[openstack-dev] [heat] Why heat needs a keystone user per resource ?
afazekas at redhat.com
Thu Jul 9 10:28:33 UTC 2015
Heat creates a keystone user for every resource which uses a CFN_SIGNAL.
Heat also stores their AWS credentials in the heat.resource_data table.
These credentials/users are restricted to operate on only a limited number (1?) of resources,
with very limited operations (3?). Normally these resource users are members of only
a special heat domain and tenant.
Looks like heat has everything to have CFN/hashmac working without touching
the keystone service.
Why does heat need to store anything in keystone regarding the CFN_SIGNALS?
Are these credentials supposed to be used anywhere other than on heat?