Strengthening Scaleway Token Security Policy

Introducing Access Keys and Secrets

Currently, to authenticate on the Scaleway APIs, you use a token.
This token is a single value (precisely, a UUID) that is typically sent in an HTTP header of the request:

curl -H 'X-Auth-Token: 5f3e5122-d0b0-4d0c-8ae6-7844ab64a5aa' https://cp-ams1.scaleway.com/servers

This token must stay secret! If stolen, it can be used to impersonate you and perform multiple actions on your behalf.
Most developers put it as an environment variable (https://12factor.net/config) or use a secret management solution such as Vault to store it safely.

Because tokens are very sensitive information, we wanted to improve security policy and access control to them.

Today it is possible to retrieve your tokens, once created, from the web console or the account API. For most workflows, it is unnecessary: you only need the secret once to configure your application.

We want to protect you against all threats that you might be exposed to. Having your tokens stolen is one of them.
That's why, starting now, a token will be made of a pair of two values: an "Access Key" and a "Secret Key".


What are Access Key and Secret Key?

  • An Access Key can identify a token.
  • It's not a sensitive piece of information.
  • The secret is the value that already exists today (the value used in the X-Auth-Token HTTP header).
  • The secret must stay secret and must not be given to anyone or published online.

Consider the access key as a login, and the secret key as a password.
And a token is the pair of those 2 values.
As usual, each Scaleway account can have several tokens (so several pairs of access-key + secret).
Several tokens are useful to give different applications access to the same Scaleway account and you can add a description to differentiate them. However, you remain in control and you can revoke access to any application individually.

What consequences does it have?

The Secret Key is now only given once, during the creation of the token: either in the response of an HTTP POST /tokens on the api-account or in the web console at creation time.
The secret key cannot be retrieved after its creation. As a result, you must store it securely at this point. In case you forget or lose this secret, you will need to delete the token and create a new one (it will have a new access key).
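The one-time secret described above, handled the way a deployment script should: persisted once with owner-only permissions, never logged in clear, and sent in the X-Auth-Token header. This is an added example and not Scaleway's code; the JSON field names, the SCW_SECRET_KEY variable and the file path are assumptions.

```python
import os
import stat
import urllib.request

# Constructed sample of a POST /tokens response. The field names "access_key" and
# "secret_key" are assumptions: the post names the two values but not the JSON keys.
SAMPLE_CREATE_RESPONSE = {
    "token": {
        "access_key": "SCWACCESSKEYEXAMPLE",                   # placeholder, not sensitive
        "secret_key": "5f3e5122-d0b0-4d0c-8ae6-7844ab64a5aa",  # UUID from the curl example
        "description": "ci-deploy",
    }
}

def persist_secret_once(create_response, path):
    """Store the secret key at the only moment the API returns it (token creation).

    The file is created owner-read/write only and must not already exist, so a
    second run cannot silently overwrite a secret that can never be fetched again.
    Returns the access key, which is the non-sensitive identifier safe to log.
    """
    token = create_response["token"]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token["secret_key"] + "\n")
    return token["access_key"]

def load_secret(path=None):
    """Prefer the 12-factor environment variable; fall back to the 0600 file."""
    secret = os.environ.get("SCW_SECRET_KEY")  # SCW_SECRET_KEY is an assumed name
    if secret:
        return secret
    if path is None:
        raise RuntimeError("no secret key configured")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # refuse a secret file that other users can read
        raise PermissionError(f"{path} is readable by other users (mode {oct(mode)})")
    with open(path) as fh:
        return fh.read().strip()

def redact(secret):
    """Mask a secret for log output; only the last 4 characters remain."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]

def authenticated_request(url, secret):
    """Build the request exactly as the curl example does: secret in X-Auth-Token."""
    return urllib.request.Request(url, headers={"X-Auth-Token": secret})
```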

For API users:

  • This modification will not invalidate existing tokens. So, current tokens are not affected, and your API calls will keep on working as before without any change.
  • The API authentication format does not change: requests are still authenticated using the 'X-Auth-Token' header.
  • The only change is that the attribute "id" is no longer returned by calls to GET /tokens.

For Scaleway CLI users:

  • The modification will prevent users of an outdated Scaleway CLI from logging in (scw login); you need to upgrade scw to be able to log in again.
  • Users that are already logged in (scw login) can continue using an old version without any change or upgrade; it will continue to work.
  • NB: of course, we still recommend regular upgrades of the CLI to keep enjoying the latest features and improvements.

This change will also allow us to offer new security features related to authentication more easily in the future.


Maxime Lavandier

Accounts and Billing at Online.net & Scaleway