Retrieve a keytab
When To Use This
Use this when automation needs an existing keytab and must not rotate the principal keys.
Required Authority
IdM and Kerberos own the principal and its keys. The lookup retrieves the existing key material through ipa-getkeytab in retrieve mode (ipa-getkeytab -r), which succeeds only if the Kerberos identity running the lookup is permitted to retrieve keys for that principal; it never asks IdM to generate new keys.
Safety Boundary
This workflow is read-only with respect to the principal's keys in IdM: it copies the existing keytab and never increments the kvno. It does write the keytab to the destination you choose. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.
Secret Handling
Do not print payload material. Use no_log: true on payload-bearing tasks. Review artifacts should redact secret values, and payload manifest rendering should be opt-in.
Inputs
- Service or host principal
- Control node or EE package that provides ipa-getkeytab
- Kerberos authority allowed to retrieve the keytab
Steps
- Preflight the principal with the principal lookup.
- Retrieve the keytab with retrieve behavior and no_log: true.
- Write payloads only to controlled destinations or pass them directly to a render role.

- name: Retrieve existing service keytab
  ansible.builtin.set_fact:
    service_keytab_b64: "{{ lookup('eigenstate.ipa.keytab', 'HTTP/app.example.com', retrieve_mode='retrieve') }}"
  no_log: true
Example Keytab Retrieval
This playbook retrieves an existing keytab without rotating the principal and writes it with restrictive file permissions.
retrieve-keytab.yml
---
- name: Retrieve an existing service keytab
  hosts: app_servers
  become: true
  gather_facts: false
  tasks:
    - name: Retrieve and install the existing HTTP keytab
      eigenstate.ipa.keytab_manage:
        principal: "HTTP/{{ inventory_hostname }}@EXAMPLE.COM"
        state: retrieved
        destination: /etc/httpd/conf/httpd.keytab
        mode: "0600"
        owner: apache
        group: apache
        server: idm-01.example.com
        kerberos_keytab: /runner/env/ipa/automation.keytab
        verify: /etc/ipa/ca.crt
      no_log: true
Run It
ansible-playbook -i inventory.eigenstate_ipa.yml retrieve-keytab.yml
Expected Evidence
The lookup returns base64 keytab content for the requested principal, and the principal's kvno in IdM is the same after the run as before, because nothing in this workflow rotates keys. With no_log: true the run log shows only the task status, not the payload:
TASK [Retrieve existing service keytab] ********************************
ok: [localhost] => (output redacted by no_log)
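The two checks a reviewer wants from this workflow are the opt-in payload manifest from Secret Handling (what principals and kvnos a keytab holds, without ever showing key bytes) and the no-rotation evidence above (the kvno in the retrieved keytab equals the kvno recorded before the run). The following is an added example, not code from the eigenstate.ipa collection or from IdM. It decodes the MIT keytab file format (version 0x0502, the format ipa-getkeytab writes) with the standard library only; the function names manifest, current_kvno and not_rotated are this example's own, and the keytab bytes at the bottom are constructed here from dummy keys for the demonstration.

```python
"""Added example: inspect a retrieved keytab payload without exposing keys.

parse_keytab() decodes MIT keytab format 0x0502 (big-endian).  manifest()
renders the opt-in review artifact (principal, kvno, enctype, SHA-256 of the
key).  not_rotated() is the no-rotation check: kvno after == kvno before.
"""
from __future__ import annotations

import base64
import hashlib
import struct
from dataclasses import dataclass

MIT_KEYTAB_V2 = 0x0502


@dataclass(frozen=True)
class KeytabEntry:
    principal: str      # e.g. "HTTP/app.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int        # 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts
    timestamp: int
    key_sha256: str     # fingerprint only; raw key bytes are never kept


def _counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a counted_octet_string (uint16 length + data) at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Decode all live entries; deleted slots (negative size) are skipped."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != MIT_KEYTAB_V2:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                        # deleted slot: skip its bytes
            off += -size
            continue
        body = data[off:off + size]
        off += size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, pos = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(body, pos)
            comps.append(c.decode())
        pos += 4                            # uint32 name_type, not needed
        (timestamp,) = struct.unpack_from(">I", body, pos)
        pos += 4
        kvno = body[pos]                    # 8-bit vno
        pos += 1
        (enctype,) = struct.unpack_from(">H", body, pos)
        pos += 2
        key, pos = _counted(body, pos)
        if size - pos >= 4:                 # optional 32-bit vno wins if nonzero
            (vno32,) = struct.unpack_from(">I", body, pos)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, timestamp,
                                   hashlib.sha256(key).hexdigest()))
    return entries


def manifest(keytab_b64: str) -> list[dict]:
    """Opt-in review artifact: safe to log, contains no key material."""
    return [{"principal": e.principal, "kvno": e.kvno, "enctype": e.enctype,
             "key_sha256": e.key_sha256}
            for e in parse_keytab(base64.b64decode(keytab_b64))]


def current_kvno(keytab_b64: str, principal: str) -> int:
    kv = [e.kvno for e in parse_keytab(base64.b64decode(keytab_b64))
          if e.principal == principal]
    if not kv:
        raise LookupError(f"{principal} not present in keytab")
    return max(kv)


def not_rotated(expected_kvno: int, keytab_b64: str, principal: str) -> bool:
    """No-rotation evidence: kvno recorded before the run must still hold."""
    return current_kvno(keytab_b64, principal) == expected_kvno


def _entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int) -> bytes:
    """Encode one 0x0502 entry (used only to build the constructed sample)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">I", 1)            # name_type KRB5_NT_PRINCIPAL
    body += struct.pack(">I", ts) + bytes([kvno & 0xFF])
    body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
    body += struct.pack(">I", kvno)         # 32-bit vno
    return struct.pack(">i", len(body)) + body


# Constructed sample: two enctypes at kvno 3 plus one deleted slot; dummy keys.
SAMPLE_PRINCIPAL = "HTTP/app.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB_B64 = base64.b64encode(
    struct.pack(">H", MIT_KEYTAB_V2)
    + _entry(SAMPLE_PRINCIPAL, 3, 18, bytes(range(32)), 1700000000)
    + struct.pack(">i", -8) + bytes(8)
    + _entry(SAMPLE_PRINCIPAL, 3, 17, bytes(range(16)), 1700000000)
).decode()

if __name__ == "__main__":
    print(manifest(SAMPLE_KEYTAB_B64))
    print("not rotated:", not_rotated(3, SAMPLE_KEYTAB_B64, SAMPLE_PRINCIPAL))
```

In a playbook, record current_kvno against the keytab that was in place before the run (or the kvno reported by the principal lookup), pass the base64 payload from the no_log task into these functions, and fail the play when not_rotated returns False; only manifest output, never the base64 string, belongs in a review artifact.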
Troubleshooting
- ipa-getkeytab missing: use the IdM execution environment or install the platform IPA client package.
- Existing key not retrievable: verify the principal and the IdM keytab retrieval policy.
- Payload printed: add no_log: true and remove debug output.