Title of invention: Authenticating cloud services
Abstract: The disclosed embodiments provide a system that facilitates authenticating cloud services that execute in an untrusted cloud computing environment. During operation, a verifying party receives a request for a credential from a compute instance that is executing in the untrusted cloud computing environment. This request includes one or more metadata parameters that are associated with the compute instance. The verifying party queries a management interface for the untrusted cloud computing environment to retrieve a second set of metadata parameters for the compute instance, and then compares the two sets of parameters. If the values for the two sets of parameters match, the verifying party grants the credential to the requesting compute instance. Otherwise, the verifying party denies the request.
Publication number: US9288193(B1)  Publication date: 2016.03.15
Application number: US201313946601  Filing date: 2013.07.19
Applicant: INTUIT INC.  Inventors: Gryb Oleg; Kumaraswamy Subramanian
Classification: G06F21/00; H04L29/06; G06F21/62  Main classification: G06F21/00
Agency: Park, Vaughan, Fleming & Dowler LLP  Agent: Park, Vaughan, Fleming & Dowler LLP; Spiller Mark
Main claim: 1. A computer-implemented method for authenticating cloud services, the method comprising: receiving a request for a credential from a compute instance executing in a cloud computing environment, wherein the request comprises a first set of metadata specific to the compute instance; wherein the credential is associated with a compute role; wherein the method further comprises denying the compute instance access to the credential when a second compute role associated with the credential key does not match the compute role of the compute instance; tracking the credentials that have been requested by and granted to the compute instance; determining anomalous requests from the compute instance; querying a management interface for the cloud computing environment to retrieve a second set of metadata specific to the compute instance; and upon determining that the first set of metadata matches the second set of metadata, granting the credential to the compute instance.
Address: Mountain View CA US
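
The verification flow described in the abstract and in claim 1, sketched as an added example (not code from the patent or from the applicant). The in-memory management interface, the compared metadata keys, the credential store and the request threshold used to flag anomalous requests are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data: what the cloud management interface reports per instance.
MGMT_API = {
    "i-0001": {"image_id": "img-web", "private_ip": "10.0.0.5", "role": "web"},
    "i-0002": {"image_id": "img-db", "private_ip": "10.0.0.9", "role": "db"},
}
# Constructed credential store: credential name -> (compute role, secret).
CREDENTIALS = {"db-password": ("db", "s3cr3t-placeholder")}
COMPARED_KEYS = ("image_id", "private_ip", "role")  # assumed parameter set
MAX_REQUESTS = 3  # assumed anomaly threshold per (instance, credential)


class Verifier:
    def __init__(self, mgmt_api, credentials):
        self.mgmt_api = mgmt_api
        self.credentials = credentials
        self.requests = Counter()   # (instance, credential) -> requests seen
        self.granted = set()        # (instance, credential) pairs granted
        self.anomalies = []         # (instance, credential, reason)

    def _deny(self, key, reason):
        self.anomalies.append((*key, reason))
        return {"granted": False, "reason": reason}

    def handle(self, instance_id, claimed, credential):
        key = (instance_id, credential)
        self.requests[key] += 1
        if self.requests[key] > MAX_REQUESTS:
            return self._deny(key, "request rate anomaly")
        # Second metadata set comes from the management interface, never the caller.
        actual = self.mgmt_api.get(instance_id)
        if actual is None:
            return self._deny(key, "unknown instance")
        if any(claimed.get(k) != actual[k] for k in COMPARED_KEYS):
            return self._deny(key, "metadata mismatch")
        entry = self.credentials.get(credential)
        # Role check uses the management interface's view of the instance role.
        if entry is None or entry[0] != actual["role"]:
            return self._deny(key, "role mismatch")
        self.granted.add(key)
        return {"granted": True, "secret": entry[1]}
```

The instance's role is taken from the management interface rather than from the request, so an instance that claims a different role fails the metadata comparison before the role check is reached.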