Using the EC2 API

This is the full version of https://blueprints.launchpad.net/keystone/+spec/generate-ec2-access-secret

Keystone has an extension that allows the creation and use of access/secret pairs for a user/tenant pair. In Diablo, the creation could only occur on the CLI via keystone-manage commands:

keystone-manage credentials add $user EC2 $access $secret $tenant

This requires operators (with SSH access to Keystone) to create the access/secret pair for each user/tenant pair. For Essex, we need to allow users to access and create their own access/secret pairs.

The proposal is to add an extension to Keystone to:

  • create a secret/access pair that is scoped to the current token scoping (tenant/user)
  • list access/secret for a given user (limited to the token scope - if unscoped token all pairs, if scoped to a tenant only pairs
  • delete a secret/access pair

Additionally, admin users should be able to list and delete access/secret pairs for a specific user/tenant.
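
The scoping rules proposed above can be modelled as a small authorization check. This is an added sketch, not Keystone's code or API: `Token`, `Ec2CredentialStore` and their methods are hypothetical names, and it assumes that a tenant-scoped token sees only that tenant's pairs and that an unscoped token cannot create a pair.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    """Hypothetical stand-in for an already-validated Keystone token."""
    user: str
    tenant: Optional[str] = None  # None models an unscoped token
    is_admin: bool = False


class Ec2CredentialStore:
    def __init__(self):
        self._creds = {}  # access -> (user, tenant, secret)

    def _authorize(self, token, user, tenant):
        """Return the (user, tenant) filter this token may use, or raise."""
        user = user or token.user
        if token.is_admin:
            return user, tenant  # admins may name any user/tenant
        if user != token.user:
            raise PermissionError("credentials belong to another user")
        if token.tenant is not None:
            # Assumption: a tenant-scoped token is confined to that tenant.
            if tenant not in (None, token.tenant):
                raise PermissionError("outside the token's tenant scope")
            tenant = token.tenant
        return user, tenant

    def create(self, token):
        # Assumption: an unscoped token cannot create a pair (no tenant to bind).
        if token.tenant is None:
            raise PermissionError("tenant-scoped token required")
        access, secret = secrets.token_hex(16), secrets.token_hex(32)
        self._creds[access] = (token.user, token.tenant, secret)
        return access, secret

    def list_pairs(self, token, user=None, tenant=None):
        user, tenant = self._authorize(token, user, tenant)
        return [(a, t) for a, (u, t, _) in self._creds.items()
                if u == user and tenant in (None, t)]

    def delete(self, token, access):
        owner, tenant, _ = self._creds[access]
        self._authorize(token, owner, tenant)  # raises if out of scope
        del self._creds[access]
```

Both the listing and the delete path go through the same `_authorize` check, so a pair that a token cannot list is also one it cannot delete.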

This is to support https://blueprints.launchpad.net/horizon/+spec/ec2-credentials-download