Credentials for reading STACK outputs from VM inside the stack through HEAT API?

asked 2015-04-27 16:42:58 -0500


updated 2015-04-27 16:45:00 -0500

How would you handle Heat authorization within a stack without compromising security?

I would like to be able to read some of the stack's outputs from a VM defined in the Heat template, particularly the IP list of an autoscaling group, which might vary during the STACK lifecycle. Since I only have access to nova-network, I would like to use this output along with scaling webhooks in a controller VM to gracefully manage autoscaling. That's why I was thinking of passing the same Keystone credentials I used to create the STACK to the controller VM that will do this job for the stack. However, I'm also thinking about security: if the VM is compromised, those credentials could give access beyond the stack.

I read Keystone V3 has domains, but what if I don't have admin credentials to create users?
