Using the EC2 API
This is the full version of https://blueprints.launchpad.net/keystone/+spec/generate-ec2-access-secret
Keystone has an extension that allows the creation and use of access/secret pairs for a user/tenant pair. In Diablo, creation could only occur on the CLI via keystone-manage commands:
keystone-manage credentials add $user EC2 $access $secret $tenant
This requires the operators (with SSH access to Keystone) to create the access/secret pair for each user/tenant pair. For Essex, we need to allow users to access and create their access/secret pairs.
The proposal is to add an extension to Keystone to:
- create a secret/access pair that is scoped to the current token scoping (tenant/user)
- list access/secret for a given user (limited to the token scope - if unscoped token all pairs, if scoped to a tenant only pairs
- delete a secret/access pair
Additionally, admin users should be able to list and delete access/secret pairs for a specific user/tenant.
This is to support https://blueprints.launchpad.net/horizon/+spec/ec2-credentials-download