On 14/10/2025 15:38, Jeremy Stanley wrote:
On 2025-10-14 10:19:32 -0000 (-0000), hamid.lotfi@gmail.com wrote:
When creating an instance in OpenStack, you can use the --user-data option to pass a cloud-init configuration file to the instance at boot time. This file allows you to automate initial setup tasks such as setting a user password [...] password: ahmad [...]
While probably okay for testing purposes, this is not safe in general. See https://wiki.openstack.org/wiki/OSSN/OSSN-0074 for one reason, but there are also other ways metadata might end up exposed.
The better solution, and what basically everyone I know does, is to avoid password login and use SSH key authentication instead. Even the risks from instance metadata leaks notwithstanding, passwords can (and will) be remotely brute-forced if your sshd is listening on an Internet-reachable address. If someone manages to fish your SSH public key digest out of metadata on the other hand, there's not really anything they can do with that.
+100 the nova metadata api is not intened to sore password cert or any other sensitive info. that is explcity not an intened usecase for this api. we store metadata in plain text and auth to that endpoint is optional. most deployment will use a shared secerte between nova and neutron for some minimal auth but the metadata api is not a secret store. you should use barbican or vault if you need secret storage.