keystone/releasenotes/notes/bug-1750678-88a38851ca80fc64.yaml

---
features:
  - |
    [`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
    The EC2 credentials API now supports the ``admin``,
    ``member``, and ``reader`` default roles.    

upgrade:
  - |
    [`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
    The EC2 credentials API uses new default policies to
    make it more accessible to end users and administrators in a secure way.
    Please consider these new defaults if your deployment overrides EC2
    credentials consumer policies.    
deprecations:
  - |
    [`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
    The EC2 credentials policies have been deprecated. The
    ``identity:ec2_get_credentials`` now use  ``(role:reader and system_scope:all)
    or user_id:%(target.credential.user_id)s`` instead of
    ``rule:admin_required``and ``identity:ec2_list_credentials`` policies now use
    ``role:reader and system_scope:all or rule:owner`` instead of
    ``rule:admin_required``. The ``identity:ec2_delete_credentials`` now use
    ``(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s``
    instead of ``rule:admin_required``and ``identity:ec2_create_credentials``
    policies now use ``role:admin and system_scope:all or rule:owner`` instead of
    ``rule:admin_required``.
    These new defaults automatically account for system-scope and support
    a read-only role, making it easier for system administrators to delegate
    subsets of responsibility without compromising security. Please consider
    these new defaults if your deployment overrides the EC2 credentials policies.    
security:
  - |
    [`bug 1750678 <https://bugs.launchpad.net/keystone/+bug/1750678>`_]
    The EC2 credentials API now uses system-scope and default
    roles to provide better accessibility to users in a secure manner.