I am building a service that is distributed across multiple machines that logs into other target machines and does an action (write to a file, run a shell script, etc.).
Currently, I have this service configured to use username and password as a form of authentication for ssh-ing to the target machines, but it requires some additional bootstrapping on the target machine to get it working. I want to move to a public/private key authentication model.
My question is, since this service is distributed across multiple hosts, is it bad practice to store the private key in a secure location (say using AWS KMS or some similar service), and have each of my machines read from that secured location, or should I have a private key for each of my machines?
Having all of your machines get the ssh keys from a central location is not inherently worse than their all getting their username and password from a central location. However, the connection over which they get the ssh keys should be secure, which may mean that you have to have at least one key - the one that gets to your central location - stored locally on each machine.
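The per-machine alternative the answer contrasts with the central store is easy to operate when each target's `authorized_keys` carries one restricted line per client host, because a single machine can then be revoked without rotating a shared key. The following Python (an added example, not code from the question or answer) builds such entries, checks that a submitted public key's wire blob matches its declared type before it is trusted, and drops one host's line on revocation. The host names, IPs, the forced command `/usr/local/bin/deploy-agent` and the key bytes are constructed placeholders, not real keys; only the standard library is used.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ClientHost:
    """One machine of the distributed service, holding its own key pair."""
    name: str          # stored as the authorized_keys comment so the line can be found later
    source_ip: str     # address the target accepts this key from (the from= option)
    public_key: str    # OpenSSH one-line form: "<type> <base64-blob> [comment]"


def ed25519_public_key_line(raw32: bytes, comment: str) -> str:
    """Encode 32 bytes as an OpenSSH 'ssh-ed25519' public key line.

    Used only to construct sample input offline: the bytes are not a real key,
    they merely have the right wire format (RFC 4253 string encoding).
    """
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_public_key(line: str) -> Tuple[str, bytes]:
    """Return (type, blob), rejecting keys whose blob does not start with the declared type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints, for audit logs."""
    _, blob = parse_public_key(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def authorized_keys_entry(host: ClientHost, command: str) -> str:
    """One restricted authorized_keys line for a single client machine.

    from= pins the source address, command= forces the service's own entry point
    (the real command arrives in SSH_ORIGINAL_COMMAND), and the no-* options
    remove forwarding and interactive shells this service does not need.
    """
    key_type, blob = parse_public_key(host.public_key)
    options = ",".join([
        f'from="{host.source_ip}"',
        f'command="{command}"',
        "no-port-forwarding",
        "no-agent-forwarding",
        "no-X11-forwarding",
        "no-pty",
    ])
    return f"{options} {key_type} {base64.b64encode(blob).decode()} {host.name}"


def build_authorized_keys(hosts: List[ClientHost], command: str) -> List[str]:
    return [authorized_keys_entry(h, command) for h in hosts]


def revoke_host(entries: List[str], host_name: str) -> List[str]:
    """Drop the line(s) belonging to one client machine; all other hosts keep working."""
    return [e for e in entries if e.split()[-1] != host_name]


# Constructed sample hosts; key bytes are derived from the name purely so the
# example runs offline and deterministically.
SAMPLE_HOSTS = [
    ClientHost("worker-a", "10.0.1.10",
               ed25519_public_key_line(hashlib.sha256(b"worker-a").digest(), "worker-a")),
    ClientHost("worker-b", "10.0.1.11",
               ed25519_public_key_line(hashlib.sha256(b"worker-b").digest(), "worker-b")),
]

if __name__ == "__main__":
    entries = build_authorized_keys(SAMPLE_HOSTS, "/usr/local/bin/deploy-agent")
    print("\n".join(entries))
    print("after revoking worker-b:", revoke_host(entries, "worker-b"))
    for h in SAMPLE_HOSTS:
        print(h.name, fingerprint(h.public_key))
```

With this layout the only secret on each client is its own private key, which is exactly the "at least one key stored locally" the answer describes; the central system distributes public keys to targets rather than a shared private key to clients, so compromise of one worker is contained to that worker's line.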