Skip to content

Prevent unauthorized EC2 credential creation and deletion#21

Merged
Alex-Welsh merged 1 commit into
stackhpc/yogafrom
keystone_ec2_cred
Apr 8, 2026
Merged

Prevent unauthorized EC2 credential creation and deletion#21
Alex-Welsh merged 1 commit into
stackhpc/yogafrom
keystone_ec2_cred

Conversation

@GregWhiteyBialas

Copy link
Copy Markdown

Prevent unauthorized EC2 credential creation and deletion
A restricted application credential could be used to create EC2
credentials granting full user access to S3, bypassing the role
restriction. Add the same _check_unrestricted_application_credential
guard that already protects application credential create/delete
endpoints.

Additionally, tighten the ec2_create_credential and ec2_delete_credential
policies to require at least member role, as these are write operations
that should not be accessible to reader-role users regardless of whether
they are using an application credential.

Change-Id: Ib6904ec9f1bc069a9f607d39814b1d2633c17f53
Closes-Bug: #2142138
Signed-off-by: Grzegorz Grasza xek@redhat.com
(cherry picked from commit https://github.com/stackhpc/keystone-private/commit/34b7c572d065267bb31dbd6846aa48b9f11fe8c9)

@Alex-Welsh Alex-Welsh merged commit 9b590fe into stackhpc/yoga Apr 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants