- cat bless_deploy.cfg
- # This section and its options are optional
- [Bless Options]
- # Number of seconds +/- the issued time for the certificate to be valid
- # With both values at 120, a certificate is valid for a 240-second window around its issue time.
- # A short window limits how long a leaked certificate stays usable.
- certificate_validity_after_seconds = 120
- certificate_validity_before_seconds = 120
- # Minimum number of bits in the system entropy pool before requiring an additional seeding step
- entropy_minimum_bits = 2048
- # Number of bytes of random to fetch from KMS to seed /dev/urandom
- random_seed_bytes = 256
- # Set the logging level
- logging_level = INFO
- # Comma separated list of the SSH Certificate extensions to include. Not specifying this uses the ssh-keygen defaults:
- # certificate_extensions = permit-X11-forwarding,permit-agent-forwarding,permit-port-forwarding,permit-pty,permit-user-rc
- # NOTE(review): the line above is commented out, so issued certificates get the default extension set,
- # which includes X11, agent and port forwarding. If users only need an interactive shell, consider
- # setting certificate_extensions explicitly to the smaller set that is actually required.
- # Username validation options are described in bless_request.py:USERNAME_VALIDATION_OPTIONS
- # NOTE(review): both validation keys below are commented out, so the code's defaults apply.
- # Confirm those defaults are strict enough for the account names in use.
- # Configure how bastion_user names are validated.
- # username_validation = useradd
- # Configure how remote_usernames names are validated.
- # remote_usernames_validation = principal
- # These values are all required to be modified for deployment
- [Bless CA]
- # You must set an encrypted private key password for each AWS Region you deploy into
- # for each aws region specify a config option like '{}_password'.format(aws_region)
- # Only us-west-2 has an entry here, so by the rule above this file covers a deployment into that one region.
- # NOTE(review): the value is the encrypted form of the CA key password (presumably a base64 KMS
- # ciphertext blob; confirm). It is protected only by who is allowed to decrypt with the key that
- # produced it, so use a placeholder rather than the real value when sharing this file.
- us-west-2_password = AQICAHjOatjV8fUy0tQ/1I8mgIfTWd9rs1gRoksJq1i3xNIO4wFS5hdYswnk+VxT+0D4KLV4AAAAhzCBhAYJKoZIhvcNAQcGoHcwdQIBADBwBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI2LvPxPa6wv4GluvQIBEIBDfIHZngMsZCZVeqW2JWWLh/P9wdRKuL5oAr1lNhCdD1pC6nXeM1ERAJ+utjDX4hnhwW5KUwkhkh9NHRpFXJZf8cIaXA==
- # Specify the file name of your SSH CA's Private Key in PEM format.
- # NOTE(review): this is a bare file name, presumably resolved relative to the deployed package (confirm).
- # The PEM is expected to be the password-protected key that the region password above unlocks.
- ca_private_key_file = bless-ca.pem
- # This section is optional
- [KMS Auth]
- # Enable kmsauth, to ensure the certificate's username matches the AWS user
- # Per the comment above, this is the control that ties the requested username to the caller's AWS identity.
- use_kmsauth = True
- # One or multiple KMS keys, setup for kmsauth (see github.com/lyft/python-kmsauth)
- # The ARN names region us-west-2 and embeds the AWS account ID and the key ID.
- # Substitute placeholders for both when sharing this file outside the team.
- kmsauth_key_id = arn:aws:kms:us-west-2:515720457059:key/9a055fd9-47b9-4930-821c-59f56e834b10
- # If using kmsauth, you need to set the kmsauth service name. Users need to set the 'to'
- # context to this same service name when they create a kmsauth token.
- kmsauth_serviceid = bless