How-to

Use this only when rotating principal keys is the intended maintenance action.

Boundary: Mutating
Authority: idm, kerberos, collection
Evidence: command-output

Rotate a keytab explicitly

When To Use This

Use this only when rotating principal keys is the intended maintenance action.

Required Authority

IdM and Kerberos own the principal keys. The module rotates only with explicit confirmation.

Safety Boundary

This workflow is mutating. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.

Secret Handling

Do not print payload material. Use no_log: true on payload-bearing tasks. Review artifacts should redact secret values, and payload manifest rendering should be opt-in.

Inputs

  • Principal name
  • Destination or return-content decision
  • confirm_rotation: true when state: rotated is intended

Steps

  1. Notify owners that existing keytabs will be invalidated.
  2. Run check mode or a retrieve-only task first.
  3. Run rotation with confirm_rotation: true and protect output with no_log: true.

- name: Rotate service keytab with explicit confirmation
  eigenstate.ipa.keytab_manage:
    principal: HTTP/app.example.com
    state: rotated
    confirm_rotation: true
    destination: /secure/keytabs/http-app.keytab
    mode: "0600"
  no_log: true

Example Explicit Rotation

This playbook rotates a keytab only after both the module state and the confirmation guard make the destructive operation explicit.

rotate-keytab.yml

---
- name: Rotate a service keytab with an explicit guard
  hosts: app_servers
  become: true
  gather_facts: false
  serial: 1
  tasks:
    - name: Rotate and install the HTTP keytab
      eigenstate.ipa.keytab_manage:
        principal: "HTTP/{{ inventory_hostname }}@EXAMPLE.COM"
        state: rotated
        confirm_rotation: true
        destination: /etc/httpd/conf/httpd.keytab
        mode: "0600"
        owner: apache
        group: apache
        server: idm-01.example.com
        kerberos_keytab: /runner/env/ipa/automation.keytab
        verify: /etc/ipa/ca.crt
      no_log: true

    - name: Restart the service after the keytab changes
      ansible.builtin.service:
        name: httpd
        state: restarted

Run It

ansible-playbook -i inventory.eigenstate_ipa.yml rotate-keytab.yml

Expected Evidence

The task reports an explicit rotation and the destination written by the module; the keytab bytes remain hidden by no_log: true:

keytab_result:
  changed: true
  principal: HTTP/app.example.com@EXAMPLE.COM
  state: rotated
  destination: /secure/keytabs/http-app.keytab
  mode: "0600"
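The Secret Handling section asks that review artifacts redact secret values, and the Expected Evidence section lists the non-secret fields a rotation should report. The Python helper below is an added example, not part of the eigenstate.ipa collection: it takes a registered keytab_manage result (a constructed sample using the values above), strips anything that looks like payload material before the result is written to an artifact, checks the evidence fields against the expected principal, state and mode, and confirms the on-disk keytab is mode 0600. The payload field names it redacts are assumptions, since the page does not show what the module calls returned keytab bytes.

```python
import os
import re
import stat
import tempfile

# Field names that might carry keytab payload material. These names are an
# assumption for this example; the page only states that return_content
# exists and should stay disabled, not what a returned payload is called.
PAYLOAD_FIELDS = {"content", "keytab", "keytab_b64", "payload"}

# Long base64 runs are treated as payload even under an unexpected field name.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

# Constructed sample of a registered result, using the page's Expected
# Evidence values.
SAMPLE_RESULT = {
    "changed": True,
    "principal": "HTTP/app.example.com@EXAMPLE.COM",
    "state": "rotated",
    "destination": "/secure/keytabs/http-app.keytab",
    "mode": "0600",
}

# The same result with a constructed payload field, as it might look if
# return_content had been left enabled (the bytes here are not a real keytab).
SAMPLE_WITH_PAYLOAD = dict(
    SAMPLE_RESULT,
    content="BQIAAABOAAEAC0VYQU1QTEUuQ09NAARIVFRQAA9hcHAuZXhhbXBsZS5jb20=",
)


def redact_result(result):
    """Return a copy of a module result with payload material replaced."""
    redacted = {}
    for key, value in result.items():
        is_payload_field = key in PAYLOAD_FIELDS
        looks_like_blob = isinstance(value, str) and BASE64_RE.match(value)
        redacted[key] = "<redacted>" if (is_payload_field or looks_like_blob) else value
    return redacted


def verify_rotation(result, expected_principal, expected_mode="0600"):
    """Compare the non-secret evidence fields against what a rotation should report.

    Returns a list of problems; an empty list means the evidence is consistent.
    """
    problems = []
    if result.get("state") != "rotated":
        problems.append(f"state is {result.get('state')!r}, expected 'rotated'")
    if result.get("changed") is not True:
        problems.append("changed is not true; no rotation was reported")
    principal = result.get("principal", "")
    # The module reports the principal with its realm; accept the expected
    # name with or without the realm suffix.
    if principal != expected_principal and not principal.startswith(expected_principal + "@"):
        problems.append(f"principal is {principal!r}, expected {expected_principal!r}")
    if result.get("mode") != expected_mode:
        problems.append(f"mode is {result.get('mode')!r}, expected {expected_mode!r}")
    if any(key in result for key in PAYLOAD_FIELDS):
        problems.append("result carries payload material; keep return_content disabled")
    return problems


def check_destination(path, expected_mode=0o600):
    """Confirm the installed keytab has exactly the expected permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode == expected_mode


def demo_check_destination():
    """Stand-in for the on-disk check: a temporary file installed with mode 0600."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        return check_destination(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(redact_result(SAMPLE_WITH_PAYLOAD))
    print(verify_rotation(SAMPLE_RESULT, "HTTP/app.example.com"))
    print(verify_rotation(SAMPLE_WITH_PAYLOAD, "HTTP/app.example.com"))
    print(demo_check_destination())
```

Run it against the dict Ansible registers for the rotation task (for example, by passing the registered variable through a small script or filter plugin) before that result is saved as a review artifact. A non-empty list from verify_rotation is the signal to stop the pipeline and look, since it means either the rotation was not reported or payload material leaked into the result.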

Troubleshooting

  • Module refuses rotation: verify confirm_rotation: true.
  • Dependent services fail: deploy the new keytab before restarting services.
  • Unexpected content return: keep return_content disabled unless required.