diff --git a/files/user-cloud-config b/files/user-cloud-config
new file mode 100644
index 0000000..d1ef28f
--- /dev/null
+++ b/files/user-cloud-config
@@ -0,0 +1,11 @@
+#cloud-config
+write_files:
+ - path: /etc/ssh/auth_principals/ubuntu
+ content: webRoot
+ - path: /etc/ssh/ca_users.pub
+ content: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM+YVCEZ4xCqBIGOQOEsGzBzOFS3JNDtPxLAviBMtS4zCwuGmOMvAvatKtPY5E9JMnkhI72faJnwYc4w/pnXf4Sh6AnLfwcOoQ6U16iucfY8tPOeFQhKJokSRdwnfm08QMOHN0xzCA/tL6HHZgPXGHUgTL18kkjv5Zk5Nv1H/ciuOSz24edo94Fu9eIQkK1pUhdejC6hDKdbki/c/3coZU4ZNDdtIpRlGnrUNTaAIq+E0TYEZkgClglTlBQOTvUoRkxEng/U23dfBCCz5DfewfA+6higUil5lIvidbaFjUiTMox38w9fM0wzUUs3o5pC9X/H3BE4mBrfpS9VmYHgll root@Bamboo
+runcmd:
+ - sed -i -e '$aTrustedUserCAKeys /etc/ssh/ca_user.pub' /etc/ssh/sshd_config
+ - sed -i -e '$aAuthorizedPrincipalsFile /etc/ssh/auth_principals/%u' /etc/ssh/sshd_config
+
+ - systemctl restart ssh
diff --git a/scripts/cloud-config-to-vendor-data b/scripts/cloud-config-to-vendor-data
new file mode 100755
index 0000000..13c7e85
--- /dev/null
+++ b/scripts/cloud-config-to-vendor-data
@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+import sys
+import json
+import yaml
+
+# load from file:
+with open(sys.argv[1], 'r') as f:
+ yaml_string = f.read()
+
+# save to file:
+with open(sys.argv[2], 'w') as f:
+ f.write(json.dumps({"cloud-init":yaml_string}))
diff --git a/scripts/vendor-data-to-cloud-config b/scripts/vendor-data-to-cloud-config
new file mode 100755
index 0000000..80e4081
--- /dev/null
+++ b/scripts/vendor-data-to-cloud-config
@@ -0,0 +1,13 @@
+#!/usr/bin/env python
+import sys
+import json
+import yaml
+
+# load from file:
+with open(sys.argv[1], 'r') as f:
+ js = json.loads(f.read())
+
+# save to file:
+#with open(sys.argv[2], 'w') as f:
+# f.write(js['cloud-init'])
+print js['cloud-init']
diff --git a/tatu/api/models.py b/tatu/api/models.py
index 802708e..0eb4e48 100644
--- a/tatu/api/models.py
+++ b/tatu/api/models.py
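Review bot: In files/user-cloud-config the CA key is written to `/etc/ssh/ca_users.pub`, but the first `runcmd` line appends `TrustedUserCAKeys /etc/ssh/ca_user.pub` (no "s"), so sshd is pointed at a file this config never creates and certificate logins would presumably not be accepted. The sed expression should name the same path: `sed -i -e '$aTrustedUserCAKeys /etc/ssh/ca_users.pub' /etc/ssh/sshd_config`. Since the file is edited by appending and the service is then restarted unconditionally, a `sshd -t` step before `systemctl restart ssh` would catch a broken sshd_config before it is put into use.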
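Review bot: scripts/cloud-config-to-vendor-data imports `yaml` but never uses it, so the input is wrapped into the JSON `cloud-init` field without being parsed and a malformed cloud-config is only discovered when an instance boots with it. Because this payload carries the SSH trust settings, parsing it right after the read is worth one line: `yaml.safe_load(yaml_string)` (the safe loader, not `yaml.load`). The script also indexes `sys.argv[1]` and `sys.argv[2]` without checking that both arguments were given, and a short usage message would be clearer than an IndexError traceback.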
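Review bot: The last line of scripts/vendor-data-to-cloud-config, `print js['cloud-init']`, is a Python 2 print statement, while the shebang `#!/usr/bin/env python` resolves to Python 3 on many systems, where the file fails with a SyntaxError before doing anything. `print(js['cloud-init'])` behaves the same under both interpreters. The `yaml` import is unused here, and the commented-out `with open(sys.argv[2], 'w')` block should either be removed or restored as an optional output path.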
@@ -4,11 +4,13 @@ import uuid from tatu.db import models as db from Crypto.PublicKey import RSA -def validate_uuid(string): +def validate_uuid(map, key): try: - val = uuid.UUID(string, version=4) + # Verify it's a valid UUID, then convert to canonical string representation + # to avoiid DB errors. + map[key] = str(uuid.UUID(map[key], version=4)) except ValueError: - msg = '{} is not a valid UUID'.format(string) + msg = '{} is not a valid UUID'.format(map[key]) raise falcon.HTTPBadRequest('Bad request', msg) def validate_uuids(req, params): @@ -16,10 +18,10 @@ def validate_uuids(req, params): if req.method in ('POST', 'PUT'): for key in id_keys: if key in req.body: - validate_uuid(req.body[key]) + validate_uuid(req.body, key) for key in id_keys: if key in params: - validate_uuid(params[key]) + validate_uuid(params, key) def validate(req, resp, resource, params): if req.content_length:
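Review bot: Passing `version=4` to `uuid.UUID` in the new `validate_uuid` does not check the version; it overwrites the version and variant bits. Because the result is now written back with `map[key] = str(...)`, an id that parses but is not already a v4 UUID is silently replaced by a different id instead of being rejected. The call sites in the following hunk pass `req.body` and `params`, so the rewritten value is presumably what the handlers then look up. A non-string value from a JSON body also makes `uuid.UUID` raise AttributeError or TypeError, which the `except ValueError` does not catch, so it would likely surface as a server error rather than a 400. Parsing without `version`, then checking `parsed.version`, keeps the canonical form and rejects everything else; `validate_uuid` lies entirely inside this hunk.

```python
def validate_uuid(map, key):
    try:
        parsed = uuid.UUID(map[key])
    except (AttributeError, TypeError, ValueError):
        parsed = None
    # version=4 is deliberately not passed: it would rewrite the version
    # bits of the input instead of checking them.
    if parsed is None or parsed.version != 4:
        msg = '{} is not a valid UUID'.format(map[key])
        raise falcon.HTTPBadRequest('Bad request', msg)
    map[key] = str(parsed)
```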