From b01a246a4d5beb16341d53c8da4daa28e4cbde44 Mon Sep 17 00:00:00 2001
From: Nobuto Murata <nobuto.murata@canonical.com>
Date: Wed, 7 Jul 2021 11:31:51 +0900
Subject: [PATCH] Put a clear instruction not to expose S3 creds

Change-Id: Id2e9d4351513341b5ee41fa8a8d677aca6580fca
---
 README.md   | 5 ++++-
 config.yaml | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 4af323df..9d74064b 100644
--- a/README.md
+++ b/README.md
@@ -106,9 +106,12 @@ This S3 backend is supported for Ussuri release or later in the charm.
 The step below assumes an external and pre-existing S3 compatible server
 available.
 
-S3 server information can be passed via charm config options.
+S3 server information can be passed via charm config options, and you
+must set `expose-image-locations` as false not to expose S3 credentials
+through Glance API.
 
     juju config glance \
+        expose-image-locations=false \
         s3-store-host='http://my-object-storage.example.com:8080' \
         s3-store-access-key='ACCESS_KEY' \
         s3-store-secret-key='SECRET_KEY' \
diff --git a/config.yaml b/config.yaml
index e56f6492..38daa7c2 100644
--- a/config.yaml
+++ b/config.yaml
@@ -541,7 +541,8 @@ options:
       http://my-object-storage.example.com:8080
       .
       NOTE: The S3 backend can be enabled only for Ussuri or later
-      releases with this charm.
+      releases with this charm. You must set expose-image-locations as
+      false not to expose S3 credentials through Glance API.
   s3-store-access-key:
     type: string
     default: