forked from chanzuckerberg/blessclient
/
config.yml
76 lines (76 loc) · 3.42 KB
/
config.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# An example blessclient config
# importing it: `blessclient import-config <url|local_path>`
# blessclient install instructions https://github.com/chanzuckerberg/blessclient#install
version: 0 # blessclient config version
client_config:
# The aws user (not role) profile to use. "" means "default"
aws_user_profile: ""
# The lifetime for your certificate
cert_lifetime: 30m
# A default ssh key. We prefer ed25519 keys but you can also use RSA keys.
# (see https://github.com/chanzuckerberg/blessclient#ssh-client-78-cant-connect-with-certificates)
# You can generate an ed25519 key with ssh-keygen -t ed25519
ssh_private_key: ~/.ssh/id_ed25519
# Do you want blessclient to attempt to update your ssh agent
update_ssh_agent: true
# Remote users that bless will mint into your certificate
remote_users:
- foo_user
- bar_user
# These IPs and/or netmasks will be added as valid source IPs to every
# certificate issued. If your users proxy / agent-forward through a bastion host, then
# the internal IP of each should be listed here.
bastion_ips:
- 0.0.0.0/0
# configuration for the bless lambda
lambda_config:
# the role authorized to invoke bless lambda
role_arn: arn:aws:iam::123456789123:role/blessclient
# the name of the bless lambda function
function_name: bless_lambda_function_name
# For multi-region availability or geographic colocation.
# Regions will be attempted in the order specified.
regions:
- aws_region: us-west-2
# The kmsauth key_id (not arn) of the key to use for authentication for this region
kms_auth_key_id: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
- aws_region: us-east-2
kms_auth_key_id: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
# configuration for aws-okta
okta_config:
# the name of the profile to be used for aws-okta (profiles are listed at ~/.aws/config)
profile: bless_profile
# optional, the MFA provider to be used for Okta MFA verification (e.g. Okta, DUO)
# defaults to DUO
mfa_provider: DUO
# optional, the factor type to be used for Okta MFA verification (e.g. sms, token, web)
# DUO requires the "web" factor type
mfa_factor_type: web
# optional, the Duo device to be used for Duo MFA verification (e.g. phone1, phone2, u2f)
# duo_device should only be set if the provider is "DUO"
duo_device: phone1
# This will help you generate a ~/.ssh/config compatible with blessclient
ssh_config:
# If you have a bastion and other servers behind it then
bastions:
# The address of the bastion
- pattern: bastion.foo.bar.com
# User you want to use to ssh into these machines
user: foo_user
# Use this if you want to override the call to "blessclient run"
# Useful if you want to use aws-vault or similar
ssh_exec_command: "blessclient run"
# Patterns for servers behind this bastion
hosts:
- pattern: 10.0.* # Anything in the 10.0.* block will go through this bastion
- pattern: "!bastion.foo.bar.com *.foo.bar.com" # Also anything *.foo.bar.com
# If you with to enable telemetry, add this block, otherwise exclude
telemetry:
# Honeycomb telemetry
honeycomb:
# A secret manager arn to fetch a honeycomb write key.
# Note that the user you specified in client_config.aws_user_profile
# must be able to read this secret
secret_manager_arn: arn:aws:secretsmanager:us-west-2:123456789123:secret:blessclient/blessclient-honeycomb
# Honeycomb dataset to write data to
dataset: blessclient