diff options
| author | Niall Sheridan <nsheridan@gmail.com> | 2016-06-05 22:18:24 +0100 |
|---|---|---|
| committer | Niall Sheridan <nsheridan@gmail.com> | 2016-06-05 23:00:46 +0100 |
| commit | b8af9fe60f27353bdd5933ed37508b30d4290046 (patch) | |
| tree | fcc12e2f39f9fe4d7aa7d37fd4114309d3362c38 /README.md | |
| parent | a52d19e9e78d08643ffd4aee0483515d8bae2939 (diff) | |
Add AWS S3 and Google GCS virtual filesystems.
This allows the signing key to be read directly from S3 using a path like
/s3/<bucket>/<path/to/signing.key> or /gcs/<bucket>/<path/to/signing.key>.
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 13 |
1 files changed, 11 insertions, 2 deletions
@@ -70,7 +70,7 @@ A working SSH agent. I have only tested this on Linux & OSX. # Configuration -Configuration is divided into three sections: `server`, `auth`, and `ssh`. +Configuration is divided into different sections: `server`, `auth`, `ssh`, and `aws`. ### server - `use_tls` : boolean. If set `tls_key` and `tls_cert` are required. @@ -110,11 +110,20 @@ Example: Supported options: ### ssh -- `signing_key`: string. Path to the signing ssh private key you created earlier. +- `signing_key`: string. Path to the signing ssh private key you created earlier. This can be a S3 or GCS path using `/s3/<bucket>/<path/to/key>` or `/gcs/<bucket>/<path/to/key>` as appropriate. For S3 you should add an [aws](#aws) config as needed. - `additional_principals`: array of string. By default certificates will have one principal set - the username portion of the requester's email address. If `additional_principals` is set, these will be added to the certificate e.g. if your production machines use shared user accounts. - `max_age`: string. If set the server will not issue certificates with an expiration value longer than this, regardless of what the client requests. Must be a valid Go [`time.Duration`](https://golang.org/pkg/time/#ParseDuration) string. - `permissions`: array of string. Actions the certificate can perform. See the [`-O` option to `ssh-keygen(1)`](http://man.openbsd.org/OpenBSD-current/man1/ssh-keygen.1) for a complete list. +### aws +AWS configuration is only needed for accessing signing keys stored on S3, and isn't required even then. +The S3 client can be configured using any of [the usual AWS-SDK means](https://github.com/aws/aws-sdk-go/wiki/configuring-sdk) - environment variables, IAM roles etc. +It's strongly recommended that signing keys stored on S3 be locked down to specific IAM roles and encrypted using KMS. + +- `region`: string. AWS region the bucket resides in, e.g. `us-east-1`. +- `access_key`: string. AWS Access Key ID. +- `secret_key`: string. AWS Secret Key. + ## Configuring ssh The client needs no special configuration, just a running ssh-agent. The ssh server needs to trust the public part of the CA signing key. Add something like the following to your sshd_config: |