Reviewed:  https://review.opendev.org/c/openstack/glance/+/963875
Committed: https://opendev.org/openstack/glance/commit/9bb7ffd4eda728fe74de2baf7767c5f655916ad4
Submitter: "Zuul (22348)"
Branch:    master

commit 9bb7ffd4eda728fe74de2baf7767c5f655916ad4
Author: Abhishek Kekane <[email protected]>
Date:   Tue Oct 14 18:37:35 2025 +0000

    Lazy update S3 URL on credential rotation

    Enables automatic updating of S3 credentials in image location URIs
    when store configurations change, ensuring continued access to stored
    images.

    This change covers below scenarios:
    - Upgrade from single store to multi-store, update store name in
      location metadata
    - Single store credential rotation
    - Multistore credential rotation for all s3 stores

    Closes-Bug: #2127798
    Change-Id: Ib281d01ecf5187fc1a02917cc1016c1572afb071
    Signed-off-by: Abhishek Kekane <[email protected]>

** Changed in: glance
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2127798

Title:
  Glance S3 credential update requires manual metadata management when
  EC2 credentials are rotated

Status in Glance:
  Fix Released

Bug description:
  When EC2 credentials used for S3 backend authentication are
  rotated/deleted in Keystone, Glance images with S3 locations become
  inaccessible because the image metadata still references the old
  credentials in the location URLs. There is no automatic mechanism to
  update image location metadata when S3 credentials change.

  Steps to Reproduce:

  1. Setup S3 backend with EC2 credentials:
       # Create EC2 credentials
       openstack ec2 credential create
       # Configure Glance with S3 backend using these credentials

  2. Create an image with S3 backend:
       openstack image create --file cirros.img --disk-format qcow2 test-image

  3. Verify image has S3 location with current credentials:
       openstack image show test-image --format json | grep -A 5 locations
       # Shows: s3://ACCESS_KEY:SECRET_KEY@host/path

  4. Rotate EC2 credentials:
       # Delete old credentials
       openstack ec2 credential delete OLD_ACCESS_KEY
       # Create new credentials
       openstack ec2 credential create
       # Update Glance configuration with new credentials
       # Restart Glance service

  5. Attempt to download the image:
       openstack image save --file downloaded.img test-image

  Expected Behavior
  - Glance should automatically update image location metadata when S3
    credentials change
  - Images should remain accessible after credential rotation
  - No manual intervention should be required

  Actual Behavior
  - Image becomes inaccessible with "Image has no data" error
  - Old credential URLs remain in metadata even after credential rotation
  - Manual location management required to restore image access
  - No automatic credential update mechanism exists

  Workaround
  Currently requires manual steps:

  Add new location with new credentials:
       glance location-add --url "s3://NEW_ACCESS_KEY:NEW_SECRET_KEY@host/path" \
           --metadata '{"store": "s3_fast"}' IMAGE_ID

  With this workaround you will get access to your data, but the image
  will have two locations, one of which will be forever inaccessible and
  needs to be deleted from the database only.
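The stale-credential check the bug asks for, as an added example that is not Glance's or glance_store's code: it compares the key pair embedded in a stored `s3://ACCESS_KEY:SECRET_KEY@host/path` location with the currently configured pair, rewrites the URI when they differ, and redacts the secret for logging. The function names, the sample host and the sample keys are constructed for illustration, and accepting any scheme that begins with `s3` is an assumption.

```python
import hmac
from typing import NamedTuple, Optional, Tuple


class S3Location(NamedTuple):
    scheme: str
    access_key: str
    secret_key: str
    rest: str  # host/bucket/object: everything after the last '@'


def parse_s3_location(uri: str) -> Optional[S3Location]:
    """Split a credential-bearing S3 location URI by hand.

    urllib.parse is avoided on purpose: a secret key may contain '/' or
    '+', which a generic URL parser would treat as the start of the path.
    """
    scheme, sep, tail = uri.partition("://")
    if not sep or not scheme.startswith("s3"):
        return None
    creds, at, rest = tail.rpartition("@")
    access_key, colon, secret_key = creds.partition(":")
    if not at or not colon:
        return None  # no embedded credentials, nothing to rotate
    return S3Location(scheme, access_key, secret_key, rest)


def refresh_location(uri: str, access_key: str, secret_key: str) -> Tuple[str, bool]:
    """Return (uri, changed): the URI carrying the configured key pair."""
    loc = parse_s3_location(uri)
    if loc is None:
        return uri, False
    same = hmac.compare_digest(loc.access_key.encode(), access_key.encode()) and \
        hmac.compare_digest(loc.secret_key.encode(), secret_key.encode())
    if same:
        return uri, False
    return f"{loc.scheme}://{access_key}:{secret_key}@{loc.rest}", True


def redact(uri: str) -> str:
    """Form of the URI that is safe to log: the secret key is masked."""
    loc = parse_s3_location(uri)
    if loc is None:
        return uri
    return f"{loc.scheme}://{loc.access_key}:***@{loc.rest}"


# Constructed sample: a location written before the key pair was rotated.
OLD_URI = "s3://OLDKEY:old/sec+ret@s3.example.test/bucket/img-1"
```

Because the secret sits inside the location string, anything that logs or returns locations unredacted also exposes the key, which is why `redact` belongs next to the rewrite.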

