BLESS is an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys. SSH Certificates are an excellent way to authorize users to access a particular SSH host, as they can be restricted for a single-use case, and can be short-lived. Instead of managing the authorized_keys of a host, or controlling who has access to SSH Private Keys, hosts just need to be configured to trust an SSH CA. BLESS should be run as an AWS Lambda in an isolated AWS account. Because BLESS needs access to a private key that is trusted by your hosts, an isolated AWS account helps restrict who can access that private key, or modify the BLESS code you are running. AWS Lambda functions can use an AWS IAM Policy to limit which IAM Roles can invoke the Lambda Function. If properly configured, you can restrict which IAM Roles can request SSH Certificates.
Features
- To deploy an AWS Lambda Function, you need to provide a .zip with the code and all dependencies
- All three handlers exist in the published .zip
- To deploy code as a Lambda Function, you need to package up all of the dependencies
- Compile and include your dependencies before you can publish a working AWS Lambda
- BLESS uses a docker container running Amazon Linux 2 to package everything up
- Manage your Private Keys .pem files and passwords outside of this repo
- Update your bless_deploy.cfg with your Private Key's filename and encrypted passwords