HACKER Q&A
📣 cimnine

Automated SSH PKI Solution


We're a small company. We have several servers that we access through SSH. We like to centralize SSH access.

Current solutions we are aware of:

  - Share the SSH keys, e.g. on a shared filesystem.
  - Distribute SSH public keys of users with Puppet, Ansible, etc.
  - https://goteleport.com/ (a fancy bastion host)

What I'm looking for:

A tool, with which an employee requests access to a server and automatically gets a signed ssh key in return which has limited validity. This key is automatically loaded into the ssh-agent. Ideally, the '~/.ssh/config' is adjusted, so that the correct username is used, and '~/.ssh/known_hosts' is updated with the server's public key digest.

What I imagine from the perspective of the user:

  - 'tool auth'
    > Check if authenticated with the central key management server
    > Otherwise OAuth with my regular SSO (e.g. Google Workspace)
  - 'tool ssh server0.corp.com'
    > Check with the central key management server if the user has permission to access server0.corp.com
    > If yes, issue a time-constrained certificate (or sign the user's local public key, whatever)
    > Ensure that the server is configured correctly in '~/.ssh/config'
    > Ensure that the server public key digest is in '~/.ssh/known_hosts'
    > Add the certificate to ssh-agent
  - Run the ssh-based command, e.g. 'ssh server0.corp.com', 'scp local_file server0.corp.com:remote_file', 'ansible-playbook ...', 'git pull -pr' or whatever

Does such a system exist? Ideally something that is easy to deploy to a cloud if it would be self-hosted (and in the best case makes use of Azure KV, Google KMS, AWS KMS, Vault, ...) or that is hosted (i.e. offered as a service).

From the operator perspective, it should not take more than configuring the PKI in OpenSSH and/or maybe installing an agent on the server. (But it'd be great if that were not necessary (as OpenSSH afaik can already handle PKI) and if the PKI-related tasks were handled through Ansible/Puppet/etc. or the 'tool'.)


  👤 cimnine Accepted Answer ✓
It'd be a more or less automated version of this (German) article:

https://www.fabiblog.de/2018/08/21/openssh-certificate-autho...

Google Translate'd Version:

https://translate.google.com/translate?sl=de&tl=en&u=https:/...
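The manual OpenSSH certificate-authority flow that the question wants automated, run end to end in a temp directory, as an added example that is not part of the original post or of the linked article. It assumes ssh-keygen (openssh-client) is installed; the user name alice, the principal deploy, the 8-hour validity, the CA key names and the server0 host key are constructed for the demo, and server0.corp.com is the hostname from the question.

```shell
#!/bin/sh
# Added example, not from the original post or the linked article: the manual
# OpenSSH user-certificate flow (CA -> signed short-lived cert -> client files).
# 'alice', 'deploy', '+8h' and all key file names are constructed for the demo;
# server0.corp.com is the hostname from the question. Needs ssh-keygen.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Operator, once: create the user CA. In production the private half stays in
# a KMS/Vault or on the signing service, never on servers or laptops.
make_user_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'corp-user-ca' -f "$WORK/user_ca"
}

# Operator, per server: sshd trusts the CA; which certificate may log in as
# which account is decided by the cert's principals, matched per account via
# AuthorizedPrincipalsFile (e.g. /etc/ssh/auth_principals/deploy lists 'deploy').
# This is the whole server-side change; no agent is required.
sshd_config_fragment() {
  printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
  printf 'AuthorizedPrincipalsFile /etc/ssh/auth_principals/%%u\n'
}

# Signing service, per request: generate the user's key pair and sign the
# public half with a short validity window (-V), explicit principals (-n) and a
# key ID (-I) naming the SSO identity, so sshd logs tie sessions to a person.
sign_user_key() {
  user="$1"; principals="$2"; validity="$3"
  ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/$user"
  ssh-keygen -q -s "$WORK/user_ca" -I "$user@sso" -n "$principals" \
    -V "$validity" "$WORK/$user.pub"          # writes $WORK/$user-cert.pub
}

# Read fields back from the issued certificate: what the tool (or an auditor)
# checks before handing the cert to the user.
cert_key_id() {
  ssh-keygen -L -f "$WORK/$1-cert.pub" | sed -n 's/.*Key ID: "\(.*\)"/\1/p'
}
cert_principals() {
  ssh-keygen -L -f "$WORK/$1-cert.pub" |
    awk '/Principals:/{p=1;next} /Critical Options:/{p=0} p{print $1}' | paste -sd, -
}

# Client side: the ~/.ssh/config block the tool would write so a plain
# 'ssh server0.corp.com' uses the right account, key and certificate.
ssh_config_block() {
  host="$1"; login="$2"; keyfile="$3"
  printf 'Host %s\n  User %s\n  IdentityFile %s\n  CertificateFile %s-cert.pub\n' \
    "$host" "$login" "$keyfile" "$keyfile"
}

# Client side: pin the server's host key in known_hosts from its public key
# file (key type and base64 blob only, comment dropped).
known_hosts_line() {
  host="$1"; hostkey_pub="$2"
  printf '%s %s\n' "$host" "$(cut -d' ' -f1,2 "$hostkey_pub")"
}

# Demo: CA, an 8-hour cert letting alice log in as 'deploy', and the
# client-side files. A freshly generated key stands in for server0's host key.
demo() {
  make_user_ca
  sign_user_key alice "alice,deploy" +8h
  ssh-keygen -q -t ed25519 -N '' -C 'server0 hostkey' -f "$WORK/server0_host_key"
  sshd_config_fragment
  ssh_config_block server0.corp.com deploy "$WORK/alice"
  known_hosts_line server0.corp.com "$WORK/server0_host_key.pub"
  echo "issued: $(cert_key_id alice) principals=$(cert_principals alice)"
  # With an agent running, 'ssh-add "$WORK/alice"' loads key and cert together.
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh example.sh demo`; the printed sshd fragment, Host block and known_hosts line are the three artefacts the question's 'tool' would have to manage, and `ssh-keygen -L` on the cert shows the validity window and principals the server will enforce. The expiry is in the certificate itself, so nothing needs to be revoked on the servers when it lapses.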