Question 1

Is BLESS still maintained by Netflix?

Accepted Answer

No, Netflix has archived BLESS and moved it to an archived OSS project state, meaning they no longer plan to maintain it. It's available for reference but not recommended for new projects due to lack of support.

Question 2

BLESS vs AWS Systems Manager Session Manager for SSH access

Accepted Answer

BLESS issues short-lived SSH certificates for traditional SSH access with IAM controls, while Session Manager provides a managed, browser-based shell without SSH keys. BLESS offers more control but is archived and complex, whereas Session Manager is a fully managed AWS service.

Question 3

How to deploy BLESS in multiple AWS regions?

Accepted Answer

You need to deploy the Lambda function in each region, encrypt the CA key password with KMS keys per region, and update the bless_deploy.cfg accordingly. The README specifies using KMS to encrypt passwords for each region individually.

Question 4

What are good alternatives to BLESS for SSH certificates?

Accepted Answer

Alternatives include HashiCorp Vault with SSH secrets engine, Smallstep SSH CA, or native OpenSSH certificate features. These options often provide active maintenance, broader platform support, and simpler setups compared to BLESS.

Question 5

Can BLESS generate certificates for SSH hosts?

Accepted Answer

Yes, BLESS supports host certificate generation through the bless_lambda_host.lambda_handler_host handler, as mentioned in the deployment section. This allows signing SSH public keys for servers, not just user access.

Question 6

How to rotate SSH CA keys with BLESS?

Accepted Answer

BLESS supports multiple CA keys for rotation by provisioning offline keys and updating the TrustedUserCAKeys file on servers. The README recommends keeping multiple keys offline until ready to rotate to simplify the process.

bless

What is bless?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions