: RSA
key_size: 2048
san_emails:
- [email protected]
content_type: 'application/x-pkcs12'
validity_in_months: 36
lifetime_actions:
- action: EmailContacts
days_before_expiry: 10
enabled: true
state: generate
- name: Update the keyvault certificate
azure_rm_keyvaultcertificate:
vault_uri: https://vault{{ rpfx }}.vault.azure.net
name: fredcerticate
policy:
subject: 'CN=Anhui'
issuer_name: self
exportable: true
key_type: RSA
key_size: 2048
san_emails:
- [email protected]
content_type: 'application/x-pkcs12'
validity_in_months: 36
lifetime_actions:
- action: EmailContacts
days_before_expiry: 10
enabled: true
state: update
- name: Purge the keyvault certificate
azure_rm_keyvaultcertificate:
vault_uri: https://vault{{ rpfx }}.vault.azure.net
name: fredcerticate
state: purge
- name: Recover the keyvault certificate
azure_rm_keyvaultcertificate:
vault_uri: https://vault{{ rpfx }}.vault.azure.net
name: fredcerticate
state: recover
- name: Delete the keyvault certificate
azure_rm_keyvaultcertificate:
vault_uri: https://vault{{ rpfx }}.vault.azure.net
name: fredcerticate
state: absent
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The facts of certificates in Azure Key Vault. Returned: always |
|
CER contents of the X509 certificate. Returned: always Sample: |
|
The time when the certificate was deleted, in UTC. Returned: always Sample: |
|
The name of the certificate. Returned: always Sample: |
|
The management policy of the deleted certificate. Returned: always |
|
Certificate attributes. Returned: always |
|
Creation datetime. Returned: always Sample: |
|
Indicate whether the certificate is enabled. Returned: always Sample: |
|
Expiration datetime. Returned: success Sample: |
|
Not before datetime. Returned: success Sample: |
|
Reflects the deletion recovery days. Returned: always Sample: |
|
Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains ‘Purgeable’ the certificate can be permanently deleted by a privileged user, Otherwise, only the system can purge the certificate, at the end of the retention interval. Returned: always Sample: |
|
Update datetime. Returned: always Sample: |
|
Indicates if the certificates generated under this policy should be published to certificate transparency logs. Returned: always Sample: |
|
Type of certificate to be requested from the issuer provider. Returned: str Sample: |
|
If not specified, the media type (MIME type) of the secret backing the certificate. Returned: always Sample: |
|
The extended ways the key of the certificate can be used. Returned: always Sample: |
|
Indicates if the private key can be exported. Returned: always Sample: |
|
Name of the referenced issuer object or reserved names. Returned: always Sample: |
|
Elliptic curve name. For valid values, see KeyCurveName. Returned: always Sample: |
|
The key size in bits. Returned: always Sample: |
|
The type of key pair to be used for the certificate. Returned: always Sample: |
|
List of key usages. Returned: always Sample: |
|
Actions that will be performed by Key Vault over the lifetime of a certificate. Returned: always Sample: |
|
Indicates if the same key pair will be used on certificate renewal. Returned: always Sample: |
|
Subject alternative DNS names of the X509 object. Either subject or one of the subject alternative name parameters are required for creating a certificate. Returned: always Sample: |
|
Subject alternative emails of the X509 object. Either subject or one of the subject alternative name parameters are required for creating a certificate. Returned: always Sample: |
|
Subject alternative user principal names of the X509 object. Either subject or one of the subject alternative name parameters are required for creating a certificate. Returned: always Sample: |
|
The subject name of the certificate. Should be a valid X509 distinguished name. Either subject or one of the subject alternative name parameters are required for creating a certificate. This will be ignored when importing a certificate; the subject will be parsed from the imported certificate. Returned: always Sample: |
|
The duration that the certificate is valid in months. Returned: always Sample: |
|
The certificate’s properties. Returned: always |
|
Certificate attributes. Returned: always |
|
Creation datetime. Returned: always Sample: |
|
Indicate whether the certificate is enabled. Returned: always Sample: |
|
Expiration datetime. Returned: success Sample: |
|
Not before datetime. Returned: success Sample: |
|
Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains ‘Purgeable’ the certificate can be permanently deleted by a privileged user, Otherwise, only the system can purge the certificate, at the end of the retention interval. Returned: always Sample: |
|
Update datetime. Returned: always Sample: |
|
Id of the certificate. If specified all other ‘Id’ arguments should be omitted. Returned: always Sample: |
|
List of the certificate tags. Returned: always Sample: |
|
ID of the Key Vault. Returned: always Sample: |
|
The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string. Returned: always Sample: |
|
The url of the recovery object, used to identify and recover the deleted certificate. Returned: always Sample: |
|
The time when the certificate is scheduled to be purged, in UTC. Returned: always Sample: |