It's unclear from this and the slides what the UX for the engineers is? The repo contains a bless-client that'll fetch a newly minted cert, but the slides talk about integration with SSO - is there another piece that invokes bless and drops the cert on disk?

https://github.com/Netflix/bless/blob/master/bless_client/bless_client.py
https://speakerdeck.com/rlewis/how-netflix-gives-all-its-engineers-ssh-access-to-instances-running-in-production

That's a great slidedeck, looks great and I can actually learn something from it just reading the slides.

I'm not sure how much BLESS really improves the overall situation. It just shifts the problem from securing SSH secrets to securing AWS/IAM secrets, which seems pretty much the same to me.