During the recent security mid-cycle we addressed the topic of authorizing on-cloud applications to cloud services (e.g. a compute instance that wants to interact with Swift). We designed a reflective pattern focused on de-escalating application privilege and moving policy enforcement for applications into the application space; we've called this "Re-entrant policy management for on-cloud applications".
A second, slightly earlier approach using PKI and Barbican exists as a spec called "Instance Users for Cloud Interaction" (https://review.openstack.org/#/c/222293).
In this fishbowl we will briefly introduce both models before inviting the attendees to discuss the relative benefits and issues of both sets of ideas. The aim is to foster discussion and capture research items to discuss further; we won't fix anything in this session, but we will capture the next steps for working towards solving this problem.