by russell_h
3689 days ago
Author of the blog post here. You totally nailed it about the problems with SSH keys. I think what zokier is referring to is that the BLESS client uses an AWS IAM role to authenticate users, so if you wanted to invoke it directly from an end-user machine they would need their AWS credentials on disk there. Instead BLESS seems to be intended to be invoked from a jump host which has a machine role giving it access to the Lambda function - which gives you a nice choke point for auditing, but obviously has some other limitations. I get the impression from the slides that Netflix might have some additional internal tooling for authenticating users against SSO. I'm just excited to see client certificates taking off as a form of ephemeral access token. I see too many organizations that require MFA to access the corporate wiki but let users authenticate to production with a private key from 3 jobs and countless laptops ago.
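The "ephemeral access token" point above is concrete enough to show in code: what makes a BLESS-issued certificate different from a stale `id_rsa` is the fields baked into it (principals, a serial, a validity window), and a jump host or target can audit exactly those before trusting it. The following is an added example, not code from the original post, from BLESS, or from Netflix; it parses the public fields of an `ssh-ed25519-cert-v01@openssh.com` certificate using the layout from OpenSSH's PROTOCOL.certkeys and applies the checks a practitioner would want (user cert, named principals, short lifetime, inside the window). The sample certificate is constructed in-line with all-zero keys and a placeholder signature, so it parses but is not cryptographically valid; the key id `alice@jump-01` and the 3600-second lifetime cap are assumptions for illustration.

```python
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1          # 2 would be a host certificate
FOREVER = 0xFFFFFFFFFFFFFFFF    # OpenSSH's valid_before for "no expiry"


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_user_cert(key_id, principals, valid_after, valid_before):
    """Encode an ed25519 user certificate in the PROTOCOL.certkeys layout.
    CONSTRUCTED sample: nonce, keys and signature are zero bytes, so it is
    parseable but would fail signature verification in a real sshd."""
    zero_key = _string(b"ssh-ed25519") + _string(b"\x00" * 32)
    body = b"".join([
        _string(CERT_TYPE.encode()),
        _string(b"\x00" * 32),                       # nonce
        _string(b"\x00" * 32),                       # user public key (ed25519 A)
        struct.pack(">Q", 1),                        # serial
        struct.pack(">I", SSH_CERT_TYPE_USER),       # type
        _string(key_id.encode()),                    # key id (what shows up in auth logs)
        _string(b"".join(_string(p.encode()) for p in principals)),
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        _string(b""),                                # critical options
        _string(b""),                                # extensions
        _string(b""),                                # reserved
        _string(zero_key),                           # CA public key blob
    ])
    body += _string(_string(b"ssh-ed25519") + _string(b"\x00" * 64))  # signature
    return "%s %s %s" % (CERT_TYPE, base64.b64encode(body).decode(), key_id)


class _Reader:
    """Cursor over an SSH wire blob with bounds-checked reads."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return v

    def string(self):
        n = self.u32()
        if self.pos + n > len(self.data):
            raise ValueError("truncated SSH string")
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def parse_user_cert(line):
    """Parse the public fields of an authorized_keys-style certificate line."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != CERT_TYPE:
        raise ValueError("not an ed25519 OpenSSH certificate")
    r = _Reader(base64.b64decode(parts[1]))
    if r.string() != CERT_TYPE.encode():
        raise ValueError("certificate blob does not match its key type")
    r.string()                       # nonce
    r.string()                       # user public key
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())         # principals: a string of strings
    principals = []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def audit_cert(line, now=None, max_lifetime=3600):
    """Return (accepted, reasons): user cert, named principals, short-lived,
    and inside its window. Boundary checks mirror OpenSSH's
    (valid_after > now => not yet valid; valid_before < now => expired)."""
    c = parse_user_cert(line)
    now = int(time.time()) if now is None else now
    reasons = []
    if c["type"] != SSH_CERT_TYPE_USER:
        reasons.append("not a user certificate")
    if not c["principals"]:
        reasons.append("no principals: cert would match any user")
    if c["valid_before"] - c["valid_after"] > max_lifetime:
        reasons.append("lifetime exceeds %ds" % max_lifetime)
    if now < c["valid_after"]:
        reasons.append("not yet valid")
    if c["valid_before"] < now:
        reasons.append("expired")
    return (not reasons), reasons


if __name__ == "__main__":
    t0 = 1_700_000_000
    good = build_user_cert("alice@jump-01", ["alice"], t0, t0 + 600)
    print(parse_user_cert(good))
    print(audit_cert(good, now=t0 + 300))     # (True, [])
    print(audit_cert(good, now=t0 + 7200))    # (False, ['expired'])
```

On a real host the same fields are what `ssh-keygen -L -f user-cert.pub` prints; the lifetime cap is the check worth automating, because a certificate minted with `valid_before` set to `FOREVER` (or to years out) is just a long-lived key with extra steps, and an empty principals list matches any account on the target.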
Some tools to make the process easier:
https://github.com/remind101/assume-role
https://github.com/trek10inc/awsume