Thanks to @Stype:

Update the kmsauth token validation code to verify that all remote_usernames are checked against the offered kmsauth_token.

bless/aws_lambda/bless_lambda.py

@@ -138,7 +138,7 @@ def lambda_handler(event, context=None, ca_private_key_password=None,
                 )
                 # decrypt_token will raise a TokenValidationError if token doesn't match
                 validator.decrypt_token(
-                    "2/user/{}".format(request.remote_usernames.split(',')[0]),
+                    "2/user/{}".format(request.remote_usernames),
                     request.kmsauth_token
                 )
             except TokenValidationError as e: