hosts map binds each managed host’s machine identity to the set of certificate profiles it can request.
Fields
| Field | Type | Required | Notes |
|---|---|---|---|
identity | string | yes | The CN of the host’s identity certificate (issued by step-ca). |
profiles | string[] | yes | Non-empty list of profile names the host may request. |
edge01, api01) is a human-readable label only — it appears in audit events and policy validation output. The broker authorizes by identity, not by label.
Matching rules
identitymust be a stable CN — the agent presents it as the client certificate’s CN over mTLS.- Two host entries must not share the same
identity. The policy compiler rejects duplicates. profilesmust reference profiles that exist in the same policy file.- An agent that asks for a profile not in its host’s
profileslist is rejected with an authorization failure, regardless of whether the profile itself exists.
Adding a new host
-
Issue a
step-cabootstrap token for the new CN. -
Add a host entry to the policy file:
-
If
policy.watch: trueis set on the broker, the change goes live immediately. Otherwise restart the broker. -
Deploy the agent and run
enrollon the host.
Removing a host
Delete itshosts.<label> entry. With policy.watch: true the change applies on next file change. The host’s identity certificate may continue to be valid (step-ca decides that), but the broker will reject all of its issuance requests.