-
Notifications
You must be signed in to change notification settings - Fork 17
/
config.yml
55 lines (55 loc) · 2.48 KB
/
config.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# An example blessclient config
# importing it: `blessclient import-config <url|local_path>`
# blessclient install instructions https://github.com/chanzuckerberg/blessclient#install
version: 0 # blessclient config version
client_config:
# The aws user (not role) profile to use. "" means "default"
aws_user_profile: ""
# The lifetime for your certificate
cert_lifetime: 30m
# A default ssh key. We prefer ed25519 keys but you can also use RSA keys.
# (see https://github.com/chanzuckerberg/blessclient#ssh-client-78-cant-connect-with-certificates)
# You can generate an ed25519 key with ssh-keygen -t ed25519
ssh_private_key: ~/.ssh/id_ed25519
# Do you want blessclient to attempt to update your ssh agent
update_ssh_agent: true
# Remote users that bless will mint into your certificate
remote_users:
- foo_user
- bar_user
# These IPs and/or netmasks will be added as valid source IPs to every
# certificate issued. If your users proxy / agent-forward through a bastion host, then
# the internal IP of each should be listed here.
bastion_ips:
- 0.0.0.0/0
# configuration for the bless lambda
lambda_config:
# the role authorized to invoke bless lambda
role_arn: arn:aws:iam::123456789123:role/blessclient
# the name of the bless lambda function
function_name: bless_lambda_function_name
# For multi-region availability or geographic colocation.
# Regions will be attempted in the order specified.
regions:
- aws_region: us-west-2
# The kmsauth key_id (not arn) of the key to use for authentication for this region
kms_auth_key_id: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
- aws_region: us-east-2
kms_auth_key_id: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
# This will help you generate a ~/.ssh/config compatible with blessclient
ssh_config:
# If you have a bastion and other servers behind it then
bastions:
# The address of the bastion
- pattern: bastion.foo.bar.com
# User you want to use to ssh into these machines
user: foo_user
# Use this if you want to override the call to "blessclient run"
# Useful if you want to use aws-vault or similar
ssh_exec_command: "blessclient run"
# Patterns for servers behind this bastion
hosts:
- pattern: 10.0.* # Anything in the 10.0.* block will go through this bastion
local_forward_ports:
300: 4000 # LocalForward local port 4000 to remote port 300
- pattern: "!bastion.foo.bar.com *.foo.bar.com" # Also anything *.foo.bar.com