I finally got Netflix’s Bless running in production using a forked version of Lyft’s client. This post will focus on the first and easier portion: Bless in Lambda.
Time and Terraform. I like Terraform because I dislike CloudFormation. Feel free to adapt.
This is actually the easiest part, because it’s straightforward. Side note: I like Bless because of its simplicity. It uses Lambda + KMS and nothing more. The permissions are stupid simple. The purpose, after talking to one of the guys behind it, was to make it feel native and unintrusive. It works.
This was the hardest to get going, because configuration always is. The README says to paste a function into Lambda to generate your password. But that’s not needed with the super awesome Lambda container from lambci. To do this, create a file function.py with the contents:
This is an example of what my client config looks like:
ip_urls: https://api.ipify.org, https://canihazip.com
account_id: my account id
kmsauthkey: my kms id that i used for the original password encrypt
You should now have a Lambda that can generate certificates to use. You’ll need to put the public keys from foo1.pub and foo2.pub into your servers at /etc/ssh/cas.pub and add TrustedUserCAKeys /etc/ssh/cas.pub to /etc/ssh/sshd_config. You can test this with their client:
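To make the server-side step concrete, here is an added Python example (not code from this post, from Bless, or from Lyft’s client) that assembles cas.pub from several CA public key lines and makes sure sshd_config has exactly one active TrustedUserCAKeys directive pointing at it. The /etc/ssh/cas.pub path and the TrustedUserCAKeys directive come from the post; the sample CA key bytes and the sshd_config fragment are constructed placeholders, and the helper names are my own.

```python
"""Server-side half of the Bless setup: assemble /etc/ssh/cas.pub from the CA
public keys and make sure sshd_config trusts it. Added example, not Bless code."""
import base64
import re

# OpenSSH public-key line: "<type> <base64 blob> [comment]"
PUBKEY_RE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) ([A-Za-z0-9+/=]+)(?: (.*))?$"
)


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_pub_line(raw_key: bytes, comment: str) -> str:
    """Build an OpenSSH ed25519 public-key line from 32 raw key bytes. Used here only
    to construct sample keys; a real cas.pub holds the CA keys Bless signs with."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_ca_public_key(line: str):
    """Validate one public-key line; return (type, blob_b64, comment).

    The blob must decode and must start with a type string matching the text
    type, which catches truncated or mis-pasted keys before sshd does."""
    m = PUBKEY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an OpenSSH public key line: {line!r}")
    ktype, blob_b64, comment = m.groups()
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"bad base64 in key blob: {exc}") from exc
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key blob does not match declared key type")
    return ktype, blob_b64, comment or ""


def build_cas_pub(key_lines) -> str:
    """Merge several CA public keys (e.g. foo1.pub and foo2.pub) into cas.pub
    content, validating each and dropping exact duplicates."""
    entries = []
    seen = set()
    for line in key_lines:
        ktype, blob_b64, comment = parse_ca_public_key(line)
        if (ktype, blob_b64) in seen:
            continue
        seen.add((ktype, blob_b64))
        entries.append(f"{ktype} {blob_b64} {comment}".rstrip())
    return "\n".join(entries) + "\n"


def ensure_trusted_ca(sshd_config: str, cas_path: str = "/etc/ssh/cas.pub") -> str:
    """Return sshd_config text with exactly one active TrustedUserCAKeys directive.

    sshd uses the first value it sees for a keyword, so a stale directive earlier
    in the file would silently win; the first one is rewritten and any later
    ones are commented out rather than deleted."""
    out = []
    found = False
    for line in sshd_config.splitlines():
        if re.match(r"(?i)^\s*TrustedUserCAKeys\b", line):
            if found:
                out.append("#" + line)
            else:
                out.append(f"TrustedUserCAKeys {cas_path}")
                found = True
        else:
            out.append(line)
    if not found:
        out.append(f"TrustedUserCAKeys {cas_path}")
    return "\n".join(out) + "\n"


# Constructed sample CA keys (placeholder bytes, not real Bless CA keys).
SAMPLE_CA_KEYS = [
    make_ed25519_pub_line(bytes(range(32)), "bless-ca-foo1"),
    make_ed25519_pub_line(bytes(range(32, 64)), "bless-ca-foo2"),
]
# Constructed sshd_config fragment with a stale directive that should be replaced.
SAMPLE_SSHD_CONFIG = (
    "Port 22\n"
    "#TrustedUserCAKeys /etc/ssh/old.pub\n"
    "TrustedUserCAKeys /etc/ssh/old.pub\n"
)

if __name__ == "__main__":
    print(build_cas_pub(SAMPLE_CA_KEYS), end="")
    print(ensure_trusted_ca(SAMPLE_SSHD_CONFIG), end="")
```

Write the output of build_cas_pub to /etc/ssh/cas.pub and the output of ensure_trusted_ca back to /etc/ssh/sshd_config, then reload sshd. Commenting out rather than deleting extra directives keeps the old value visible for review, and validating the key blob against the declared type catches a key that was pasted with a missing character, which sshd would otherwise reject only at login time.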