Comments (10)
I think using bless_ca_us_east_1_password
is good solution. Also pretty easy to change by editing the _environment_key
function: https://github.com/Netflix/bless/blob/master/bless/config/bless_config.py#L147
We use the bless_ca_default_password
environment variable, so I didn't run into this issue.
We also ran into the issue of exceeding 4 KB. Using a 2048 bit private key will stay below this limit.
My colleague has been thinking about a solution to include a 4096 bit key in the environment (beside some metadata the key is already base64 encoded), but this would require bigger changes to the code base.
from bless.
I've talked to some colleagues but we don't want to use shorter private keys. What kind of ideas do you have for that?
from bless.
I'm also an advocate of using a 4096 bit key for this. After taking a look, I can reproduce the issue with the api.
From the API responses: Value "must satisfy regular expression pattern: a-zA-Z+]" and "Lambda was unable to configure your environment variables because the environment variables you have provided exceeded the 4KB limit."
If you wanted to use gzip, it looks like a 4096 bit key gzipped and base64 encoded works out to about 3.3KB.
from bless.
Thanks @russell-lewis I'll give it a try using gzip and see how that works and what kind of impact it would have on the code base.
from bless.
Gzip is a great solution, I whish I've had tought of it before.
If we do a try/catch around zlib.decompress
when reading the keyfile, we can support both compressed and uncompressed keys in the same setting.
Or is there a preference for adding an extra settings key (eg bless_ca_ca_private_key_compression = ['zlib'|None]
)
from bless.
I'd rather have the compression set by an additional parameter, who's default is None.
from bless.
Something like this? https://github.com/ikben/bless/blob/env-v2/bless/config/bless_config.py#L109
I'm still thinking about how to write tests for this, tips are welcome. So are comments on that implementation
from bless.
Just my opinion but I think for testing you could focus on the getprivatekey method.
Setup the config with CA_PRIVATE_KEY_OPTION and a uncompressed base64 encoded key check the returned value is the key.
Another test with compression set to zlib and an encrypted key.
Another that tests the exception when an invalid format is set.
And for completion another one when the file option is set that reads the file maybe using http://www.voidspace.org.uk/python/mock/helpers.html#mock-open.
I don't think the value of the key is necessarily important to be a valid rss key though.
from bless.
For unit testing, I've included an encrypted private key:
https://github.com/Netflix/bless/blob/master/tests/aws_lambda/only-use-for-unit-tests.pem
https://github.com/Netflix/bless/blob/master/tests/ssh/vectors.py#L3-L6
You can add a gzipped then base64 encoded version of that key to the vectors.py.
In addition to testing BlessConfig.getprivatekey() you can add a test of the lambda itself that will produce a valid ssh-cert with an environment loaded, gzipped ssh key like this:
https://github.com/russell-lewis/bless/blob/PR43_enhancements/tests/aws_lambda/test_bless_lambda.py#L161-L176
While that branch isn't merged yet, the environment config support is, so you can add tests like that now on master.
from bless.
Here is an attempt to implement everything discussed here
#67
from bless.
Related Issues (20)
- Is Marshmellow<3 required to function? HOT 4
- Invalid Key length when using gpg-agent
- Is this project still under development HOT 1
- Ability to sign SSH certificate with SHA2 HOT 4
- hope
- Nonstandard SSH port HOT 1
- Add optional parameters HOT 3
- Optional parameter [kmsauth token] cannot be passed in HOT 3
- Are you guys aware of anything similar to this for Google Cloud Platform? HOT 2
- How has to be the kmsauth token created? HOT 1
- Amazonlinux make bug HOT 2
- Unable to login with the cert got from lambda function HOT 1
- make test fails on deprecated warnings [linting] HOT 5
- document `-m PEM` option to ssh-keygen
- .travis.yml: The 'sudo' tag is now deprecated in Travis CI
- Authorization with BLESS? HOT 1
- Support authentication with OpenID Connect HOT 4
- How to make the bastion transparent for users
- Add the possibility to use encrypted private key with KMS HOT 2
- Potential dependency conflicts between bless and boto3 HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bless.