Public bug reported: Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules and ec2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because EC2 creds token has the same power as a regular user/pass auth.
EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.) it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all features application credentials provide, EC2 can get a second wind. An example of EC2 auth request with application credentials: $ openstack application credential list +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | ID | Name | Project ID | Description | Expires At | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ POST http://keystone:8080/v3/ec2tokens { "credentials": { "access": "3defd466f04646d094a1ee4b6afc53e8", "body_hash": "***", "headers": { "Accept-Encoding": "identity", "Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature", "Host": "keystone:8080", "User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19", "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "X-Amz-Date": "20220505T101354Z", "X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date" }, "host": "", "params": {}, "path": "/", "signature": "appCredSecretBasedSignature", "verb": "GET" } } An example of EC2 auth token response with application credentials: { "token": { "application_credential": { "access_rules": [ { "id": "9416a34e7f3b45ecb029063d8a239463", "method": "GET", "path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**", "service": "key-manager" } ], "id": "3defd466f04646d094a1ee4b6afc53e8", "name": "test", "restricted": true }, "audit_ids": [ "m6C3NgSiQmqQnrBRySYW2A" ], "catalog": [...], "expires_at": "2022-05-05T18:24:48.000000Z", "is_admin_project": false, "is_domain": false, "issued_at": "2022-05-05T10:24:48.000000Z", "methods": [ "application_credential" ], "project": { "domain": { "id": "default", "name": "Default" }, "id": "f8d450e9cb7b4f1cbf664401d5bf1d29", "name": "test" }, "roles": [ { "id": "a66c3a324bc24c0da7259faa03f2704d", "name": "limited_role" } ], "user": { "domain": { "id": "default", "name": "Default" }, "id": "0c4cac95c039441d9b8bb509fe836110", "name": "appCredOwner", "password_expires_at": "2022-09-07T18:13:38.126030" } } } ** Affects: keystone Importance: Undecided Status: New ** Tags: application credentials ec2 ** Description changed: Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules and ec2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because EC2 creds token has the same power as a regular user/pass auth. Hence EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.) it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all features application credentials provide, EC2 can get a second wind. An example of EC2 auth request with application credentials: $ openstack application credential list +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | ID | Name | Project ID | Description | Expires At | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ - + POST http://keystone:8080/v3/ec2tokens { - "credentials": { - "access": "3defd466f04646d094a1ee4b6afc53e8", - "body_hash": "***", - "headers": { - "Accept-Encoding": "identity", - "Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature", - "Host": "keystone:8080", - "User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19", - "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", - "X-Amz-Date": "20220505T101354Z", - "X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date" - }, - "host": "", - "params": {}, - "path": "/", - "signature": "appCredSecretBasedSignature", - "verb": "GET" - } + "credentials": { + "access": "3defd466f04646d094a1ee4b6afc53e8", + "body_hash": "***", + "headers": { + "Accept-Encoding": "identity", + "Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature", + "Host": "keystone:8080", + "User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19", + "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "X-Amz-Date": "20220505T101354Z", + "X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date" + }, + "host": "", + "params": {}, + "path": "/", + "signature": "appCredSecretBasedSignature", + "verb": "GET" + } } An example of EC2 auth token response with application credentials: { - "token": { - "application_credential": { - "access_rules": [ - { - "id": "9416a34e7f3b45ecb029063d8a239463", - "method": "GET", - "path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**", - "service": "key-manager" - } - ], - "id": "3defd466f04646d094a1ee4b6afc53e8", - "name": "test", - "restricted": true - }, - "audit_ids": [ - "m6C3NgSiQmqQnrBRySYW2A" - ], - "catalog": [...], - "expires_at": "2022-05-05T18:24:48.000000Z", - "is_admin_project": false, - "is_domain": false, - "issued_at": "2022-05-05T10:24:48.000000Z", - "methods": [ - "application_credential" - ], - "project": { - "domain": { - "id": "default", - "name": "Default" - }, - "id": "f8d450e9cb7b4f1cbf664401d5bf1d29", - "name": "test" - }, - "roles": [ - { - "id": "a66c3a324bc24c0da7259faa03f2704d", - "name": "limited_role" - } - ], - "user": { - "domain": { - "id": "default", - "name": "Default" - }, - "id": "0c4cac95c039441d9b8bb509fe836110", - "name": "appCredOwner", - "password_expires_at": "2022-09-07T18:13:38.126030" - } - } + "token": { + "application_credential": { + "access_rules": [ + { + "id": "9416a34e7f3b45ecb029063d8a239463", + "method": "GET", + "path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**", + "service": "key-manager" + } + ], + "id": "3defd466f04646d094a1ee4b6afc53e8", + "name": "test", + "restricted": true + }, + "audit_ids": [ + "m6C3NgSiQmqQnrBRySYW2A" + ], + "catalog": [...], + "expires_at": "2022-05-05T18:24:48.000000Z", + "is_admin_project": false, + "is_domain": false, + "issued_at": "2022-05-05T10:24:48.000000Z", + "methods": [ + "application_credential" + ], + "project": { + "domain": { + "id": "default", + "name": "Default" + }, + "id": "f8d450e9cb7b4f1cbf664401d5bf1d29", + "name": "test" + }, + "roles": [ + { + "id": "a66c3a324bc24c0da7259faa03f2704d", + "name": "limited_role" + } + ], + "user": { + "domain": { + "id": "default", + "name": "Default" + }, + "id": "0c4cac95c039441d9b8bb509fe836110", + "name": "appCredOwner", + "password_expires_at": "2022-09-07T18:13:38.126030" + } + } } ** Description changed: Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules and ec2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because EC2 creds token has the same power as a regular user/pass auth. - Hence EC2 AUTH is actively used by Swift S3 emulation (not limited only - to Swift, btw.) it would be nice to use application credentials as an - auth source in keystone internals and issue a limited access token. With - all features application credentials provide, EC2 can get a second wind. + However EC2 AUTH is actively used by Swift S3 emulation (not limited + only to Swift, btw.) it would be nice to use application credentials as + an auth source in keystone internals and issue a limited access token. + With all features application credentials provide, EC2 can get a second + wind. An example of EC2 auth request with application credentials: $ openstack application credential list +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | ID | Name | Project ID | Description | Expires At | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ POST http://keystone:8080/v3/ec2tokens { "credentials": { "access": "3defd466f04646d094a1ee4b6afc53e8", "body_hash": "***", "headers": { "Accept-Encoding": "identity", "Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature", "Host": "keystone:8080", "User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19", "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "X-Amz-Date": "20220505T101354Z", "X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date" }, "host": "", "params": {}, "path": "/", "signature": "appCredSecretBasedSignature", "verb": "GET" } } An example of EC2 auth token response with application credentials: { "token": { "application_credential": { "access_rules": [ { "id": "9416a34e7f3b45ecb029063d8a239463", "method": "GET", "path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**", "service": "key-manager" } ], "id": "3defd466f04646d094a1ee4b6afc53e8", "name": "test", "restricted": true }, "audit_ids": [ "m6C3NgSiQmqQnrBRySYW2A" ], "catalog": [...], "expires_at": "2022-05-05T18:24:48.000000Z", "is_admin_project": false, "is_domain": false, "issued_at": "2022-05-05T10:24:48.000000Z", "methods": [ "application_credential" ], "project": { "domain": { "id": "default", "name": "Default" }, "id": "f8d450e9cb7b4f1cbf664401d5bf1d29", "name": "test" }, "roles": [ { "id": "a66c3a324bc24c0da7259faa03f2704d", "name": "limited_role" } ], "user": { "domain": { "id": "default", "name": "Default" }, "id": "0c4cac95c039441d9b8bb509fe836110", "name": "appCredOwner", "password_expires_at": "2022-09-07T18:13:38.126030" } } } ** Description changed: Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules and ec2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because EC2 creds token has the same power as a regular user/pass auth. - However EC2 AUTH is actively used by Swift S3 emulation (not limited - only to Swift, btw.) it would be nice to use application credentials as - an auth source in keystone internals and issue a limited access token. - With all features application credentials provide, EC2 can get a second - wind. + EC2 AUTH is actively used by Swift S3 emulation (not limited only to + Swift, btw.) it would be nice to use application credentials as an auth + source in keystone internals and issue a limited access token. With all + features application credentials provide, EC2 can get a second wind. An example of EC2 auth request with application credentials: $ openstack application credential list +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | ID | Name | Project ID | Description | Expires At | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ POST http://keystone:8080/v3/ec2tokens { "credentials": { "access": "3defd466f04646d094a1ee4b6afc53e8", "body_hash": "***", "headers": { "Accept-Encoding": "identity", "Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature", "Host": "keystone:8080", "User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19", "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "X-Amz-Date": "20220505T101354Z", "X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date" }, "host": "", "params": {}, "path": "/", "signature": "appCredSecretBasedSignature", "verb": "GET" } } An example of EC2 auth token response with application credentials: { "token": { "application_credential": { "access_rules": [ { "id": "9416a34e7f3b45ecb029063d8a239463", "method": "GET", "path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**", "service": "key-manager" } ], "id": "3defd466f04646d094a1ee4b6afc53e8", "name": "test", "restricted": true }, "audit_ids": [ "m6C3NgSiQmqQnrBRySYW2A" ], "catalog": [...], "expires_at": "2022-05-05T18:24:48.000000Z", "is_admin_project": false, "is_domain": false, "issued_at": "2022-05-05T10:24:48.000000Z", "methods": [ "application_credential" ], "project": { "domain": { "id": "default", "name": "Default" }, "id": "f8d450e9cb7b4f1cbf664401d5bf1d29", "name": "test" }, "roles": [ { "id": "a66c3a324bc24c0da7259faa03f2704d", "name": "limited_role" } ], "user": { "domain": { "id": "default", "name": "Default" }, "id": "0c4cac95c039441d9b8bb509fe836110", "name": "appCredOwner", "password_expires_at": "2022-09-07T18:13:38.126030" } } } ** Summary changed: - Add application credentials as a source for EC2 auth + Support application credentials as a source for EC2 auth -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1971691 Title: Support application credentials as a source for EC2 auth Status in OpenStack Identity (keystone): New Bug description: Unfortunately EC2 credentials are not secure enough. EC2 credentials are not protected by limited roles, expiration time, access rules and ec2 secret part is visible via get/list API calls. Leaked EC2 credentials imply a big security risk in terms of access, because EC2 creds token has the same power as a regular user/pass auth. EC2 AUTH is actively used by Swift S3 emulation (not limited only to Swift, btw.) it would be nice to use application credentials as an auth source in keystone internals and issue a limited access token. With all features application credentials provide, EC2 can get a second wind. An example of EC2 auth request with application credentials: $ openstack application credential list +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | ID | Name | Project ID | Description | Expires At | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ | 3defd466f04646d094a1ee4b6afc53e8 | test | f8d450e9cb7b4f1cbf664401d5bf1d29 | None | 2219-02-13T12:12:12.000000 | +----------------------------------+---------------+----------------------------------+-------------+----------------------------+ POST http://keystone:8080/v3/ec2tokens { "credentials": { "access": "3defd466f04646d094a1ee4b6afc53e8", "body_hash": "***", "headers": { "Accept-Encoding": "identity", "Authorization": "AWS4-HMAC-SHA256 Credential=3defd466f04646d094a1ee4b6afc53e8/20220505/RegionOne/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=appCredSecretBasedSignature", "Host": "keystone:8080", "User-Agent": "aws-cli/1.18.69 Python/3.8.10 Linux/5.4.0-109-generic botocore/1.16.19", "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "X-Amz-Date": "20220505T101354Z", "X-Amz-SignedHeaders": "host;x-amz-content-sha256;x-amz-date" }, "host": "", "params": {}, "path": "/", "signature": "appCredSecretBasedSignature", "verb": "GET" } } An example of EC2 auth token response with application credentials: { "token": { "application_credential": { "access_rules": [ { "id": "9416a34e7f3b45ecb029063d8a239463", "method": "GET", "path": "/v1/secrets/e8f07eae-3a6b-4c3c-a847-f14f6e348d8f**", "service": "key-manager" } ], "id": "3defd466f04646d094a1ee4b6afc53e8", "name": "test", "restricted": true }, "audit_ids": [ "m6C3NgSiQmqQnrBRySYW2A" ], "catalog": [...], "expires_at": "2022-05-05T18:24:48.000000Z", "is_admin_project": false, "is_domain": false, "issued_at": "2022-05-05T10:24:48.000000Z", "methods": [ "application_credential" ], "project": { "domain": { "id": "default", "name": "Default" }, "id": "f8d450e9cb7b4f1cbf664401d5bf1d29", "name": "test" }, "roles": [ { "id": "a66c3a324bc24c0da7259faa03f2704d", "name": "limited_role" } ], "user": { "domain": { "id": "default", "name": "Default" }, "id": "0c4cac95c039441d9b8bb509fe836110", "name": "appCredOwner", "password_expires_at": "2022-09-07T18:13:38.126030" } } } To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1971691/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp