Use Hashicorp Vault to sign user and host public SSH keys to allow time-leased SSH access and host authenticity
See hashicorp documentation for details
Note: Highly recommended to have deployed Vault + Consul cluster using the Ansible playbooks at this repository, or at least peruse for better understanding