Question

I want an openstack machine snapshot that can be used in any project and can start up other snapshots itself. I would like it so that anyone can just start an instance of this snapshot in their project and it will be able to start other snapshots itself without any extra configuration. Is this possible?


Solution

The short answer is:

At the moment there is no way to do this securely...

As Keystone extends the capabilities of providing shared trust tokens this may be feasible.

The long answer is:

What it basically comes down to is that the images are accessible fully to the users that have them. So any API creds you store on that image can be stolen by the guest users. And that means you can't set your base public image up to have any API credentials available for it to make API calls.

Now you can inject credentials at run time, but that would have to be done by the users. You could also have a script on the base image that interactively requests the user's auth creds so it can get a valid token from keystone. Heck, you can even pass that at run time of the instance using one of these options:

I prefer user-data and cloud-init. http://docs.openstack.org/trunk/openstack-compute/admin/content/user-data.html

Config drive has exposed some fairly nasty security risks in the past. http://docs.openstack.org/trunk/openstack-compute/admin/content/config-drive.html

That might get you far enough. But it won't be fully automated.
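The two halves of the answer, as an added example that is not part of the original post: a pre-publish check that walks an image's root filesystem for baked-in OpenStack credentials (the thing a guest user could lift from a shared snapshot), and a renderer for the cloud-init user-data that injects per-instance credentials at boot instead. The file names, the `OS_*` variable names and the constructed sample tree are assumptions for illustration; the cloud-config keys (`write_files`, `path`, `owner`, `permissions`, `content`) are real cloud-init directives.

```python
"""Example helpers for the pattern in the answer: keep the public base image
free of API credentials and inject them per instance via user-data/cloud-init.
This is added example code, not code from the original post."""
import os
import re
import tempfile
from pathlib import Path

# A line that sets a secret, as it would appear in an openrc/.novarc (shell
# export syntax) or in a clouds.yaml ("password:" key). Endpoints and user
# names are not secrets, so OS_AUTH_URL / OS_USERNAME are deliberately ignored.
SECRET_LINE = re.compile(
    r"^\s*(?:export\s+)?(?:OS_PASSWORD|OS_AUTH_TOKEN)\s*=\s*\S"
    r"|^\s*password\s*:\s*\S"
)


def scan_image_root(root, max_bytes=1 << 20):
    """Walk an extracted or mounted image root and return (relative_path, line)
    pairs where a credential secret is set. Run this before snapshotting a
    build host into a public image; an empty list is the expected result."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            # Skip symlinks, devices and anything too large to be a config file.
            if path.is_symlink() or not path.is_file() or path.stat().st_size > max_bytes:
                continue
            text = path.read_text(errors="ignore")
            for lineno, line in enumerate(text.splitlines(), 1):
                if SECRET_LINE.match(line):
                    findings.append((path.relative_to(root).as_posix(), lineno))
    return findings


def render_user_data(auth_url, tenant_name, username, password):
    """Build a #cloud-config user-data document that writes /root/openrc at
    first boot, owned by root and mode 0600. The credentials travel in the
    instance's own metadata, so the shared image itself carries none."""
    openrc_lines = [
        "export OS_AUTH_URL=%s" % auth_url,
        "export OS_TENANT_NAME=%s" % tenant_name,   # Keystone v2 naming, as in the linked docs era
        "export OS_USERNAME=%s" % username,
        "export OS_PASSWORD=%s" % password,
    ]
    doc = [
        "#cloud-config",
        "write_files:",
        "  - path: /root/openrc",
        "    owner: root:root",
        "    permissions: '0600'",
        "    content: |",
    ] + ["      " + line for line in openrc_lines]
    return "\n".join(doc) + "\n"


def build_sample_image_root():
    """Create a constructed sample image tree in a temp dir: one harmless file
    and one leftover .novarc with a password, as left behind by 'source .novarc'
    on a build host. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="image-root-"))
    (root / "etc").mkdir()
    (root / "etc" / "motd").write_text("welcome to the base image\n")
    (root / "root").mkdir()
    (root / "root" / ".novarc").write_text(
        "export OS_USERNAME=builder\n"
        "export OS_PASSWORD=constructed-secret\n"
    )
    return root


if __name__ == "__main__":
    sample = build_sample_image_root()
    print("baked-in secrets:", scan_image_root(sample))
    print(render_user_data("http://keystone.example:5000/v2.0", "demo", "alice", "example-pw"))
```

The scan is the gate: if it reports anything, the snapshot is not safe to share across projects, because every user who boots it can read that file. The rendered user-data only moves the secret, it does not remove the need to scope it: the metadata service is reachable from any process inside the guest, so the injected credential should belong to the instance owner, be limited to what that instance needs, and be revocable.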

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow