Comment 0 for bug 1971691

Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules and ec2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because EC2 creds token has the same power as a regular user/pass auth.

Hence EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.) it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all features application credentials provide, EC2 can get a second wind.

An example of EC2 auth request with application credentials:

$ openstack application credential list
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+
| 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 |
+----------------------------------+---------------+----------------------------------+-------------+----------------------------+

{
  "credentials": {
    "access": "3defd466f04646d094a1ee4b6afc53e8",
    "body_hash": "***",
    "headers": {
      "Accept-Encoding": "identity",
      "Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature",
      "Host": "keystone:8080",
      "User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19",
      "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "X-Amz-Date": "20220505T101354Z",
      "X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date"
    },
    "host": "",
    "params": {},
    "path": "/",
    "signature": "appCredSecretBasedSignature",
    "verb": "GET"
  }
}

An example of EC2 auth token response with application credentials:

{
  "token": {
    "application_credential": {
      "access_rules": [
        {
          "id": "9416a34e7f3b45ecb029063d8a239463",
          "method": "GET",
          "path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**",
          "service": "key-manager"
        }
      ],
      "id": "3defd466f04646d094a1ee4b6afc53e8",
      "name": "test",
      "restricted": true
    },
    "audit_ids": [
      "m6C3NgSiQmqQnrBRySYW2A"
    ],
    "catalog": [...],
    "expires_at": "2022-05-05T18:24:48.000000Z",
    "is_admin_project": false,
    "is_domain": false,
    "issued_at": "2022-05-05T10:24:48.000000Z",
    "methods": [
      "application_credential"
    ],
    "project": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "f8d450e9cb7b4f1cbf664401d5bf1d29",
      "name": "test"
    },
    "roles": [
      {
        "id": "a66c3a324bc24c0da7259faa03f2704d",
        "name": "limited_role"
      }
    ],
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "0c4cac95c039441d9b8bb509fe836110",
      "name": "appCredOwner",
      "password_expires_at": "2022-09-07T18:13:38.126030"
    }
  }
}