step-ca/registration-authority-ra-mode.mdx
Lines changed: 26 additions & 8 deletions
@@ -559,27 +559,45 @@ Here are the `config` options for `vaultcas` authorities:
559
559
560
560
-**pkiRoleEd25519**: the pki role used to issue Ed25519 certificates, defaults to *pkiRoleDefault*
561
561
562
-
-**authType**: required. the authentication method used to login to the vault, one of `approle`or `kubernetes`
562
+
-**authType**: required. the authentication method used to login to the vault, one of `approle`, `kubernetes`or `aws`
563
563
564
564
-**authMountPath**: the vault mount path for the auth method you want to use, if not set the default mount path for that auth type is used (usually the same name as the auth method)
565
565
566
566
-**namespace**: optional. if using Vault Enterprise, the [namespace](https://developer.hashicorp.com/vault/docs/enterprise/namespaces) to which requests should be scoped. Note: this value will apply to both the `pkiMountPath` and the `authMountPath`, effectively prefixing them
567
567
568
568
-**authOptions**: required. a set of options specific to the selected auth method type
569
569
570
-
-**roleID**:[authType=`approle`] required. the approle role-id to use
570
+
-For[authType=`approle`]:
571
571
572
-
-**secretID**: [authType=`approle`] the approle secret-id to use
572
+
-**roleID**: required. the approle role-id to use
573
573
574
-
-**secretIDFile**: [authType=`approle`]the path to a file containing a secret-id (recommended method in production environments)
574
+
-**secretID**: the approle secret-id to use
575
575
576
-
-**secretIDEnv**: [authType=`approle`]the name of an environment variable that contains the secret-id
576
+
-**secretIDFile**: the path to a file containing a secret-id (recommended method in production environments)
577
577
578
-
-**isWrappingToken**: [authType=`approle`] set true if the secret-id is wrapped
578
+
-**secretIDEnv**: the name of an environment variable that contains the secret-id
579
579
580
-
-**role**: [authType=`kubernetes`] required. the kubernetes role to use
580
+
-**isWrappingToken**: set true if the secret-id is wrapped
581
+
582
+
- For [authType=`kubernetes`]:
581
583
582
-
-**tokenPath**: [authType=`kubernetes`] the path to a token used to authenticate (default to the service account token path in a k8s pod)
584
+
-**role**: required. the kubernetes role to use
585
+
586
+
-**tokenPath**: the path to a token used to authenticate (default to the service account token path in a k8s pod)
587
+
588
+
- For [authType=`aws`]:
589
+
590
+
-**role**: required. the AWS role to use
591
+
592
+
-**awsAuthType**: required. the AWS authentication type to use, one of `iam` or `ec2`
593
+
594
+
-**region**: optional. the AWS region to use
595
+
596
+
-**iamServerIdHeader**: [awsAuthType=`iam`] optional. the additional header sent to Vault to mitigate replay attack
597
+
598
+
-**signatureType**: [awsAuthType=`ec2`] optional. the type of signature used to verify EC2 auth logins, one of `pkcs7`, `identity`, or `rsa2048`
599
+
600
+
-**nonce**: [awsAuthType=`ec2`] optional. the nonce sent to Vault to mitigate replay attack, a randomly generated nonce will be used if not provided
583
601
584
602
Finally, remove the `"root"`, `"key"`, and `"crt"` values from your `$(step path)/config/ca.json`, and the associated files. These are generated by `step ca init` but are not used by RA servers.
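Review bot: the replacement `authType` line (new 562) keeps the missing space from the line it replaces: `kubernetes`or `aws` should read `kubernetes` or `aws`. A few other small text problems in the added lines are worth fixing in the same change: `For[authType=`approle`]:` (new 571) lacks the space that `For [authType=`kubernetes`]:` (new 583) and `For [authType=`aws`]:` (new 588) have, and those two lines begin with a leading space that the approle one does not, so the three sub-lists will not render consistently; `iamServerIdHeader` (new 596) and `nonce` (new 600) say "mitigate replay attack" where "mitigate replay attacks" is meant; `tokenPath` (new 586) says "default to the service account token path" rather than "defaults to". Since the new `For [authType=...]` sections now sit between `authOptions` and the keys that belong to it, consider indenting those section lines and their bullets under `authOptions` so readers can see these keys go inside the `authOptions` object rather than at the top level of `config`.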