forked from Netflix/bless
Refresh from upstream #40
Open: surbhishah wants to merge 91 commits into lyft_base from refreshhh
Updated all references of bastion_ip to bastion_ips. Added some extra checks to the bless_request.
…bastion_ip to bastion_ips. Removing a package from requirements.txt that isn't needed.
…ensions and explicitly set the defaults instead of needing ssh_certificate_builder.py to set them.
fixes #30 : add coveralls for test coverage reporting
… Requests and the lambda responses. Changing BLESS requests from using remote_username to remote_usernames, a comma-separated list. remote_usernames can be used for SSH principals specified in an AuthorizedPrincipalsFile (see SSHD_CONFIG(5)). Aligning BLESS returns so that Lambda configuration errors raise exceptions, and request errors return a dictionary with either errorType and errorMessage or a certificate. Updating the sample BLESS client to deal with the new lambda return values.
Addressing open issues: Pulling in contributions from lyft/bless. Fixing #27 and #29. Pulling in #9 by way of lyft/bless. Pulling in #33 with explicit defaults in the config. Resolving #34 with changes from lyft/bless. Bumping version to BLESS v.0.2.0, which changes the format of BLESS Requests and the lambda responses.
Document permissions required for CA key file
Add support to compile dependencies in container
Fixes while merge testing
For decryption the key id is part of the ciphertext.
Remove unused option 'kms_key_id'
Allow overriding settings with environment variables.

Leveraging the environment variables in AWS Lambda makes it possible to include the bless_deploy.cfg in the same repo, without exposing secrets, or to deploy the same zip with multiple configurations. When deploying the same zip in multiple regions, you can leave out the region_password option and set the default_password option with environment variables. This allows you to change the same variable in every region.

* Add 'ca_private_key' option

This extra option allows passing in the (encrypted) private key directly. When setting this with an environment variable it can be used to have one zip that can be deployed with different CAs.

* Use enum type and raise exception for wrong value
Allows username validation against IAM groups
…icular SSH Authorized Principals from being included in a BLESS certificate.
Also cleaned up and added bz2 support to Netflix#67.
Compressed CA private key support
Features include:
* Python 3.6 Lambda support.
* Caching of the KMS decrypted CA Private Key Password.
* Compressed CA Private Key support, allowing RSA 4096 keys to be set in the Lambda Environment.
* Issue certificates for ED25519 public keys (RSA CA).
* New option to validate the remote username against the IAM groups of the calling user.
* Updated dependencies.
I had to go and discover the right link. I'd like to save that trouble for other readers.
Add link to Amazon Linux repository
The flag is not needed and breaks scripts if the input device does not have a TTY
… latest Amazon Linux.
* Plus minor formatting proposals
…' into lambda-host-split.
… request schemas. You can now use bless_lambda_user.lambda_handler_user for user cert requests and bless_lambda_host.lambda_handler_host for host cert requests. Please note that as implemented, anyone who can call the host lambda can obtain host certs for any hostname.
In addition to bless_lambda.lambda_handler, you can now use bless_lambda_user.lambda_handler_user for user cert requests and bless_lambda_host.lambda_handler_host for host cert requests. Please note that as implemented, anyone who can call the host lambda can obtain host certs for any hostname.
Features include:
* New support for a Host SSH Certificate Lambda. Please consider how you will control who can obtain host certs for which hostnames before using.
* Updated publishing code to build with the latest Amazon Linux 2.
* Validated for Python 3.7 Lambda runtime.
* Updated dependencies.
* Various typo fixes.
Pull upstream changes in netflix/bless into lyft's fork lyft/bless
No description provided.