# This section and its options are optional.
# Section names are case-sensitive in Python's configparser; keep the header spelled exactly as below.
[Bless Options]
# Number of seconds +/- the issued time for the certificate to be valid.
# Both values are a window around the issue time; the "after" value is effectively how long a signed user
# certificate stays usable, so keep it short.
certificate_validity_after_seconds = 120
certificate_validity_before_seconds = 120
# Minimum number of bits in the system entropy pool before requiring an additional seeding step
entropy_minimum_bits = 2048
# Number of bytes of random to fetch from KMS to seed /dev/urandom
random_seed_bytes = 256
# Set the logging level (INFO shown; presumably a Python logging level name — confirm against the config loader)
logging_level = INFO
# Comma separated list of the SSH Certificate extensions to include. Not specifying this uses the ssh-keygen defaults:
# certificate_extensions = permit-X11-forwarding,permit-agent-forwarding,permit-port-forwarding,permit-pty,permit-user-rc
# Narrowing this list (e.g. omitting permit-port-forwarding or permit-agent-forwarding) limits what a certificate
# holder can do on the target host; review it against what the deployment actually needs.
# Username validation options are described in bless_request_user.py:USERNAME_VALIDATION_OPTIONS
# Configure how bastion_user names are validated.
# username_validation = useradd
# Configure how remote_usernames names are validated.
# remote_usernames_validation = principal
# Configure a regex of blacklisted remote_usernames that will be rejected for any value of remote_usernames_validation.
# This is a deny-list: names the regex does not match are still allowed. The example rejects "root" and names
# starting with "admin" (presumably matched from the start of the name — confirm against the validator).
# remote_usernames_blacklist = root|admin.*
# Number of seconds +/- the issued time for the server certificates to be valid
# (the example "after" value, 31536000 seconds, is one year).
# server_certificate_validity_before_seconds = 120
# server_certificate_validity_after_seconds = 31536000
# Configure how server certificate hostnames are validated
# hostname_validation = url
# These values are all required to be modified for deployment.
# Every <INSERT_...> placeholder below must be replaced; they are not usable values.
[Bless CA]
# You must set an encrypted private key password for each AWS Region you deploy into
# for each aws region specify a config option like '{}_password'.format(aws_region)
# The value is the CA key's passphrase encrypted with KMS and then base64 encoded; the plaintext passphrase
# must never be written into this file.
us-east-1_password = <INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>
us-west-2_password = <INSERT_US-WEST-2_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>
# Or you can set a default password. Region-specific passwords take precedence over the default.
# default_password = <KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>
# Specify the file name of your SSH CA's Private Key in PEM format.
# The PEM is expected to be passphrase-protected ("ENCRYPTED" in the placeholder); its passphrase is the
# KMS-encrypted value configured above.
ca_private_key_file = <INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>
# Or specify the private key directly as a base64 encoded string.
# Either form ships CA key material alongside this file; restrict who can read the deployment package.
# ca_private_key = <INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>
# This section is optional.
# If kmsauth is left disabled, the check described below (certificate username matches the AWS user) is not
# performed at all.
[KMS Auth]
# Enable kmsauth, to ensure the certificate's username matches the AWS user
# use_kmsauth = True
# One or multiple KMS keys, setup for kmsauth (see github.com/lyft/python-kmsauth)
# The ARN below is an example; replace it with the ARN of your own key.
# kmsauth_key_id = arn:aws:kms:us-east-1:000000012345:key/eeff5544-6677-8899-9988-aaaabbbbcccc
# If using kmsauth, you need to set the kmsauth service name. Users need to set the 'to'
# context to this same service name when they create a kmsauth token.
# kmsauth_serviceid = bless-production
# By default, kmsauth requires that requested bastion_user must be the same as the requested remote_usernames. If you
# want Bless to sign a certificate for a different remote_usernames (like root, or a shared admin account), you must
# specify those allowed names here. * will allow signing for all remote_usernames
# kmsauth_remote_usernames_allowed = ubuntu,root,ec2-user,stufflikethat
# If the kmsauth_remote_usernames_allowed option is set, kmsauth will allow certificates for those usernames
# to be generated by any user who can invoke the lambda function. If you would like to ensure that users have to
# be in an IAM group pertaining to the remote_username, enable this option.
# Leaving this False while kmsauth_remote_usernames_allowed contains * (or root) means every Lambda invoker can
# obtain a certificate for those accounts; choose the two options together, deliberately.
# kmsauth_validate_remote_usernames_against_iam_groups = False
# For use with the kmsauth_validate_remote_usernames_against_iam_groups option. By default the required format for
# the group name is "ssh-{}".format(remote_username), but that can be changed here. The groups must have a
# consistent naming scheme and must all contain the remote_username once. For example, ssh-ubuntu.
# kmsauth_iam_group_name_format = ssh-{}