You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Enterprise Omni currently presents Enterprise Image Factory credentials as a "username" and "password," with both embedded in plaintext in the download/boot URLs shown in the install-media dialog (visible on staging today). Enterprise customers expect API-key semantics: a secret that is shown once at creation, never displayed again, and rotatable — and they will not accept plaintext credentials in URLs for a product sold on security. This came out of the July 15 planning meeting and is part of TEL September readiness.
The underlying mechanism already mostly supports this — the factory supports multiple keys per account and graceful rotation, and the credential is already redacted in the Talos machine config. This is primarily a presentation and terminology change on the Omni side.
Solution
Rename throughout the enterprise UI: "username" → customer ID (it's a per-customer identifier, not a person), "password" → API key.
Never render an API key in clear text anywhere in the UI after creation. If/when a creation flow exists in Omni, show the key once at creation with a "copy it now" pattern.
Rotation model discussed in the meeting: a customer can hold multiple API keys; when Omni's own credential is rotated, Omni reconciles the change out to machine configs.
Out of scope: credential provisioning/rotation backend (ops-managed-siderolabs#3168), the longer-term user database + provisioning API (Spencer's research, RFD 38), and the signed-URL mechanism itself (image-factory#498).
Problem Description
Enterprise Omni currently presents Enterprise Image Factory credentials as a "username" and "password," with both embedded in plaintext in the download/boot URLs shown in the install-media dialog (visible on staging today). Enterprise customers expect API-key semantics: a secret that is shown once at creation, never displayed again, and rotatable — and they will not accept plaintext credentials in URLs for a product sold on security. This came out of the July 15 planning meeting and is part of TEL September readiness.
The underlying mechanism already mostly supports this — the factory supports multiple keys per account and graceful rotation, and the credential is already redacted in the Talos machine config. This is primarily a presentation and terminology change on the Omni side.
Solution
Alternative Solutions
No response
Notes
Decided at the July 15 planning marathon