[openstack-dev] [heat] Why heat needs a keystone user per resource ?

Attila Fazekas afazekas at redhat.com
Thu Jul 9 10:28:33 UTC 2015


Heat creates a keystone user for every resource which uses a CFN_SIGNAL.
Heat also stores their AWS credentials in the heat.resource_data table.

These credentials/users are restricted to operate only on limited (1?) resource,
with very limited operations (3?). Normally these resource users are member of only
a special heat domain and tenant.

Looks like heat has everything to have CFN/hashmac working without touching 
the keystone service.

Why heat needs to store anything in keystone regarding to the CFN_SIGNALS ?
Is these credentials supposed to be used anywhere else than on heat?

Best Regards,

More information about the OpenStack-dev mailing list