[openstack-dev] [Keystone][Marconi][Heat] Creating accounts in Keystone

Ryan Brown rybrown at redhat.com
Mon Aug 25 14:50:42 UTC 2014



On 08/22/2014 05:35 PM, Zane Bitter wrote:
>
> On AWS the very first thing a user does is create a bunch of IAM
> accounts so that they virtually never have to use the credentials
> associated with their natural person ever again. There are both user
> accounts and service accounts - the latter IIUC have
> automatically-rotating keys. Is there anything like this planned in
> Keystone? Zaqar is likely only the first (I guess second, if you count
> Heat) of many services that will need it.
> 

The only auto-rotation in AWS is through roles[1], which are separate
from users.

User:
* Is a real person or a service account
* Can generate temporary tokens with a subset of their perms
* Has static credentials (access keys, username/password, MFA)

Role:
* Has no static credentials
* Is granted to an instance on launch
* Temporary tokens are provided to instance by instance metadata service

I'm actually quite partial to roles because, in my experience, service
accounts rarely have their credentials rotated more than once per eon.
Having the ability to let instances grab tokens would certainly help
Heat, especially if we start using Zaqar (the artist formerly known as
marconi).


[1]:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
-- 
Ryan Brown / Software Engineer, Openstack / Red Hat, Inc.
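The role mechanism described above (no static credentials on the instance, temporary tokens handed out by the instance metadata service) is easy to get wrong on the consuming side. The following is an added example, not code from this thread, from Heat, or from AWS: a small refresh-ahead credential holder in Python that fetches the role's credentials from IMDS, parses the real document layout (Code/AccessKeyId/SecretAccessKey/Token/Expiration), refreshes a few minutes before expiry, and handles the case where IMDS briefly serves an already-expired set during rotation. The role name "heat-instance-role", the key ids and the secrets are constructed sample values; the real fetcher uses the IMDSv2 session-token handshake AWS introduced later than this 2014 discussion.

```python
"""Refresh-ahead cache for the temporary credentials of an EC2 instance role.

Added example for this thread; not code from the original message or from
Heat/Keystone/AWS. The IMDS path and the JSON document layout are the real
ones; the fetcher is injectable so the demo runs offline against
constructed documents (no network, no AWS account).
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS_BASE = "http://169.254.169.254/latest"
ROLE_CREDS_PATH = "/meta-data/iam/security-credentials/"
REFRESH_MARGIN = timedelta(minutes=5)   # refresh this long before expiry
EXPIRY_FMT = "%Y-%m-%dT%H:%M:%SZ"       # IMDS expiry is ISO-8601 UTC

def parse_imds_credentials(doc: str) -> dict:
    """Validate an IMDS security-credentials document and parse its expiry."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise RuntimeError("IMDS reported %r" % data.get("Code"))
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if key not in data:
            raise ValueError("IMDS document missing " + key)
    exp = datetime.strptime(data["Expiration"], EXPIRY_FMT).replace(tzinfo=timezone.utc)
    return {"access_key": data["AccessKeyId"], "secret_key": data["SecretAccessKey"],
            "session_token": data["Token"], "expiration": exp}

def imds_fetch(role_name: str, timeout: float = 1.0) -> str:
    """Real fetch: IMDSv2 session token via PUT, then GET the role's credentials."""
    req = urllib.request.Request(IMDS_BASE + "/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(IMDS_BASE + ROLE_CREDS_PATH + role_name,
                                 headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

class RoleCredentials:
    """Hands out the role's current credentials, refreshing them ahead of expiry."""

    def __init__(self, role_name, fetcher=imds_fetch, clock=None):
        self.role_name = role_name
        self.fetcher = fetcher
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self.refreshes = 0

    def needs_refresh(self) -> bool:
        return self._creds is None or self.clock() >= self._creds["expiration"] - REFRESH_MARGIN

    def get(self) -> dict:
        if not self.needs_refresh():
            return self._creds
        now = self.clock()
        fresh = parse_imds_credentials(self.fetcher(self.role_name))
        if fresh["expiration"] <= now:
            # IMDS can briefly serve the previous, already expired set while the
            # role is being rotated: keep the valid set we hold, else fail closed.
            if self._creds is not None and self._creds["expiration"] > now:
                return self._creds
            raise RuntimeError("IMDS served expired credentials for " + self.role_name)
        self._creds = fresh
        self.refreshes += 1
        return self._creds

def _imds_doc(key_id: str, expiration: datetime) -> str:
    """Constructed IMDS response (sample values, not from a real instance)."""
    return json.dumps({"Code": "Success", "LastUpdated": "2014-08-25T14:50:42Z",
                       "Type": "AWS-HMAC", "AccessKeyId": key_id,
                       "SecretAccessKey": "constructed-secret-" + key_id,
                       "Token": "constructed-session-token-" + key_id,
                       "Expiration": expiration.strftime(EXPIRY_FMT)})

def demo() -> tuple:
    """Drive RoleCredentials with a fake clock and a fake IMDS; returns
    (access key ids handed out, IMDS calls made, refreshes adopted)."""
    t0 = datetime(2014, 8, 25, 14, 50, 42, tzinfo=timezone.utc)
    now = [t0]
    first = _imds_doc("ASIAEXAMPLE0001", t0 + timedelta(hours=1))
    second = _imds_doc("ASIAEXAMPLE0002", t0 + timedelta(hours=2))
    served = [first, second, first, first]   # IMDS goes stale after rotation
    calls = []

    def fake_imds(role_name):
        calls.append(role_name)
        return served[min(len(calls) - 1, len(served) - 1)]

    rc = RoleCredentials("heat-instance-role", fetcher=fake_imds, clock=lambda: now[0])
    ids = []
    for offset in (timedelta(0), timedelta(minutes=30), timedelta(minutes=56),
                   timedelta(hours=1, minutes=56), timedelta(hours=2, minutes=1)):
        now[0] = t0 + offset
        try:
            ids.append(rc.get()["access_key"])
        except RuntimeError:
            ids.append("expired")
    return ids, len(calls), rc.refreshes
```

Running demo() walks the holder through one full rotation: the first key is served until five minutes before its expiry, the second key is adopted on the next call, the stale copy IMDS serves afterwards is ignored while the held set is still valid, and once nothing valid is left the holder fails closed rather than signing requests with an expired token. Swap fake_imds for the default imds_fetch to use it on a real instance with a role attached.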