This page contains worked playbook patterns for eigenstate.ipa.user_lease.
Use the capability guide to decide whether the module fits the temporary-access
problem. Use this page when you need the corresponding playbook shape.
```yaml
- name: Open a two-hour access window for a temporary user
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Set the principal lease boundary
      eigenstate.ipa.user_lease:
        username: temp-deploy
        principal_expiration: "02:00"
        server: idm-01.example.com
        kerberos_keytab: /etc/ipa/lease-operator.keytab
        ipaadmin_principal: lease-operator
        verify: /etc/ipa/ca.crt
      register: lease_result

    - ansible.builtin.debug:
        msg: "Lease ends at {{ lease_result.lease_end }}"
```
Why this pattern:
- lease_end can be passed to downstream audit or notification steps

```yaml
- name: Close the access window now
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Expire both the principal and password path
      eigenstate.ipa.user_lease:
        username: temp-maintenance
        state: expired
        password_expiration_matches_principal: true
        server: idm-01.example.com
        kerberos_keytab: /etc/ipa/lease-operator.keytab
        ipaadmin_principal: lease-operator
        verify: /etc/ipa/ca.crt
```
Why this pattern:
- state: expired makes the cutoff explicit instead of relying on cleanup

In the delegated model, the automation user only gets rights over users in a particular group such as lease-targets. Add require_groups so the play refuses to mutate a user outside that boundary.
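As an added example that is not part of the collection's own documentation, the playbook below combines the two patterns above with the require_groups boundary just described: it opens a lease, hands lease_end to an audit record, and if any downstream step fails it closes the window at once with state: expired instead of waiting for the cutoff. The audit-log path, the use of module_defaults to carry the connection parameters, and the assumption that lease_end renders as a plain string are mine, not the module's.

```yaml
- name: Open a governed lease, record it, and close it early on failure
  hosts: localhost
  gather_facts: false
  vars:
    lease_user: temp-deploy
    # Assumed path for the audit trail; the collection defines no such file.
    lease_audit_log: /var/log/ipa-lease-audit.log
  # Core Ansible feature: one place for the connection parameters every
  # user_lease call in this play needs.
  module_defaults:
    eigenstate.ipa.user_lease:
      server: idm-01.example.com
      kerberos_keytab: /etc/ipa/lease-operator.keytab
      ipaadmin_principal: lease-operator
      verify: /etc/ipa/ca.crt
  tasks:
    - name: Open the window, but only for a user inside the delegated group
      eigenstate.ipa.user_lease:
        username: "{{ lease_user }}"
        principal_expiration: "02:00"
        password_expiration_matches_principal: true
        require_groups:
          - lease-targets
      register: lease_result

    - name: Hand lease_end to the audit trail and the downstream work
      block:
        - name: Append an audit record for the open window
          ansible.builtin.lineinfile:
            path: "{{ lease_audit_log }}"
            create: true
            mode: "0640"
            line: "{{ now(utc=true).isoformat() }} open user={{ lease_user }} lease_end={{ lease_result.lease_end }}"

        - name: Downstream step that consumes the window (placeholder for real work)
          ansible.builtin.debug:
            msg: "Deploy window open for {{ lease_user }} until {{ lease_result.lease_end }}"

      rescue:
        # A downstream failure means nobody will use the window; do not leave
        # it open until the cutoff.
        - name: Close the window now
          eigenstate.ipa.user_lease:
            username: "{{ lease_user }}"
            state: expired
            password_expiration_matches_principal: true
            require_groups:
              - lease-targets

        - name: Record the early close and which step caused it
          ansible.builtin.lineinfile:
            path: "{{ lease_audit_log }}"
            create: true
            mode: "0640"
            line: "{{ now(utc=true).isoformat() }} closed-early user={{ lease_user }} failed_task={{ ansible_failed_task.name }}"

        - name: Re-raise so the run is still reported as failed
          ansible.builtin.fail:
            msg: "Lease for {{ lease_user }} closed early after '{{ ansible_failed_task.name }}' failed"
```

The rescue branch ends with an explicit fail so that the early close is never mistaken for a successful run; the audit file carries both the open record with lease_end and the close record with the name of the failing task.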
```yaml
- name: Set a lease only for governed users
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Refuse to touch users outside the governed target group
      eigenstate.ipa.user_lease:
        username: temp-build
        principal_expiration: "2026-04-09T18:30:00Z"
        password_expiration_matches_principal: true
        require_groups:
          - lease-targets
        server: idm-01.example.com
        kerberos_keytab: /etc/ipa/lease-operator.keytab
        ipaadmin_principal: lease-operator
        verify: /etc/ipa/ca.crt
```
Why this pattern:
- require_groups makes the play refuse to mutate a user outside the delegated target group

A temporary user lease is stronger when the workflow also checks whether the user would actually be allowed onto the target host.
```yaml
- name: Open access only if IdM policy already allows it
  hosts: localhost
  gather_facts: false
  vars:
    lease_user: temp-maintenance
    target_host: bastion-01.workshop.lan
  tasks:
    - name: Confirm HBAC allows the login path
      ansible.builtin.set_fact:
        hbactest_result: >-
          {{ lookup('eigenstate.ipa.hbacrule',
                    operation='test',
                    user=lease_user,
                    host=target_host,
                    service='sshd',
                    server='idm-01.example.com',
                    kerberos_keytab='/etc/ipa/lease-operator.keytab',
                    ipaadmin_principal='lease-operator',
                    verify='/etc/ipa/ca.crt') }}

    - name: Stop if IdM policy already denies the login path
      ansible.builtin.assert:
        that:
          - not hbactest_result.denied
        fail_msg: "HBAC denies {{ lease_user }} on {{ target_host }}"

    - name: Open the temporary access window
      eigenstate.ipa.user_lease:
        username: "{{ lease_user }}"
        principal_expiration: "01:00"
        password_expiration_matches_principal: true
        require_groups:
          - lease-targets
        server: idm-01.example.com
        kerberos_keytab: /etc/ipa/lease-operator.keytab
        ipaadmin_principal: lease-operator
        verify: /etc/ipa/ca.crt
```
Why this pattern:
- user_lease controls the cutoff, while hbacrule answers whether access would work at all

AAP is the scheduler and execution boundary here, not the lease engine. IdM is still what makes the user unusable after the cutoff.

Recommended Controller posture:
- ipaadmin_principal at the delegated operator user

Minimal task shape:
```yaml
- name: Controller task to open a temporary user lease
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Set the lease boundary in IdM
      eigenstate.ipa.user_lease:
        username: temp-release
        principal_expiration: "00:45"
        password_expiration_matches_principal: true
        require_groups:
          - lease-targets
        server: idm-01.workshop.lan
        kerberos_keytab: /runner/env/ipa/lease-operator.keytab
        ipaadmin_principal: lease-operator
        verify: /etc/ipa/ca.crt
```
Why this pattern:
- the cutoff is enforced by IdM, so the user becomes unusable at the cutoff even if no later Controller job ever runs
- the job runs as the delegated lease-operator principal with require_groups, so a Controller-side mistake cannot reach users outside lease-targets
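Added example, not code from the collection or from AAP: a Controller-oriented variant of the minimal task shape that reads the keytab path and operator principal from environment variables injected by a custom credential type, refuses to run when the keytab is missing or not restricted to its owner, and publishes lease_end with set_stats so that later workflow nodes (notification, audit) receive it as a job artifact. The environment and variable names (IPA_LEASE_KEYTAB, IPA_LEASE_PRINCIPAL, lease_user_from_survey) are assumed names, not ones defined by the collection or by Controller.

```yaml
- name: Controller task to open a temporary user lease and publish lease_end
  hosts: localhost
  gather_facts: false
  vars:
    # Assumed: a custom credential type with environment injectors sets these.
    ipa_keytab_path: "{{ lookup('ansible.builtin.env', 'IPA_LEASE_KEYTAB') }}"
    ipa_operator: "{{ lookup('ansible.builtin.env', 'IPA_LEASE_PRINCIPAL') | default('lease-operator', true) }}"
    # Assumed: the job template survey prompts for the user to lease.
    lease_user: "{{ lease_user_from_survey | default('temp-release') }}"
  tasks:
    - name: Look at the injected keytab before touching IdM
      ansible.builtin.stat:
        path: "{{ ipa_keytab_path }}"
      register: keytab

    - name: Fail early if the credential did not land or is too permissive
      ansible.builtin.assert:
        that:
          - ipa_keytab_path | length > 0
          - keytab.stat.exists
          # Conditions are checked in order, so stat.mode is only read when the file exists.
          - keytab.stat.mode in ['0400', '0600']
        fail_msg: "Keytab '{{ ipa_keytab_path }}' missing or not owner-only; check the credential attached to this job template"

    - name: Set the lease boundary in IdM
      eigenstate.ipa.user_lease:
        username: "{{ lease_user }}"
        principal_expiration: "00:45"
        password_expiration_matches_principal: true
        require_groups:
          - lease-targets
        server: idm-01.workshop.lan
        kerberos_keytab: "{{ ipa_keytab_path }}"
        ipaadmin_principal: "{{ ipa_operator }}"
        verify: /etc/ipa/ca.crt
      register: lease_result

    # set_stats output becomes a job artifact in Controller and is passed to
    # the next nodes of a workflow, so a notification or audit job can use it.
    - name: Publish the lease boundary for later workflow nodes
      ansible.builtin.set_stats:
        data:
          lease_user: "{{ lease_user }}"
          lease_end: "{{ lease_result.lease_end }}"
```

Keeping the keytab path out of the playbook and in the credential means the same job template can be pointed at a different operator keytab without editing the play, while the stat assertion catches the common failure of a job template launched without its credential attached.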