bless_deploy_example.cfg

# This section and its options are optional
[Bless Options]
# Number of seconds +/- the issued time for the certificate to be valid
certificate_validity_after_seconds = 120
certificate_validity_before_seconds = 120
# Minimum number of bits in the system entropy pool before requiring an additional seeding step
entropy_minimum_bits = 2048
# Number of bytes of random to fetch from KMS to seed /dev/urandom
random_seed_bytes = 256
# Set the logging level
logging_level = INFO
# Comma separated list of the SSH Certificate extensions to include. Not specifying this uses the ssh-keygen defaults:
# certificate_extensions = permit-X11-forwarding,permit-agent-forwarding,permit-port-forwarding,permit-pty,permit-user-rc
# Username validation options are described in bless_request_user.py:USERNAME_VALIDATION_OPTIONS
# Configure how bastion_user names are validated.
# username_validation = useradd
# Configure how remote_usernames names are validated.
# remote_usernames_validation = principal
# Configure a regex of blacklisted remote_usernames that will be rejected for any value of remote_usernames_validation.
# remote_usernames_blacklist = root|admin.*
# Number of seconds +/- the issued time for the server certificates to be valid
# server_certificate_validity_before_seconds = 120
# server_certificate_validity_after_seconds = 31536000
# Configure how server certificate hostnames are validated
# hostname_validation = url

# These values are all required to be modified for deployment
[Bless CA]
# You must set an encrypted private key password for each AWS Region you deploy into
# for each aws region specify a config option like '{}_password'.format(aws_region)
us-east-1_password = <INSERT_US-EAST-1_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>
us-west-2_password = <INSERT_US-WEST-2_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>
# Or you can set a default password. Region specific password have precedence over the default
# default_password = <KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>
# Specify the file name of your SSH CA's Private Key in PEM format.
ca_private_key_file = <INSERT_YOUR_ENCRYPTED_PEM_FILE_NAME>
# Or specify the private key directly as a base64 encoded string.
# ca_private_key = <INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>

# This section is optional
[KMS Auth]
# Enable kmsauth, to ensure the certificate's username matches the AWS user
# use_kmsauth = True

# One or multiple KMS keys, setup for kmsauth (see github.com/lyft/python-kmsauth)
# kmsauth_key_id = arn:aws:kms:us-east-1:000000012345:key/eeff5544-6677-8899-9988-aaaabbbbcccc

# If using kmsauth, you need to set the kmsauth service name. Users need to set the 'to'
# context to this same service name when they create a kmsauth token.
# kmsauth_serviceid = bless-production

# By default, kmsauth requires that requested bastion_user must be the same as the requested remote_usernames.  If you
# want Bless to sign a certificate for a different remote_usernames (like root, or a shared admin account), you must
# specify those allowed names here.  * will allow signing for all remote_usernames
# kmsauth_remote_usernames_allowed = ubuntu,root,ec2-user,stufflikethat

# If the kmsauth_remote_usernames_allowed option is set, kmsauth will allow certifiates for those usernames 
# to be generated by any user who can invoke the lambda function. If you would like to ensure that users have to 
# be in a an IAM group pertaining to the remote_username, enable this option.
# kmsauth_validate_remote_usernames_against_iam_groups = False

# For use with the kmsauth_validate_remote_usernames_against_iam_groups option. By default the required format for
# the group name is "ssh-{}".format(remote_username), but that can be changed here. The groups must have a
# consistent naming scheme and must all contain the remote_username once. For example, ssh-ubuntu.
# kmsauth_iam_group_name_format = ssh-{}