Tutorial

Learn the lease-like access boundary and expiry evidence.

Boundary: Read-only
Authority: idm, collection
Evidence: command-output

Open and close a temporary access window

What You Will Build

A lab-only temporary access window and a report showing the boundary.

What You Need Before Starting

  • An existing lab user
  • Delegated permission to manage user expiry attributes
  • A short test window that can expire safely

Lab Assumptions

  • Use a disposable lab user.
  • Do not test against a production breakglass account.
  • The tutorial demonstrates expiry behavior, not dynamic secret leasing.

Step-By-Step Path

  1. Open a short access window for the lab user.
  2. Optionally verify authentication behavior while the window is active.
  3. Expire the window with the same playbook.
  4. Verify authentication behavior after expiry.

ansible-playbook temporary-access.yml
ansible-playbook temporary-access.yml -e access_state=expire
ls -l artifacts

Example Tutorial Playbook

Open a short access window, then run the same playbook with `expire` to close it immediately when work is done.

temporary-access.yml

---
- name: Manage a temporary IdM user lease
  hosts: localhost
  gather_facts: false
  vars:
    access_state: open
  roles:
    - role: eigenstate.ipa.temporary_access_window
      vars:
        eigenstate_taw_state: "{{ access_state }}"
        eigenstate_taw_username: contractor01
        eigenstate_taw_server: idm-01.example.com
        eigenstate_taw_kerberos_keytab: /runner/env/ipa/automation.keytab
        eigenstate_taw_hbac_targethost: bastion01.example.com
        eigenstate_taw_hbac_service: sshd
        eigenstate_taw_principal_expiration: "02:00"
        eigenstate_taw_password_expiration_matches_principal: true
        eigenstate_taw_report_dir: ./artifacts

Run It

ansible-playbook temporary-access.yml
ansible-playbook temporary-access.yml -e access_state=expire

Expected Evidence

Both the open run and the expire run produce metadata-only evidence. Static report validation produces this review shape:

TASK [eigenstate.ipa.temporary_access_report : Render temporary access report JSON] ***
changed: [localhost]

TASK [eigenstate.ipa.temporary_access_report : Render temporary access report YAML] ***
changed: [localhost]

TASK [eigenstate.ipa.temporary_access_report : Render temporary access report Markdown] ***
changed: [localhost]

Sanitized JSON fields look like:

{
  "schema": "eigenstate.ipa/temporary_access_report/v1",
  "read_only": true,
  "summary": {
    "total_windows": "1",
    "expired_windows": "1"
  },
  "windows": [
    {
      "principal": "contractor01",
      "target": "bastion.example.com",
      "status": "expired",
      "opened_at": "2026-05-01T14:00:00Z",
      "expires_at": "2026-05-01T18:00:00Z"
    }
  ]
}
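The report above is evidence, not enforcement, so the reviewer still has to check that it is internally consistent and that the recorded status agrees with the clock. The following checker is an added example for this tutorial, not code from the eigenstate.ipa collection; it reads a report in the sanitized shape shown above and flags a window that claims to be expired while its expires_at is still in the future, or claims to be open after it. The timestamp format and the "open"/"expired" status vocabulary are assumptions, and the embedded sample report is constructed to match the page.

```python
"""Consistency checks over a temporary-access report artifact.

Added example for this tutorial; not part of the eigenstate.ipa collection.
Assumptions: timestamps are Z-suffixed ISO-8601 and status is "open" or "expired".
"""
import json
from datetime import datetime, timezone

EXPECTED_SCHEMA = "eigenstate.ipa/temporary_access_report/v1"

# Constructed sample mirroring the sanitized report on the page.
SAMPLE_REPORT = json.dumps({
    "schema": EXPECTED_SCHEMA,
    "read_only": True,
    "summary": {"total_windows": "1", "expired_windows": "1"},
    "windows": [
        {
            "principal": "contractor01",
            "target": "bastion.example.com",
            "status": "expired",
            "opened_at": "2026-05-01T14:00:00Z",
            "expires_at": "2026-05-01T18:00:00Z",
        }
    ],
})


def parse_utc(stamp: str) -> datetime:
    """Parse a Z-suffixed ISO-8601 timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_report(raw: str, now: datetime) -> list:
    """Return a list of findings; an empty list means the evidence is consistent.

    Checks the schema and read_only flag, that the summary counts agree with the
    windows list, that each window's timestamps are well ordered, and that the
    recorded status agrees with the clock passed in as `now`.
    """
    findings = []
    report = json.loads(raw)

    if report.get("schema") != EXPECTED_SCHEMA:
        findings.append(f"unexpected schema {report.get('schema')!r}")
    if report.get("read_only") is not True:
        findings.append("report does not assert read_only")

    windows = report.get("windows", [])
    summary = report.get("summary", {})
    expired = [w for w in windows if w.get("status") == "expired"]
    # Counts are serialized as strings in the sanitized example; compare as ints.
    if int(summary.get("total_windows", -1)) != len(windows):
        findings.append("summary.total_windows disagrees with windows list")
    if int(summary.get("expired_windows", -1)) != len(expired):
        findings.append("summary.expired_windows disagrees with windows list")

    for w in windows:
        label = f"{w.get('principal')}@{w.get('target')}"
        try:
            opened = parse_utc(w["opened_at"])
            expires = parse_utc(w["expires_at"])
        except (KeyError, ValueError) as exc:
            findings.append(f"{label}: bad timestamps ({exc})")
            continue
        if expires <= opened:
            findings.append(f"{label}: expires_at is not after opened_at")
        if w.get("status") == "expired" and expires > now:
            findings.append(f"{label}: marked expired but expires_at is in the future")
        if w.get("status") == "open" and expires <= now:
            findings.append(f"{label}: marked open but expires_at has passed")
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path to a rendered report, or run without arguments to check the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path).read() if path else SAMPLE_REPORT
    problems = check_report(raw, datetime.now(timezone.utc))
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

Run it as `python check_report.py artifacts/<report>.json` after the expire run; a non-zero exit means the report's own story does not hold together, which is the cue to go back to step 4 and re-test authentication rather than trust the artifact.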

What You Learned

  • Temporary access is represented through IdM expiry attributes.
  • A fresh authentication attempt after expiry is the proof that matters.
  • Reports record evidence but do not enforce remediation.

Next Page

Continue with /how-to/open-temporary-access-window.html.